ISA Server 2000 Fixes Included in Feature Pack 1 by Scott Jiles
Compiled and Authored by
Scott Jiles
Hotfixes included in ISA Feature Pack 1
Title: 318319 Access Violations Occur in the Web Proxy Service If an Impersonation Failure Occurs
Hotfix:
1200.170Link: http://support.microsoft.com/?id=318319
Files: 27-Mar-2002 14:10 3.0.
1200.170 383,760 W3proxy.exeSummary: When users try to access resources in an outgoing Web Proxy or in a Web Publishing scenario, the Web Proxy service may generate an access violation error and stop responding if Proxy authentication is required globally, if
Ask unauthenticated users for identification is enabled on the Outgoing Web Requests tab for the properties of the server, or if it is enabled specifically by access rules. Typically, the access violation error occurs only for users that are not a local administrator on the computer that is running Internet Server and Acceleration (ISA) Server. If local administrators try to access resources through the Web Proxy service, requests are served without any issues.
Title: 317822 FIX: Problems with Web Browser if ISA Server 2000 Is Chained to an Upstream Web Proxy Server
Hotfix: 1200.170
Link: http://support.microsoft.com/?id=317822
Files: 27-Feb-2002 14:10:00 3.0.
1200.170 383,760 W3proxy.exeSummary: If Internet Security and Acceleration (ISA) Server 2000 is chained to an upstream Web proxy server, you may experience unexpected delays, incomplete pages, random authentication warning messages, and so forth, when you browse the Web.
This behavior does not occur if the upstream proxy server requires NTLM authentication and the routing rule on the downstream server is configured to provide Integrated Authentication credentials to the upstream Web proxy server.
Title: 317122 Web Proxy Sends TCP Reset Instead of Only Closing Session
Hotfix: 1200.170
Link: http://support.microsoft.com/?id=317122
Files: 27-Feb-02 13:10:39 3.0.
1200.170 383,760 W3proxy.exeSummary: You may receive the following error message in your Web browser program (such as Microsoft Internet Explorer, NetScape Navigator, and so on) when you are posting data to a Web site:
The connection was reset by the server
The browser clients are connecting to the Web sites through an Internet Security and Acceleration (ISA) Server Web proxy server. Subsequent attempts to repost the data may work.
Title: 318005 ISA Firewall Service Cannot Start with More Than 85 IP Addresses on the External Network Adapter
Hotfix: 1200.171
Link: http://support.microsoft.com/?id=318005
Files: 28-Feb-2002 09:21:34 3.0.1200.171 294,672 Wspsrv.exe
Summary: The Internet Security and Acceleration (ISA) Server Firewall service may not start if you add more than 85 IP addresses to the external network adapter. When you start your computer after you do so, you may see an event that is similar to the following event:
Event Type: Error
Event Source: Service Control Manager
Event ID: 7031
Description:
The Microsoft Firewall service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: No action.
Title: 321846 Incorrect Canonicalization in Rules Engine
Hotfix: 1200.174
Link: http://support.microsoft.com/?id=321846
Files: 5-May-2002 11:30 3.0.
1200.174 384,272 W3proxy.exeSummary: Some specific URLs are not blocked by the Rules engine even when they are denied by a Site and Content rule. If a Site and Content rule exists that denies access to a specific destination such as www.example.com, a user can still visit that site if they type the destination in the following format:
www.example.com.
Note the period at the end of the domain name (also known as the "root" in DNS terms).
Title: 319374 Web Proxy Service Stops Responding
Hotfix: 1200.174
Link: http://support.microsoft.com/?id=319374
Files: 5-May-2002 11:30 3.0.
1200.174 384,272 W3proxy.exeSummary: When an Internet Security and Acceleration (ISA) Server-based computer that is Web publishing an SSL Web site receives an invalid SSL packet, the ISA Server Web Proxy service may crash, generate an access violation error message, and may stop providing services.
Title: 323889 Unchecked Buffer in Gopher Protocol Handler Can Run Code of Attacker's Choice
Hotfix: 1200.177
Link: http://support.microsoft.com/?id=323889
Files: 11-Jun-2002 13:08 3.0.
1200.177 30,992 W3pinet.dllSummary: A problem may occur on an Internet Security and Acceleration (ISA) Server-based or Proxy Server 2.0-based computer during the processing of Internet Gopher protocol requests. A typical Gopher request may look similar to this:
gopher://gopher.example.com:70/11/example%09%09%2b
When a malicious request is received, the ISA Server-based or Proxy Server 2.0-based computer may send back a response that is not valid, generate an access violation error message, and stop providing services.
A successful attack against the ISA Server-based or Proxy Server 2.0-based computer requires a malicious Gopher request. This request must originate from a valid user who is permitted by the firewall policy and that is received by the Web Proxy service. This means that a valid client would have to submit the initial request.
Title: 319376 How to Automatically Authenticate a User Against All Trusted Domains in
Hotfix:
1200.178Link: http://support.microsoft.com/?id=319376
Files: 11-Jun-2002 18:38 3.0.
1200.178 386,832 W3proxy.exeSummary: When you use Basic authentication in Internet Security and Acceleration (ISA) Server to authenticate Web Proxy users, ISA does not automatically try to authenticate the user against all trusted domains when no domain name is specified by the user. This occurs even if a backslash (\) is specified as the default authentication domain under Basic authentication for the Web Proxy listener in question, as explained in the following Microsoft Knowledge Base article:
168908 How to Authenticate a User Against All Trusting Domains
Title: 319375 The CERT_CONTEXT Structure Variable Is Not Available for Web Filters in ISA
Hotfix: 1200.178
Link: http://support.microsoft.com/?id=319375
Files: 11-June-2002 18:38 3.0.
1200.178 386,832 W3proxy.exeSummary: When you try to write a Web filter for Internet Security and Acceleration (ISA) Server that does client certificate Certificate Revocation List (CRL) validation, you cannot use the
CertVerifyRevocation application programming interface (API) because no CERT_CONTEXT structure server variable is available.
Title: 326116 FIX: Cannot Renew DHCP Assigned IP Address on External ISA Interface
Hotfix:
1200.179Link:
http://support.microsoft.com/?id=326116Files: 24-Oct-2002 20:21 3.0.1200.179 176,912 Mspadmin.exe
Files: 24-Oct-2002 20:20 3.0.1200.179 388,368 W3proxy.exe
Files: 24-Oct-2002 20:21 3.0.1200.179 297,232 Wspsrv.exe
Files: 24-Oct-2002 20:21 3.0.1200.179 99,600 Msphlpr.dll
Summary: On a computer running Internet Security and Acceleration Server, where the external interface is configured to have its IP address dynamically assigned from DHCP, you may not be able to renew the IP address on the interface.
For example, if you run ipconfig /release, followed by ipconfig /renew, from a command prompt, you may receive an error message similar to the following:
The following error occurred when renewing adapter MyAdapterName: DHCP Server unreachable
Additionally, you may not be able to turn off and turn on the external network adapter, or to automatically or manually change the assigned IP address on the external network adapter in ISA Server.
This problem also occurs when you have the DHCP Client Static Packet filter turned on in ISA Server.
The only way to renew the IP address is to temporarily turn off packet filtering or restart the computer running ISA Server.
Title: 321219 FIX: Server Publish May Fail on Dial-up Links
Hotfix:
1200.179Link:
http://support.microsoft.com/?id=321219Files: 24-Oct-2002 20:21 3.0.1200.179 176,912 Mspadmin.exe
Files: 24-Oct-2002 20:20 3.0.1200.179 388,368 W3proxy.exe
Files: 24-Oct-2002 20:21 3.0.1200.179 297,232 Wspsrv.exe
Files: 24-Oct-2002 20:21 3.0.1200.179 99,600 Msphlpr.dll
Summary: If you use ISA Server to server publish on a dial-up adapter link (such as an analog modem, ISDN, or ADSL), the server publish operation may fail. This problem may occur although you use a fixed IP address on the dial-up interface.
When you run netstat -an from a command prompt on the computer running ISA Server, you see that ISA Server is not listening on the published port on behalf of the published service. Because of this, no connections can be made to the server published service.
Typically, this problem occurs on a slow link such as an analog modem connection. However, it may occur when you use any type of dial-up adapter.
To get the server publishing rule to work, you must turn off and then turn on the server publishing rule, or you must stop and then restart the Firewall Service.
Title: 326116 FIX: Cannot Renew DHCP Assigned IP Address on External ISA Interface
Hotfix: 1200.179
Link: http://support.microsoft.com/?id=326116
Files: 24-Oct-2002 20:21 3.0.1200.179 176,912 Mspadmin.exe
Files: 24-Oct-2002 20:20 3.0.1200.179 388,368 W3proxy.exe
Files: 24-Oct-2002 20:21 3.0.1200.179 297,232 Wspsrv.exe
Files: 24-Oct-2002 20:21 3.0.1200.179 99,600 Msphlpr.dll
Summary: On a computer running Internet Security and Acceleration Server, where the external interface is configured to have its IP address dynamically assigned from DHCP, you may not be able to renew the IP address on the interface.
For example, if you run ipconfig /release, followed by ipconfig /renew, from a command prompt, you may receive an error message similar to the following:
The following error occurred when renewing adapter MyAdapterName: DHCP Server unreachable
Additionally, you may not be able to turn off and turn on the external network adapter, or to automatically or manually change the assigned IP address on the external network adapter in ISA Server.
This problem also occurs when you have the DHCP Client Static Packet filter turned on in ISA Server.
The only way to renew the IP address is to temporarily turn off packet filtering or restart the computer running ISA Server.
Title: 319378 ISA splits POSTs into multiple frames causing timeouts to some web
Hotfix: 1200.179
Link: http://support.microsoft.com/?id=319378
Files: 24-Oct-2002 20:21 3.0.1200.179 176,912 Mspadmin.exe
Files: 24-Oct-2002 20:20 3.0.1200.179 388,368 W3proxy.exe
Files: 24-Oct-2002 20:21 3.0.1200.179 297,232 Wspsrv.exe
Files: 24-Oct-2002 20:21 3.0.1200.179 99,600 Msphlpr.dll
Summary: A client that is submitting form data through an ISA Server may experience a timeout or an erroneous error message upon submission of the form.
A network trace will reveal that, on the external interface of the ISA Server, the HTTP POST is split into two parts; additionally, the web server can be seen to respond to the first part before it has received and processed the second.
Title: 319377 FIX: ISA Server Blocks Incoming Traffic Although a Valid Server
Hotfix: 1200.179
Link: http://support.microsoft.com/?id=319377
Files: 24-Oct-2002 20:21 3.0.1200.179 176,912 Mspadmin.exe
Files: 24-Oct-2002 20:20 3.0.1200.179 388,368 W3proxy.exe
Files: 24-Oct-2002 20:21 3.0.1200.179 297,232 Wspsrv.exe
Files: 24-Oct-2002 20:21 3.0.1200.179 99,600 Msphlpr.dll
Summary: ISA Server may temporarily block incoming traffic that is destined for a protocol that has a valid Server Publishing rule defined. This blockage typically does not occur for more than a few minutes.
Title: 313318 Cannot Relay Mail Through ISA Server If Authentication Is Required
Hotfix:
1200.180Link:
http://support.microsoft.com/?id=313318Files: 22-Oct-2002 14:25:24 3.0.1200.180 60,176 Fltrsnk1.dll
Files: 22-Oct-2002 14:25:28 3.0.1200.180 93,968 Smtpfltr.dll
Summary: Clients that are outside an ISA server cannot relay mail through that ISA server. This problem may occur if external clients try to send mail to other external recipients.
Title: 331063 Macintosh Outlook Clients Cannot Connect to Exchange Server Through ISA
Hotfix:
1200.181Link:
http://support.microsoft.com/?id=331063Files: 25-Nov-2002 05:19 3.0.
1200.181 47,888 Rpcfltr.dllSummary: When you use Internet Security and Acceleration Server (ISA) to publish an Exchange server and give external clients permission to connect to an internal Exchange server, x86-based Outlook clients can connect to the Exchange server, but Macintosh Outlook clients cannot connect to the Exchange server.
Title: 331064 FIX: ISA Reports May Span Unexpected Date Range or Show Incomplete Data
Hotfix: 1200.182
Link: http://support.microsoft.com/?id=331064
Files: 05-Feb-2003 13:28 501 Os.map
Files: 05-Feb-2003 13:59 3.0.1200.182 792,848 Sumgen.dll
Summary: Reports created on an ISA Server computer may span an unexpected date range or may show blank or incomplete data under certain conditions.
Title: 328705 FIX: ISA may show empty tables on the 'Traffic & Utilization' report
Hotfix: 1200.182
Link: http://support.microsoft.com/?id=328705
Files: 05-Feb-2003 13:28 501 Os.map
Files: 05-Feb-2003 13:59 3.0.1200.182 792,848 Sumgen.dll
Summary: Parts of the ISA 'Summary' and 'Traffic and Utilization' report may show tables that are empty or initialized to 0 for the first 12 days of the month.
Title: 319381 Server-Side Playlists Do Not Work with ISA Server
Hotfix: 1200.183
Link: http://support.microsoft.com/?id=319381
Files: 03-Nov-2002 10:48 3.0.1200.183 176,912 Mspadmin.exe
Files: 03-Nov-2002 10:48 3.0.1200.183 99,600 Msphlpr.dll
Files: 03-Nov-2002 10:48 3.0.1200.183 62,736 Strmfltr.dll
Files: 03-Nov-2002 10:47 3.0.1200.183 388,368 W3proxy.exe
Files: 03-Nov-2002 10:48 3.0.1200.183 297,232 Wspsrv.exe
Summary: When you use the Microsoft Media Server - Universal Datagram Protocol (MMSU) protocol from a Windows Media Player client that is behind an ISA Server computer, the Windows Media Player client may not work when it is connected to an external Windows Media Services resource that is hosting a server-side playlist and you try to move from one item in the server-side playlist to another.
You only see these symptoms when you connect to the server-side playlist host from a computer that is using the firewall client. Secure network address translation (SecureNAT) clients do not experience this issue.
Note that you only see the issue when you use MMSU to connect. If you instead use Microsoft Media Server - Transmission Control Protocol (MMST) to connect, you do not experience this issue. Also, the Windows Media Player client may not work if you connect by using Microsoft Media Server (MMS). By default, MMS tries MMSU first.
Scott Jiles is an Escalation Engineer with Microsoft PSS.
