UDP Updates Exception List Script for ISA Server and Forefront TMG (Updated for MS09-016)


Why do I need this?

< UPDATE May 12 2009 >
Since the release of security update MS09-016, some ISA and TMG administrators have observed the same behavior as when they installed the UDP Update package. This happens because all ISA and TMG updates are cumulative; that is, each one is built on top of the updates issued before it. As a result, administrators who chose not to apply the UDP Updates patch (or who removed it after installing it) have found that services which create listeners within the dynamic port range used by the UDP Update are unavailable. You can use the script in this post to work around these port reservation conflicts.
</Update>


Last month, we released a collection of updates to help mitigate the problem caused when DNS traffic crosses a NAT relationship.  MSKB 956190 and this ISABlog article discussed these in great detail.  As a reminder, the updates for ISA and TMG can be obtained here:


· ISA 2000 (requires SP2): http://support.microsoft.com/kb/956637
· ISA 2004 (requires SP3): http://support.microsoft.com/kb/958024
· ISA 2006 (requires SP1): http://support.microsoft.com/kb/956570
· TMG MBE: http://support.microsoft.com/kb/957298


As with the MS08-037 update on some SBS deployments, these updates may cause conflicts between ISA Server and other network services operating on the same server, such as IPSec NAT-T (UDP 4500).  Unlike the MS08-037 case, you cannot use the TCP/IP ReservedPorts registry list to resolve these conflicts.  That method cannot work for ISA and TMG because it relies on dependencies that are not guaranteed to exist on the server where ISA Server runs, so ISA Server cannot use the same socket allocation process that the DNS Server service uses.  Although that functionality is available on Windows Server 2008, we deemed it better to use the same mechanism on both ISA and TMG so that their behavior stays consistent.  Since the socket allocation process is different, the way exceptions are defined must also be different: the exclusion list lives in the ISA/TMG array configuration (as a vendor parameters set), not in the registry.


The Script

This script creates, modifies or deletes the list of ports that must not be allocated from the UDP NAT pool.  It runs on ISA Server 2004, ISA Server 2006 and Forefront TMG.  Specific instructions are provided in the following section.



''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "UserReservedPorts"
Const SE_VPS_VALUE = "12000-12100;64000-64050;"

' See below: uncomment the proper line to add or remove the VPS.

Sub SetUserReservedPorts()

    ' Report errors through CheckError instead of aborting the script.
    On Error Resume Next

    ' Create the root object.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")
    CheckError

    ' Declare the other objects needed.
    Dim array         ' An FPCArray object
    Dim VendorSets    ' An FPCVendorParametersSets collection
    Dim VendorSet     ' An FPCVendorParametersSet object

    ' Get a reference to the array this server belongs to.
    Set array = root.GetContainingArray
    CheckError

    Set VendorSets = array.VendorParametersSets
    CheckError

    ' Look up the vendor parameters set by its GUID; Item raises an error if it does not exist yet.
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )

    If Err.Number <> 0 Then
        Err.Clear

        ' Add the item
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name
    Else
        WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
    End If

    Err.Clear

    ' Comment out the following line to delete the VPS.
    VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

    ' Uncomment the following line to delete the VPS.
    ' VendorSet.RemoveValue(SE_VPS_NAME)

    If Err.Number <> 0 Then
        CheckError
    End If

    ' Save the array configuration; the Firewall service is not restarted here.
    array.Save false, true
    WScript.Echo "Done saving..."

End Sub

Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

SetUserReservedPorts


 


How do I Use it?

To add or update the port exclusion list, edit the script at the line that reads:

Const SE_VPS_VALUE = "12000-12100;64000-64050;"

The ports are listed in much the same way as the port list in MSKB 821873, except that for the ISA/TMG exclusion list every entry, including the last one, is a range of the form low-high terminated by a semicolon (;).  A single port is written as a range with identical endpoints.  For instance, if you need to exclude the port used by IPSec NAT-T (UDP 4500), the line should read:

Const SE_VPS_VALUE = "4500-4500;"

You do not need to include:
– ports below 1024, because ISA and TMG allocate pooled UDP sockets from ports above 1024 only;
– ports for TCP listeners, because this update only affects UDP socket allocations.

Once you have listed the ports you wish to exclude from the socket pool allocation, save the updated script to the local drive of the ISA or TMG server as "UserReservedPorts.vbs" and execute it from a command prompt on that server:

cscript <Drive>:\<Path>\UserReservedPorts.vbs

To delete the port exclusions, change the script as follows:

1.       Comment out (add a single quote at the beginning of) the following line:

VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

2.       Remove the comment (single quote) from the beginning of the following line:

VendorSet.RemoveValue(SE_VPS_NAME)

Save the file and run it using the same command line:

cscript <Drive>:\<Path>\UserReservedPorts.vbs

The script does not restart services itself, so you will have to restart the Microsoft Firewall service for the change to take effect; it is best to make these changes when your SLA allows downtime.
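As an added example that is not part of the original post, here is the same procedure in PowerShell.  It covers the two things the VBScript leaves to you: it validates the exclusion string (one low-high range per entry, every entry terminated by a semicolon, bounds 1-65535, ranges not reversed, a warning for ports below 1024 since those are never pooled) and it harvests candidate ports from netstat output so that you exclude what is actually listening on the box rather than guessing.  It then writes or removes the UserReservedPorts value through the same FPC.Root COM object the script above uses.  Assumptions not stated on the page: the Microsoft Firewall service is named fwsrv and runs as wspsrv.exe, the netstat lines in the usage section are constructed sample data, and the InvokeMember call is the usual PowerShell workaround for assigning a parameterized COM property.

```powershell
# Added example (not from the original post): PowerShell version of the
# UserReservedPorts procedure with input validation and a listener check.
# Assumptions not stated on the page: the Firewall service is "fwsrv" and its
# process is wspsrv.exe; the netstat lines in the usage section are constructed.

$SE_VPS_GUID = '{143F5698-103B-12D4-FF34-1F34767DEabc}'
$SE_VPS_NAME = 'UserReservedPorts'

function New-UserReservedPortsValue {
    # Build the exclusion string from ports ("4500") or ranges ("12000-12100").
    # Every entry, including the last, is emitted as "low-high;".
    param([Parameter(Mandatory=$true)][string[]]$Ports)
    $entries = foreach ($p in $Ports) {
        if ($p -match '^\s*(\d{1,5})\s*(?:-\s*(\d{1,5}))?\s*$') {
            $lo = [int]$Matches[1]
            $hi = $lo
            if ($Matches[2]) { $hi = [int]$Matches[2] }
        } else {
            throw "Bad port entry '$p' (use N or N-M)"
        }
        if ($lo -lt 1 -or $hi -gt 65535 -or $lo -gt $hi) {
            throw "Port range '$p' is out of bounds or reversed"
        }
        if ($hi -lt 1024) {
            Write-Warning "'$p' is below 1024; ISA/TMG never pools UDP ports there"
        }
        "$lo-$hi;"
    }
    return (-join $entries)
}

function Get-UdpListenersAbove1023 {
    # Parse "netstat -a -n -o -p UDP" output and return the local UDP ports above
    # 1023 bound by processes other than $ExcludePid (pass the Firewall service's
    # own PID so its pooled sockets are not reported as conflicts).
    param([Parameter(Mandatory=$true)][string[]]$NetstatLines, [int]$ExcludePid = -1)
    $ports = foreach ($line in $NetstatLines) {
        # Columns: Proto, Local Address, Foreign Address, PID
        if ($line -match '^\s*UDP\s+\S+:(\d+)\s+\*:\*\s+(\d+)\s*$') {
            $port  = [int]$Matches[1]
            $owner = [int]$Matches[2]
            if ($port -gt 1023 -and $owner -ne $ExcludePid) { $port }
        }
    }
    return ($ports | Sort-Object -Unique)
}

function Set-UserReservedPorts {
    # Write the value (or delete it with -Remove) on the array through the same
    # FPC.Root COM object the VBScript uses, then save. The Firewall service is
    # not restarted here.
    param([string]$Value, [switch]$Remove)
    $root  = New-Object -ComObject 'FPC.Root'
    $array = $root.GetContainingArray()
    $sets  = $array.VendorParametersSets
    try   { $set = $sets.Item($SE_VPS_GUID) }
    catch { $set = $sets.Add($SE_VPS_GUID) }      # not present yet: create it
    if ($Remove) {
        $set.RemoveValue($SE_VPS_NAME)
    } else {
        # PowerShell cannot assign to a parameterized COM property with "=",
        # so set Value(Name) through the IDispatch binder instead.
        [System.__ComObject].InvokeMember('Value',
            [System.Reflection.BindingFlags]::SetProperty, $null, $set,
            @($SE_VPS_NAME, $Value))
    }
    $array.Save($false, $true)
}

# --- Usage: dry run against constructed netstat output (no ISA/TMG needed) ---
$sampleNetstat = @(
    '  UDP    0.0.0.0:500            *:*                                    1244',
    '  UDP    0.0.0.0:4500           *:*                                    1244',
    '  UDP    0.0.0.0:53             *:*                                    1480',
    '  UDP    10.0.0.5:12007         *:*                                    2012'
)
# PID 2012 stands in for wspsrv.exe here; port 500 and 53 are dropped as below 1024.
$candidates = Get-UdpListenersAbove1023 -NetstatLines $sampleNetstat -ExcludePid 2012
$value = New-UserReservedPortsValue -Ports $candidates
Write-Host "Exclusion string: $value"

# On the ISA/TMG server itself, apply it with live data and restart the service:
#   $fw   = (Get-Process wspsrv).Id
#   $live = netstat -a -n -o -p UDP
#   Set-UserReservedPorts -Value (New-UserReservedPortsValue (Get-UdpListenersAbove1023 $live -ExcludePid $fw))
#   Restart-Service fwsrv
# To delete the exclusions instead:  Set-UserReservedPorts -Remove; Restart-Service fwsrv
```

Run the dry-run part on any Windows box first; it only touches the COM object when you call Set-UserReservedPorts, and like the VBScript it saves with service reset disabled, so the Restart-Service step is still required for the new exclusions to take effect.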


In Summary

As always, if you experience any problems with the updates or this script, you can post comments and complaints here and of course, CSS engineers are more than happy to assist you.


HTH,


Jim Harrison
Program Manager, Forefront Edge CS


If We Can’t Fix It – It Ain’t Broke!


 


Technical Reviewers


Doron Juster


Senior Developer – Forefront Edge CS


Yuri Diogenes


Security Support Engineer – Microsoft CSS Forefront Edge Team


Mohit Sexana


Tech Lead – Microsoft CSS Forefront Edge Team


 
