Health Checks I perform ISA Server Health Checks for Premier Support (via Premier Field Engineering) as part of my role. I’ve seen something a few times recently that I thought it might be helpful to call out, while poking around in the Performance Monitor TCPv4 counter area. The Problem In short: Lots of TCP retransmissions per second. Like, lots. More than 1% is annoying; any more than 5% and you pretty surely have a problem. Recently, I’ve been seeing 20% . That’s right, kids, according to Perfmon’s

As I possibly misspelled or misremembered it, the PL15ws2p.dll (possible sic) file was installed as a Winsock Layered Service Provider on a couple of boxes at a customer site. Coincidentally, these machines were Windows Server 2008 machines where we couldn’t get the Firewall Client to work properly. We found that there was a third party LSP using: NETSH WINSOCK SH CA > catalog.txt And then opening catalog.txt in notepad. The properties of the Pl15ws2p.dll indicated that it was a signed DLL from

Yuri’s blog explains some of the detail. But there’s slightly more subtlety to it, which I’ll try to snake-oil in front of you here: Can I install ISA 2006 on 32-bit Windows Server 2008 ? No , it only runs on Windows Server 2003. Okay, so technically, it also runs on Windows 2000, but if you’re installing it like that now, you should check the calendar. Windows 2000 is old, man. Why not ISA Server 2006 on Windows 2008? Whenever I asked that, people mumbled about TCP/IP stack changes. Sounds plausible

Today, an IIS 5.0 to 6.0 security advisory was released: Vulnerability in Internet Information Services Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/advisory/971492.mspx If you’re using WebDAV on any version prior to 7.0 (where it was completely rewritten, and released as an add-on module after ), you’ll want to read the advisory, and take appropriate action. Mitigating factors are listed in the advisory.

Rambling my way to a point One of my most favourite “Favorites” (read: “he snarled”) in recent weeks has been the ISA Server Product Team’s Build Numbers post . They helpfully list the version numbers of each ISA Server, um, version, along with a link to the most recent hotfix for that version. That’s so helpful . But: In most cases, you had to use the self-service hotfix feature to get that hotfix. Which is better than calling someone, but still not quite one-click conweenyence. And there was some

There are two major classes of Anti Virus software (yes, I know I used one word above, it’s called SEO, okay?) that can be used on an ISA Server computer: ISA-integrated antivirus scanning products Regular desktop/server antivirus products The first category is the cooler of the two, and typically involves a Web Filter and/or an Application Filter. It’s been designed to work with ISA Server, and will likely scan HTTP streams while ISA is processing them. The second category is more common – a desktop

Of all the things I could be doing right now, blogging is the one that won. Feel special? Procrastination, but with a helpful bent. IAG SP2 is now a VHD for Hyper-V Your mission, Jim, is to make that into a song. The most interesting “wow” moment I had today was reading that IAG (Intelligent Application Gateway - that’s that Whale SSL thingo) is now available without accompanying hardware . Previously (as I understand it) IAG 2007 was only available on a hardware appliance of sorts. Now, at least

Before the holidays, I bought myself an early present: a new quad-core box with 4GB RAM, which I was going to use for a home Hyper-V lab, so that I could run a bunch of 64-bit VMs as well as the 32-bit staples I’ve been using for years (SBS 2003, and a separate ISA Server box). I’d had Windows Server 2008 installed on my Virtual Server host for a while, and use it with Routing and Remote Access (RRAS)’ NAT to provide a simple internet gateway for a segment of my internal network. Lesson #1: Core

While searching for memory leaking troubleshooting techniques that could be applied to 64-bit Windows (for the DHCP Server memory leak I found I had the other day ), I stumbled across the answer to my problem in an internal tool (weird that I missed it from a web search the first time, but c'est la vie). A Windows Server 2008-based DHCP server that is configured in a workgroup environment may consume too much memory http://support.microsoft.com/default.aspx/kb/949530   And that's my problem!

A word of caution to those of you that like endings: this isn't over yet. I'm running a rather sad and noisy X64 desktop as a server at home. Once a proud warrior, actually, no, wait, it was never any good. It's just a Virtual Server host (it's not quite Hyper-V capable; next one will be). SBS 2003, an IIS and an ISA Server all exist(ed) happily in there at one point. (Did I mention I virtualized my work desktop machine the other day? So liberating!) I blatted Windows Server 2008 onto it at RTM,

So, we all know that ISA 2006 doesn't work on Windows Server 2008 . Massive architectural changes to the IP stack, blah blah, etc, etc. People (uh, yeah, just "people") have been asking about what's to become of ISA Server for a while: "There's no ISA 2008 announced!" they'd scream. "This surely means the end of one of the best product lines Microsoft has produced!" might have also been heard (in a somewhat muffled way). "Won't Tristan be out of a job?" one

I've mentioned Chimney before . Now, a new Windows Update fix for TCP Offload, which turns it off . It was on by default in Windows Server 2003 SP2, so if your NIC supported Offload, or RSS, or that other thing I can never remember, it was enabled. But: we (PSS we) typically turn it off as a first troubleshooting step for any network-related issue - a) because we know from experience that several drivers seem to do interesting things with it installed (that's a nice way of saying update your drivers

This question came up today (well, actually, it was about four weeks ago I started typing this, but bear with me), and it's been a little while since I've rambled about authentication protocols, so let's enjoy a nice, calm discussion on a Monday Tuesday arvo. The request was something like: In a Web Publishing scenario, can I do NTLM at the ISA Server and NTLM at the Exchange server too? No And the answer is - well, no . There's no way for the client browser to distinguish between the ISA Server

What can we say about MaxUserPort that hasn't already been said? Not a lot, it would seem. He's a beautiful dancer, perhaps? Ahh, such gentle humour, and nary a kitten drowned anywhere. But TCP port shenanigans are fairly frequently misunderstood, so let's talk about the very basics of MaxUserPort. NB: This is all pre-Vista behaviour - applicable from NT4 through to Windows Server 2003, including all the little NT-flavoured stops on the way.   MaxUserPort controls "outbound" TCP connections

All this stuff is based on a prerelease (RC1) version of Windows Server 2008 and may change before final release. Cheques may not be honoured. I had a happy moment one night in India when the trainer for our IIS 7.0 TTT course discussed some of the Kerberos-related improvements in IIS7. ... SetSPN got revamped. We all know (or knew, before my wiki collapsed) that duplicate Kerberos SPNs are bad . (The Wiki is still down, by the way, sorry). We know that it's been a little bit iffy configuring said

You're running an IIS 6.0 website, and you have a virtual directory configured for anonymous authentication only (that is, you've un ticked Integrated Windows Authentication). Using a web browser, you try to access a file in that virtual directory. http://example.com/vdir/something.txt What's a web browser? Know what IE is, Leon? Yeah. Same thing. I've never seen an IE. But I know what you mean. Anyway, the something.txt file is ACLd such that the anonymous user account (IUSR_MACHINENAME) doesn't

Yes, perhaps my friends are right. Or perhaps they're just not nice people. Oh, enough with the trying-to-suspend-the-tension thing, I'm of course talking about my desk phone (a venerable Meridian thingo) being replaced with a Catalina USB phone as part of our Sydney trial of Unified Everything (or just Unified Communications, but communications is everything, innit?). Yes, Office Communicator 2007 is now my IM client of choice, and the phone on the desk now doesn't have a dial pad . This initially

I recently encountered TCP Chimney for the first time in the wild. Short version: Chimney is an offload technology that allows the NIC to deal with up to X TCP connections, with any overflow being handled by Windows. All good: get the NIC dealing with more networky stuff, and reduce CPU use. Excellent! The reason it came up: I was staring at a small network monitor capture (should have been much bigger) that should have had a few tens of megabytes of FTP but was mostly comprised of SYN, SYN-ACK,

Hit this earlier while working with someone else on a Kerberos delegation problem. All the SPNs looked right and were registered against the right accounts; all the App Pools were Network Service; from what I'd been told, everything should have been working... but wasn't. More troublingly, it had been working at one point. But why!? We checked that Kerb was working from the client to the first tier, then grabbed a network capture from the web server while trying to reproduce the problem. The trace

For when you don't remember that you set your wireless gateway's static IP to .253, and it's not showing up in the list of leases on the DHCP server (predictably, but it's not helping your memory, and it's not in the arp cache either...), and you need to reboot it using the web interface, all through remote desktop from another suburb. Of course, if it's well 'ard and doesn't respond to pings, that won't work, but you might be able to fish the MAC address out of the ARP cache after it's run once.