< UPDATE May 12 2009 >
Since the release of security update MS09-016, some ISA and TMG administrators have observed the same behavior seen when they installed the UDP Update package. This happens because all ISA and TMG updates are cumulative, that is, each one is built on the updates issued before it. As a result, some ISA and TMG administrators who chose not to apply the UDP Update patch (or removed it after installing it) have found that services which create listeners within the dynamic port range used by the UDP Update are unavailable. You can use the script in this blog to alleviate these port reservation conflicts.
Last month, we released a collection of updates to help mitigate the problem caused when DNS traffic crosses a NAT relationship. MSKB 956190 and this ISABlog article discussed these in great detail. As a reminder, the updates for ISA and TMG can be obtained here:
· ISA 2000 (requires SP2): http://support.microsoft.com/kb/956637
· ISA 2004 (requires SP3): http://support.microsoft.com/kb/958024
· ISA 2006 (requires SP1): http://support.microsoft.com/kb/956570
· TMG MBE: http://support.microsoft.com/kb/957298
As with the MS08-037 update on some SBS deployments, these updates may cause conflicts between ISA Server and other network services operating on the same server, such as IPSec NAT-T. Unlike the MS08-037 update, you cannot use the TCP/IP ReservedPorts list to resolve these conflicts. That method cannot work for ISA and TMG servers because it depends on components that are not guaranteed to exist on the server where ISA Server operates, so ISA Server cannot use exactly the same process for allocating sockets as the DNS Server service does. Although that functionality is available on Windows Server 2008, we deemed it better to use the same mechanism for both ISA and TMG for more consistent behavior. Since the socket allocation process is different, the method for defining exceptions must also be different.
This script will create, modify or delete the ports which should not be allocated for the UDP NAT pool. The script will execute on ISA Server 2004, 2006 and Forefront TMG. Specific instructions are provided in the following section.
To add or update the port exclusion list, you would edit the script at the line where it reads:
The ports you enter should be listed in much the same way as provided for the port list in MSKB 821873, except that for the ISA/TMG exclusion list, each port range (even the last entry) is terminated by a semicolon (;). For instance, if you need to exclude ports for IPSec NAT-T, you should have an entry as shown below (IPSec NAT-T operates on UDP:4500):
You do not need to include any ports:
– below 1024 as ISA and TMG allocate UDP sockets using ports starting above 1024.
– for TCP listeners as this update only affects UDP socket allocations.
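As an added example (not the script from this post, and not part of ISA or TMG), the following stand-alone Python helper validates an exclusion list written in the format described above: each range is written as low-high and every entry, including the last, ends with a semicolon. It also converts a ReservedPorts-style list (one range per line, as in MSKB 821873) into that format and points out entries that lie entirely below 1024, which have no effect because ISA and TMG only allocate UDP sockets above that. The sample list is constructed for illustration; 4500 is the IPSec NAT-T port mentioned in the text.

```python
import re

# Constructed sample in the ISA/TMG exclusion-list format described in the post:
# every range, including the last, is terminated by a semicolon.
# 4500-4500 covers IPSec NAT-T (UDP 4500); 1812-1813 is an illustrative second range.
SAMPLE_EXCLUSIONS = "4500-4500;1812-1813;"

_RANGE_RE = re.compile(r"^(\d{1,5})-(\d{1,5})$")


def parse_exclusion_list(text):
    """Parse a semicolon-terminated list of port ranges into (low, high) tuples.

    Raises ValueError when the last entry lacks its terminating semicolon,
    when an entry is not of the form low-high, or when a range is not within
    1-65535 with low <= high.
    """
    text = text.strip()
    if not text:
        return []
    if not text.endswith(";"):
        raise ValueError("every range, including the last, must end with ';'")
    ranges = []
    # Drop the final ';' then split; an empty entry means a doubled ';;'.
    for entry in text[:-1].split(";"):
        m = _RANGE_RE.match(entry.strip())
        if not m:
            raise ValueError(f"malformed range entry: {entry!r} (expected low-high)")
        low, high = int(m.group(1)), int(m.group(2))
        if not (1 <= low <= high <= 65535):
            raise ValueError(f"invalid port range: {entry!r}")
        ranges.append((low, high))
    return ranges


def from_reservedports_lines(lines):
    """Convert a ReservedPorts-style list (one 'low-high' per line, as in
    MSKB 821873) into the ISA/TMG string, appending ';' to every entry."""
    return "".join(line.strip() + ";" for line in lines if line.strip())


def unnecessary_ranges(ranges, floor=1024):
    """Return ranges lying entirely below `floor`. ISA and TMG allocate UDP
    sockets starting above 1024, so excluding such ports changes nothing."""
    return [(lo, hi) for lo, hi in ranges if hi < floor]


if __name__ == "__main__":
    parsed = parse_exclusion_list(SAMPLE_EXCLUSIONS)
    print("parsed ranges:", parsed)
    print("converted from ReservedPorts lines:",
          from_reservedports_lines(["4500-4500", "1812-1813"]))
    print("entries with no effect:", unnecessary_ranges([(500, 500)] + parsed))
    try:
        parse_exclusion_list("4500-4500")  # missing trailing ';' on the last entry
    except ValueError as exc:
        print("rejected:", exc)
```

Running the validator before saving the edited script catches the most common mistake the post warns about, a last entry without its semicolon, and makes it obvious when an entry covers only ports the UDP pool never uses.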
Once you have finished listing the ports you wish to exclude from the socket pool allocation, save the updated script to the ISA or TMG server's local drive as "UserReservedPorts.vbs" and execute it from a command prompt using the command line below:
To delete the port exclusions, you would change the script as follows:
1. Comment out (add a single quote at the beginning of) the following line:
2. Remove the comment (the single quote) from the beginning of the following line:
Save the file and run it using the following command line:
You will have to restart the Firewall service for the changes made by the script to take effect, so it is best to make these changes when your SLA allows downtime.
As always, if you experience any problems with the updates or this script, you can post comments and complaints here and of course, CSS engineers are more than happy to assist you.
Program Manager, Forefront Edge CS
If We Can’t Fix It – It Ain’t Broke!
Senior Developer – Forefront Edge CS
Security Support Engineer – Microsoft CSS Forefront Edge Team
Tech Lead – Microsoft CSS Forefront Edge Team