The Misery of IIS 5.0 Socket Pooling.
(Listen up: This is material not included in our book. So if you have the book, print this out and stick it in the book! -Tom)
Do you sometimes feel that ISA Server was designed to drive you crazy? If so, when were those times? I bet you felt like you were going nuts when you tried to do one of the following things:
Notice something that all of these things have in common? That right! They all have the service in question running on the ISA Server itself. It makes you think they should have called it Server Punishing rather than Publishing.
What is maddening about this situation is that the Help File says that it's no problem to publish services running on the ISA Server. Just make a couple of changes to the listening IP address for the particular service, then publish the service using that IP address. And away you go! The problem is that it doesn't work.
The Misery of Socket Pooling
All of these problems are related to a little known issue with IIS 5.0. The current version of IIS uses something called Socket Pooling which, if I understand the issue correctly, putatively improves performance. While it may improve performance, it completely whacks your ability to publish services on the ISA Server itself.
What Socket Pooling does is allow a particular service to listen on all IP addresses on a particular computer. For example, if you have one internal IP address bound to the internal interface and two IP addresses bound to the external interface, then Socket Pooling will allow the service, such as the IIS 5.0 FTP Service, to listen on all three IP addresses.
Let's take a closer look at this example.
Open the Internet Information Services console from the Administrative Tools menu.
What do you think will happen if I have packet filtering enabled and try to publish the FTP service on 192.168.1.186? It won't work! I could enable a packet filter to allow inbound TCP 21, but then we're not publishing the server. Is just listening on the interface that is directly connected to the Internet, and if I tried to put the server, the publishing rule would still not work.
Fixing the Socket Pooling Problem
In order to get the IIS W3SVC, FTPSVC and NNTPSVC to play nice with Web and Server Publishing Rules, we have to disable Socket Pooling. To do this, perform the following steps:
This same procedure will work for the WWW and NNTP services. Just replace msftpsvc with w3svc or nntpsvc. However, this procedure will not work with the SMTP service.
How to Disable SMTP Service Socket Pooling
To disable Socket Pooling for the SMTP service, you have to use a utility called Mdutil.exe. You can download this utility from the 'Tools' section of the 'Learning Zone'
mdutil set -path smtpsvc/1 -value 1 -dtype 1 -prop 1029 -attrib 1
For more information on Socket Pooling and the SMTP service, check out:
IIS 5.0 Socket Pooling has caused a great deal pain for budding ISA Server administrators. It would have been nice to have this issue mentioned in the Help File. But then if they did that, I wouldn't have had a good reason to write this article.
After disabling Socket Pooling using the methods described, you will be able to publish services located on the ISA Server itself. Although it is always preferable to remove all unnecessary services on the ISA Server, sometimes you can't get around the problem because of financial limitations. In that case, you have to run extra services on the ISA Server.
A special note for you Outlook Web Access admins. This solution will fix the problem you have had with publishing Outlook Web Access when it is located on the ISA Server itself. If you are trying to do this, I highly recommend that you read Martin Grasdal's article - "OWA and ISA Server" on this subject.
I hope this article was interesting and/or helpful to you. If you have any comments or suggestions related to this article, please post them on the www.isaserver.org message boards. You can also send me email at [email protected]; be sure to put the title of this article in the subject line. Thanks! -Tom.