Microsoft KB Archive/934022

= An ISA Server 2004 downstream server does not reuse the TCP connections to a third-party upstream server =

Article ID: 934022

Article Last Modified on 12/4/2007

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition

-



SYMPTOMS
Consider the following scenario. A downstream server is running Microsoft Internet Security and Acceleration (ISA) Server 2004. This downstream server is chained to a third-party upstream server through Web-chaining configuration. In this scenario, ISA Server does not reuse the TCP connections that have been created to the upstream server. Instead, ISA Server closes each TCP connection after an HTTP response is received.

When the network is under a heavy load, this behavior may cause ISA Server to exhaust all available TCP ports.



CAUSE
Some third-party proxy servers send an HTTP response that includes both of the following headers:
 * Content-Length
 * Transfer-Encoding: Chunked

According to section 4.4 of the RFC 2616 specifications, these two headers are mutually exclusive, and they must not be used together. This HTTP response indicates a potential HTTP smuggling attack. Therefore, ISA Server processes the response by ignoring the Content-Length header. Then, ISA Server closes the TCP connection to avoid the potential attack.



RESOLUTION
Important These steps may increase your security risk. These steps may also make the computer or the network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you decide to implement this process, take any appropriate additional steps to help protect the system. We recommend that you use this process only if you really require this process.

Warning After you follow the steps in this section, ISA Server 2004 will not close the TCP connections, even if both the Content-Length header and the &quot;Transfer-Encoding: Chunked&quot; header are present in the HTTP response. This resolution reduces the protection that is provided by ISA Server. Therefore, we do not recommend that you apply this change unless the upstream server provides protection against HTTP smuggling attacks.

To change the default ISA behavior, follow these steps:  Install ISA Server 2004 Service Pack 3. For more information about how to obtain the latest service pack for ISA Server 2004, visit the following Microsoft TechNet Web site:

http://www.microsoft.com/technet/downloads/isa/2004/servicepacks/default.mspx

 Start Notepad.  Copy the following code, and then paste it into Notepad:  ' ' Copyright (c) Microsoft Corporation. All rights reserved. ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS ' HEREBY PERMITTED.   ' This script sets whether ISA will keep connections open after it receives an HTTP ' response that contains both a Content-Length header and a Transfer-Encoding: Chunked header. ' 

Const SE_VPS_GUID = &quot;{143F5698-103B-12D4-FF34-1F34767DEabc}&quot; Const SE_VPS_NAME = &quot;EnableKb934022&quot; Const SE_VPS_VALUE = true

Sub SetValue

' Create the root object. Dim root ' The FPCLib.FPC root object Set root = CreateObject(&quot;FPC.Root&quot;)

'Declare the other objects needed. Dim array      ' An FPCArray object Dim VendorSets ' An FPCVendorParametersSets collection Dim VendorSet  ' An FPCVendorParametersSet object

' Get references to the array object ' and to the network rules collection. Set array = root.GetContainingArray Set VendorSets = array.VendorParametersSets

On Error Resume Next Set VendorSet = VendorSets.Item( SE_VPS_GUID )

If Err.Number <> 0 Then Err.Clear

' Add the item. Set VendorSet = VendorSets.Add( SE_VPS_GUID ) CheckError WScript.Echo &quot;New VendorSet added... &quot; & VendorSet.Name

Else WScript.Echo &quot;Existing VendorSet found... value- &quot; & VendorSet.Value(SE_VPS_NAME) End If

if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

Err.Clear VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

If Err.Number <> 0 Then CheckError Else VendorSets.Save false, true CheckError

If Err.Number = 0 Then WScript.Echo &quot;Done with &quot; & SE_VPS_NAME & &quot;, saved!&quot; End If       End If    Else WScript.Echo &quot;Done with &quot; & SE_VPS_NAME & &quot;, no change!&quot; End If

End Sub

Sub CheckError

If Err.Number <> 0 Then WScript.Echo &quot;An error occurred: 0x&quot; & Hex(Err.Number) & &quot; &quot; & Err.Description Err.Clear End If

End Sub

SetValue  Save the text file as &quot;Enable934022.&quot; Open a command prompt, switch to the location in which the script is saved, and then run the following command at the command prompt:

cscript Enable934022.vbs



Note To revert to the default setting, edit the script by changing &quot;Const SE_VPS_VALUE = true&quot; to &quot;Const SE_VPS_VALUE = false.&quot; Save the script, and then run it again.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

Keywords: kbtshoot kbprb kbexpertiseinter KB934022

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.