ISA Server 2006 Service Pack 1 Features

Microsoft® Internet Security and Acceleration (ISA) Server 2006 Service Pack (SP) 1 introduces new features and improved functionality to ISA Server 2006 Enterprise and Standard Editions. The new features focus on change management and enhanced troubleshooting designed to help you identify and resolve ISA Server configuration issues within ISA Server Management.

This document describes the features and improved functionality introduced in ISA Server 2006 SP1.

This document includes the following topics:

  • Service Pack 1 new and improved features
  • Configuration Change Tracking
    • Viewing configuration change tracking output
    • Configuring the change tracking feature
    • Entering a change description
    • Filtering and searching configuration changes
  • Test rule
    • Running the test
  • Traffic simulator
    • Configuring traffic simulator
    • Simulating traffic scenarios
  • Diagnostic logging
    • Configuring diagnostic logging
    • Filtering the diagnostic log
  • Improvements to existing features
    • Multicast support for integrated NLB
    • Kerberos constrained delegation (KCD) authentication allowed in a cross domain environment
    • Secondary client certificate validation without mapping to Active Directory
    • Support for use of server certificates containing multiple Subject Alternative Name (SAN) entries
    • RSA SecurID supports public timeout
    • Improved Web publishing load balancing cookie handling
    • Filtering RPC traffic by UUID
    • Alert improvements
    • New performance counter

Service Pack 1 new and improved features

ISA Server 2006 SP1 includes the following new features:

  • Configuration change tracking—Registers all configuration changes applied to ISA Server configuration in order to help you assess issues that may occur as a result of these changes.
  • Test rule—Verifies that the configuration settings of the Web publishing rule correspond with the settings on the Web server.
  • Traffic simulator—Simulates network traffic in accordance with specified request parameters and provides information about firewall policy rules that are evaluated for the request.
  • Diagnostic logging—Integrated as a tab into the ISA Server Management console, this feature displays detailed events about how rules are evaluated.

ISA Server 2006 SP1 also includes feature improvements including:

  • Support for Network Load Balancing (NLB) multicast operations
  • Support for certificates with multiple Subject Alternative Name (SAN) entries
  • Kerberos Constrained Delegation (KCD) authentication allowed in a cross-domain environment

For additional feature improvements, see "Improvements to existing features" later in this document.

The following sections of this document describe new ISA Server 2006 SP1 features.

Configuration change tracking

When enabled, configuration change tracking registers all configuration changes that are made either in ISA Server Management or programmatically using scripts. You can use configuration change tracking as a support tool in order to determine the cause of an issue that results from a configuration change. Change tracking is disabled by default.

Output of configuration change tracking can be viewed in the Change Tracking tab of the Monitoring node in the ISA Server Management console. In ISA Server 2006 Enterprise Edition, you can configure configuration change tracking at the enterprise level. Enabling configuration change tracking on the enterprise enables tracking on all arrays in the enterprise. Enterprise settings override array-level settings.

When applying changes at the array and enterprise level together, you get two entries in the output: One entry shows the configuration change at the enterprise level and another entry shows the change at the array level.

Viewing configuration change tracking output

Each configuration change tracking output entry represents a single configuration change. Entries are sorted by date and time, the most recent first.

The following details are provided in the results pane of the Change Tracking tab:

  • Time—Displays the date and time of the configuration change.
  • User—Displays the user name of the person who made the configuration change.
  • Change Summary—Displays a system-generated description of the configuration change in ISA Server.
  • Description—Displays the change description that the user entered for the configuration change.
  • Array—Displays the name of the array where the configuration change was made, or the name of the enterprise if the change was made at the enterprise level (Enterprise Edition only).

Each entry can be expanded to display more details. A sample output is shown below.

[Figure: Configuration Change Tracking]

Configuring the change tracking feature

You can configure the following for the change tracking feature:

  • Enable change tracking
  • Specify a maximum number of entries in the change tracking log
  • Require users making configuration changes in ISA Server Management to specify a description that appears in the configuration change tracking output

To enable and configure change tracking

  1. In the ISA Server Management console, click the Monitoring node, and then click the Change Tracking tab.

  2. On the Tasks tab, click Configure Change Tracking.

  3. To turn on change tracking, select Enable change tracking.

    Note

    To configure change tracking at the enterprise level, right-click the enterprise node, click Properties, and then click the Change Tracking tab from the Enterprise Properties dialog box.

  4. Selected by default, Prompt for a change description when applying configuration changes enables users to add an optional change description when making configuration changes in ISA Server Management. Clear this check box in order to disable the change description prompt.

  5. To specify a maximum number of entries for the change tracking log, in the Limit number of entries to box, enter the number. It is recommended that you do not configure a limit of more than 10,000. A larger limit may affect performance.

    Note

    When the maximum number of entries is reached, the earliest entries are overwritten.

  6. To record the change and view its entry in the configuration change tracking output, click Apply.

    [Figure: Configure Change Tracking]

    [Figure: Configuration Change Tracking]

Entering a change description

If configuration change tracking is enabled, users making configuration changes in ISA Server Management can enter an optional description for that change. This description appears in the configuration change tracking output.

To export the current configuration and a change description

  1. After you make the configuration changes in ISA Server Management, when you click Apply, the Configuration Change Description prompt appears. Type the description of the change.

  2. Before applying the change and change description, you can create a backup of the existing configuration. To open the Export Wizard, click Export. For Enterprise Edition, the export backs up the entire enterprise.

  3. Click Apply. When you click Apply, the requested configuration change is saved, and the description is attached to the change.

  4. When the Saving Configuration Changes status dialog box completes, click OK. The configuration change is recorded in the change tracking output.

    [Figure: Configuration Change Tracking Description]

Filtering and searching configuration changes

Filter options are accessible at the top of the Change Tracking tab. You can filter the entries by user name and by content. You can also use the keyboard shortcut CTRL+F to search for entries.

To search for an entry

  1. In the User name contains box, enter the name of the user who performed the configuration change.

  2. In the Entry contains box, enter a keyword for the search.

    Note

    You can filter by one or both options.

  3. Click Apply Filter. The search runs, and the results appear on the Change Tracking tab in the Monitoring node.

  4. Each entry in the output can be expanded to display more details.

    [Figure: Filtering Configuration Change Tracking]

Test rule

The test rule feature verifies that the configuration settings of the Web publishing rule correspond with the settings on the Web server. In addition, you can use the test rule feature for troubleshooting when a rule is not working as expected. The test results description can help you to identify and resolve an issue that is detected by the test.

The test rule can be activated from the following wizards and types of rules:

  • Exchange Web Client Access Publishing Wizard

  • SharePoint® Site Publishing Rule Wizard

  • Web Site Publishing Wizard

  • A rule that publishes a single Web server, Web site, or server farm over HTTP.

  • A rule that publishes a single Web server, Web site, or server farm over Secure Sockets Layer (SSL).

    Note

    Even if the published rule is disabled, you can still run the test.

    [Figure: Test Rule button]

When you click the Test Rule button, ISA Server first attempts name resolution. After the name is resolved to an IP address, ISA Server tries to establish a TCP/IP connection with the published server. For a publishing rule over Secure Sockets Layer (SSL), the test rule also attempts to establish an SSL connection to the published server and tests the validity of the certificate. ISA Server then sends an HTTP GET request to the published server and waits for a response. After a response is received, ISA Server compares the authentication requirements and methods reported by the published server with the configuration settings in the rule. Note the following:

  • When running the test on a publishing rule that applies to all requests (no public name is specified) and Forward the original host header instead of the actual one (specified in the internal site name field) is selected, the test uses the fully qualified domain name (FQDN) of the ISA Server computer as the host header. The test might fail if the published Web server rejects the host header of the ISA Server computer, while traffic may still be allowed when the actual rule runs if the published Web server accepts the client's host header. The opposite can also happen: the test passes because the published Web server accepts the host header of the ISA Server computer, while actual client traffic is denied because the published Web server rejects the client's host header.
  • The test does not check the authentication type on specific files within the folder unless a specific file is published by the rule, by using the path.
  • If no authentication delegation is configured on the published server, the test checks that the folder specified in the publishing rule exists.
  • If authentication delegation is configured, the test cannot check that the folder exists because the test does not pass the required authentication credentials. In this case, the test rule is successful if the authentication method configured for the rule matches one of the authentication methods required by the folder specified in the rule. Success does not indicate that the folder exists.
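The sequence of checks described above (name resolution, TCP connection, SSL certificate validation, an anonymous HTTP GET and a look at the authentication methods the server demands) can also be reproduced from a management workstation when you want to see which stage a published server fails at. The following PowerShell script is an added example and is not part of ISA Server or of this document; it assumes Windows PowerShell 3.0 to 5.1 and that $ServerName, $Port and $Path are the values from the rule's To tab.

```powershell
# Added example (not ISA Server code): reproduce the Test Rule checks stage by stage so
# that a failure can be matched to the error categories used in the test results dialog box.
# Assumptions: Windows PowerShell 3.0-5.1; the parameters below are illustrative and should
# be set to the published server name, port and path from the rule's To tab.
param(
    [Parameter(Mandatory = $true)][string]$ServerName,
    [int]$Port = 443,
    [string]$Path = '/',
    [switch]$Ssl
)

$result = [ordered]@{ Server = "${ServerName}:$Port" }

# Stage 1: name resolution (category "Name resolution", for example error 11001 or 11004).
try {
    $ip = [System.Net.Dns]::GetHostAddresses($ServerName) |
          Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
          Select-Object -First 1
    if (-not $ip) { throw "no IPv4 address returned for $ServerName" }
    $result.NameResolution = "OK ($($ip.IPAddressToString))"
} catch {
    $result.NameResolution = "FAILED: $($_.Exception.Message)"
    return [pscustomobject]$result
}

# Stage 2: TCP connection to the published port (category "Connectivity", for example 10061).
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($ip, $Port)
    $result.TcpConnect = 'OK'
} catch {
    $result.TcpConnect = "FAILED: $($_.Exception.InnerException.Message)"
    return [pscustomobject]$result
}

# Stage 3: SSL handshake and certificate validation (category "Published server certificate").
# The callback records the policy errors instead of aborting the handshake, so the script
# can report a name mismatch (0x80090322), an untrusted root (0x80090325) or an expired
# certificate (0x80090328) by name. Nothing sensitive is sent over this connection.
if ($Ssl) {
    $script:policyErrors = 'None'
    $script:chainStatus  = @()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:policyErrors = $errors
        $script:chainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($ServerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.CertificateSubject = $cert.Subject
        $result.CertificateExpires = $cert.NotAfter
        if ("$script:policyErrors" -eq 'None') {
            $result.Certificate = 'OK'
        } else {
            $result.Certificate = "FAILED: $script:policyErrors ($($script:chainStatus -join ', '))"
        }
    } catch {
        $result.Certificate = "FAILED: $($_.Exception.Message)"
    } finally {
        $ssl.Dispose()
    }
}
$client.Close()

# Stage 4: anonymous HTTP GET. A 401 response carries the WWW-Authenticate header, which
# lists the authentication methods the published folder requires; compare these with the
# authentication delegation configured on the rule.
$scheme = if ($Ssl) { 'https' } else { 'http' }
$uri = '{0}://{1}:{2}{3}' -f $scheme, $ServerName, $Port, $Path
try {
    $resp = Invoke-WebRequest -Uri $uri -Method Get -UseBasicParsing -ErrorAction Stop
    $result.HttpGet = "HTTP $($resp.StatusCode) (anonymous access allowed)"
} catch {
    $http = $_.Exception.Response
    if ($http) {
        $result.HttpGet     = "HTTP $([int]$http.StatusCode)"
        $result.AuthMethods = $http.Headers['WWW-Authenticate']
    } else {
        $result.HttpGet = "FAILED: $($_.Exception.Message)"
    }
}

[pscustomobject]$result
```

Run it from the ISA Server computer itself so that name resolution and the trusted root store match what the test rule sees; the stage that first reports FAILED corresponds to the error category in the tables below.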

Running the test

To run the test

  1. In the selected publishing wizard, or on the Properties page of the rule, click the Test Rule button.

  2. To view status details for each of the items in the tree, click the item. The corresponding status description can be viewed in the description frame.

  3. Click Close to close test results dialog box for the Web publishing rule.

    Note

    To stop the test at any time, click Stop. While the test is in progress, you cannot close the dialog box; you can close it only after the test completes or after you click Stop.

    [Figure: Running the Test Rule]

Test rule error messages

Each error message that appears in the description frame of the test results dialog box belongs to one of the following four error types:

  • Published server certificate—Errors are triggered when validation of the published server certificate fails.
  • Name resolution—Errors are triggered when the name of the published server cannot be resolved to its IP address.
  • Connectivity—Errors are triggered when ISA Server fails to establish a session with the published server.
  • General—Errors are triggered for all other types of issues.

The following tables show the list of the most common error codes that may appear when running the test rule and an explanation of each of the errors.

Published server certificate errors:

  Error code 0x80090308
    Error description: The token supplied to the function is invalid.
    Explanation: This happens when the published port is not listening for SSL.

  Error code 0x80090322
    Error description: The target principal name is incorrect.
    Explanation: Usually this happens when accessing HTTPS sites and the certificate name on the server doesn’t match the URL with which it’s being accessed.
    Recommendation: Check the certificate of the published Web site, and then update the name of the published site on the To tab.

  Error code 0x80090325
    Error description: The certificate chain was issued by an authority that is not trusted.
    Explanation: ISA Server doesn’t have the root certificate from the certification authority (CA) installed.
    Recommendation: Import the CA certificate.

  Error code 0x80090328
    Error description: The received certificate has expired.
    Explanation: The certificate on the published server has expired.
    Recommendation: Replace or renew the certificate on the published server.

Name resolution errors:

  Error code 11004
    Error description: The requested name is valid, but no data of the requested type was found.
    Explanation: This occurs when name resolution of the published server (published by its NetBIOS name) fails.
    Recommendation: Check whether the name on the To tab of the published rule is resolvable.

  Error code 11001
    Error description: Host not found.
    Explanation: This occurs when name resolution of the published server (published by its FQDN) fails.
    Recommendation: Check whether the name on the To tab of the published rule is resolvable.

Connectivity errors:

  Error code 10061
    Error description: No connection could be made because the target computer actively refused it.
    Explanation: The published server does not have a Web server listening on the published port, or Internet Information Services (IIS) 6.0 has not started and is not listening on any port.

For more information about the error codes, see System Error Codes.

Traffic simulator

The traffic simulator simulates network traffic in accordance with specified request parameters and provides information about the firewall policy rules that are evaluated for the request. This feature can help troubleshoot communication issues that users may have with a destination server, for example when a user on the internal corporate network is denied access to an Internet Web server. The traffic simulator evaluates all of the firewall policy rules that correspond to the scenario, and the administrator can then examine the results to determine how to resolve the issue. In addition, this feature can verify the functionality of a new policy rule by testing traffic that is handled by the new rule.

The traffic simulator can be run from a remote management computer. The traffic simulator is run per array. You select the server within the array on which you want to run the traffic simulator.

Important

The traffic simulator checks rules only on the basis of what is allowed or denied by the firewall engine. If traffic is blocked or allowed based on application filter settings, or an HTTP filter, this is not known to the traffic simulator. This means that even if simulated traffic is allowed, real traffic may be blocked by a filter.

Configuring the traffic simulator

The following list contains the different firewall policy scenarios that can be simulated:

  • Web access—Simulates traffic handled by an access rule by allowing or denying Web access for clients making Web proxy requests.
  • Non-Web access—Simulates traffic handled by access rules by allowing or denying internal client requests for non-Web resources in other networks.
  • Web publishing—Simulates traffic from clients making requests to published Web servers located on corporate networks (requests that are handled by Web publishing rules in ISA Server).
  • Server publishing—Simulates traffic between clients and non-HTTP published servers located on corporate networks (requests that are handled by server publishing rules in ISA Server).

The results of the simulation appear at the bottom of the screen and show the following configuration properties of the policy rule that handled the request. Check these details to evaluate the cause of a network issue.

  • Rule Name—Displays the name of the policy rule used by the request.
  • Rule Order—Displays the order number of the rule. Rule ordering numbers are displayed in the details pane of the Firewall Policy node in ISA Server Management.
  • From—Displays the source network from which the traffic is initiated.
  • To—Displays the destination network to which the traffic is sent.
  • Network Rule Name—Specifies the name of the network rule used.
  • Network Relationship—Specifies the network relationship in the policy rule as either network address translation (NAT) or Route.
  • Protocol—Specifies the protocol used to establish the connection (for example, HTTP).
  • Rule Application Filters—Lists the application filter types defined in the rule that handled the request.

Simulating traffic scenarios

To run the traffic simulation, first configure the traffic scenario settings, as follows.

To simulate traffic for Web proxy access to the Internet

  1. In the ISA Server Management console, in the Troubleshooting node, click the Traffic Simulator tab.

  2. In Simulation Scenarios, click Web access.

  3. In Source Parameters, configure the source request settings.

  4. Select whether traffic is to be sent from an anonymous or an authenticated user. For authenticated users, in Namespace, select Windows or RADIUS.

  5. In Destination Parameters, in the URL box, type the URL address of the target site. If the rule is configured to apply to any domain, you can specify an IP address or a URL.

  6. In Server, select the server from which you are running the traffic simulator.

  7. Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.

  8. Click Start.

  9. If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario on the Diagnostic Logging tab.

    [Figure: Traffic Simulator for Web Access]

To simulate traffic for a non-HTTP access connection

  1. In the ISA Server Management console, in the Troubleshooting node, click the Traffic Simulator tab.

  2. In Simulation Scenarios, click Non-Web access.

  3. In the IP address box, enter the network IP address of the source server.

  4. In Destination/Source Parameters, configure the request settings.

  5. In Server, select the server from which you are running the traffic simulator.

  6. Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.

  7. Click Start.

  8. If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario on the Diagnostic Logging tab.

    [Figure: Traffic Simulator for Non-Web Access]

To simulate traffic to a published Web server

  1. In the ISA Server Management console, in the Troubleshooting node, click the Traffic Simulator tab.

  2. In Simulation Scenarios, click Web publishing.

  3. In Source Parameters, configure the source request settings.

  4. In Destination Parameters, in the URL box, type the URL address of the target site. If the rule is configured to apply to any domain, you can specify an IP address or a URL.

    Note

    The URL is the one published by ISA Server, as specified on the Public Name tab. ISA Server must be able to resolve it to its external IP address; otherwise, the simulation fails.

  5. In Server, select the server from which you are running the traffic simulator.

  6. Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.

  7. Click Start.

  8. If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario on the Diagnostic Logging tab.

    [Figure: Traffic Simulator for Web Publishing]

To simulate traffic to a non-HTTP published server

  1. In the ISA Server Management console, in the Troubleshooting node, click the Traffic Simulator tab.

  2. In Simulation Scenarios, click Server Publishing.

  3. In the Destination/Source Parameters box, configure the request settings.

  4. In Server, select the server from which you are running the traffic simulator.

  5. Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.

  6. Click Start.

  7. If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario on the Diagnostic Logging tab.

    [Figure: Traffic Simulator for Non-Web Publishing]

Diagnostic logging

Diagnostic logging tracks the behavior of policy components in ISA Server. It enhances traditional log information by tracing the flow of a specific packet. It reports on packet progress and provides information about traffic handling and rule matching. Diagnostic logging can be configured and viewed on the Diagnostic Logging tab of the Troubleshooting node in ISA Server Management. When diagnostic logging is enabled, it automatically logs events for firewall policy access and authentication issues.

For more information about diagnostic logging, see Using diagnostic logging.

Configuring diagnostic logging

You can use diagnostic logging as follows:

  • Enable diagnostic logging to capture information about all traffic packets processed. Information is captured until diagnostic logging is turned off or size limits are reached. You can configure log limit and timeout values, and you can delete events in the log.
  • To run diagnostic logging remotely, you must add the remote computer to the array-level system policy rule “Allow remote management from selected computers using MMC”. Errors may appear if this is not done.

To enable and disable diagnostic logging

  1. In the ISA Server Management console, in the Troubleshooting node, click the Diagnostic Logging tab.

  2. On the Tasks tab, click Enable Diagnostic Logging to turn logging on.

  3. To turn logging off, click Disable Diagnostic Logging.

    Note

    Disable diagnostic logging when not required. If enabled for an extended period, ISA Server performance might be affected.

The following limits are imposed in diagnostic logging:

  • The default maximum number of entries for a query is 10,000.
  • There is a maximum timeout of 30 seconds for the query execution. If the query did not complete before the timeout, an error is displayed. Before you rerun the query, modify the filter.

Limits can be modified by using the registry as follows.

To configure diagnostic logging limits

  1. Click Start and then Run. In the Run dialog box, type regedit.

  2. Navigate to the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft

  3. Right-click Microsoft, and then create the following key if it does not exist: RAT\Stingray\Debug\UI

  4. To specify the maximum number of entries that the query should handle and the timeout value, do the following:

    1. Right-click UI, click New, and then click DWORD (32-bit).
    2. Create the following value: DIALOG_QUERY_MAX_RECORDS
    3. In DIALOG_QUERY_MAX_RECORDS, specify a maximum value for the number of entries that can be handled by the query.
    4. Create the following value: DIAGLOG_DLVIEWER_TIMEOUT
    5. In DIAGLOG_DLVIEWER_TIMEOUT, specify the query timeout value.

    Important

    This article contains information about how to modify the registry. Make sure to back up the registry before you modify it, and make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see Description of the Microsoft Windows registry (https://support.microsoft.com/kb/256986/).
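The registry procedure above, carried out from PowerShell with the backup step included: this is an added example, not part of ISA Server or of this document. It assumes the key path and the two DWORD value names exactly as given in the steps above, treats the timeout as a number of seconds (matching the 30-second default stated earlier), and uses 20,000 entries and 60 seconds as illustrative values.

```powershell
# Added example (not ISA Server code): set the diagnostic logging query limits named in
# the procedure above, exporting the key first so the change can be rolled back.
# Assumptions: run in an elevated PowerShell session on the ISA Server computer; the
# value names and key path are taken from this document; the numbers are illustrative.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\RAT\Stingray\Debug\UI'
$regExport = 'HKLM\SOFTWARE\Microsoft\RAT\Stingray\Debug\UI'   # same key, reg.exe syntax
$backup    = Join-Path $env:TEMP ('ISA-DiagLog-UI-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# 1. Back up the existing key before modifying it (only possible if it already exists).
if (Test-Path $keyPath) {
    reg.exe export $regExport $backup /y | Out-Null
    Write-Host "Existing key exported to $backup"
} else {
    # 2. Create the key; -Force also creates the missing RAT\Stingray\Debug parents.
    New-Item -Path $keyPath -Force | Out-Null
    Write-Host "Created $keyPath"
}

# 3. Write both limits as 32-bit DWORD values. Defaults from the document: 10,000 entries
#    and a 30-second timeout; the timeout unit is assumed to be seconds.
$limits = [ordered]@{
    DIALOG_QUERY_MAX_RECORDS = 20000
    DIAGLOG_DLVIEWER_TIMEOUT = 60
}
foreach ($name in $limits.Keys) {
    New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord `
                     -Value $limits[$name] -Force | Out-Null
}

# 4. Read the values back so the change is verified rather than assumed.
Get-ItemProperty -Path $keyPath |
    Select-Object DIALOG_QUERY_MAX_RECORDS, DIAGLOG_DLVIEWER_TIMEOUT
```

To roll back, double-click the exported .reg file or run reg.exe import with its path.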

Delete events from the diagnostic log as follows.

To delete diagnostic logging events

  1. In the ISA Server Management console, in the Troubleshooting node, click the Diagnostic Logging tab.

  2. On the Tasks tab, click Delete Diagnostic Log. Events are deleted from the diagnostic log and no longer appear in the event viewer or the output pane.

To run diagnostic logging remotely, add the remote management computer to the required system policy rule in ISA Server as follows.

To add a remote management computer to the remote management system policy rule

  1. In the ISA Server Management console, in the Firewall Policy node, double-click the system policy rule Allow remote management from selected computers using MMC.

  2. On the From tab, select Remote Management Computers, and then click Edit.

  3. Verify that the name of the remote management computer is included in the computer set. If not included, add the remote management computer.

  4. Click OK.

Filtering the diagnostic log

Diagnostic logging events can be filtered and searched for specific information. You can filter for a specific request and query the results of traffic simulator output.

Important

To distinguish the current view of the diagnostic logging events, the top section of the logging results pane displays a status line that includes the following details:

  • Server
  • Context ID
  • Message Contains

A context ID is a random 8-digit hex number that represents an ISA Server operation such as: a TCP or UDP connection, an HTTP session or request, or a virtual private network (VPN) client connection. When you run the traffic simulator and select to view the diagnostic logging, the context ID is displayed automatically in the diagnostic logging results pane. If you need to identify a context ID manually, do the following:

To identify a context ID

  1. In the ISA Server Management console, click the Monitoring node.

  2. Click Start Query to start logging without filtering on specific criteria.

  3. To filter using specific criteria click Edit Filter to specify that the query should run with specific parameters such as Rule or Destination IP. Then click Start Query to start logging based on filter criteria.

  4. By default, the unique ID of a request is not displayed in ISA Server Management. To display it, right-click one of the column headings for the log entries, and then click Add/Remove Columns.

  5. In the Available Columns list, select Filter Information, and then click Add.

  6. When Filter Information appears in the Displayed Columns list, click OK to close the Add/Remove Columns dialog box.

  7. In the Filter Information properties displayed for the rule, make a note of the Req ID property for the required rule. This is the context ID.

To filter for diagnostic logging events

  1. In the ISA Server Management console, in the Troubleshooting node, click the Diagnostic Logging tab.

  2. To filter by message string, in the Message contains box, enter the message string that is contained in the message of the event log.

    Note

    The query on the message string matches the whole phrase, even if it contains spaces. For example, if the string in Message contains is "Hello World", the query searches for the whole string "Hello World" and not for "Hello" and "World" separately.

  3. To filter by context, in the Context contains box, enter the context ID of the event log you are searching. The Context IDs that are generated from the traffic simulator have the prefix FFF.

    Note

    You can filter by one or both options.

  4. In Server, select the server whose events you want to view.

    [Figure: Diagnostic Logging Viewer]

Improvements to existing features

Several ISA Server 2006 features have been modified in ISA Server 2006 SP1. The changes in these features are described in this section.

Multicast support for integrated NLB

Previous versions of ISA Server supported integrated NLB in unicast mode only. Multicast was only available without integrated NLB mode. However, in non-integrated mode bi-directional affinity (BDA) was not available.

In unicast mode, ISA Server designates a single virtual IP address for the computers in an NLB cluster, and the NLB driver assigns one shared unicast MAC address to all of them for use by that virtual IP address. Because every computer in the cluster shares the same MAC address, the switch cannot associate that address with a single port, so incoming traffic is sent to all ports on the switch. This causes switch flooding. In multicast mode, NLB designates a multicast MAC address to all computers in the cluster. Multicast combined with Internet Group Management Protocol (IGMP) prevents all ports from being flooded.

ISA Server 2006 SP1 adds support for unicast, multicast, and multicast with IGMP modes.

For configuration steps and more information, see An update enables multicast operations for ISA Server integrated NLB (https://support.microsoft.com/kb/938550/en-us).

Kerberos constrained delegation (KCD) authentication allowed in a cross domain environment

Credentials from users located in a different domain than the ISA Server, but in the same forest can now be delegated to an internal published Web site when using KCD.

For more information, see A user cannot access a Web site that is published in ISA Server 2006 by using Kerberos constrained delegation if the user is not in the same domain as the ISA Server computer (https://support.microsoft.com/kb/942637/en-us).

Secondary client certificate validation without mapping to Active Directory

Client certificates used as the secondary authentication method with forms-based authentication (FBA) in ISA Server no longer need to be validated against an Active Directory® user account. Previously in this scenario, ISA Server had to be a domain member, and the administrator had to ensure that each client certificate was mapped to a user account in Active Directory. Such authentication was available only when ISA Server was in the domain and FBA with Active Directory was configured as the primary authentication method. With the new option, an ISA Server computer in a workgroup can accept client certificates issued by any certification authority (CA) whose certificate is present in the local computer Trusted Root Certification Authorities store. If you limit the trusted roots to your enterprise CA only, ISA Server accepts only users who were issued a client certificate by your organization.

Note

Client certificate mapping to Active Directory user account is still possible and functions as it did prior to SP1. With SP1, you also have the option to authenticate client certificates without mapping.

Note

This new feature is limited to scenarios where client certificate authentication is used as a secondary authentication method with forms-based authentication (FBA). If client certificates are used as the primary authentication method, ISA Server must still be a domain member to satisfy this authentication method.

Support for use of server certificates containing multiple Subject Alternative Name (SAN) entries

Certificates with multiple SAN entries are now supported.

Previously, ISA Server was able to use only either the subject name (common name) of a server certificate or the first entry in the SAN list. For more information about this limitation, see the blog post Certificates with Multiple SAN Entries May Break ISA Server Web Publishing.

RSA SecurID supports public timeout

For RSA SecurID authentication, a new form has been introduced that gives the user the option to select a public or private session timeout. Previously, SecurID authentication offered only a public session timeout.

Improve Web publishing load balancing cookie handling

In the cookie, ISA Server now saves the domain of the server to which the user is connected. Even if there are two separate rules for the same server farm, the user is not redirected to another server within the farm. A fix for this issue was previously included in a private hotfix. For more information, see ISA Server 2006 may forward requests to an incorrect Web server when a client computer accesses Web sites that have different public names in the same session (945224).

Filtering RPC traffic by UUID

You can now filter remote procedure call (RPC) traffic by universally unique identifier (UUID) in an access rule. Previously, an access rule for RPC traffic could not be restricted to particular UUIDs.

The RPC-filtered protocol can be added to the protocols list by selecting New RPC protocol in the Protocols option in Toolbox. You can then add the UUIDs to which client traffic is restricted.

A fix for this issue was previously included in a private hotfix. For more information, see You cannot filter the RPC traffic based on universally unique identifiers (UUID) by using an access rule in ISA Server 2006 (943212).

Alert improvements

Alert improvements include the following.

New alert for logging failure

A new alert, Long Write Time Excessive, indicates when ISA Server logging fails. By default, if the logging process takes longer than 15 seconds, this alert is generated.

New alert for exceeding virtual memory threshold of the Microsoft Firewall service

A new alert has been created that monitors the amount of virtual memory consumed by the WSPSRV process (the Microsoft Firewall service). By default, the monitoring is off. To enable it, configure the virtual memory threshold through the registry. When the virtual memory used by the WSPSRV process exceeds the specified threshold, the alert is triggered. On the Actions tab of the Alert Actions dialog box, you can configure the alert to stop and then start the service.

For more information, see An ISA Server 2006 computer may stop responding under a heavy load (941296).

New performance counter

A performance counter has been added to measure the kilobytes per second for HTTP and HTTPS requests and responses. The counter helps administrators identify where the processing of HTTP and HTTPS requests and responses can be improved. The counter filters out noise, such as a remote or underpowered Web server that responds too slowly, or extremely large responses such as large files or RPC over HTTP.

The following script shows how the boundaries used by the performance counter are configured.

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE
' ENTIRE RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE
' REMAINS WITH THE USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR
' WITHOUT MODIFICATION, IS HEREBY PERMITTED.
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"

SetValue "RequestProcessingTimeLowBoundary", 5 ' milliseconds
SetValue "RequestProcessingTimeHighBoundary", 200 ' milliseconds
SetValue "RequestSizeLowBoundary", 0 ' bytes
SetValue "RequestSizeHighBoundary", 5000 ' bytes

Sub SetValue(paramName, newValue)

    ' Create the root object.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    'Declare the other objects needed.
    Dim isaArray    ' An FPCArray object
    Dim vendorSets  ' An FPCVendorParametersSets collection
    Dim vendorSet   ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and the vendor parameters set of the array object.
    Set isaArray = root.GetContainingArray()
    Set vendorSets = isaArray.VendorParametersSets

    On Error Resume Next
    Set vendorSet = vendorSets.Item(SE_VPS_GUID)
    If Err.Number <> 0 Then
        Err.Clear

        ' Add the vendor parameters set.
        Set vendorSet = vendorSets.Add(SE_VPS_GUID)
        CheckError
        WScript.Echo "The vendor parameters set " & vendorSet.Name _
            & " was added."
    Else
        WScript.Echo "The value " & paramName & " = " _
            & vendorSet.Value(paramName) & " was found."
    End If

    If vendorSet.Value(paramName) <> newValue Then
        Err.Clear
        vendorSet.Value(paramName) = newValue
        If Err.Number <> 0 Then
            CheckError
        Else
            vendorSets.Save False, True
            CheckError
            If Err.Number = 0 Then
                WScript.Echo "The new value for " & paramName _
                    & " was saved."
            End If
        End If
    Else
        WScript.Echo "No change is needed for " & paramName & "."
    End If
End Sub

Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " _
            & Err.Description
        Err.Clear
    End If
End Sub
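After running the configuration script above, an administrator will usually want to confirm that the four boundary values were actually persisted to the array's vendor parameters set. The following PowerShell script is an added example (not from the ISA Server documentation) that reads the values back through the same FPC.Root COM object, GetContainingArray() method, VendorParametersSets collection, and Value property that the script above uses; the expected values are the ones the script sets, and the GUID is the one declared as SE_VPS_GUID above.

```powershell
# Added example, not from the ISA Server documentation: read back the
# performance counter boundaries stored in the array's vendor parameters set
# and compare them with the values the configuration script is expected to set.
$SeVpsGuid = '{143F5698-103B-12D4-FF34-1F34767DEabc}'   # SE_VPS_GUID from the script above

# Expected values, taken from the SetValue calls in the script above.
$Expected = @{
    'RequestProcessingTimeLowBoundary'  = 5      # milliseconds
    'RequestProcessingTimeHighBoundary' = 200    # milliseconds
    'RequestSizeLowBoundary'            = 0      # bytes
    'RequestSizeHighBoundary'           = 5000   # bytes
}

function Test-PerfCounterBoundaries {
    param([string]$Guid, [hashtable]$ExpectedValues)

    $root      = New-Object -ComObject FPC.Root
    $isaArray  = $root.GetContainingArray()
    $vendorSets = $isaArray.VendorParametersSets

    # Item() throws if the set has never been created; report that as a
    # single failure rather than letting each lookup fail separately.
    try {
        $vendorSet = $vendorSets.Item($Guid)
    } catch {
        Write-Output "Vendor parameters set $Guid was not found; the script has not been run."
        return $false
    }

    $allMatch = $true
    foreach ($name in $ExpectedValues.Keys) {
        # Parameterized COM properties are called like methods from PowerShell.
        $actual = $vendorSet.Value($name)
        if ([string]$actual -eq [string]$ExpectedValues[$name]) {
            Write-Output ("OK       {0} = {1}" -f $name, $actual)
        } else {
            Write-Output ("MISMATCH {0} = {1} (expected {2})" -f $name, $actual, $ExpectedValues[$name])
            $allMatch = $false
        }
    }
    return $allMatch
}

$result = Test-PerfCounterBoundaries -Guid $SeVpsGuid -ExpectedValues $Expected
Write-Output ("All boundaries match: {0}" -f $result)
```

The comparison is done on string forms because the COM property returns a Variant whose numeric type may differ from the literals in the hashtable; the script must run on the ISA Server computer (or a computer with the ISA Server management components installed) where the FPC.Root COM object is registered.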