Unable to download files larger than 4GB through ISA 200x – works fine in TMG

  • Article

Recently we’ve seen some cases where users were unable to download files larger than 4GB when they were using ISA 200x as a forward proxy server. When the user tried to download a large file, e.g. an ISO image, they would see the download stop after the client had downloaded only a small chunk of data.

When we analyzed the problem we found that the issue was related to the Content-Length HTTP header. Due to a design limitation, ISA 200x is unable to correctly parse the large Content-Length header and convert it to an Unsigned Integer 32-Bit value. For those of you, not too familiar with coding, the maximum value for UInt32 is 4.294.967.295. If the parsed Content-Length header exceeds 4.294.967.295, then the download will stop after the client has downloaded the remainder of the overflowed integer. E.g. If the file size is less than 8GB the amount of data downloaded would be Filesize-~4GB.

These are the HTTP response headers you might see in a repro. As you can see we sent the client the full content length.

HTTP/1.1 200 OK
Proxy-Connection: Keep-Alive
Connection: Keep-Alive
Content-Length: 4313199008
Via: 1.1 ISA2006EE1
Date: Tue, 24 Mar 2009 17:11:05 GMT
Content-Type: *
ETag: "f5f31f26a0acc91:688"
Server: Microsoft-IIS/6.0
Cache-Control: max-age=2592000
Last-Modified: Tue, 24 Mar 2009 16:46:59 GMT
Accept-Ranges: bytes
X-Powered-By: ASP.NET

In this case the download will stop after getting ~18,223,284 bytes (4,313,199,008 bytes - 4,294,967,296 bytes = ~18.xxx.xxx bytes)

Microsoft has accepted that this is a limitation in the following products running on 32-bit operating systems:

  • Microsoft Internet Security & Acceleration Server 2000
  • Microsoft Internet Security & Acceleration Server 2004
  • Microsoft Internet Security & Acceleration Server 2006

To avoid facing this problem, please consider using one of the following workarounds:

1. Upgrade to Forefront Threat Management Gateway 2010 – As TMG will only run on 64-bit Windows operating systems, the limitation of a 32-bit variable is no longer an issue.

2. Use FTPoverHTTP to download big files in ISA 200x – As FTPoverHTTP uses different mechanisms to download big files, the issue doesn’t occur when you’re using FTPoverHTTP.

3. Use Download Managers – Most download managers will split downloads into multiple streams using byte-ranges, avoiding the big content length headers.

Also, please be aware that Internet Explorer 7 only supports downloading of files up to 4GB.

Author

Philipp Sand

Microsoft CSS Forefront Security Edge Team

Technical Reviewer

Lars Bentzen

Escalation Engineer - Microsoft CSS Forefront Security Edge Team