Many ISA Firewall admins find that after installing Windows Server 2003 SP2, their ISA Firewalls no longer work as they used to. Not only do ISA Firewalls get horked, but many other negative side effects take place. For example, consider this list:
- When you try to connect to the server by using a VPN connection, you receive the following error message: Error 800: Unable to establish connection.
- You cannot create a Remote Desktop Protocol (RDP) connection to the server.
- You cannot connect to shares on the server from a computer on the local area network.
- You cannot join a client computer to the domain.
- You cannot connect to the Exchange server from a computer that is running Microsoft Outlook.
- Inactive Outlook connections to the Exchange server may not be cleaned up.
- You experience slow network performance.
- You may experience slow network performance when you communicate with a Windows Vista-based computer.
- You cannot create an outgoing FTP connection from the server.
- The Dynamic Host Configuration Protocol (DHCP) server service crashes.
- You experience slow performance when you log on to the domain.
- Network Address Translation (NAT) clients that are located behind Windows Small Business Server 2003 or Internet Security and Acceleration (ISA) Server experience intermittent connection failures.
- You experience intermittent RPC communications failures.
- The server stops responding.
- The server runs low on nonpaged pool memory.
These negative side effects were due to the Windows Server 2003 SP2 team deciding to enable Receive Side Scaling (RSS) and TCP/IP Offloading by default. Technical problems introduced by enabling these features include:
- RSS is incompatible with NAT or with Network Load Balancing (NLB).
- TCP/IP Offload has a problem with the Window Scaling feature. This problem typically occurs when you communicate with a Windows Vista-based computer. Windows Vista uses the Window Scaling feature.
- Some TCP/IP Offload-enabled network adapters do not send TCP keep-alive messages. However, Exchange servers use TCP keep-alive messages to clean up inactive client sessions.
- The TCP/IP Offload-enabled network adapter may consume lots of nonpaged pool memory. This may cause other problems in the operating system.
- In some cases, the TCP/IP Offload-enabled network adapter may request large blocks of contiguous memory. This makes the computer stop responding when it tries to free the memory.
In the past you had to make some Registry changes to fix the problem. But Microsoft has done us all a great favor by providing a downloadable fix. You can get it at:
Thomas W Shinder, M.D.
MVP — Microsoft Firewalls (ISA)