OK, who gets the WTF award for this KB article:

Valid secondary MMSU streaming sessions may be closed by ISA Server 2004:
http://support.microsoft.com/default.aspx?scid=kb;en-us;895135&sd=rss&spid=2108

SYMPTOMS

Microsoft Internet Security and Acceleration (ISA) Server 2004 may close valid secondary Multimedia Server Universal Datagram Protocol (MMSU) streaming sessions.

TOM: WTF is a MMSU streaming session? I don't see a MMSU protocol in the default list of Protocol Definitions, so I could create a MMSU protocol def of my own that doesn't have secondary connections. Maybe this is a mind reading trick?

CAUSE

This problem may occur because of the following scenario. One published network uses the Requests appear to come from the ISA Server computer option as the server publishing rule. Other published networks do not use this option. Secondary outgoing traffic from the networks arrives at the published server from the same IP address and port. Therefore, ISA Server 2004 may disconnect all the networks when you close your connection to one of the networks.

TOM: I don't publish Networks, I publish servers. What's a "published Network"? What are the "other published Networks"? I didn't know I had the option to publish an entire Network. Is this a Web or Server Publishing Rule? Probably server, since I don't see how secondary connections would be involved with a Web Publishing Rule. Of course, I could make my own simple MMSU protocol, which apparently can use any port for the primary "connection", since it's not defined. What's this "Secondary outgoing traffic from the networks" (plural) mean? I didn't realize that not only can I publish an entire Network, but I can publish multiple Networks. However, if I do a MMSU streaming something or another, then all the published Networks will get whacked when the mysterious secondary connection is established, or if something else happens.
RESOLUTION

To resolve this problem, use one of the following methods:

* Change the network relationship to Network Address Translation (NAT).

TOM: If I publish an entire Network, do I have to NAT the entire IPv4 space to the Networks published by the ISA firewall? Of course, I would be careful to remove the addresses on the ISA firewall Protected Networks and the Local Host Network from the IPv4 address space, otherwise I would end up with a spoofing issue and event log entries regarding invalid addresses.

* Change the server publishing rule so that the traffic appears to come from the clients.

TOM: What clients? Firewall, Web proxy or SecureNAT clients? Remote clients? Clients of what? MMSU protocol servers?

Note: For networks where the traffic appears to come from the server, use one IP address in the server publishing. For other networks, use a different IP address for each network.

TOM: WHAT NETWORKS???? This guy needs to be whipped with a cat o' nine tails.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.