Welcome to ISAserver.org
ISA 2004 TCP & UDP Timeout Configuration
ISA 2004 TCP & UDP Timeout Configuration - 18.Jul.2007 6:43:41 AM
chris10
Posts: 10
Joined: 12.Aug.2005
Status: offline
Hi,

Does anyone know how to change the WebProxy, TCP, UDP & other protocol timeout values before the ISA drops the packet, specifically with reference to SecureNAT clients?

Most NAT firewalls allow you to change these values for TCP and UDP. Some even have settings that vary depending on whether the session is still in setup stage or has been established. I am interested in how long the sessions stay alive in the NAT table before they are cleared out. This obviously has an effect on 'Connection limit per client (TCP and non-TCP)' in Connection Limits. With the growth of P2P, we see large numbers of attempted connections from impolite P2P clients which can cause Client Connection Limit Alerts to trigger.

The settings I have found are:

1) A 'usual' (TCP?/UDP?/Other?) Timeout of 2 Minutes is alluded to in the following article...

"Generally, if no traffic is received from either end of the connection within two minutes, ISA Server closes the connection and forgets it. This behavior can be changed, but it involves some scripting and ISA COM skills and that's not part of today's discussion."

Anyone have any experience of looking at and editing these Timeouts? Are there different values for TCP and UDP and for established / non-established TCP sessions? What about other protocols such as GRE and ICMP?

2) Web Proxy Filter Timeout. Networks > Internal > WebProxy > Advanced > Connection Timeout...

"Connection timeout...Provides a space to enter the number of seconds before the server disconnects an inactive user."

This is for the WebProxy Filter rather than other TCP & UDP traffic.

3) DNS Filter Timeout. It looks like certain protocol filters (DNS Filter) can override the above 2 minute timeout. It looks like 'ISA Server DNS intrusion detection filter' has a default timeout of 30 seconds, but again I can't monitor or edit this.

4) TCP KeepaliveTime & KeepAliveInterval. I have seen references to this setting in discussions relating to ISA, but I assume this is really for TCP connections initiated by applications or served on the host OS rather than the ISA Firewall.

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime

I have not seen any settings that confirm (or can alter) the TCP and UDP timeouts of the firewall. Does anyone know how this can be configured?

Thanks,
Chris10