Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

Changes to the firewall policy only affect new connections in ISA Server 2004



Introduction

When you make a configuration change to the Microsoft Internet Security and Acceleration (ISA) Server 2004 firewall policy, active sessions are not affected. This behavior also affects traffic that is controlled by schedules. By design, only new sessions are impacted by the changes to the policy.



More information

After a client initiates a request, ISA Server 2004 internally maintains an active state for the session that permits the response to return to the client. This active state also permits the client to send new requests. ISA Server removes the active state after the session is idle for one to two minutes. For example:
  • You use the Ping.exe utility to send a ping request from a client.
  • On the ISA Server computer, you apply a deny rule for Internet Control Message Protocol (ICMP) traffic. When you apply the rule, an active session on the firewall for the client that sent the ping request still exists.
  • If you immediately try to ping from the same client after you apply the deny rule, the ISA Server permits the ICMP traffic.
  • If you try to ping from a different client that is not in an active state, you experience the expected behavior. The ICMP traffic is not permitted.

Policy rules are applied immediately for new connections when you click Apply to save the changes and update the configuration. To make the changes apply to all existing connections, do either of the following:
  • Disconnect existing sessions using the session manager. To disconnect a session, start the ISA Server Management console, click Monitoring, click the Sessions tab in the middle pane, click the session that you want to disconnect, and then click Disconnect Session on the Tasks tab.
  • Restart the Microsoft Firewall service. To do this, start the ISA Server Management console, click Monitoring, click the Services tab in the middle pane, click Microsoft Firewall, click Stop Selected Service on the Tasks tab, and then click Start Selected Service on the Tasks tab.
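
The ping example and the two workarounds above, as a toy Python model added here (it is not Microsoft's code and does not describe how ISA Server is implemented internally). The class, method and client names are hypothetical, and the 120-second idle timeout is an assumed value taken from the "one to two minutes" stated above.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 120  # seconds; assumed upper end of the page's "one to two minutes"

@dataclass
class ToyFirewall:
    """Toy stateful filter (constructed model, not ISA Server's implementation)."""
    denied: set = field(default_factory=set)      # protocols blocked by policy
    sessions: dict = field(default_factory=dict)  # (client, proto) -> last-seen time

    def apply_policy(self, denied):
        # Like clicking Apply: rules change, the session table is left untouched.
        self.denied = set(denied)

    def handle(self, client, proto, now):
        key = (client, proto)
        last = self.sessions.get(key)
        if last is not None and now - last <= IDLE_TIMEOUT:
            self.sessions[key] = now       # active state: rules are not re-checked
            return "allow-existing"
        self.sessions.pop(key, None)       # no state, or state idled out
        if proto in self.denied:
            return "deny"
        self.sessions[key] = now           # new connection allowed, state created
        return "allow-new"

    def stale_sessions(self, now):
        # Active sessions that the current policy would refuse as new connections.
        return sorted(k for k, t in self.sessions.items()
                      if k[1] in self.denied and now - t <= IDLE_TIMEOUT)

    def disconnect(self, client):
        # Like Disconnect Session; a service restart would clear every entry.
        self.sessions = {k: t for k, t in self.sessions.items() if k[0] != client}

def ping_scenario():
    fw = ToyFirewall()
    results = [fw.handle("client-a", "icmp", now=0)]       # ping before the change
    fw.apply_policy({"icmp"})                              # add the ICMP deny rule
    results.append(fw.handle("client-a", "icmp", now=5))   # still in active state
    results.append(fw.handle("client-b", "icmp", now=5))   # no state: rule applies
    results.append(fw.stale_sessions(now=5))
    fw.disconnect("client-a")
    results.append(fw.handle("client-a", "icmp", now=6))   # state gone: denied
    return results

if __name__ == "__main__":
    print(ping_scenario())
```

The `stale_sessions` result is the set of sessions an administrator would disconnect after tightening policy, which is the gap between the rule set and what the firewall is still passing.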



Keywords: KB841140, kbinfo, kbfirewall


Article Info
Article ID : 841140
Revision : 4
Created on : 7/16/2004
Published on : 7/16/2004
Exists online : False