UDP Updates Exception List Script for ISA Server and Forefront TMG (Updated for MS09-016)

Why do I need this?

< UPDATE May 12 2009 >
Since the release of security update MS09-016, some ISA and TMG administrators have observed the same behavior that was seen when they installed the UDP Update package. This happens because all ISA and TMG updates are cumulative, that is, each one is built on the updates that have been issued before it. As a result, some ISA and TMG administrators who chose not to apply the UDP Updates patch (or removed it after installing it) have found that services that create listeners within the dynamic port range used by the UDP Update are unavailable. You can use the script in this blog to alleviate these port reservation conflicts.
</Update>

Last month, we released a collection of updates to help mitigate the problem caused when DNS traffic crosses a NAT relationship. MSKB 956190 and this ISABlog article discussed these in great detail. As a reminder, the updates for ISA and TMG can be obtained here:

· ISA 2000 (requires SP2): http://support.microsoft.com/kb/956637

· ISA 2004 (requires SP3): http://support.microsoft.com/kb/958024

· ISA 2006 (requires SP1): http://support.microsoft.com/kb/956570

· TMG MBE: http://support.microsoft.com/kb/957298

As with the MS08-037 update on some SBS deployments, these updates may cause conflicts between ISA Server and other network services operating on the same server, such as IPSec NAT-T. Unlike the MS08-037 update, you cannot use the TCP/IP ReservedPorts list to resolve these conflicts. That method cannot work for ISA and TMG servers because it relies on dependencies which are not guaranteed to exist on the server where ISA Server operates, so ISA Server cannot use exactly the same process for allocating sockets as the DNS Server service does. Although this functionality is available on Windows Server 2008, we deemed it better to use the same mechanism for ISA and TMG on every supported platform, for more consistent behavior. Since the socket allocation process is different, the method for defining exceptions must also be different.

The Script

This script will create, modify or delete the ports which should not be allocated for the UDP NAT pool. The script will execute on ISA Server 2004, 2006 and Forefront TMG. Specific instructions are provided in the following section.

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

' Vendor parameters set (VPS) that holds the UDP port exclusion list.
Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "UserReservedPorts"
' Port ranges that must not be allocated from the UDP NAT pool.
' Each entry is start-end, and every entry (including the last) ends with ';'.
Const SE_VPS_VALUE = "12000-12100;64000-64050;"

' See below; uncomment the proper line to add or remove the VPS value.

Sub SetUserReservedPorts()
    ' Create the root object.
    Dim root ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim array ' An FPCArray object
    Dim VendorSets ' An FPCVendorParametersSets collection
    Dim VendorSet ' An FPCVendorParametersSet object

    ' Report failures through CheckError instead of aborting the script.
    On Error Resume Next

    ' Get a reference to the array that contains this server.
    Set array = root.GetContainingArray
    CheckError

    ' Get the array's vendor parameters sets collection.
    Set VendorSets = array.VendorParametersSets
    CheckError

    ' Look for our set; add it if it does not exist yet.
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    If Err.Number <> 0 Then
        Err.Clear
        ' Add the item
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name
    Else
        WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
    End If

    Err.Clear
    ' Set (or overwrite) the exclusion list.
    VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

' Uncomment the following line (and comment out the line above) to delete the VPS value.
'
' VendorSet.RemoveValue(SE_VPS_NAME)

    CheckError

    ' Persist the change to the array configuration.
    array.Save false, true
    CheckError
    WScript.Echo "Done saving..."
End Sub

Sub CheckError()
    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If
End Sub

SetUserReservedPorts

How do I Use it?

To add or update the port exclusion list, you would edit the script at the line where it reads:

Const SE_VPS_VALUE = "12000-12100;64000-64050;"

The ports you enter should be listed in much the same way as provided for the port list in MSKB 821873, except that for the ISA/TMG exclusion list, each port range (even the last entry) is terminated by a semicolon (;). For instance, if you need to exclude ports for IPSec NAT-T, you should have an entry as shown below (IPSec NAT-T operates on UDP:4500):

Const SE_VPS_VALUE = "4500-4500;"

You do not need to include any ports:
- below 1024 as ISA and TMG allocate UDP sockets using ports starting above 1024.
- for TCP listeners as this update only affects UDP socket allocations.

Once you’ve completed listing the ports you wish to exclude from the socket pool allocation, you would save the updated script to the ISA or TMG server local drive as “UserReservedPorts.vbs” and execute it from a command prompt using the command line below:

cscript <Drive>:\<Path>\UserReservedPorts.vbs
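The exclusion-list format is easy to get wrong (a missing trailing semicolon, a single port written without the "-end" half), and a typo is only discovered once the script has been run on the firewall. The helper below is an added example, not part of the original script or of ISA/TMG: it validates a candidate value against the format described on this page, merges new ports or ranges into an existing value (for instance the one the script echoes after "Existing VendorSet found... value-"), drops ports below 1024 as unnecessary per the note above, and prints the Const line to paste into UserReservedPorts.vbs. It runs on any machine with Python; all function names are invented here, and the sample values are constructed for the example.

```python
"""Helpers for the SE_VPS_VALUE port-exclusion string used by UserReservedPorts.vbs.

Added example; it is not part of the original script. It assumes only the
format described above: one "start-end" range per entry, every entry
(including the last) terminated by ';'. All function names are invented here.
"""
import re

_RANGE = re.compile(r"^(\d{1,5})-(\d{1,5})$")


def parse_reserved_ports(value):
    """Parse 'a-b;c-d;' into a sorted list of (start, end) tuples.

    Raises ValueError for anything outside the documented format, so a
    mistyped Const line is caught before the script is run on the server.
    """
    if value and not value.endswith(";"):
        raise ValueError("every entry, including the last, must end with ';'")
    entries = value.split(";")[:-1] if value else []  # drop the empty field after the last ';'
    ranges = []
    for entry in entries:
        m = _RANGE.match(entry.strip())
        if not m:
            raise ValueError("bad entry %r: expected start-end (e.g. 4500-4500)" % entry)
        start, end = int(m.group(1)), int(m.group(2))
        if not 1 <= start <= end <= 65535:
            raise ValueError("bad range %d-%d" % (start, end))
        ranges.append((start, end))
    return sorted(ranges)


def merge_ranges(ranges):
    """Collapse overlapping or adjacent ranges so the list stays minimal."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def format_reserved_ports(ranges):
    """Render ranges in the form the script expects, trailing ';' included."""
    return "".join("%d-%d;" % r for r in ranges)


def build_reserved_ports(existing, *ports):
    """Add ports (ints) or (start, end) tuples to an existing value string.

    Returns (new_value, skipped). Ports entirely below 1024 are skipped,
    since ISA/TMG do not allocate UDP sockets there and need no exclusion.
    """
    ranges = parse_reserved_ports(existing)
    skipped = []
    for p in ports:
        start, end = (p, p) if isinstance(p, int) else p
        if end < 1024:
            skipped.append(p)
            continue
        if not 1 <= start <= end <= 65535:
            raise ValueError("bad range %d-%d" % (start, end))
        ranges.append((start, end))
    return format_reserved_ports(merge_ranges(ranges)), skipped


def is_reserved(value, port):
    """True if port is covered by value; use it to check the value the script
    echoes ('Existing VendorSet found... value- ...') before relying on it."""
    return any(start <= port <= end for start, end in parse_reserved_ports(value))


if __name__ == "__main__":
    # Constructed sample: the script's default list plus IPSec NAT-T (UDP 4500).
    new_value, skipped = build_reserved_ports("12000-12100;64000-64050;", 4500)
    print('Const SE_VPS_VALUE = "%s"' % new_value)  # paste this line into the .vbs
    print("4500 reserved:", is_reserved(new_value, 4500), "skipped:", skipped)
```

Run it on your workstation, paste the printed Const line over the one in the script, and then copy the script to the server as described above. Because the parser rejects an unterminated last entry and a bare port number, the value that reaches the firewall is always in the form this page requires.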

To delete the port exclusions, you would change the script as follows:

1. Comment out (add a single quote at the beginning of) the following line

VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

2. Remove the comment (single quote) from the beginning of the following line

' VendorSet.RemoveValue(SE_VPS_NAME)

Save the file and run it using the following command line:

cscript <Drive>:\<Path>\UserReservedPorts.vbs

You will have to restart the Firewall service for the changes made by the script to take effect, so it's best to make these changes when your SLA allows downtime.

In Summary

As always, if you experience any problems with the updates or this script, you can post comments and complaints here and of course, CSS engineers are more than happy to assist you.

HTH,

Jim Harrison
Program Manager, Forefront Edge CS

If We Can't Fix It - It Ain't Broke!


Technical Reviewers

Doron Juster

Senior Developer – Forefront Edge CS

Yuri Diogenes

Security Support Engineer – Microsoft CSS Forefront Edge Team

Mohit Sexana

Tech Lead – Microsoft CSS Forefront Edge Team