ISA Server 2000 Updates

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Updated : March 30, 2004

On This Page

Overview
Releases after Feature Pack 1
Feature Pack 1 Updates
Service Pack 1 Updates
Updates by Date

Overview

This document contains information about all updates, hotfixes, security patches, feature packs, and service packs issued since Microsoft® Internet Security and Acceleration (ISA) Server 2000 was released. Many of the fixes and updates are included in ISA Server 2000 Service Pack 1 (SP1) and ISA Server 2000 Feature Pack 1, and most are available individually from the Microsoft Download Center. For more information on downloads, see the Downloads page on the ISA Server Web site.

Last Updated: 1 January, 2004

Releases after Feature Pack 1

These are the security patches that were released after the feature pack release in January 2003.

Article

Date

Title

MS03-028

816456

July 16, 2003

Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack

331062

April 24, 2003

Running ISA Server on Windows Server 2003

MS03-012

331066

April 9, 2003

Flaw in Winsock Proxy Service Can Cause Denial of Service

MS03-009

331065

March 19, 2003

A Problem in the ISA Server DNS Intrusion Detection Filter May Cause Denial of Service

Feature Pack 1 Updates

ISA Server Feature Pack 1 was released inJanuary 2003 and includes a number of new features and fixes.

New features deliver enhanced security and ease of use for e-mail server, Web server, and Exchange Outlook® Web Access deployments.

E-mail server security is enhanced by the improved ability to filter out unwanted e-mail messages. Feature Pack 1 provides protection for remote Outlook users accessing Exchange Server over untrusted networks, without a virtual private network (VPN). Improved authentication and protection enables ISA Server to better secure Web and Outlook Web Access servers. New wizards, scenario walk-throughs, and technical documentation make configuration easier, and provide answers to commonly asked questions.

The following features are new and improved in ISA Server Feature Pack 1, and some of the items are available as separate component downloads:

  • Enhanced Simple Mail Transfer Protocol (SMTP) filter

  • Enhanced Exchange remote procedure call (RPC) filter (RPC encryption and Outbound RPC)

  • URLScan 2.5 for ISA Server

  • Rivest-Shamir-Adleman (RSA) SecurID authentication

  • Basic authentication delegation

  • Outlook Web Access Wizard

  • RPC Filter Configuration Wizard

  • Link translator

  • Scenario walk-throughs and technical documentation

The following updates and hotfixes are included in Feature Pack 1.

Date

Title

November 25, 2002

Macintosh Outlook Clients Cannot Connect to Exchange Server Through Internet Security and Acceleration Server

October 24, 2002

Cannot Renew DHCP Assigned IP Address on External ISA Server Interface

October 24, 2002

Server Publish May Fail on Dial-up Links

October 24, 2002

ISA Server Blocks Incoming Traffic Although a Valid Server Publishing Rule Exists

June 17, 2002

Heavy NTLM Authentication Traffic Occurs Between Internet Explorer and the Proxy Server

June 14, 2002

ISA Server 2000 Security Patch for Unchecked Buffer in Gopher Protocol Handler

June 11, 2002

The CERT_CONTEXT Structure Variable Is Not Available for Web Filters in ISA Server

June 11, 2002

How to Automatically Authenticate a User Against All Trusted Domains in ISA Server

April 26, 2002

ISA Server 2000 Hotfix for Rules Engine and Potential Web Proxy Service Crash

March 27, 2002

Access Violations Occur in the Web Proxy Service If an Impersonation Failure Occurs

February 28, 2002

ISA Server Firewall Service Cannot Start with More Than 85 IP Addresses on the External Network Adapter (from PSS only)

February 27, 2002

Web Proxy Sends TCP Reset Instead of Only Closing Session (from PSS only)

February 27, 2002

Problems with Web Browser if ISA Server 2000 is Chained to an Upstream Web Proxy

Service Pack 1 Updates

ISA Server 2000 Service Pack 1 (SP1) (English) was published in February 2002. It includes all the ISA Server updates released prior to the service pack, as well as fixes released concurrently with SP1. Microsoft Knowledge Base (KB) article 313249 details all the updates and KB articles that were addressed in SP1. This information is also included, together with installation instructions, in the ISA Server 2000 SP1 Release Notes (English). Note the following:

  • If you are running ISA Server 2000 SP1 on a Windows® 2000 Server or Windows 2000 Advanced Server computer, Windows 2000 SP2 or later is required.

  • ISA Server 2000 SP1 is not compatible with the ISA Server 120-day trial software.

The following fixes are included in SP1.

Date

Title

September 23, 2001

Server Publishing Rules Intermittently Fail

August 26, 2001

Clients That Use an Automatic Configuration Script May Not Work Because of Proxy Authentication

August 26, 2001

The ISA Server Response to Client Options Requests Is Limited to a Predefined Set

August 15, 2001

ISA Server 2000 Security Patch for Web Proxy Service and H.323 ASN DLL

July 10, 2001

Firewall Client Conflict with Third-Party Layered Service Providers Causes Connectivity Problems

July 1, 2001

"STOP 0x000000D1" When Passing Fragmented Packets Without NAT

July 1, 2001

Access Violation Occurs in Your Firewall Client When It Is Under a High Load and Is Using WSPAD

July 1, 2001

Some Server Variables Are Not Fully Implemented in ISA Server

July 1, 2001

Proxy Error 502 is Returned by ISA Server Under Heavy Stress

June 12, 2001

ISA Server Does Not Cache Responses That Contain the Location Header

June 12, 2001

Multiple Authentication Dialog Boxes Are Displayed When You Use Access Control

June 12, 2001

Invalid Content-Length Header May Cause Requests to Fail Through ISA Server

May 6, 2001

Incomplete HTML Pages and Random Authentication Prompts If ISA Server Is Chained to Upstream Proxy

April 4, 2001

Multiple Overdue Tasks Are Run and Alerts Are Issued for a Short Period

April 3, 2001

Web Proxy Service Crashes If URL Requests a Specifically Malformed Argument

March 21, 2001

Slow Response from Downstream ISA Server Using Web Proxy Chaining

March 19, 2001

Firewall Service (Wspsrv.exe) Problems with High S-NAT Client Load

March 19, 2001

External MAPI Clients Cannot Connect with RPC

March 13, 2001

Deleting Disabled SMTP Filter Attachment Rule Leaves Corrupted Rule

March 13, 2001

Cannot Configure or Use the SMTP Filter If the Decimal Symbol Is Not a Period

March 13, 2001

High Memory Consumption by SMTP Message Screener Under Stress

March 13, 2001

Unregistered Fltrsnk1.dll Starts with Inetinfo.exe

March 11, 2001

Access Violation in Mspadmin.exe with ISA Server with Multiple IP Addresses on an External Interface

January 25, 2001

ISA Server 2000 fix for UDP Log

January 25, 2001

ISA Server 2000 Fix for Packet Filter Log

Updates by Date

This section lists all the ISA Server 2000 updates in date order. To view individual articles, search for an article by number.

ISA Server 2000 Security Update for Error Pages

Date Published: July 16, 2003

File Name: ISA2000-KB816456-x86.exe

Download Size: 111 kilobytes (KB)

Version: 3.0.1200.277

Related Knowledge Base (KB) Article: 816456

Security Bulletin: MS03-028

In Service Pack 1 (SP1): No

In Feature Pack 1: No

Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack. This update fixes a security issue that could allow an attacker to execute a cross-site scripting (XSS) attack. This type of attack causes a Web browser to execute code from a domain that is different from what the domain users believe they are accessing. Potentially, an attack can be run in the user's browser with the security settings appropriate to the original Web site, thus providing access to any data that resides on the original site. This problem occurs because sometimes ISA Server does not correctly validate all inputs before they are used. ISA Server ErrorHTML pages that use the homepage() function may have this problem.

ISA Server 2000 Required Updates for Windows Server 2003

Date Published: April 24, 2003

File Name: isahf255.exe

Download Size: 1476 KB

Version: 3.0

Related KB Article: 331062

In SP1: No

In Feature Pack 1: No

This update package is required for ISA Server to function properly on computers running Windows Server 2003. For installation instructions and known issues, see the linked article.

ISA Server 2000 Security Patch for Winsock Proxy Service

Date Published: April 9, 2003

File Name: isahf257.exe

Download Size: 440 KB

Version: 3.0.1200.257

Related KB Article: 331066

Security Bulletin: MS03-012

In SP1: No

In Feature Pack 1: No

This security patch addresses a flaw in the Winsock proxy service that may permit an attacker on the Internal network to send a specially crafted packet that results in 100% CPU utilization of the computer that is running ISA Server, causing the computer to stop responding to internal and external requests. This could potentially result in a denial of service.

ISA Server 2000 Security Patch for DNS Intrusion Detection Filter

Date Published: March 19, 2003

File Name: isahf256.exe

Download Size: 100 KB

Version: 3.0.1200.256

Related KB Article: 331065

Security Bulletin: MS03-009

In SP1: No

In Feature Pack 1: No

This security patch fixes a problem that might occur during the processing of an incoming DNS request that is sent to a published internal DNS server. An attacker might exploit the vulnerability by sending a specially formed malicious DNS request to an ISA Server computer, causing a denial of service. In such a case, ISA Server would stop sending further DNS requests to the DNS server. All other ISA Server functionality would not be affected.

Macintosh Outlook Clients Cannot Connect to Exchange Server Through Internet Security and Acceleration Server

Date Available: November 25, 2002

File Name: Rpcfltr.dll

Download Size: 47 KB

Version: 3.0.1200.181

Related KB Article: 331063

In Feature Pack 1: Yes

This fix solves an issue that prevents Macintosh Outlook clients from connecting to a published Exchange server. This is because the RPC filter included with ISA Server cannot convert the big-endian format of a Macintosh UUID to little-endian format.

Cannot Renew DHCP Assigned IP Address on External ISA Server Interface

Server Publish May Fail on Dial-up Links

ISA Server Blocks Incoming Traffic Although a Valid Server Publishing Rule Exists

Date Available: October 24, 2002

File Name: Mspadmin.exe, W3proxy.exe, Wspsrv.exe, Msphlpr.dll

Download Size: 176 KB (Mspadmin.exe), 388 KB (W3proxy.exe),

297 KB (Wspsrv.exe), 99 KB(Msphlpr.dll)

Version: 3.0.1200.179

Related KB Article: 326116, 321219, 319337

In Feature Pack 1: Yes

This fix addresses the following issues:

  • An ISA Server computer that has its external interface configured to have an IP address dynamically assigned by DHCP, or that has the DHCP Client Static packet filter turned on in ISA Server may not be able to renew the IP address on the interface. Also, you may not be able to turn the external adapter on and off.

  • If you use the server publishing feature of ISA Server to publish a dial-up adapter link, the publish operation may fail, even if you use a fixed IP address on the dial-up interface.

  • ISA Server may temporarily block incoming traffic that is destined for a protocol that has a valid server publishing rule defined. This blockage typically does not occur for more than a few minutes. This problem occurs because some Winsock error messages are not handled correctly. When a connection enters a specified state, all traffic that is destined for the server publishing rule is blocked by ISA Server for a brief time.

Heavy NTLM Authentication Traffic Occurs Between Internet Explorer and the Proxy Server

Date Available: June 17, 2002

File Name: W3proxy.exe

Download Size: 383 KB

Version: 3.0.1200.170

Related KB Article: 312176

In Feature Pack 1: Yes

This fix addresses an issue that occurs when you use NTLM authentication, and extraneous NTLM authorization requests, resulting in "407 proxy authentication required" HTTP requests generated by the proxy. This can cause symptoms such as incomplete HTML pages and random authentication prompts.

ISA Server 2000 Security Patch for Unchecked Buffer in Gopher Protocol Handler

Date Published: June 14, 2002

File Name: isahf177.exe

Download Size: 70 KB

Version: 3.0.1200.177

Related KB Article: 323889

Security Bulletin: MS02-027

In Feature Pack 1: Yes

This patch fixes a problem that may occur on an ISA Server computer during the processing of Internet Gopher protocol requests. The vulnerability occurs because of an unchecked buffer in the code that handles information returned from a server using the Gopher protocol. By configuring a Gopher server to return information in a particular manner in response to requests, an attacker could attempt to overflow the buffer and load code on the computer.

The CERT_CONTEXT Structure Variable Is Not Available for Web Filters in ISA Server

Date Published: June 11, 2003

File Name: W3proxy.exe

Download Size: 386 KB

Version: 3.0.1200.178

Related KB Article: 319375

In Feature Pack 1: Yes

This fix resolves an issue that occurs when you try to write a Web filter for ISA Server that does client certification certificate revocation list (CRL) validation. You cannot use the CertVerifyRevocation application programming interface (API) because no CERT_CONTEXT structure server variable is available.

How to Automatically Authenticate a User Against All Trusted Domains in ISA Server

Date Published: June 11, 2003

File Name: W3proxy.exe

Download Size: 386 KB

Version: 3.0.1200.178

Related KB Article: 319376

In Feature Pack 1: Yes

This fix is useful when you use basic authentication, when a user is not familiar with the domainname\username syntax, and when a user account is in a different domain than the ISA Server computer. The fix enables the following behavior:

  • If a user specifies domainname\username instead of only username when prompted for credentials in the browser, the user is immediately authenticated against the correct domain for the user account.

  • If the user account is in the same domain as the ISA Server computer, the username syntax is enough to authenticate the user. The domainname\username is not required. This fix is only useful when you use basic authentication, when the user is not familiar with the domainname\username syntax, and when the account is in a different domain than the ISA Server computer.

ISA Server 2000 Hotfix for Rules Engine and Potential Web Proxy Service Crash

Date Published: April 26, 2002

File Name: isahf174.exe

Download Size: 214 KB

Version: hf174

Related KB Article: 319374 and 321846

In Feature Pack 1: Yes

This fix addresses an issue that might cause the ISA Server Web proxy service to fail when an ISA Server-based computer that is using Web publishing to publish a Secure Sockets Layer (SSL) Web site receives an invalid SSL packet. The ISA Server Web proxy service may fail, generate an access violation error message, and stop providing services. This only occurs when all of the following conditions exist:

  • SSL packets are sent to an ISA Server-based computer that is using Web publishing to publish a Web site that is configured to use SSL bridging.

  • A Web publishing rule exists and is selected for the SSL Web site.

  • An Incoming Web Requests listener exists for the SSL Web site.

  • The Enable SSL listeners check box on the Incoming Web Requests tab is selected.

  • On the ISA Server-based computer, a server certificate is installed and selected. The server certificate is selected in the Incoming Web Requests listener properties in the Use a server certificate to authenticate to web clients check box.

This fix also addresses the issue in KB article 321846, where some specific URLs are not blocked by the rules engine even if there is a Site and Content rule that does this. In such a situation, if access is denied to www.example.com, a user can get to that site by typing www.example.com. (note the period, also known as the root in DNS). This is caused by incorrect canonicalization, where ISA Server does not match a requested domain name that specifies the root (.), unless the domain in the destination set used in the Site and Content rule also contains the root.

Access Violations Occur in the Web Proxy Service If an Impersonation Failure Occurs

Date Available: March 27, 2002

File Name: W3proxy.exe

Download Size: 383 KB

Version: 3.0.1200.170

Related KB Article: 318319

In Feature Pack 1: Yes

This fix addresses an issue that occurs when users try to access resources in an outgoing Web proxy or in a Web publishing scenario. In these circumstances, the Web proxy service might generate an access violation error and stop responding if proxy authentication is required globally (where Ask unauthenticated users for identification is enabled on the Outgoing Web Requests tab in ISA Server Management), or if it is enabled specifically by access rules.

ISA Server Firewall Service Cannot Start with More Than 85 IP Addresses on the External Network Adapter

Date Available: February 28, 2002

File Name: Wspsrv.exe

Download Size: 294 KB

Version: 3.0.1200.171

Related KB Article: 318005

In Feature Pack 1: Yes

This fix addresses a problem that might cause the Microsoft Firewall service not to start if you add more than 85 IP addresses to the external network adapter. If you do add more than 85, you may see an event similar to the following:

Event type: Error

Event Source: Service Control Manager

Event ID: 7031

Description: The Microsoft Firewall service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: No action.

Web Proxy Sends TCP Reset Instead of Only Closing Session

Date Available: February 27, 2002

File Name: W3proxy.exe

Download Size: 383 KB

Version: 3.0.1200.170

Related KB Article: 317122

In Feature Pack 1: Yes

This fix addresses the error message "The connection was reset by the server" that appears in your Web browser when you are posting data to a Web site. Subsequent attempts to repost the data may succeed. This is caused by the Web proxy service sending a TCP Reset to the client browser immediately after the Web proxy sends the expected TCP AckFin. The Web browser recognizes the reset, and generates the error.

Problems with Web Browser if ISA Server 2000 is Chained to an Upstream Web Proxy

Date Available: February 27, 2002

File Name: W3proxy.exe

Download Size: 383 KB

Version: 3.0.1200.170

Related KB Article: 317822

In SP1: No

This fix addresses issues that might cause unexpected delays and incomplete pages during Web browsing when ISA Server is chained to an upstream Web proxy server. Note that this behavior does not occur if the upstream proxy server requires NTLM authentication and the routing rule on the downstream server is configured to provide integrated authentication to the upstream Web proxy server. It occurs in the following circumstances:

  • The downstream ISA Server computer is configured to require integrated authentication (NTLM).

  • The upstream Web proxy server is not configured to require authentication (anonymous).

  • You are using Internet Explorer as your client browser.

Server Publishing Rules Intermittently Fail

Date Published: September 23, 2001

File Name: Wspsrv.exe

Download Size: 292 KB

Version: 3.0.1200.70

Related KB Article: 307784

In SP1: Yes

This fix repairs a problem that stops server publishing rules from working as expected. If this issue occurs, ISA Server may intermittently stop listening on various TCP ports that are configured for server publishing.

Clients That Use an Automatic Configuration Script May Not Work Because of Proxy Authentication

Date Published: August 26, 2001

File Name: W3proxy.exe

Download Size: 381 KB

Version: 3.0.1200.69

Related KB Article: 305204

In SP1: Yes

This fix solves an issue that might prevent Web browser clients that are configured to use the automatic configuration script in ISA Server from getting Web site access through the Web proxy service if it is configured to require proxy authentication. In such a case, the client requests the default automatic configuration script or the Wpad.data file on the port specified for outgoing Web requests, but ISA Server incorrectly prompts the client for proxy authentication instead of the correct WWW authentication. Because the client request is for a local resource on the ISA Server computer, the client computer fails proxy authentication.

The ISA Server Response to Client Options Requests Is Limited to a Predefined Set

Date Published: August 26, 2001

File Name: W3proxy.exe

Download Size: 381 KB

Version: 3.0.1200.69

Related KB Article: 304340

In SP1: Yes

This fix addresses an issue that stops external clients from gaining access to a Web Distributed Authoring and Versioning (WebDAV) folder that you publish using Web publishing. This fix allows ISA Server to respond correctly to the Web browser by sending the actual options that are sent by the WebDAV server.

ISA Server 2000 Security Patch for Web Proxy Service and H.323 ASN DLL

Date Published: August 15, 2001

File Name: isahf68.exe

Download Size: 267 KB

Version: Q295389-Q289503

Related KB Article: 289503 and 295389

MS Security Bulletin: MS01-045

In SP1: Yes

This security patch fixes a potential memory leak in the H323 ASN DLL, which is used by the Microsoft Firewall service and the Gatekeeper service. This memory leak could be exploited to deplete resources on the server, making the server slow and services unresponsive. There is no memory leak if the Gatekeeper service is not started. The Gatekeeper service loads the H323asn1.dll file when it starts.

A fix to prevent scripting in the error return pages is also included (article 295389). If you click a link (or URL) to a page that includes script code that for any reason generates an error, the error message from ISA Server contains the original script from the link and it runs in your Web browser. This is a cross-site scripting vulnerability that affects the error page that ISA Server generates in response to a request for a nonexistent page or an unsuccessful connection attempt to a page. As with all cross-site scripting vulnerabilities, this vulnerability could enable an attacker to either run a script in the security domain of another, presumably trusted, Web site, or to access cookies that a site had written to your computer.

Firewall Client Conflict with Third-Party Layered Service Providers Causes Connectivity Problems

Date Available: July 10, 2001

File Name: Stpext32.dll

Download Size: 126 KB

Version: 3.0.1200.67

Related KB Article: 303379

In SP1: Yes

This fix solves some network connectivity compatibility issues experienced with ISA Server after installing some third-party programs such as the NewDot and Babylon clients. Issues include network connectivity problems, slow loading of the operating system, blue screen error messages, or STOP error messages. The same problem may also occur if the ISA Server Firewall Client component is installed after the third-party client or provider.

In addition to this fix, the related KB article includes instructions on how to work around this problem if the third-party clients are not required.

"STOP 0x000000D1" When Passing Fragmented Packets Without NAT

Date Available: July 1, 2001

File Name: Mspfltex.sys

Download Size: 41 KB

Version: 3.0.1200.61

Related KB Article: 293161

Included in SP1: Yes

This fix solves a problem that can occur when the network address translation (NAT) driver on the ISA Server computer is stopped, and outbound data is larger than the MTU setting. In such a case, fragmented packets pass through the ISA Server computer. A blue screen error and an event log entry may be generated.

Access Violation Occurs in Your Firewall Client When It Is Under a High Load and Is Using WSPAD

Date Available: July 1, 2001

File Name: Wspwsp.dll

Download Size: 94 KB

Version: 3.0.1200.67

Related KB Article: 295388

In SP1: Yes

This fix solves an access violation error that might occur when the Firewall client is set for automatic discovery, and two or more simultaneous requests to create sockets are generated by the client computer.

Some Server Variables Are Not Fully Implemented in ISA Server

Proxy Error 502 is Returned by ISA Server Under Heavy Stress

Date Available: July 1, 2001

File Name: W3proxy.exe

Download Size: 381 KB

Version: 3.0.1200.66

Related KB Article: 301380 and 294722

In SP1: Yes

This fix solves the following problems:

  • A Web filter uses a particular variable, which works incorrectly. See the KB article 301380 for a complete list of variables.

  • Occasional 502 error responses are returned to client computers.

ISA Server Does Not Cache Responses That Contain the Location Header

Date Published: June 12, 2001

File Name: W3proxy.exe

Download Size: 373 KB

Version: 3.0.1200.65

Related KB Article: 301425

In SP1: Yes

This fix addresses an issue that causes ISA Server not to cache responses that contain the location header. This occurs if caching options are set to cache all content including dynamic content, and a schedule content download job is set to download and cache such a site. In this situation, the links that return location headers are not cached, even though the sites returned by the links are.

Multiple Authentication Dialog Boxes Are Displayed When You Use Access Control

Date Published: June 12, 2001

File Name: W3proxy.exe

Download Size: 373 KB

Version: 3.0.1200.65

Related KB Article: 297324

Included in SP1: Yes

This fix solves an HTTP 407 error that appears for each domain that is restricted when a destination set is configured. As a result, the client browser is prompted for authentication. If the destination that is set is restricted to a domain that contains multiple links to other domains, an authentication dialog box appears for each unauthorized link.

Invalid Content-Length Header May Cause Requests to Fail Through ISA Server

Date Published: June 12, 2001

File Name: W3proxy.exe

Download Size: 373 KB

Version: 3.0.1200.65

Related KB Article: 300707

In SP1: Yes

This fix addresses a "bad request" error that might occur when you send an HTTP POST request from a Web browser through ISA Server. This problem occurs because some Web browsers send two extra bytes at the end of the message body of an HTTP POST request. This causes the message body to contain two more bytes than the content-length header indicates.

Incomplete HTML Pages and Random Authentication Prompts If ISA Server Is Chained to Upstream Proxy

Date Published: May 6, 2001

File Name: W3proxy.exe

Download Size: 373 KB

Version: 3.0.1200.64

Related KB Article: 297080

In SP1: Yes

This fix prevents a problem that occurs if a downstream ISA Server computer is configured to require integrated authentication, and the upstream Web proxy server is also configured to require proxy authentication. In addition, the routing rule on the downstream ISA Server computer is configured to provide basic authentication credentials to the upstream Web proxy server.

Multiple Overdue Tasks Are Run and Alerts Are Issued for a Short Period

Date Published: April 4, 2001

File Name: Msfpc.dll

Download Size: 211 KB

Version: 3.0.1200.62

Related KB Article: 293863

In SP1: Yes

This fix prevents a problem that may occur when an ISA Server computer has been running for more that 49 days:

  • Some alerts may be triggered repeatedly.

  • Hundreds of LDAP queries each second may be sent to the Microsoft Active Directory® directory service.

  • The creation of ISA Server log files might stop.

  • Some event log entries, detailed in the KB article, may occur.

Web Proxy Service Crashes If URL Requests a Specifically Malformed Argument

Date Published: April 3, 2001

File Name: W3proxy.exe

Download Size: 373 KB

Version: 3.0

Related KB Article: 295279

MS Security Bulletin: MS01-021

In SP1: Yes

This fix prevents an access violation that might cause the Web proxy service to stop when a specific invalid Web request is made to an ISA Server computer that is using Web publishing to bridge HTTP traffic to a Web server.

This problem occurs because of a heap corruption, not a buffer overrun, and does not compromise access to ISA Server from the Internet in any way. The Web proxy service, Web proxy clients, and sites that are made available by Web publishing are affected by this problem. If you do not have listeners configured under Incoming Web Requests (these listeners are not configured by default), this problem does not affect ISA Server in any way.

Slow Response from Downstream ISA Server Using Web Proxy Chaining

Date Available: March 21, 2001

File Name: W3proxy.exe

Download Size: 373 KB

Version: 3.0.1200.57

Related KB Article: 292018

In SP1: Yes

This fix addresses an issue that causes Web proxy client requests from a downstream ISA Server computer to take a long time to respond if:

  • A downstream ISA Server service is configured to chain Web proxy requests to the upstream server, and the DNS server that ISA Server is configured to use is unable to resolve all possible name requests (internal and external).

  • There is a site and content rule (or a Web publishing rule) that applies to any destination except "All Destinations."

Firewall Service (Wspsrv.exe) Problems with High S-NAT Client Load

Date Available: March 19, 2001

File Name: Wspsrv.exe

Download Size: 292 KB

Version: 3.0.1200.58

Related KB Article: 290731

In SP1: Yes

This fix addresses an issue caused by a race condition in a double deletion of an S-NAT socket mapping.

External MAPI Clients Cannot Connect with RPC

Date Available: March 19, 2001

File Name: Rpcfltr.dll

Download Size: 432 KB

Version: 3.0.1200.59

Related KB Article: 291000

In SP1: Yes

This fix addresses an issue when you are using ISA Server to publish an RPC server, and external Windows 2000-based clients can connect to the RPC server behind the ISA Server 2000 computer, but clients that are running Windows NT® 4.0, Windows® 98, Windows 95, or Windows Millennium Edition cannot connect.

Deleting Disabled SMTP Filter Attachment Rule Leaves Corrupted Rule

Date Available: March 13, 2001

File Name: Smtpfadm.dll

Download Size: 216 KB

Version: 3.0.1200.56

Related KB Article: 292014

In SP1: Yes

This fix addresses an issue that happens if you disable and then later delete an SMTP Filter Attachment rule. In such a case, the rule might not be removed but instead becomes corrupted, so that you cannot edit or remove the rule.

Cannot Configure or Use the SMTP Filter If the Decimal Symbol Is Not a Period

Date Available: March 13, 2001

File Name: Smtpfltr.dll

Download Size: 92 KB

Version: 3.0.1200.56

Related KB Article: 285812

In SP1: Yes

This fix addresses a problem that can occur if the decimal symbol is configured to be anything other than a period (.). In such a case, you cannot configure or use the SMTP filter. This can occur when ISA Server is installed on a localized operating system in which the decimal is usually a period but the user changes it to some other symbol (for example a comma).

High Memory Consumption by SMTP Message Screener Under Stress

Unregistered Fltrsnk1.dll Starts with Inetinfo.exe

Date Available: March 13, 2001

File Name: Flkrsnk1.dll

Download Size: 591 KB

Version: 3.0.1200.56

Related KB Article: 292010 and 292013

In SP1: Yes

This fix addresses the issues outlined in the KB articles:

  • KB article 292010 addresses an issue in which in medium-stress situations, messages with attachments being screened by the message screener can cause memory consumption by Inetinfo.exe to rise quickly and potentially cause the system to run out of memory.

  • KB article 292013 addresses an issue caused by a problem in the code that unregisters Fltrsnk1.dll.

Access Violation in Mspadmin.exe with ISA Server with Multiple IP Addresses on an External Interface

Date Available: March 11, 2001

File Name: Bwserver.dll

Download Size: 299 KB

Version: 3.0.1200.55

Related KB Article: 288247

In SP1: Yes

This fix addresses an issue where ISA Server services may not start, depending on the configuration.

ISA Server 2000 fix for UDP log

Date Published: January 25, 2001

File Name: isahf54.exe

Download Size: 194 KB

Version: 1.0

KB Article: 285807

In SP1: Yes

This fix resolves a bug in ISA Server firewall logging that prevents the logging of the "Rule#1" and "Rule#2" fields for certain UDP traffic, even if those fields are selected in the logging configuration dialog box. This fix adds the two fields.

ISA Server 2000 Fix for Packet Filter Log

Date Published: January 25, 2001

File Name: isahf51.exe

Download Size: 91 KB

Version: 1.0

Related KB Article: 283213

In SP1: Yes

This fix can be applied to unconditionally block and log all outbound ICMP traffic that is sent from the Internal network to the External network. Apply this download on each ISA Server 2000 computer.