Problems with HTTPS Requests When an ISA Server Computer Is Chained to an Upstream ISA Server Array

When you use a downstream Internet Security and Acceleration (ISA) Server computer that is chained to an upstream ISA Server array, Secure Sockets Layer (SSL) requests may not be successful, or authentication prompts may occur on the client. These problems appear only if all the following conditions are true:

• The upstream array includes at least two member server nodes.
• The upstream outbound access policy uses user-based or group-based protocol rules or site and content rules.
• The upstream ISA Server computer or array is configured to use NTLM authentication for outgoing Web requests.
• Ask unauthenticated users for identification is not selected on the outgoing Web request listener of the upstream ISA Server array. For more information about how to configure this setting, see the "More Information" section.
• The routing rule on the downstream ISA Server computer is configured to route to the upstream array and has Automatically poll upstream server for array information enabled. (That is, the header that is sent in a request to the server to enable the CARP protocol and to permit the correct routing is enabled. This header is "array.dll?Get.Info.v2".) For more information about how to configure this setting, see the "More Information" section.

This issue does not occur when Ask unauthenticated users for identification is set for outgoing Web requests on the upstream ISA Server computer or array. For more information about how to configure this setting, see the "More Information" section.

Note If you use the Automatically poll upstream server for array information setting as a workaround, you may experience another issue. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

When the downstream ISA Server computer forwards an HTTP request to the upstream array, it must authenticate through NTLM first. The downstream computer sends the first part of the NTLM authentication handshake to one node of the upstream ISA Server array, and the downstream computer sends the second part to the other node of the upstream ISA Server array. Because NTLM authentication must be established on a contiguous TCP (keep-alive) connection between the downstream ISA Server array and one single node of the upstream ISA Server array, authentication to the upstream ISA Server array does not succeed, and you notice the problems that are described in the "Symptoms" section.

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Note You must install ISA Server Service Pack 1 before you install this hotfix.
This fix also applies to the French, German, Spanish, and Japanese versions of ISA Server.

To configure Automatically poll upstream server for array information (Get.Info.V2) on the routing rule of the downstream ISA Server computer:

1. Open the ISA Server Microsoft Management Console (MMC).
2. Expand Servers and Arrays.
3. Expand your array name or your server name.
4. Expand Network Configuration.
5. Expand Routing.
6. Double-click the routing rule that is appropriate for routing to the upstream server or array.
7. Click the Action tab.
8. In the Routing them to a specified upstream server area, click Settings.
9. Click to select or click to clear the Automatically poll upstream server for array configuration check box.

To configure Ask unauthenticated users for identification:

1. Open the ISA Server MMC.
2. Right-click the server or array name, and then click Properties.
3. Click the Outgoing Web Requests tab.
4. Click to select or click to clear the Ask unauthenticated Users for identification check box.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.