TCP connection established using Firewall client may close unexpectedly

The Firewall Client software uses a control channel for communication between the Firewall client and ISA Server (UDP or TCP port 1745). If a client application wants to connect to an external computer on TCP port 23 (i.e. the telnet protocol), the control channel is used to negotiate a new dynamic port for this specific traffic (after ISA rule verification, of course). After this negotiation, the telnet traffic flows through the negotiated port. Let's call this the data connection.

Now, what happens to the control-channel TCP connection? It is left open until one of the peers closes the data connection.

To keep the control channel open, the Firewall client periodically sends a KeepAlive packet to ISA Server, once every 10 minutes. If a device between the client and ISA Server has an idle connection timeout configured for less than 10 minutes, that device will tear down the control channel, and ISA Server and the Firewall client will drop the data connection shortly thereafter (how soon depends on the third-party device's timeout value).

To correct this behavior, always ensure that any third-party device between the client and ISA Server has an idle timeout greater than 10 minutes.
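The rule above is a comparison between two timers: the keep-alive period of the endpoint and the idle timeout of whatever sits in the path. The following is an added example, not code from the Firewall client or ISA Server, that makes that comparison explicit and generalizes it to connections you control yourself: the Firewall client's 10-minute period is fixed (as the post states), so when you cannot change the intermediate device's timeout for your own long-lived TCP channels, the alternative is to make the endpoint send kernel keep-alives faster than the device expires idle flows. The device timeouts used here are illustrative values, and the `TCP_KEEPIDLE`/`TCP_KEEPINTVL`/`TCP_KEEPCNT` names are the Linux spellings (macOS calls the first one `TCP_KEEPALIVE`, which the code falls back to).

```python
import socket

# Control-channel keep-alive period of the Firewall client as stated in the
# post: one KeepAlive packet every 10 minutes.
FIREWALL_CLIENT_KEEPALIVE_S = 10 * 60


def control_channel_survives(keepalive_period_s, device_idle_timeout_s):
    """True when a keep-alive reaches the device before its idle timer expires.

    An equal value is treated as a loss: a timer that fires at exactly the
    keep-alive interval is a race the client will eventually lose.
    """
    return keepalive_period_s < device_idle_timeout_s


def keepalive_schedule(device_idle_timeout_s, probes=3):
    """Derive TCP keep-alive parameters (idle, interval, count) for a path whose
    most aggressive device drops idle flows after device_idle_timeout_s.

    The first probe is sent after `idle` seconds of silence; if unanswered,
    `count` further probes follow every `interval` seconds. The whole burst is
    sized so that even the last probe lands before the device timer fires.
    """
    if device_idle_timeout_s < 10:
        raise ValueError("idle timeout too short to schedule keep-alives")
    idle = device_idle_timeout_s // 2                      # spend half the window idle
    interval = max(1, (device_idle_timeout_s - idle) // (probes + 1))
    return idle, interval, probes


def configure_keepalive(sock, device_idle_timeout_s):
    """Enable kernel keep-alives on `sock`, tuned to the device idle timeout,
    and return the values the kernel actually accepted (None where the
    platform lacks the option)."""
    idle, interval, count = keepalive_schedule(device_idle_timeout_s)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # Linux: TCP_KEEPIDLE; macOS: TCP_KEEPALIVE (same meaning, different name).
    keepidle = getattr(socket, "TCP_KEEPIDLE", getattr(socket, "TCP_KEEPALIVE", None))
    keepintvl = getattr(socket, "TCP_KEEPINTVL", None)
    keepcnt = getattr(socket, "TCP_KEEPCNT", None)
    if keepidle is not None:
        sock.setsockopt(socket.IPPROTO_TCP, keepidle, idle)
    if keepintvl is not None:
        sock.setsockopt(socket.IPPROTO_TCP, keepintvl, interval)
    if keepcnt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, keepcnt, count)
    return {
        "keepalive": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE),
        "idle": sock.getsockopt(socket.IPPROTO_TCP, keepidle) if keepidle is not None else None,
        "interval": sock.getsockopt(socket.IPPROTO_TCP, keepintvl) if keepintvl is not None else None,
        "count": sock.getsockopt(socket.IPPROTO_TCP, keepcnt) if keepcnt is not None else None,
    }


def demo(device_idle_timeout_s):
    """Create a TCP socket, tune its keep-alives for the given device timeout
    and return what the kernel reports. No connection is made, so this runs
    offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        return configure_keepalive(sock, device_idle_timeout_s)
    finally:
        sock.close()


if __name__ == "__main__":
    # Illustrative device timeouts: 5 minutes (too short for the Firewall
    # client) and 15 minutes (fine).
    for timeout in (5 * 60, 15 * 60):
        ok = control_channel_survives(FIREWALL_CLIENT_KEEPALIVE_S, timeout)
        print(f"device idle timeout {timeout // 60} min: "
              f"control channel {'survives' if ok else 'is dropped'}")
    print("keep-alive tuning for a 5-minute device timeout:", demo(5 * 60))
```

`control_channel_survives(FIREWALL_CLIENT_KEEPALIVE_S, 300)` is the post's failure case (a 5-minute device timer beats the 10-minute keep-alive), while `keepalive_schedule(300)` yields an idle of 150 s, an interval of 37 s and three probes, so the last probe of an unanswered burst leaves at 261 s, still inside the 300 s window. The kernel values are only a safeguard for connections you own; for the Firewall client itself the device timeout is the knob to turn.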

Franck Heilmann

Escalation Engineer EMEA ISA team