Socket Pooling in Windows Server 2003

If you want to publish services co-located on the ISA Server itself, you have to be sure that socket pooling is disabled. We've described how to disable socket pooling in IIS 5.0 here at ISAServer.org. IIS 6.0 is a completely different story. Raymond Comvalius shows you how to disable socket pooling for IIS and Exchange Services running on the firewall itself.

by Raymond P.L. Comvalius

Well, what goes wrong?

When you try to run ISA Server on the same box that you use to publish services, you will probably run into a lot of trouble when you configure your published services. Most of those problems do not occur when you run the published services on another box inside your LAN.

So what’s the problem?

For example, let’s try to publish an SMTP server on the same box as your ISA Server. The system has two NICs: one connected to your LAN and one connected to the Internet. By default the SMTP server listens on all IP addresses on the box. You can tell the service to listen only on the IP address of the NIC that is connected to your LAN. Looking at the SMTP service, this appears to work: it is reachable only on the NIC that is connected to the LAN. In fact, though, the service did not free up the NIC that is connected to the Internet. So when you try to use that NIC for ISA Server, ISA Server will tell you that the SMTP port (25) on the Internet NIC is already in use by another application.

What is socket pooling?

SMTP did not let go of the NIC that is connected to the Internet because the service does not bind to every IP address in the system explicitly, but binds to the generic address 0.0.0.0. So when you tell the SMTP service to listen only on the IP address of the internal NIC, the service still binds to every IP address and every NIC in your system. This is called socket pooling. You can see it by entering the command netstat -an and looking at the output. You will see that a lot of your services are bound to 0.0.0.0. Among those services are SMTP (25), POP3, NNTP, HTTP (80) and HTTPS (443) when they are installed.

Figure 1: SMTP (25) and HTTP (80) running with socket pooling enabled

How to solve the problem

To solve the problem you have to disable socket pooling for those protocols that you plan to publish on the box. For SMTP, NNTP and POP3, use the following procedure:

  1. Open a command prompt.
  2. Change the directory to Inetpub\scripts.
  3. Enter one of the following, depending on the service that you want to disable socket pooling for:

a.  For SMTP:

net stop smtpsvc
cscript adsutil.vbs set smtpsvc/disablesocketpooling true
net start smtpsvc

This should also work for POP3 (use pop3svc) and IMAP4 (use imap4svc). I currently experience an error when trying to disable socket pooling for NNTP.

How about HTTP and HTTPS?

Up to IIS 5.0, disabling socket pooling for HTTP and HTTPS worked the same way as for the other protocols. IIS 6.0, though, has a completely different implementation of those protocols, because they are handled by the http.sys driver in kernel mode. This driver does not look at the metabase configuration for socket pooling and will simply ignore any modifications you make there.

To make things worse, Microsoft issued two KB articles about socket pooling with IIS 6.0, of which only one will work when you plan to publish Exchange 2003 OWA on your ISA box. For a start, the terminology in the product changed a bit. There is no disablesocketpooling property in IIS 6.0. You just bind the http.sys driver to an IP address on the system. According to Microsoft KB article 813368 you can bind the driver by port. When I tried this, I was not able to start the default website on my boxes with OWA installed. Microsoft KB article 331062 shows that you can just bind the driver to an IP address without specifying ports. This method worked flawlessly for me.

To configure http.sys you will need httpcfg.exe from the Windows Server 2003 Support Tools. Enter the following to bind http.sys to the desired IP address:

net stop http /y

httpcfg set iplisten -i <address internal interface>

net start w3svc

Use httpcfg query to see which IP address http.sys is listening on.
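
A check for the result of both procedures above, added here as an example and not part of the original article: it parses netstat -an output and reports which of the affected ports are still bound to 0.0.0.0. The sample output and the internal address 10.0.0.1 are constructed; the POP3 and NNTP entries assume the standard ports 110 and 119.

```python
import re

# Ports the article lists as bound to 0.0.0.0 while socket pooling is enabled.
# 110 (POP3) and 119 (NNTP) are the standard ports, assumed here.
POOLED_PORTS = {25: "SMTP", 80: "HTTP", 110: "POP3", 119: "NNTP", 443: "HTTPS"}
WILDCARDS = {"0.0.0.0", "[::]"}
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)

def listeners(netstat_text):
    """Map each listening TCP port to the set of local addresses bound to it."""
    found = {}
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            found.setdefault(int(match.group(2)), set()).add(match.group(1))
    return found

def audit(netstat_text, internal_ip, ports=POOLED_PORTS):
    """Report, per port, whether the service still holds every interface."""
    found = listeners(netstat_text)
    report = {}
    for port in sorted(ports):
        addrs = found.get(port, set())
        if not addrs:
            report[port] = "not listening"
        elif addrs & WILDCARDS:
            report[port] = "pooled"         # wildcard bind: external NIC still taken
        elif addrs == {internal_ip}:
            report[port] = "internal only"  # external NIC is free for ISA Server
        else:
            report[port] = "also bound to " + ", ".join(sorted(addrs - {internal_ip}))
    return report

# Constructed samples; 10.0.0.1 stands in for the internal NIC's address.
BEFORE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.0.0.1:25            10.0.0.7:1042          ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
AFTER = """
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.1:25            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:80            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:443           0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        for port, status in audit(sample, "10.0.0.1").items():
            print(label, port, POOLED_PORTS[port], status)
```

Run it against saved netstat -an output taken before ISA Server starts publishing the port; once ISA Server listens on the external address, that port is reported as "also bound to" the external address.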
