Valid secondary MMSU streaming sessions may be closed by ISA Server 2004

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 14 Jul 2005 20:36:06 -0500

OK, who gets the WTF award for this KB article:

Valid secondary MMSU streaming sessions may be closed by ISA Server
2004:
http://support.microsoft.com/default.aspx?scid=kb;en-us;895135&sd=rss&spid=2108


SYMPTOMS


Microsoft Internet Security and Acceleration (ISA) Server 2004 may close
valid secondary Multimedia Server Universal Datagram Protocol (MMSU)
streaming sessions.
TOM: WTF is a MMSU streaming session? I don't see a MMSU protocol in the
default list of Protocol Definitions, so I could create a MMSU protocol
def of my own that doesn't have secondary connections. Maybe this is a
mind reading trick?

CAUSE

This problem may occur because of the following scenario. One published
network uses the Requests appear to come from the ISA Server computer
option as the server publishing rule. Other published networks do not
use this option. Secondary outgoing traffic from the networks arrives at
the published server from the same IP address and port. Therefore, ISA
Server 2004 may disconnect all the networks when you close your
connection to one of the networks. 
TOM: I don't publish Networks, I publish servers. What's a "published
Network"? What are the "other published Networks"? I didn't know I had
the option to publish an entire Network. Is this a Web or Server
Publishing Rule? Probably server, since I don't see how secondary
connections would be involved with a Web Publishing Rule. Of course, I
could make my own simple MMSU protocol, which apparently can use any
port for the primary "connection", since it's not defined. What does this
"Secondary outgoing traffic from the networks" (plural) mean? I didn't
realize that not only can I publish an entire Network, but I can publish
multiple Networks. However, if I do a MMSU streaming something or
another, then all the published Networks will get whacked when the
mysterious secondary connection is established, or if something else
happens.

RESOLUTION

To resolve this problem, use one of the following methods: 
*        Change the network relationship to Network Address Translation
(NAT).
TOM: If I publish an entire Network, do I have to NAT the entire IPv4
space to the Networks published by the ISA firewall? Of course, I would
be careful to remove the addresses on the ISA firewall Protected
Networks and the Local Host Network from the IPv4 address space,
otherwise I would end up with spoofing issues and event log entries
regarding invalid addresses.
*        Change the server publishing rule so that the traffic appears
to come from the clients. 
TOM: What clients? Firewall, Web proxy or SecureNAT clients? Remote
clients? Clients of what? MMSU protocol servers? 

Note For networks where the traffic appears to come from the server, use
one IP address in the server publishing. For other networks, use a
different IP address for each network.
TOM: WHAT NETWORKS???? This guy needs to be whipped with a cat o' nine
tails.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products
that are listed in the "Applies to" section.