DNS queries that pass through an ISA Server 2000 NAT gateway do not use random source ports

You are using Microsoft Internet Security and Acceleration (ISA) Server 2000 as a network address translation (NAT) gateway. Internal clients send Domain Name System (DNS) queries across this NAT gateway. However, after you install security update 953230 (security bulletin MS08-037) on a client, DNS queries that pass through the ISA Server 2000 NAT gateway from this client do not use random source ports.

This problem occurs because the NAT gateway may change the source port that is used by an internal client.

For more information about the cause of this problem, see the following Microsoft Knowledge Base article:

To resolve this problem, follow these steps:

1. Apply the following ISA Server 2000 update from the Microsoft Download Center:
   
   Update to Mitigate MS08-037 UDP Behavior Across NAT for Microsoft ISA Server 2000
   
   
   Download the 956637 package now.
2. Click Start, click Run, type cmd, and then click OK. At the command prompt, paste the following command, and then press ENTER.

   reg add HKLM\System\CurrentControlSet\Services\Fwsrv\Parameters /v RandomBindRetry  /t REG_DWORD /d 10 /f

Note After you install this update, ISA Server 2000 dynamically allocates random User Datagram Protocol (UDP) ports in new outgoing UDP sessions.

You do not have to restart the ISA Server 2000 computer after you apply this hotfix. However, the update installer will restart the Microsoft Firewall Service (fwsrv) after the update is successfully installed.

To work around this problem, use the methods that are discussed in the following Microsoft Knowledge Base article:

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: After you install the update, you can modify the registry to configure the number of times that ISA Server will try to use a random source port for each new outgoing UDP socket. To do this, follow these steps:

1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then right-click the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fwsrv\Parameters
3. Point to New, and then click DWORD Value.
4. Type RandomBindRetry.
5. Double-click RandomBindRetry, and then type a number in the Value data box.
   
   Note This value defines the number of times that ISA Server will try to use a random source port for each new outgoing UDP socket.
6. Restart the Microsoft Firewall Service (fwsrv).

Note The value of RandomBindRetry entry ranges from 0 through 10. If you set the value of this entry to 0, the update is disabled. If this entry does not exist, ISA Server 2000 assumes that the value is 10. Do not set RandomBindRetry to a value that is greater than 10.

To set this registry entry to a recommended value, run the following command at a command prompt.

For more information about this problem, visit the following Microsoft Web site:For more information about update 953230, click the following article number to view the article in the Microsoft Knowledge Base:

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base: