Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. DNS queries that are passed through ISA Server 2004 NAT do not use random source ports

DNS queries that are passed through ISA Server 2004 NAT do not use random source ports

View products that this article applies to.

Symptoms

You use Microsoft ISA Server 2004 as a network address translation (NAT) gateway, and an internal client sends Domain Name System (DNS) queries across ISA Server 2004. However, after you install security update 953230 (MS08-037) on the client, DNS queries that are passed through ISA Server 2004 NAT do not use random source ports.

↑ Back to the top

Cause

This problem occurs because NAT-based firewalls may change the source port that is used by an internal client.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
956190 DNS queries that are sent across a firewall do not use random source ports after you install security update 953230 (MS08-037)

↑ Back to the top

Resolution

To resolve this problem, follow these steps:
  1. Apply the ISA Server 2004 update available from Microsoft Download Center:
    ISA Server 2004 Standard Edition:
    http://www.microsoft.com/downloads/details.aspx?FamilyId=0AB83F12-653B-4BE1-BEFE-594C4EF62BAA
    ISA Server 2004 Enterprise Edition:
    http://www.microsoft.com/downloads/details.aspx?FamilyId=55CE3623-2F7B-4900-9A2F-7E2AA2FE9C50
    Note After you install this update, ISA Server allocates a set of random UDP ports and then selects a port from this set for use in new outgoing UDP sessions.
  2. Click Start, click Run, type cmd, and then click OK. At the command prompt, paste the following command, and then press ENTER: 
    reg add HKLM\System\CurrentControlSet\Services\Fweng\Parameters /v ReservedPortThreshold /t REG_DWORD /d 1250 /f
  3. Restart the ISA Server computer.

↑ Back to the top

Workaround

To work around this problem, use the methods that are mentioned in the following Microsoft Knowledge Base article:
956190 DNS queries that are sent across a firewall do not use random source ports after you install security update 953230 (MS08-037)

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More information

Modify the size of the socket pool

After you install the update, you can modify the registry to configure the size of the socket pool that ISA Server will build on startup. To do this, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then right-click the following registry key:
    HKLM\System\CurrentControlSet\Services\Fweng\Parameters
  3. Point to New, and then click DWORD Value.
  4. Name the newly created entry as ReservedPortThreshold.
  5. Double-click the ReservedPortThreshold entry. You can set the size of the socket pool by typing a number in the Value data box.
  6. Restart the ISA Server computer.
Note The value of the ReservedPortThreshold entry ranges from 1 to 1250. This value defines one-half of the number of ports that will be allocated on startup and as required during the operation. If this entry does not exist, ISA Server assumes that the value is 50. Changing this value to less than 1250 increases the predictability of source port usage within the pool and is not recommended.

To set this registry entry to a recommended value, run the following command at a command prompt:
reg add HKLM\SYSTEM\CurrentControlSet\Services\Fweng\Parameters /v ReservedPortThreshold /t REG_DWORD /d 1250 /f

Disable this update

If you encounter problems after you install this update, you can disable this update by following these steps:
  1. Save the following script as KB958024.vbs:
    '-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
'
'    This code is Copyright (c) 2008 Microsoft Corporation.  
'
'    All rights reserved.
'
'    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
'    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
'    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
'    PARTICULAR PURPOSE.
'
'    IN NO EVENT SHALL MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS BE
'    LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
'    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
'    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
'    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
'    OF THIS CODE OR INFORMATION.
'
'-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "BindRandomizationCount"
Const SE_VPS_VALUE = 0

Sub SetValue()

    ' Create the root obect.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    'Declare the other objects needed.
    Dim array       ' An FPCArray object
    Dim VendorSets  ' An FPCVendorParametersSets collection
    Dim VendorSet   ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and the network rules collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )

    If Err.Number <> 0 Then
        Err.Clear

        ' Add the item
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name

    Else
        WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
    End If

    if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            CheckError

            If Err.Number = 0 Then
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If

End Sub

Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

SetValue
  2. Click Start , click Run , type cmd, and then click OK. At the command prompt, type the following command, and then press ENTER: 
    cscript KB958024.vbs
  3. Restart the ISA Server computer.

↑ Back to the top

References

For more information about this problem, visit the following Microsoft Web site:
http://blogs.technet.com/isablog/archive/2008/08/28/isa-tmg-nat-behavior-and-ms08-037.aspx
For more information about the MS08-037 update, click the following article number to view the article in the Microsoft Knowledge Base:
953230 MS08-037: Vulnerabilities in DNS could allow spoofing


For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

↑ Back to the top

Keywords: KB958024, kbqfe, kbexpertiseinter

↑ Back to the top

Article Info
Article ID : 958024
Revision : 1
Created on : 11/11/2008
Published on : 11/11/2008
Exists online : False
Views : 333