Internal firewall client computers and SecureNAT client computers cannot connect to external servers

Internal firewall client computers and secure network address translation (SecureNAT) client computers cannot connect to external servers through a computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2004.

This behavior occurs when the Maximum Transmission Unit (MTU) size for the Internet connection is less than 1500 bytes on the computer that is running ISA Server 2004. For example, you experience this problem when the computer that is running ISA Server 2004 computer uses a DSL connection instead of an Ethernet connection.

A network trace on the external interface of the computer that is running ISA Server 2004 may show that this computer is not using the correct TCP maximum segment size (MSS) value for the TCP connection. You may find that this computer always uses an MSS value of 1460 and not the correct MSS value for the TCP connection. When this occurs, the TCP packets are dropped by external routers.

This behavior occurs because of a problem with the MTU checking process in ISA Server 2004.

How to obtain the hotfix

This issue is fixed in the ISA Server 2004 Hotfix Package dated May 31, 2006. For more information, click the following article number to view the article in the Microsoft Knowledge Base: After you apply the hotfix that is mentioned in Microsoft Knowledge Base article 919621, run the Microsoft Visual Basic script that is described in this section. To do this, follow these steps.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

1. Click Start, point to Programs, point to Accessories, and then click Notepad.
2. Paste the following code into a new Notepad document, and then save by using a file name that has a .vbs file name extension. An example of a file name that has a .vbs file name extension is AddReadMTUregistry.vbs.

   ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
   '
   ' Copyright (c) Microsoft Corporation. All rights reserved.
   ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
   ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
   ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
   ' HEREBY PERMITTED.
   ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
   
   ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
   ' This script adds a new VendorParametersSets under the array root.
   ' Used to added new parameters that are needed for hotfixes or service packs.
   ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
   
   Sub AddReadMTUregistry()
   
       ' Create the root obect.
       Dim root  ' The FPCLib.FPC root object
       Set root = CreateObject("FPC.Root")
   
       'Declare the other objects needed.
       Dim array       ' An FPCArray object
       Dim VendorSets  ' An FPCVendorParametersSets collection
       Dim VendorSet   ' An FPCVendorParametersSet object
   
       ' Get references to the array object
       ' and the network rules collection.
       Set array = root.GetContainingArray
       Set VendorSets = array.VendorParametersSets
   
       On Error Resume Next
       Set VendorSet = VendorSets.Item( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )
   
       If Err.Number <> 0 Then
           Err.Clear
   
           ' Add the item
           Set VendorSet = VendorSets.Add( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )
           CheckError
           WScript.Echo "New VendorSet added... " & VendorSet.Name
   
       Else
           WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value("AllowVLANandNLB")
       End If
   
       if VendorSet.Value("ReadInterfaceMTU") <> true Then
   
           Err.Clear
           VendorSet.Value("ReadInterfaceMTU") = true
   
           If Err.Number <> 0 Then
               CheckError
           Else
               VendorSets.Save false, true
               CheckError
   
               If Err.Number = 0 Then
                   WScript.Echo "Done with ReadInterfaceMTU, saved!"
               End If
           End If
       Else
           WScript.Echo "Done with ReadInterfaceMTU, no change!"
       End If
   
   End Sub
   
   Sub CheckError()
   
       If Err.Number <> 0 Then
           WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
           Err.Clear
       End If
   
   End Sub
   
   AddReadMTUregistry
   
   

3. Run the script. To do this, double-click the .vbs file that you created.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.