Deployment Recommendations for Connection Limits in ISA Server 2004

Microsoft Internet Security and Acceleration (ISA) Server 2004 provides a quota mechanism that imposes connection limits for TCP and non-TCP traffic handled by the Microsoft Firewall service. This includes requests from internal client computers configured as SecureNAT clients, Firewall clients, and Web Proxy clients in forward proxy scenarios, and requests from external clients handled by Web publishing and server publishing rules in reverse proxy scenarios. Connection limits are designed to help administrators prevent and manage flood scenarios. The mechanism helps with the following:

  • Prevents flood attacks from specific IP addresses.
  • Helps ISA Server administrators identify IP addresses that generate excessive traffic, which may be a symptom of a worm, virus, or spyware infection.

The connection limit mechanism cannot be applied to users. For example, the mechanism cannot limit users sending packets from multiple IP addresses.

Connection Limit Overview

Connection Limit Configuration

Troubleshooting Connection Limits

Connection Limit Customization

Appendix A: Configuring Connection Limits

Connection Limit Overview

Connection limits are applied at the transport layer, per protocol, as follows:

  • Limit on concurrent TCP connections.
  • Limit on concurrent non-TCP connections, such as User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP).

When counting connections, each connection is charged to the side that initiated it (the client that opened the connection), not to the side that accepted it.

ISA Server sets a default value for connection limits, or you can define a custom connection limit for the ISA Server computer. In ISA Server 2004 Enterprise Edition, this custom limit applies to all array members. Then, you specify IP addresses to which this custom limit should apply. A typical IP address assigned a custom limit would be a Web server, which may require many connections, and therefore need an increased limit. Custom IP addresses can be defined using computer sets.

Connection limits control the following:

  • The number of connections that can exist concurrently for a single IP address. For both TCP and non-TCP connections, the default limit is 160. When a client IP address reaches its TCP limit, no additional TCP connections are allowed from that address. When a client IP address that is at its UDP limit attempts another UDP connection, its oldest UDP connection is closed and the new connection is established.
  • The number of total non-TCP session creations allowed by a single server publishing rule or access rule during one second. The default limit is 1,000 connections per second per rule. You can set a range from 100 through 9,999,999. When the number of connections created for a specific rule during the current second reaches the set limit, ISA Server will not create another connection for new traffic that has no connection associated with it, the packets will be dropped, and an event will be generated. Existing connections will not be disconnected. After the current second passes, the counter will be reset, and new connections can be created during the next second until the limit is reached again. These limits do not apply to TCP connections, and connections created for TCP traffic are not counted against the maximum number of connections that can be created for a rule during one second.
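The two limits above interact in ways that are easy to get wrong when sizing them (a TCP client at its limit is refused, a UDP client at its limit has its oldest connection evicted, and the per-rule counter is scoped to one wall-clock second and ignores TCP). The following model is an added illustration written for this page, not ISA Server code: it encodes exactly the behaviour the text describes so the consequences can be exercised. The class name, the integer `second` argument, the `custom_limits` dictionary standing in for computer sets, and the event labels are all assumptions of the example.

```python
"""Model of the ISA Server 2004 connection-limit semantics described above.

Added illustration, not ISA Server code.  Defaults follow the text:
160 concurrent connections per client IP, 1,000 non-TCP creations per
second per rule.
"""
from collections import OrderedDict, defaultdict

DEFAULT_PER_CLIENT = 160            # "Connection limit per client (TCP and non-TCP)"
DEFAULT_PER_RULE_PER_SECOND = 1000  # "Connections created per second, per rule (non-TCP)"


class ConnectionQuota:
    def __init__(self, per_client=DEFAULT_PER_CLIENT,
                 per_rule_per_second=DEFAULT_PER_RULE_PER_SECOND,
                 custom_limits=None):
        self.per_client = per_client
        self.per_rule_per_second = per_rule_per_second
        # Per-IP overrides stand in for the computer sets the text mentions (assumption).
        self.custom_limits = dict(custom_limits or {})
        self.tcp = defaultdict(set)              # ip -> active TCP connection ids
        self.non_tcp = defaultdict(OrderedDict)  # ip -> active non-TCP ids, oldest first
        self.rule_counts = defaultdict(int)      # (rule, second) -> non-TCP creations
        self.events = []                         # (kind, subject) audit trail

    def limit_for(self, ip):
        return self.custom_limits.get(ip, self.per_client)

    def open(self, ip, conn_id, protocol, rule, second):
        """Try to create a connection initiated by `ip`; return True if established.

        `second` is the integer wall-clock second that scopes the per-rule
        counter.  The count is charged only to the initiating side.
        """
        if protocol == "tcp":
            active = self.tcp[ip]
            if len(active) >= self.limit_for(ip):
                # TCP at the limit: the new connection is rejected outright.
                self.events.append(("client_limit_rejected", ip))
                return False
            active.add(conn_id)
            return True

        # Non-TCP (UDP, ICMP, ...): the per-rule per-second quota is checked first.
        key = (rule, second)
        if self.rule_counts[key] >= self.per_rule_per_second:
            # Packet dropped, existing connections left alone; counter resets next second.
            self.events.append(("rule_quota_dropped", rule))
            return False
        self.rule_counts[key] += 1

        active = self.non_tcp[ip]
        if len(active) >= self.limit_for(ip):
            # Non-TCP at the limit: the oldest connection is closed to make room.
            oldest, _ = active.popitem(last=False)
            self.events.append(("oldest_closed", (ip, oldest)))
        active[conn_id] = True
        return True

    def close(self, ip, conn_id, protocol):
        """Release a connection so the client's concurrent count drops."""
        if protocol == "tcp":
            self.tcp[ip].discard(conn_id)
        else:
            self.non_tcp[ip].pop(conn_id, None)

    def active(self, ip, protocol):
        """Sorted ids of the client's currently open connections for a protocol."""
        table = self.tcp if protocol == "tcp" else self.non_tcp
        return sorted(table[ip])


if __name__ == "__main__":
    q = ConnectionQuota(per_client=3, per_rule_per_second=2)
    for i in range(4):
        print("tcp", i, q.open("10.0.0.1", i, "tcp", "Allow-Web", 0))
    print(q.events)
```

Run with small limits, as in the `__main__` block, and the fourth TCP connection from one address is refused while a fourth UDP connection evicts the first; raising `per_client` for one address via `custom_limits` is the analogue of assigning it a custom limit through a computer set.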

Connection Limit Configuration

There are a number of places to configure connection limits in ISA Server Management:

  • General node. To set this value globally for all types of ISA Server traffic (incoming requests to published servers and outgoing requests from Internal clients), specify connection limit settings in the General node of ISA Server Management. For instructions, see Specify connection limits in Appendix A: Configuring Connection Limits.
  • Web listener. You can specify connection limits for a specific Web listener. Web listeners are used in Web publishing rules, and one Web listener may have multiple rules. When you specify a connection limit on the Web listener, you are limiting the number of connections allowed to Web sites published using the specific listener. For instructions, see Specify connection limits for a Web listener in Appendix A: Configuring Connection Limits.
  • Web proxy on a specific network. You can specify a connection limit on the Web proxy properties of a specific network object. Web Proxy Filter handles outgoing HTTP traffic on port 80. When you specify this connection limit on a specific network, you limit the number of concurrent outgoing Web connections that are allowed on a specific network at any specific time. For instructions, see Specify Web proxy connection limits for a network in Appendix A: Configuring Connection Limits.

Troubleshooting Connection Limits

This section includes:

  • Connection limit customization. This includes an overview of scenarios in which the default connection limits may need to be increased.
  • Connection limit events, log entries, and alerts. This provides a list of events, log entries and alerts that may be triggered when connection limits are exceeded, and tips on troubleshooting connection limits.

Connection Limit Customization

We recommend that you keep the default connection limit settings to help prevent flood attacks. The defaults may be a problem in network address translation (NAT) scenarios, where many client addresses are hidden behind a single IP address. Such scenarios include:

  • Back-to-back perimeter scenario. In this scenario, the internal ISA Server computer applies NAT to outgoing requests from internal clients, and requests are forwarded to the edge ISA Server computer with the address of the internal ISA Server computer. To the edge server, all connections appear to be from a single client. For example, 20 requests from different clients appear to the edge ISA Server computer as 20 requests from the same IP address. The default connection limit for this IP address may be quickly exhausted.
  • Firewall or Web chaining scenarios. Web chaining routes Web proxy requests to an upstream proxy server. Firewall chaining configures the downstream ISA Server computer as a SecureNAT client or Firewall client of the upstream proxy. In both cases, NAT is applied to client requests that are routed to an upstream server. The upstream server will see different client requests from the same network as having the same IP address. Again, the default connection limit for this IP address may be quickly exhausted.
  • Site-to-site VPN scenario. Connection limits are enforced for site-to-site virtual private network (VPN) connections. Although NAT is applied to traffic between the remote networks, the IP address that replaces the internal addresses is automatically assigned a custom limit. Therefore, an exceeded limit error does not generally occur in this scenario.

For instructions for creating a customized limit for specific IP addresses, see Appendix A: Configuring Connection Limits.

Connection Limit Events, Log Entries, and Alerts

The following table describes warning events that may be issued when connection limits are exhausted.

Event ID   Message
15112      The client clientname exceeded its connection limit. The new connection was rejected.
15113      ISA Server disconnected the following client: clientname because its connection limit was exhausted.
15114      ISA Server disconnected a connection because its connection limit was exceeded.
15116      The request was denied because the number of connections per second allowed for a rule was exceeded.
15117      The request was denied because the number of connections per second allowed for the rulename rule was exceeded.

The following table shows the error codes returned by the Firewall service that may appear in the Firewall log.

Result code                         Hex ID       Details
WSA_RWS_QUOTA                       0x80074E23   A connection was refused because a quota was exceeded.
FWX_E_RULE_QUOTA_EXCEEDED_DROPPED   0xC0040033   A connection was rejected because the maximum number of connections created per second for this rule was exceeded.

The ISA Server events generated may trigger the ISA Server alert warnings described in the following table.

Alert warning                              Details
Connection limit exceeded                  Connection limits were exceeded for an IP address.
Connection limit for a rule was exceeded   The number of connections per second for a rule was exceeded.

The default setting for these alerts is Only if the alert was manually reset. An alert is retriggered only when you manually reset it, or when the Firewall service or the computer is restarted. This has two consequences:

  • It mitigates the possibility of flooding ISA Server with alerts and prevents the event log from filling up with instances of the alert.
  • Because the alert is triggered only once, only the first IP address to exceed the connection limits is reported. Other addresses are not reported until the alert is reset.

You can manually reset the alert by selecting it on the Alerts tab of the Monitoring node, and then selecting Reset Selected Alerts on the Tasks tab. Use the following procedure to change the alert threshold settings.

To modify the alert threshold

  1. In the console tree of ISA Server Management, click Monitoring:

    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Monitoring.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Monitoring.
  2. In the details pane, click the Alerts tab.

  3. On the Tasks tab, click Configure Alert Definitions.

  4. Select the alert Connection limit exceeded, and then click Edit.

  5. To specify how many events should occur per second before the alert is issued, on the Events tab, select Number of occurrences, and type a value.

  6. Select one of the following options:

    • To specify that the alert should be reissued immediately if the event recurs, click Immediately.
    • To specify that the alert should be reissued after a specified amount of time, click If time since last exception is more than, and then type the number of minutes that should elapse before the reissue.

Troubleshooting Steps for Alerts

Use the following procedure when an alert occurs.

To troubleshoot an alert

  1. Determine whether your network is being attacked, or whether there is simply a heavy load of valid traffic. Use network monitoring tools to determine this.

  2. If the limit has been exceeded due to a heavy load of non-TCP traffic, consider setting a higher per-rule connection limit. If the limit was exceeded due to malicious traffic, try the following:

    • If the malicious traffic appears to originate from the Internal network, this may indicate a virus on the Internal network. Identify the source IP address, and disconnect the computer from the network immediately.
    • If the malicious traffic appears to originate from a small range of IP addresses on an Internal or External network, create a rule denying access to a computer set that includes the source IP addresses.
    • If the traffic appears to originate from a large range of IP addresses, evaluate the overall status of your network. Consider setting a significantly smaller connection limit, so that ISA Server can better protect your network, while still providing services to clients who are not malicious.
  3. In scenarios such as those described in Connection Limit Customization, specify customized connection limits for the IP addresses of the chained server or back firewall.

  4. If you publish more than one UDP-based or raw IP-based service to the External network, you should configure smaller limits, to help keep your network secure from flood attacks.
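Steps 1 and 2 of the procedure above turn on one question: which source addresses are producing the quota result codes listed in the Firewall log table, and whether they are a single host, a small range, or a broad spread. The following triage helper is an added example written for this page, not part of ISA Server: the log lines are constructed, the column layout (a `#Fields:` directive followed by space-separated values) is a simplified stand-in for ISA Server's real W3C log format whose field order differs, and the Internal network range `10.0.0.0/8`, the rule names and the function names are assumptions of the example. The result codes and hex IDs are the ones from the table above.

```python
"""Triage of connection-limit result codes in a Firewall log.

Added example, not ISA Server code.  The log below is constructed and its
layout is a simplified stand-in for the real ISA Server W3C format.
"""
import ipaddress
from collections import Counter

# Result codes from the Firewall log table on this page.
QUOTA_CODES = {
    "0x80074E23": "WSA_RWS_QUOTA",                      # per-client quota exceeded
    "0xC0040033": "FWX_E_RULE_QUOTA_EXCEEDED_DROPPED",  # per-rule creations/second exceeded
}

# Constructed sample log (not real ISA Server output; layout is assumed).
SAMPLE_LOG = """\
#Software: example
#Fields: date time client-ip dest-ip dest-port protocol result-code rule
2004-09-01 10:00:01 10.0.0.15 192.0.2.10 80 tcp 0x80074E23 Allow-Web
2004-09-01 10:00:01 10.0.0.15 192.0.2.10 80 tcp 0x80074E23 Allow-Web
2004-09-01 10:00:02 10.0.0.15 198.51.100.7 445 tcp 0x80074E23 Allow-Web
2004-09-01 10:00:02 10.0.0.20 192.0.2.10 80 tcp 0x0 Allow-Web
2004-09-01 10:00:03 203.0.113.9 10.0.0.5 53 udp 0xC0040033 Publish-DNS
2004-09-01 10:00:03 203.0.113.9 10.0.0.5 53 udp 0xC0040033 Publish-DNS
2004-09-01 10:00:03 203.0.113.44 10.0.0.5 53 udp 0xC0040033 Publish-DNS
"""

# Assumed Internal network range for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_log(text):
    """Parse #Fields-directed, space-separated records into dicts."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split())))
    return records


def client_quota_hits(records):
    """Client IPs that hit the per-client quota (WSA_RWS_QUOTA), with counts."""
    return Counter(r["client-ip"] for r in records
                   if QUOTA_CODES.get(r["result-code"]) == "WSA_RWS_QUOTA")


def rule_quota_hits(records):
    """Rules whose per-second creation quota dropped packets, with counts."""
    return Counter(r["rule"] for r in records
                   if QUOTA_CODES.get(r["result-code"]) == "FWX_E_RULE_QUOTA_EXCEEDED_DROPPED")


def rule_quota_sources(records, rule):
    """Client IPs whose packets were dropped by one rule's per-second quota."""
    return Counter(r["client-ip"] for r in records
                   if r["rule"] == rule
                   and QUOTA_CODES.get(r["result-code"]) == "FWX_E_RULE_QUOTA_EXCEEDED_DROPPED")


def source_scope(ip_counter):
    """'single', 'small-range' (all within one /24) or 'large-range', as in step 2."""
    ips = [ipaddress.ip_address(ip) for ip in ip_counter]
    if len(ips) == 1:
        return "single"
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    return "small-range" if len(nets) == 1 else "large-range"


def recommended_step(ip_counter, internal_nets=INTERNAL_NETS):
    """Map the source pattern onto the actions the troubleshooting procedure lists."""
    if not ip_counter:
        return "no quota events"
    ips = [ipaddress.ip_address(ip) for ip in ip_counter]
    internal = all(any(ip in net for net in internal_nets) for ip in ips)
    scope = source_scope(ip_counter)
    if scope == "single" and internal:
        return "single internal host: check it for infection and disconnect it"
    if scope in ("single", "small-range"):
        return "small range: deny the source addresses with a computer set rule"
    return "large range: evaluate the network; consider a smaller connection limit"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("per-client quota:", dict(client_quota_hits(recs)), recommended_step(client_quota_hits(recs)))
    for rule in rule_quota_hits(recs):
        srcs = rule_quota_sources(recs, rule)
        print("rule", rule, dict(srcs), recommended_step(srcs))
```

On the constructed log this reports one internal host (10.0.0.15) repeatedly hitting its per-client quota, the candidate for step 2's first bullet, and two addresses in one /24 on the External side exhausting the Publish-DNS rule's per-second quota, the candidate for a computer-set deny rule. The /24 grouping is a heuristic for "small range"; adjust it to your own addressing plan.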

Appendix A: Configuring Connection Limits

Use the following procedure to limit the number of connections.

To specify connection limits

  1. In the console tree of ISA Server Management, click General:

    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click General.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click General.
  2. In the details pane, click Define Connection Limits.

  3. On the Connection Limit tab, select Limit the number of connections. Then, do the following:

    • In Connections created per second, per rule (non-TCP), type the number of connections allowed per rule, per second.
    • In Connection limit per client (TCP and non-TCP), type the number of connections allowed per client.
    • To override the default connection limit for specific IP addresses, in Custom connection limit, type the maximum number of connections allowed for specific users.
  4. Click Add to add computer sets to which these limits apply.

  5. Click Apply to save the settings.

Use the following procedure to limit the number of connections allowed to Web sites published with a specific Web listener.

To specify connection limits for a Web listener

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.
  2. On the Toolbox tab, click Network Objects.

  3. Expand Web Listeners and select the applicable Web listener.

  4. On the toolbar beneath Network Objects, click Edit.

  5. On the Preferences tab, select Advanced.

  6. In Advanced Settings, select one of the following:

    • Unlimited. To allow an unlimited number of clients to connect to Web servers published with this Web listener.
    • Maximum. To limit the maximum number of clients that can connect to Web servers published with this Web listener. Type the maximum number of connections.
  7. In Connection timeout, type the number of seconds before the server disconnects an inactive user. Then click OK.

  8. Click Apply to save the settings.

Use the following procedure to limit the number of outgoing Web proxy connections allowed from a specific network.

To specify Web proxy connection limits for a network

  1. In the console tree of ISA Server Management, click Networks:

    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click Networks.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click Networks.
  2. In the details pane, click the Networks tab, and then select the applicable network.

  3. On the Tasks tab, click Edit Selected Network.

  4. On the Web Proxy tab, select Advanced.

  5. Select one of the following:

    • Unlimited. To allow an unlimited number of requests to Web Proxy Filter on this network.
    • Maximum. To limit the maximum number of requests to Web Proxy Filter on this network.
  6. In Connection timeout, type the number of seconds before ISA Server disconnects an inactive user. Then click OK.

  7. Click Apply to save the settings.