Microsoft KB Archive/920356

= You experience a two minute delay when you access an HTTP Web site from an HTTPS Web site by using Internet Explorer configured as an ISA Server 2004 SP2 Web proxy client =

Article ID: 920356

Article Last Modified on 12/4/2007

-

APPLIES TO

* Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 2, when used with:
** Microsoft Internet Security and Acceleration Server 2004 Standard Edition
** Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition

-





SYMPTOMS
When a Microsoft Internet Security and Acceleration (ISA) Server 2004 Web proxy client computer accesses an HTTP Web site from an HTTPS Web site, the Web browser on the client computer stops responding, or "hangs," for approximately two minutes.

For example, consider the following scenario:

1. You visit a URL that resembles the following by using a version of Microsoft Internet Explorer that is configured as a Web proxy client:

 https://contoso.com/login.aspx

2. You enter the correct credentials when you are prompted.

3. The HTTPS Web site directs you to a URL that resembles the following:

 http://contoso.com/index.aspx

In this scenario, Internet Explorer may take approximately two minutes to switch from the HTTPS Web site to the HTTP Web site.

You experience this problem if you are running ISA Server 2004 with ISA Server 2004 Service Pack 2 (SP2) installed.


CAUSE
When Internet Explorer establishes a security tunnel through a Web proxy server, Internet Explorer uses the HTTP CONNECT method. Because this method is an HTTP request for a security tunnel only, ISA Server expects the tunnel to remain established until the client program closes it. Therefore, in response to the HTTP CONNECT request, ISA Server returns the HTTP Connection: Keep-Alive header and the Proxy-Connection: Keep-Alive header. This causes Internet Explorer to determine that this is a Keep-Alive connection for any HTTP request, even though this HTTP request is only to open a security tunnel. Then, because Internet Explorer marks this connection as a Keep-Alive connection for any HTTP request, Internet Explorer uses the connection to communicate by using HTTP instead of HTTPS. If you access a Web site by using HTTP, Internet Explorer first checks to determine whether a Keep-Alive connection exists that it can reuse.

In this situation, Internet Explorer tries to reuse this connection for HTTP traffic because the HTTP Connection: Keep-Alive header and the Proxy-Connection: Keep-Alive header exist in the HTTP response to the HTTP CONNECT request. However, ISA Server cannot reuse this connection for HTTP traffic. Therefore, ISA Server does not respond to the connection for HTTP from Internet Explorer. Then, Internet Explorer waits for two minutes for the connection to time out before Internet Explorer tries to connect to the HTTP Web site over a new connection.
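The response pattern described above can be looked for in a capture of the proxy's reply to a CONNECT request. The following is an added example, not part of the original Microsoft article; the function names are hypothetical and the sample responses are constructed for illustration, not captured from ISA Server.

```python
# Added example: flag the CONNECT response pattern described in the CAUSE section.
# Function names are hypothetical; sample responses below are constructed.

KEEPALIVE_HEADERS = ("connection", "proxy-connection")

def parse_response_head(raw: bytes):
    """Split a raw HTTP response head into (status_code, {header: [values]})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so store them lowercased
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers

def keepalive_on_connect(raw: bytes):
    """Return the header names that advertise Keep-Alive on a successful CONNECT."""
    status, headers = parse_response_head(raw)
    if not 200 <= status < 300:
        return []  # tunnel was not established, so there is no tunnel to reuse
    flagged = []
    for name in KEEPALIVE_HEADERS:
        # A header may repeat and may carry a comma-separated token list.
        tokens = [t.strip().lower() for v in headers.get(name, []) for t in v.split(",")]
        if "keep-alive" in tokens:
            flagged.append(name)
    return flagged

# Constructed sample: the reply to CONNECT that the article describes.
WITH_KEEPALIVE = (b"HTTP/1.1 200 Connection established\r\n"
                  b"Connection: Keep-Alive\r\n"
                  b"Proxy-Connection: Keep-Alive\r\n\r\n")
# Constructed sample: a reply without those headers (assumed shape, not from the article).
WITHOUT_KEEPALIVE = b"HTTP/1.1 200 Connection established\r\n\r\n"
# Constructed sample: a refused CONNECT; Keep-Alive here does not concern a tunnel.
DENIED = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
          b"Proxy-Connection: Keep-Alive\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("with", WITH_KEEPALIVE), ("without", WITHOUT_KEEPALIVE),
                       ("denied", DENIED)):
        print(label, keepalive_on_connect(raw))
```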


Hotfix installation information
Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

To resolve this problem, install the hotfix package that is mentioned in the following Microsoft Knowledge Base article:

920716 Description of the ISA Server 2004 hotfix package: June 6, 2006

After you install this hotfix, you must run the following script to enable the functionality that this hotfix provides. 

'
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.

' This script adds a new VendorParametersSet under the array root.
' Used to add new parameters that are needed for hotfixes or service packs.

Sub SetDontKeepAliveCONNECTRequest

    ' Create the root object.
    Dim root ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim array      ' An FPCArray object
    Dim VendorSets ' An FPCVendorParametersSets collection
    Dim VendorSet  ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and the vendor parameters sets collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )

    If Err.Number <> 0 Then
        Err.Clear

        ' Add the item
        Set VendorSet = VendorSets.Add( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name
    Else
        WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value("DontKeepAliveCONNECTRequest")
    End If

    ' Set the value and save only if it is not already True.
    If VendorSet.Value("DontKeepAliveCONNECTRequest") <> True Then
        Err.Clear
        VendorSet.Value("DontKeepAliveCONNECTRequest") = True

        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save False, True
            CheckError

            If Err.Number = 0 Then
                WScript.Echo "Done with DontKeepAliveCONNECTRequest, saved!"
            End If
        End If
    Else
        WScript.Echo "Done with DontKeepAliveCONNECTRequest, no change!"
    End If

End Sub

' Report and clear any pending error.
Sub CheckError

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

SetDontKeepAliveCONNECTRequest

Hotfix removal information
Important: Before you remove the hotfix that is mentioned in KB920716, you must first run the following script to remove the DontKeepAliveCONNECTRequest value.

'
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.

' This script removes a VendorParametersSet value.

Sub RemoveDontKeepAliveCONNECTRequest

    ' Create the root object.
    Dim root ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim array      ' An FPCArray object
    Dim VendorSets ' An FPCVendorParametersSets collection
    Dim VendorSet  ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and the vendor parameters sets collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )

    If Err.Number <> 0 Then
        Err.Clear
        WScript.Echo "VendorParametersSet does not exist."
    Else
        Err.Clear
        VendorSet.RemoveValue("DontKeepAliveCONNECTRequest")

        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save False, True
            CheckError

            If Err.Number = 0 Then
                WScript.Echo "Done removing DontKeepAliveCONNECTRequest, saved!"
            End If
        End If
    End If

End Sub

' Report and clear any pending error.
Sub CheckError

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

RemoveDontKeepAliveCONNECTRequest


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Keywords: kbtshoot kbbug kbfix kbprb KB920356


© Microsoft Corporation. All rights reserved.