• Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out


Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Web Proxy] >> General >> Alerts Page: [1]
Message << Older Topic   Newer Topic >>
Alerts - 29.Jan.2008 4:22:16 AM   


Posts: 4
Joined: 7.Jun.2007
Status: offline
I was wondering if there is anything I need to worry about - when viewing my alerts tab through the ISA2006 console I discover each day,  that there are numerous entries indicating the following: 

Alert Information

Description: The number of TCP connections per minute from the source IP address x.x.x.x exceeded the configured limit. ISA Server will not allow the creation of new TCP connections from this source IP address during a system-defined time period. By default, this time period is 1 min.

This event indicates that this IP address probably belongs to a host that is infected by a worm and attempts to propagate the worm to other vulnerable hosts.

See the product documentation for more information about ISA Server flood resiliency.

1. Is this normal?
2. Should I change the default setting?
Many Thanks,
Post #: 1
RE: Alerts - 29.Jan.2008 11:57:00 AM   


Posts: 216
Joined: 9.Mar.2004
Status: offline
Only chane the default setting if you have a problem that can be improved or resolved by doing so.

In 99% of the time on our ISA Server envrironments (both ISA 2004 & 2006) the connection limit exceeded is realted to SSL-tunneling. 

--begin rant--
And it's failry easy to reproduce, just try doing your taxes online through an ISA Server, or look through your ISAlogs filtering by the offending IP and timeframe that the excessive connection alert occured.  It's more than likely an user just going to an SSL enabled site.  This is easly reproduceable with Internet Explorer, but not so much with firefox.  Just open up https://www.microsoft.com or https://www.comcast.com or most any https:// site that will go through your ISA Sever, and hold down F5 on your keyboard for 20 to 30 seconds, by the way if your client is running as a firewall client (and not web proxy or securenat) the connections are different, because the client connection is made via a different protocol to your ISA Server.
--end rant--

Keep in mind that the connetion limits are on by default for flood resiliency.


< Message edited by abqtech -- 29.Jan.2008 1:04:02 PM >

(in reply to oconnojo)
Post #: 2
RE: Alerts - 15.Feb.2008 3:23:07 PM   


Posts: 321
Joined: 10.Oct.2006
Status: offline
I see the same issue occasionally but have not had any complaints so I just leave the settings alone.  I am using settings recommended in a number of ISA books.

(in reply to abqtech)
Post #: 3

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Web Proxy] >> General >> Alerts Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts