Cannot connect to a service from a particular client computer in ISA Server 2004, in ISA Server 2006, or in Forefront Threat Management Gateway

A program that is running on a client computer may not be able to connect to a service through Microsoft Internet Security and Acceleration (ISA) Server 2004, ISA Server 2006, or Microsoft Forefront Threat Management Gateway, Medium Business Edition. In this scenario, the client program may crash or may stop responding (hang). Additionally, the following event may be logged in the Application log in Event Viewer on the ISA Server computer:

Event Source: Microsoft Firewall
Event Category: Packet filter
Event ID: 15113
Date: date
Time: time
Type: Warning
User: N/A
Computer: computername
Description: ISA Server disconnected the following client: IP address because its connection limit was exceeded.

Event Source: Microsoft Firewall
Event Category: Packet filter
Event ID: 15112
Description: The client 10.93.1.108 exceeded its connection limit. The new connection was rejected.

For Forefront Threat Management Gateway, Medium Business Edition, the following event may be logged:

Log Name: Application
Source: Microsoft Firewall
Date: Date and Time
Event ID: 21284
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: computername
Description:
The number of denied connections from the source IP address 192.168.1.49 exceeded the configured limit. This may indicate that the host is infected or is attempting an attack on the Forefront Threat Management Gateway, Medium Business Edition, computer.

This behavior may occur if the computer that the client program is running on has exceeded the number of concurrent connections that ISA Server 2004, ISA Server 2006, and Forefront Threat Management Gateway, Medium Business Edition, allows. ISA Server 2004, ISA Server 2006, and Forefront Threat Management Gateway, Medium Business Edition, implements a connection limit (also known as a quota) mechanism. By default, the number of concurrent connections is limited to 160 for each client computer (IP Address). If a client computer reaches this connection limit, ISA Server 2004, ISA Server 2006, and Forefront Threat Management Gateway, Medium Business Edition, implements one of the following connection limit mechanisms:

• For User Datagram Protocol (UDP) connections, if a client program reaches this connection limit, any additional UDP connections cause a previous UDP connection to be dropped.
• For Transmission Control Protocol (TCP) connections, if a client program reaches this connection limit, no additional connections are permitted.

This functionality is included in ISA Server 2004, in ISA Server 2006, and in Forefront Threat Management Gateway, Medium Business Edition, to help prevent one particular computer from overloading the ISA Server or Forefront Threat Management Gateway, Medium Business Edition computer with connections.

For information about setting connection limits and about how to troubleshoot this issue, visit the following Microsoft Web site: For more information about connection limits on Microsoft Forefront Threat Management Gateway, Medium Business Edition, visit the following Microsoft Web Site:

This behavior occurs on SecureNAT clients and on Microsoft Firewall clients (Web proxy clients appear as SecureNAT client TCP connections to ISA in this respect). This behavior is particularly noticeable if you use a perimeter network (also known as a DMZ, a demilitarized zone, and a screened subnet) with back-to-back ISA Server computers.

If you run your ISA Server computers back-to-back to create a perimeter network, you are more likely to experience this behavior. The internal ISA Server computer translates all the internal clients by using the NAT protocol. The frames are sent to the external ISA Server computer, and this computer uses the NAT protocol to translate all the internal clients again. To the external ISA Server computer, all the connections look similar to one client. The connections use the perimeter network IP address of the internal ISA Server computer. Therefore, to the external ISA Server computer, 40 internal clients look similar to 1 client that has 40 different connections.