ISA Server 2000 Updates
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist. |
Updated : March 30, 2004
On This Page
Overview
Releases after Feature Pack 1
Feature Pack 1 Updates
Service Pack 1 Updates
Updates by Date
Overview
This document contains information about all updates, hotfixes, security patches, feature packs, and service packs issued since Microsoft® Internet Security and Acceleration (ISA) Server 2000 was released. Many of the fixes and updates are included in ISA Server 2000 Service Pack 1 (SP1) and ISA Server 2000 Feature Pack 1, and most are available individually from the Microsoft Download Center. For more information on downloads, see the Downloads page on the ISA Server Web site.
Last Updated: 1 January, 2004
Releases after Feature Pack 1
These are the security patches that were released after the feature pack release in January 2003.
Article |
Date |
Title |
---|---|---|
July 16, 2003 |
Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack |
|
April 24, 2003 |
Running ISA Server on Windows Server 2003 |
|
April 9, 2003 |
Flaw in Winsock Proxy Service Can Cause Denial of Service |
|
March 19, 2003 |
A Problem in the ISA Server DNS Intrusion Detection Filter May Cause Denial of Service |
Feature Pack 1 Updates
ISA Server Feature Pack 1 was released inJanuary 2003 and includes a number of new features and fixes.
New features deliver enhanced security and ease of use for e-mail server, Web server, and Exchange Outlook® Web Access deployments.
E-mail server security is enhanced by the improved ability to filter out unwanted e-mail messages. Feature Pack 1 provides protection for remote Outlook users accessing Exchange Server over untrusted networks, without a virtual private network (VPN). Improved authentication and protection enables ISA Server to better secure Web and Outlook Web Access servers. New wizards, scenario walk-throughs, and technical documentation make configuration easier, and provide answers to commonly asked questions.
The following features are new and improved in ISA Server Feature Pack 1, and some of the items are available as separate component downloads:
Enhanced Simple Mail Transfer Protocol (SMTP) filter
Enhanced Exchange remote procedure call (RPC) filter (RPC encryption and Outbound RPC)
URLScan 2.5 for ISA Server
Rivest-Shamir-Adleman (RSA) SecurID authentication
Basic authentication delegation
Outlook Web Access Wizard
RPC Filter Configuration Wizard
Link translator
Scenario walk-throughs and technical documentation
The following updates and hotfixes are included in Feature Pack 1.
Date |
Title |
---|---|
November 25, 2002 |
Macintosh Outlook Clients Cannot Connect to Exchange Server Through Internet Security and Acceleration Server |
October 24, 2002 |
Cannot Renew DHCP Assigned IP Address on External ISA Server Interface |
October 24, 2002 |
Server Publish May Fail on Dial-up Links |
October 24, 2002 |
ISA Server Blocks Incoming Traffic Although a Valid Server Publishing Rule Exists |
June 17, 2002 |
Heavy NTLM Authentication Traffic Occurs Between Internet Explorer and the Proxy Server |
June 14, 2002 |
ISA Server 2000 Security Patch for Unchecked Buffer in Gopher Protocol Handler |
June 11, 2002 |
The CERT_CONTEXT Structure Variable Is Not Available for Web Filters in ISA Server |
June 11, 2002 |
How to Automatically Authenticate a User Against All Trusted Domains in ISA Server |
April 26, 2002 |
ISA Server 2000 Hotfix for Rules Engine and Potential Web Proxy Service Crash |
March 27, 2002 |
Access Violations Occur in the Web Proxy Service If an Impersonation Failure Occurs |
February 28, 2002 |
ISA Server Firewall Service Cannot Start with More Than 85 IP Addresses on the External Network Adapter (from PSS only) |
February 27, 2002 |
Web Proxy Sends TCP Reset Instead of Only Closing Session (from PSS only) |
February 27, 2002 |
Problems with Web Browser if ISA Server 2000 is Chained to an Upstream Web Proxy |
Service Pack 1 Updates
ISA Server 2000 Service Pack 1 (SP1) (English) was published in February 2002. It includes all the ISA Server updates released prior to the service pack, as well as fixes released concurrently with SP1. Microsoft Knowledge Base (KB) article 313249 details all the updates and KB articles that were addressed in SP1. This information is also included, together with installation instructions, in the ISA Server 2000 SP1 Release Notes (English). Note the following:
If you are running ISA Server 2000 SP1 on a Windows® 2000 Server or Windows 2000 Advanced Server computer, Windows 2000 SP2 or later is required.
ISA Server 2000 SP1 is not compatible with the ISA Server 120-day trial software.
The following fixes are included in SP1.
Date |
Title |
---|---|
September 23, 2001 |
Server Publishing Rules Intermittently Fail |
August 26, 2001 |
Clients That Use an Automatic Configuration Script May Not Work Because of Proxy Authentication |
August 26, 2001 |
The ISA Server Response to Client Options Requests Is Limited to a Predefined Set |
August 15, 2001 |
ISA Server 2000 Security Patch for Web Proxy Service and H.323 ASN DLL |
July 10, 2001 |
Firewall Client Conflict with Third-Party Layered Service Providers Causes Connectivity Problems |
July 1, 2001 |
"STOP 0x000000D1" When Passing Fragmented Packets Without NAT |
July 1, 2001 |
Access Violation Occurs in Your Firewall Client When It Is Under a High Load and Is Using WSPAD |
July 1, 2001 |
Some Server Variables Are Not Fully Implemented in ISA Server |
July 1, 2001 |
Proxy Error 502 is Returned by ISA Server Under Heavy Stress |
June 12, 2001 |
ISA Server Does Not Cache Responses That Contain the Location Header |
June 12, 2001 |
Multiple Authentication Dialog Boxes Are Displayed When You Use Access Control |
June 12, 2001 |
Invalid Content-Length Header May Cause Requests to Fail Through ISA Server |
May 6, 2001 |
Incomplete HTML Pages and Random Authentication Prompts If ISA Server Is Chained to Upstream Proxy |
April 4, 2001 |
Multiple Overdue Tasks Are Run and Alerts Are Issued for a Short Period |
April 3, 2001 |
Web Proxy Service Crashes If URL Requests a Specifically Malformed Argument |
March 21, 2001 |
Slow Response from Downstream ISA Server Using Web Proxy Chaining |
March 19, 2001 |
Firewall Service (Wspsrv.exe) Problems with High S-NAT Client Load |
March 19, 2001 |
External MAPI Clients Cannot Connect with RPC |
March 13, 2001 |
Deleting Disabled SMTP Filter Attachment Rule Leaves Corrupted Rule |
March 13, 2001 |
Cannot Configure or Use the SMTP Filter If the Decimal Symbol Is Not a Period |
March 13, 2001 |
High Memory Consumption by SMTP Message Screener Under Stress |
March 13, 2001 |
Unregistered Fltrsnk1.dll Starts with Inetinfo.exe |
March 11, 2001 |
Access Violation in Mspadmin.exe with ISA Server with Multiple IP Addresses on an External Interface |
January 25, 2001 |
ISA Server 2000 fix for UDP Log |
January 25, 2001 |
ISA Server 2000 Fix for Packet Filter Log |
Updates by Date
This section lists all the ISA Server 2000 updates in date order. To view individual articles, search for an article by number.
ISA Server 2000 Security Update for Error Pages
Date Published: July 16, 2003
File Name: ISA2000-KB816456-x86.exe
Download Size: 111 kilobytes (KB)
Version: 3.0.1200.277
Related Knowledge Base (KB) Article: 816456
Security Bulletin: MS03-028
In Service Pack 1 (SP1): No
In Feature Pack 1: No
Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack. This update fixes a security issue that could allow an attacker to execute a cross-site scripting (XSS) attack. This type of attack causes a Web browser to execute code from a domain that is different from what the domain users believe they are accessing. Potentially, an attack can be run in the user's browser with the security settings appropriate to the original Web site, thus providing access to any data that resides on the original site. This problem occurs because sometimes ISA Server does not correctly validate all inputs before they are used. ISA Server ErrorHTML pages that use the homepage() function may have this problem.
ISA Server 2000 Required Updates for Windows Server 2003
Date Published: April 24, 2003
File Name: isahf255.exe
Download Size: 1476 KB
Version: 3.0
Related KB Article: 331062
In SP1: No
In Feature Pack 1: No
This update package is required for ISA Server to function properly on computers running Windows Server 2003. For installation instructions and known issues, see the linked article.
ISA Server 2000 Security Patch for Winsock Proxy Service
Date Published: April 9, 2003
File Name: isahf257.exe
Download Size: 440 KB
Version: 3.0.1200.257
Related KB Article: 331066
Security Bulletin: MS03-012
In SP1: No
In Feature Pack 1: No
This security patch addresses a flaw in the Winsock proxy service that may permit an attacker on the Internal network to send a specially crafted packet that results in 100% CPU utilization of the computer that is running ISA Server, causing the computer to stop responding to internal and external requests. This could potentially result in a denial of service.
ISA Server 2000 Security Patch for DNS Intrusion Detection Filter
Date Published: March 19, 2003
File Name: isahf256.exe
Download Size: 100 KB
Version: 3.0.1200.256
Related KB Article: 331065
Security Bulletin: MS03-009
In SP1: No
In Feature Pack 1: No
This security patch fixes a problem that might occur during the processing of an incoming DNS request that is sent to a published internal DNS server. An attacker might exploit the vulnerability by sending a specially formed malicious DNS request to an ISA Server computer, causing a denial of service. In such a case, ISA Server would stop sending further DNS requests to the DNS server. All other ISA Server functionality would not be affected.
Macintosh Outlook Clients Cannot Connect to Exchange Server Through Internet Security and Acceleration Server
Date Available: November 25, 2002
File Name: Rpcfltr.dll
Download Size: 47 KB
Version: 3.0.1200.181
Related KB Article: 331063
In Feature Pack 1: Yes
This fix solves an issue that prevents Macintosh Outlook clients from connecting to a published Exchange server. This is because the RPC filter included with ISA Server cannot convert the big-endian format of a Macintosh UUID to little-endian format.
Cannot Renew DHCP Assigned IP Address on External ISA Server Interface
Server Publish May Fail on Dial-up Links
ISA Server Blocks Incoming Traffic Although a Valid Server Publishing Rule Exists
Date Available: October 24, 2002
File Name: Mspadmin.exe, W3proxy.exe, Wspsrv.exe, Msphlpr.dll
Download Size: 176 KB (Mspadmin.exe), 388 KB (W3proxy.exe),
297 KB (Wspsrv.exe), 99 KB(Msphlpr.dll)
Version: 3.0.1200.179
Related KB Article: 326116, 321219, 319337
In Feature Pack 1: Yes
This fix addresses the following issues:
An ISA Server computer that has its external interface configured to have an IP address dynamically assigned by DHCP, or that has the DHCP Client Static packet filter turned on in ISA Server may not be able to renew the IP address on the interface. Also, you may not be able to turn the external adapter on and off.
If you use the server publishing feature of ISA Server to publish a dial-up adapter link, the publish operation may fail, even if you use a fixed IP address on the dial-up interface.
ISA Server may temporarily block incoming traffic that is destined for a protocol that has a valid server publishing rule defined. This blockage typically does not occur for more than a few minutes. This problem occurs because some Winsock error messages are not handled correctly. When a connection enters a specified state, all traffic that is destined for the server publishing rule is blocked by ISA Server for a brief time.
Heavy NTLM Authentication Traffic Occurs Between Internet Explorer and the Proxy Server
Date Available: June 17, 2002
File Name: W3proxy.exe
Download Size: 383 KB
Version: 3.0.1200.170
Related KB Article: 312176
In Feature Pack 1: Yes
This fix addresses an issue that occurs when you use NTLM authentication, and extraneous NTLM authorization requests, resulting in "407 proxy authentication required" HTTP requests generated by the proxy. This can cause symptoms such as incomplete HTML pages and random authentication prompts.
ISA Server 2000 Security Patch for Unchecked Buffer in Gopher Protocol Handler
Date Published: June 14, 2002
File Name: isahf177.exe
Download Size: 70 KB
Version: 3.0.1200.177
Related KB Article: 323889
Security Bulletin: MS02-027
In Feature Pack 1: Yes
This patch fixes a problem that may occur on an ISA Server computer during the processing of Internet Gopher protocol requests. The vulnerability occurs because of an unchecked buffer in the code that handles information returned from a server using the Gopher protocol. By configuring a Gopher server to return information in a particular manner in response to requests, an attacker could attempt to overflow the buffer and load code on the computer.
The CERT_CONTEXT Structure Variable Is Not Available for Web Filters in ISA Server
Date Published: June 11, 2003
File Name: W3proxy.exe
Download Size: 386 KB
Version: 3.0.1200.178
Related KB Article: 319375
In Feature Pack 1: Yes
This fix resolves an issue that occurs when you try to write a Web filter for ISA Server that does client certification certificate revocation list (CRL) validation. You cannot use the CertVerifyRevocation application programming interface (API) because no CERT_CONTEXT structure server variable is available.
How to Automatically Authenticate a User Against All Trusted Domains in ISA Server
Date Published: June 11, 2003
File Name: W3proxy.exe
Download Size: 386 KB
Version: 3.0.1200.178
Related KB Article: 319376
In Feature Pack 1: Yes
This fix is useful when you use basic authentication, when a user is not familiar with the domainname\username syntax, and when a user account is in a different domain than the ISA Server computer. The fix enables the following behavior:
If a user specifies domainname\username instead of only username when prompted for credentials in the browser, the user is immediately authenticated against the correct domain for the user account.
If the user account is in the same domain as the ISA Server computer, the username syntax is enough to authenticate the user. The domainname\username is not required. This fix is only useful when you use basic authentication, when the user is not familiar with the domainname\username syntax, and when the account is in a different domain than the ISA Server computer.
ISA Server 2000 Hotfix for Rules Engine and Potential Web Proxy Service Crash
Date Published: April 26, 2002
File Name: isahf174.exe
Download Size: 214 KB
Version: hf174
Related KB Article: 319374 and 321846
In Feature Pack 1: Yes
This fix addresses an issue that might cause the ISA Server Web proxy service to fail when an ISA Server-based computer that is using Web publishing to publish a Secure Sockets Layer (SSL) Web site receives an invalid SSL packet. The ISA Server Web proxy service may fail, generate an access violation error message, and stop providing services. This only occurs when all of the following conditions exist:
SSL packets are sent to an ISA Server-based computer that is using Web publishing to publish a Web site that is configured to use SSL bridging.
A Web publishing rule exists and is selected for the SSL Web site.
An Incoming Web Requests listener exists for the SSL Web site.
The Enable SSL listeners check box on the Incoming Web Requests tab is selected.
On the ISA Server-based computer, a server certificate is installed and selected. The server certificate is selected in the Incoming Web Requests listener properties in the Use a server certificate to authenticate to web clients check box.
This fix also addresses the issue in KB article 321846, where some specific URLs are not blocked by the rules engine even if there is a Site and Content rule that does this. In such a situation, if access is denied to www.example.com, a user can get to that site by typing www.example.com. (note the period, also known as the root in DNS). This is caused by incorrect canonicalization, where ISA Server does not match a requested domain name that specifies the root (.), unless the domain in the destination set used in the Site and Content rule also contains the root.
Access Violations Occur in the Web Proxy Service If an Impersonation Failure Occurs
Date Available: March 27, 2002
File Name: W3proxy.exe
Download Size: 383 KB
Version: 3.0.1200.170
Related KB Article: 318319
In Feature Pack 1: Yes
This fix addresses an issue that occurs when users try to access resources in an outgoing Web proxy or in a Web publishing scenario. In these circumstances, the Web proxy service might generate an access violation error and stop responding if proxy authentication is required globally (where Ask unauthenticated users for identification is enabled on the Outgoing Web Requests tab in ISA Server Management), or if it is enabled specifically by access rules.
ISA Server Firewall Service Cannot Start with More Than 85 IP Addresses on the External Network Adapter
Date Available: February 28, 2002
File Name: Wspsrv.exe
Download Size: 294 KB
Version: 3.0.1200.171
Related KB Article: 318005
In Feature Pack 1: Yes
This fix addresses a problem that might cause the Microsoft Firewall service not to start if you add more than 85 IP addresses to the external network adapter. If you do add more than 85, you may see an event similar to the following:
Event type: Error
Event Source: Service Control Manager
Event ID: 7031
Description: The Microsoft Firewall service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: No action.
Web Proxy Sends TCP Reset Instead of Only Closing Session
Date Available: February 27, 2002
File Name: W3proxy.exe
Download Size: 383 KB
Version: 3.0.1200.170
Related KB Article: 317122
In Feature Pack 1: Yes
This fix addresses the error message "The connection was reset by the server" that appears in your Web browser when you are posting data to a Web site. Subsequent attempts to repost the data may succeed. This is caused by the Web proxy service sending a TCP Reset to the client browser immediately after the Web proxy sends the expected TCP AckFin. The Web browser recognizes the reset, and generates the error.
Problems with Web Browser if ISA Server 2000 is Chained to an Upstream Web Proxy
Date Available: February 27, 2002
File Name: W3proxy.exe
Download Size: 383 KB
Version: 3.0.1200.170
Related KB Article: 317822
In SP1: No
This fix addresses issues that might cause unexpected delays and incomplete pages during Web browsing when ISA Server is chained to an upstream Web proxy server. Note that this behavior does not occur if the upstream proxy server requires NTLM authentication and the routing rule on the downstream server is configured to provide integrated authentication to the upstream Web proxy server. It occurs in the following circumstances:
The downstream ISA Server computer is configured to require integrated authentication (NTLM).
The upstream Web proxy server is not configured to require authentication (anonymous).
You are using Internet Explorer as your client browser.
Server Publishing Rules Intermittently Fail
Date Published: September 23, 2001
File Name: Wspsrv.exe
Download Size: 292 KB
Version: 3.0.1200.70
Related KB Article: 307784
In SP1: Yes
This fix repairs a problem that stops server publishing rules from working as expected. If this issue occurs, ISA Server may intermittently stop listening on various TCP ports that are configured for server publishing.
Clients That Use an Automatic Configuration Script May Not Work Because of Proxy Authentication
Date Published: August 26, 2001
File Name: W3proxy.exe
Download Size: 381 KB
Version: 3.0.1200.69
Related KB Article: 305204
In SP1: Yes
This fix solves an issue that might prevent Web browser clients that are configured to use the automatic configuration script in ISA Server from getting Web site access through the Web proxy service if it is configured to require proxy authentication. In such a case, the client requests the default automatic configuration script or the Wpad.data file on the port specified for outgoing Web requests, but ISA Server incorrectly prompts the client for proxy authentication instead of the correct WWW authentication. Because the client request is for a local resource on the ISA Server computer, the client computer fails proxy authentication.
The ISA Server Response to Client Options Requests Is Limited to a Predefined Set
Date Published: August 26, 2001
File Name: W3proxy.exe
Download Size: 381 KB
Version: 3.0.1200.69
Related KB Article: 304340
In SP1: Yes
This fix addresses an issue that stops external clients from gaining access to a Web Distributed Authoring and Versioning (WebDAV) folder that you publish using Web publishing. This fix allows ISA Server to respond correctly to the Web browser by sending the actual options that are sent by the WebDAV server.
ISA Server 2000 Security Patch for Web Proxy Service and H.323 ASN DLL
Date Published: August 15, 2001
File Name: isahf68.exe
Download Size: 267 KB
Version: Q295389-Q289503
Related KB Article: 289503 and 295389
MS Security Bulletin: MS01-045
In SP1: Yes
This security patch fixes a potential memory leak in the H323 ASN DLL, which is used by the Microsoft Firewall service and the Gatekeeper service. This memory leak could be exploited to deplete resources on the server, making the server slow and services unresponsive. There is no memory leak if the Gatekeeper service is not started. The Gatekeeper service loads the H323asn1.dll file when it starts.
A fix to prevent scripting in the error return pages is also included (article 295389). If you click a link (or URL) to a page that includes script code that for any reason generates an error, the error message from ISA Server contains the original script from the link and it runs in your Web browser. This is a cross-site scripting vulnerability that affects the error page that ISA Server generates in response to a request for a nonexistent page or an unsuccessful connection attempt to a page. As with all cross-site scripting vulnerabilities, this vulnerability could enable an attacker to either run a script in the security domain of another, presumably trusted, Web site, or to access cookies that a site had written to your computer.
Firewall Client Conflict with Third-Party Layered Service Providers Causes Connectivity Problems
Date Available: July 10, 2001
File Name: Stpext32.dll
Download Size: 126 KB
Version: 3.0.1200.67
Related KB Article: 303379
In SP1: Yes
This fix solves some network connectivity compatibility issues experienced with ISA Server after installing some third-party programs such as the NewDot and Babylon clients. Issues include network connectivity problems, slow loading of the operating system, blue screen error messages, or STOP error messages. The same problem may also occur if the ISA Server Firewall Client component is installed after the third-party client or provider.
In addition to this fix, the related KB article includes instructions on how to work around this problem if the third-party clients are not required.
"STOP 0x000000D1" When Passing Fragmented Packets Without NAT
Date Available: July 1, 2001
File Name: Mspfltex.sys
Download Size: 41 KB
Version: 3.0.1200.61
Related KB Article: 293161
Included in SP1: Yes
This fix solves a problem that can occur when the network address translation (NAT) driver on the ISA Server computer is stopped, and outbound data is larger than the MTU setting. In such a case, fragmented packets pass through the ISA Server computer. A blue screen error and an event log entry may be generated.
Access Violation Occurs in Your Firewall Client When It Is Under a High Load and Is Using WSPAD
Date Available: July 1, 2001
File Name: Wspwsp.dll
Download Size: 94 KB
Version: 3.0.1200.67
Related KB Article: 295388
In SP1: Yes
This fix solves an access violation error that might occur when the Firewall client is set for automatic discovery, and two or more simultaneous requests to create sockets are generated by the client computer.
Some Server Variables Are Not Fully Implemented in ISA Server
Proxy Error 502 is Returned by ISA Server Under Heavy Stress
Date Available: July 1, 2001
File Name: W3proxy.exe
Download Size: 381 KB
Version: 3.0.1200.66
Related KB Article: 301380 and 294722
In SP1: Yes
This fix solves the following problems:
A Web filter uses a particular variable, which works incorrectly. See the KB article 301380 for a complete list of variables.
Occasional 502 error responses are returned to client computers.
ISA Server Does Not Cache Responses That Contain the Location Header
Date Published: June 12, 2001
File Name: W3proxy.exe
Download Size: 373 KB
Version: 3.0.1200.65
Related KB Article: 301425
In SP1: Yes
This fix addresses an issue that causes ISA Server not to cache responses that contain the location header. This occurs if caching options are set to cache all content including dynamic content, and a schedule content download job is set to download and cache such a site. In this situation, the links that return location headers are not cached, even though the sites returned by the links are.
Multiple Authentication Dialog Boxes Are Displayed When You Use Access Control
Date Published: June 12, 2001
File Name: W3proxy.exe
Download Size: 373 KB
Version: 3.0.1200.65
Related KB Article: 297324
Included in SP1: Yes
This fix solves an HTTP 407 error that appears for each domain that is restricted when a destination set is configured. As a result, the client browser is prompted for authentication. If the destination that is set is restricted to a domain that contains multiple links to other domains, an authentication dialog box appears for each unauthorized link.
Invalid Content-Length Header May Cause Requests to Fail Through ISA Server
Date Published: June 12, 2001
File Name: W3proxy.exe
Download Size: 373 KB
Version: 3.0.1200.65
Related KB Article: 300707
In SP1: Yes
This fix addresses a "bad request" error that might occur when you send an HTTP POST request from a Web browser through ISA Server. This problem occurs because some Web browsers send two extra bytes at the end of the message body of an HTTP POST request. This causes the message body to contain two more bytes than the content-length header indicates.
Incomplete HTML Pages and Random Authentication Prompts If ISA Server Is Chained to Upstream Proxy
Date Published: May 6, 2001
File Name: W3proxy.exe
Download Size: 373 KB
Version: 3.0.1200.64
Related KB Article: 297080
In SP1: Yes
This fix prevents a problem that occurs if a downstream ISA Server computer is configured to require integrated authentication, and the upstream Web proxy server is also configured to require proxy authentication. In addition, the routing rule on the downstream ISA Server computer is configured to provide basic authentication credentials to the upstream Web proxy server.
Multiple Overdue Tasks Are Run and Alerts Are Issued for a Short Period
Date Published: April 4, 2001
File Name: Msfpc.dll
Download Size: 211 KB
Version: 3.0.1200.62
Related KB Article: 293863
In SP1: Yes
This fix prevents a problem that may occur when an ISA Server computer has been running for more that 49 days:
Some alerts may be triggered repeatedly.
Hundreds of LDAP queries each second may be sent to the Microsoft Active Directory® directory service.
The creation of ISA Server log files might stop.
Some event log entries, detailed in the KB article, may occur.
Web Proxy Service Crashes If URL Requests a Specifically Malformed Argument
Date Published: April 3, 2001
File Name: W3proxy.exe
Download Size: 373 KB
Version: 3.0
Related KB Article: 295279
MS Security Bulletin: MS01-021
In SP1: Yes
This fix prevents an access violation that might cause the Web proxy service to stop when a specific invalid Web request is made to an ISA Server computer that is using Web publishing to bridge HTTP traffic to a Web server.
This problem occurs because of a heap corruption, not a buffer overrun, and does not compromise access to ISA Server from the Internet in any way. The Web proxy service, Web proxy clients, and sites that are made available by Web publishing are affected by this problem. If you do not have listeners configured under Incoming Web Requests (these listeners are not configured by default), this problem does not affect ISA Server in any way.
Slow Response from Downstream ISA Server Using Web Proxy Chaining
Date Available: March 21, 2001
File Name: W3proxy.exe
Download Size: 373 KB
Version: 3.0.1200.57
Related KB Article: 292018
In SP1: Yes
This fix addresses an issue that causes Web proxy client requests from a downstream ISA Server computer to take a long time to respond if:
A downstream ISA Server service is configured to chain Web proxy requests to the upstream server, and the DNS server that ISA Server is configured to use is unable to resolve all possible name requests (internal and external).
There is a site and content rule (or a Web publishing rule) that applies to any destination except "All Destinations."
Firewall Service (Wspsrv.exe) Problems with High S-NAT Client Load
Date Available: March 19, 2001
File Name: Wspsrv.exe
Download Size: 292 KB
Version: 3.0.1200.58
Related KB Article: 290731
In SP1: Yes
This fix addresses an issue caused by a race condition in a double deletion of an S-NAT socket mapping.
External MAPI Clients Cannot Connect with RPC
Date Available: March 19, 2001
File Name: Rpcfltr.dll
Download Size: 432 KB
Version: 3.0.1200.59
Related KB Article: 291000
In SP1: Yes
This fix addresses an issue when you are using ISA Server to publish an RPC server, and external Windows 2000-based clients can connect to the RPC server behind the ISA Server 2000 computer, but clients that are running Windows NT® 4.0, Windows® 98, Windows 95, or Windows Millennium Edition cannot connect.
Deleting Disabled SMTP Filter Attachment Rule Leaves Corrupted Rule
Date Available: March 13, 2001
File Name: Smtpfadm.dll
Download Size: 216 KB
Version: 3.0.1200.56
Related KB Article: 292014
In SP1: Yes
This fix addresses an issue that happens if you disable and then later delete an SMTP Filter Attachment rule. In such a case, the rule might not be removed but instead becomes corrupted, so that you cannot edit or remove the rule.
Cannot Configure or Use the SMTP Filter If the Decimal Symbol Is Not a Period
Date Available: March 13, 2001
File Name: Smtpfltr.dll
Download Size: 92 KB
Version: 3.0.1200.56
Related KB Article: 285812
In SP1: Yes
This fix addresses a problem that can occur if the decimal symbol is configured to be anything other than a period (.). In such a case, you cannot configure or use the SMTP filter. This can occur when ISA Server is installed on a localized operating system in which the decimal is usually a period but the user changes it to some other symbol (for example a comma).
High Memory Consumption by SMTP Message Screener Under Stress
Unregistered Fltrsnk1.dll Starts with Inetinfo.exe
Date Available: March 13, 2001
File Name: Flkrsnk1.dll
Download Size: 591 KB
Version: 3.0.1200.56
Related KB Article: 292010 and 292013
In SP1: Yes
This fix addresses the issues outlined in the KB articles:
KB article 292010 addresses an issue in which in medium-stress situations, messages with attachments being screened by the message screener can cause memory consumption by Inetinfo.exe to rise quickly and potentially cause the system to run out of memory.
KB article 292013 addresses an issue caused by a problem in the code that unregisters Fltrsnk1.dll.
Access Violation in Mspadmin.exe with ISA Server with Multiple IP Addresses on an External Interface
Date Available: March 11, 2001
File Name: Bwserver.dll
Download Size: 299 KB
Version: 3.0.1200.55
Related KB Article: 288247
In SP1: Yes
This fix addresses an issue where ISA Server services may not start, depending on the configuration.
ISA Server 2000 fix for UDP log
Date Published: January 25, 2001
File Name: isahf54.exe
Download Size: 194 KB
Version: 1.0
KB Article: 285807
In SP1: Yes
This fix resolves a bug in ISA Server firewall logging that prevents the logging of the "Rule#1" and "Rule#2" fields for certain UDP traffic, even if those fields are selected in the logging configuration dialog box. This fix adds the two fields.
ISA Server 2000 Fix for Packet Filter Log
Date Published: January 25, 2001
File Name: isahf51.exe
Download Size: 91 KB
Version: 1.0
Related KB Article: 283213
In SP1: Yes
This fix can be applied to unconditionally block and log all outbound ICMP traffic that is sent from the Internal network to the External network. Apply this download on each ISA Server 2000 computer.