Release Notes

Microsoft Internet Security and Acceleration Server 2000 with Service Pack 2 (SP2) Release Notes

1.0 Introduction	5.0 Running ISA Server on Windows Server 2003
2.0 Installation	6.0 H.323 Application Filter
3.0 Uninstalling ISA Server SP2	7.0 ISA Server SP2 Bug Fixes
4.0 Firewall Client for ISA Server SP2

1.0 Introduction

Microsoft® Internet Security and Acceleration (ISA) Server 2000 Service Pack 2 (SP2) includes all the hotfixes and security bulletins released for ISA Server 2000, including all those that were released as part of ISA Server Service Pack 1 (SP1). It also includes several additional fixes, available only as part of ISA Server SP2.

The following sections describe ISA Server SP2, also described in Microsoft Knowledge Base (KB) article 816460.

Back to Contents

2.0 Installation

We recommend that you install ISA Server SP2 on every ISA Server computer deployed in your organization, including computers running only ISA Management or the Message Screener.

Before installing ISA Server SP2, make sure the computer is disconnected from the Internet. The computer should remain disconnected from the Internet until the ISA Server SP2 installation is completed successfully. After installation, the computer can be safely connected to the Internet.

To install ISA Server SP2 on ISA Server 2000 Enterprise Edition, you must be logged on with an account that has Domain Administrator privileges.

Follow these instructions to install ISA Server SP2:

Download the ISA Server SP2 self-extracting file from the Web, in the appropriate language as listed in the following table.

Language File Name

English ISASP2-ENU.exe

French ISASP2-FRA.exe

German ISASP2-DEU.exe

Japanese ISASP2-JPN.exe

Spanish ISASP2-ESN.exe
Review the ISA Server SP2 Release Notes.
Run the ISA Server SP2 executable file to begin the installation.
On the Welcome screen, click Next.
In the ISA Server SP2 End-User License Agreement, click I Agree to accept the licensing terms and execute the installation. Then, click Next.
ISA Server will inform you if it must restart any running services. Click Continue.

Language	File Name
English	ISASP2-ENU.exe
French	ISASP2-FRA.exe
German	ISASP2-DEU.exe
Japanese	ISASP2-JPN.exe
Spanish	ISASP2-ESN.exe

Note the following installation issues:

ISA Server SP2 features a new installation tool. You can read more about the installation tool at "Inside Update.exe - The Package Installer for Windows and Windows Components" (http://www.microsoft.com/).
The installation process updates the relevant files and saves the original files in a folder called $ISA2000UninstallServicePack2$, located in the Microsoft Windows folder.
You cannot install ISA Server SP2 on the evaluation version of ISA Server.
You must reinstall ISA Server SP2 after you do any of the following:
- Add or remove ISA Server components
- Install ISA Server Feature Pack 1
- Change ISA Server installation mode
When you install ISA Server SP2 on a computer running Microsoft Windows Server™ 2003, without having previously installed ISA Server SP1, you must manually restart the ISA Server services subsequent to the ISA Server SP2 installation.
If you abort the ISA Server SP2 installation, you must restart the computer before starting another ISA Server SP2 installation.
You should remove ISA Server updates in the reverse order to which they were installed. Otherwise, the uninstallation process will fail.
When installing ISA Server SP2 on a computer running Windows® 2000 Server, you must first install Service Pack 4 (SP4) for Windows 2000 Server.

Back to Contents

3.0 Uninstalling ISA Server SP2

To uninstall ISA Server SP2:

In Control Panel, double-click Add/Remove Programs.
Select Microsoft ISA Server 2000 Service Pack 2 (KB 816460) and click Change/Remove.
Click Next.

Note the following issues when you uninstall ISA Server SP2:

If you uninstall ISA Server SP2 from a computer running Windows Server 2003, be sure to install ISA Server SP1 and hotfix 255, described in Microsoft Knowledge Base (KB) article 331062, "Running ISA Server on Windows Server 2003."
The following files are not removed as part of the ISA Server SP2 uninstallation process: 2r.htm and pathmappingeditor.hta.
When uninstalling ISA Server SP2, a warning message may indicate that some applications may not work properly after uninstalling ISA Server SP2. You can safely ignore the message.

Back to Contents

4.0 Firewall Client for ISA Server SP2

ISA Server SP2 enhances the stability of the Firewall Client software. We recommend that Firewall Client computers be updated with the ISA Server SP2 client fixes.

Firewall Client setup should be run directly from the mspclnt share. If you install from any other location (including using the Add/Remove Control Panel applet), the fixes included in ISA Server SP2 for the Firewall Client will not be installed.

To upgrade Firewall Client to include the ISA Server SP2 fixes:

Install ISA Server SP2 on the ISA Server computer.
On the client machine, run Setup.exe from the client share directory <\\isaserver\mspclnt\setup.exe> and choose Repair.

Back to Contents

5.0 Running ISA Server on Windows Server 2003

The following are known issues when running ISA Server on Windows Server 2003:

ISA Server can be installed on computers running Windows Server 2003. However, the packet filter extension driver in the release version of ISA Server (Mspfltex.sys) is incompatible with computers running a Windows Server 2003 operating system and is blocked from loading during installation. Because ISA Server SP1 includes a compatibility fix for the driver, all error messages related to this issue displayed during installation can be safely ignored. After ISA Server installation, some services will not start. Installing SP1 or ISA Server SP2 implements the driver fix.
SP1 or ISA Server SP2 must be installed prior to upgrading an ISA Server computer running Windows 2000 Server or Windows 2000 Advanced Server to Windows Server 2003.
ISA Server 120-Day Evaluation is only supported on Windows 2000 Server or Windows 2000 Advanced Server at this time. ISA Server 120-Day Evaluation must be uninstalled from any computer running Windows 2000 Server or Windows 2000 Advanced Server prior to upgrading to Windows Server 2003.
If you plan to run ISA Server on computers running Windows Server 2003, ensure that the Internet Connection Firewall (ICF) is disabled when installing ISA Server. The Firewall service cannot start if ICF is enabled. If this condition occurs, an event from the Firewall service indicates that ICF being enabled is a possible reason for the failure of the Firewall service to start. Follow the instructions in the event log to start the Firewall service.
Performance alerts in the ISA Server Performance Monitor snap-in must run in an account which belongs to the Administrators group. By default, Windows Server 2003 performance alerts are configured to run under the Network Service account, which lacks adequate permissions. This can be resolved as follows:
1. Run the ISA Server Performance Monitor.
2. Expand Performance Logs and Alerts, and then click Alerts.
3. In the right pane, right-click an alert, and then click Properties.
4. In the Properties dialog box, click the General tab.
5. In the Run As text box, type the user name of an account which belongs to the Administrators group of the computer, then click the Set Password button.
6. In the Set Password dialog box, type the password, and then click OK.
7. In the Properties dialog box, click OK.

Note:

ISA Server SP2 includes the updates mentioned in ISA Server 2000 Required Updates for Windows Server 2003 (http://www.microsoft.com/). If you install ISA Server SP2, you do not need to install ISA Server hotfix 255, described in Microsoft Knowledge Base (KB) article 331062, "Running ISA Server on Windows Server 2003".

Back to Contents

6.0 H.323 Application Filter

For security reasons, ISA Server SP2 configures the H.323 application filter to stop listening for incoming and outgoing calls. In this way, you minimize the risk of introducing potential vulnerabilities such as those described in Microsoft Security Bulletin MS04-001 (http://www.microsoft.com/). The updates described in the bulletin are included in ISA Server SP2.
You can configure the H.323 application filter settings after you install ISA Server SP2. Perform the following steps:

In ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the name of the applicable array, click Extensions, and then click Application Filters.
In the details pane, right-click H.323 Filter, and then click Properties.
On the Call Control tab, select one or both of the following options, as applicable: Allow incoming calls and Allow outgoing calls.

Back to Contents

7.0 ISA Server SP2 Bug Fixes

ISA Server SP2 includes all ISA Server SP1 bug fixes, as well as bug fixes released subsequent to ISA Server SP1. Fixes included in ISA Server SP1 are listed in ISA Server SP1 Release Notes (http://www.microsoft.com/).

The following table lists the Microsoft Knowledge Base (KB) numbers associated with some of the fixes included in ISA Server SP2:

KB Article	Description
317822	Problems with Web Browser if ISA Server 2000 Is Chained to an Upstream Web Proxy Server
318005	ISA Firewall Service Cannot Start with More Than 85 IP Addresses on the External Network Adapter
319374	Web Proxy Service Stops Responding
321846	Incorrect Canonicalization in Rules Engine
321844	ISA Server May Cause Non-Paged Pool Memory Peaks
323889	Unchecked Buffer in Gopher Protocol Handler Can Run Code of Attacker's Choice
319375	The CERT_CONTEXT Structure Variable Is Not Available for Web Filters in ISA
319376	How to Automatically Authenticate a User Against All Trusted Domains in ISA
326116	Cannot Renew DHCP Assigned IP Address on External ISA Interface
321219	Server Publish May Fail on Dial-up Links
319377	FIX: ISA Server Blocks Incoming Traffic Although a Valid Server Publishing Rule Exists
313318	Cannot Relay Mail Through ISA Server If Authentication Is Required
324642	Macintosh Clients Who Use MAPI Cannot Connect to Exchange 2000 with ISA Server
331064	ISA Reports May Span Unexpected Date Range or Show Incomplete Data
319381	Server-Side Playlists Do Not Work with ISA Server
331062	Running ISA Server on Windows Server 2003
331065	MS03-009: A Problem in the ISA Server DNS Intrusion Detection Filter May Cause Denial of Service
331066	MS03-012: Flaw in Winsock Proxy Service Can Cause Denial of Service
331067	ISA Reports May Contain Negative Numbers in the 'All Others' Row
331068	ISA Firewall Causes Handle Leak in LSASS
331069	Permit URL Path Redirection in Web Publishing Rules
331070	Authentication Does Not Succeed When the User Name Contains a Space
331073	Problems with HTTPS Requests When an ISA Server Computer Is Chained to an Upstream ISA Server Array
816621	Message Screener Causes Handle Leak in Lsass.exe
810559	Slow Responses and Failures When You Use Server Publishing UDP Protocols
810561	RemoveAllProxyAuthorization Not Applied to SSL Tunneling (CONNECT) Requests
810493	Update Rollup for ISA Server Services
813865	Multiple Registered Web Filters in Active Directory Are Handled Incorrectly
813864	Site and Content Rules Do Not Filter Based on File Name Extensions
815051	The Firewall Client Does Not Support the ConnectEx and WSARecvMsg APIs
816454	Proxy Service Logs an Event ID 14146 Message After Link Translation Rules Are Enabled
816456	Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack
816458	MS04-001: A vulnerability in an Internet Security and Acceleration Server 2000 H.323 filter could allow remote code execution
816459	ISA Server 2000 hotfix for invalid FTP PORT command
816828	"Permission Denied" Error Message When You Use Rlogin to Log On to a Server on the Internet
817829	Passive Mode FTP May Break with Multiple IP Addresses on External Interface
818136	Web Proxy Service May Crash When It Processes a Redirect Action
818621	No Links to Navigate Up Through Directory Levels in FTP Sites When Accessed Through Internet Explorer
818821	ISA Firewall Service Stops Responding on DNS Resolution
819962	"414 Request-URI Too Large" Error Message from ISA Server
821098	Content Cache Issues on Downstream ISA Server Computer
821935	ISA Server Web Proxy Service Stops Responding When the CacheConnectSize Registry Value Is Set to 0
822241	ISA Server Web Proxy Service Maintains a Connection After a Client Session Is Closed
821724	Basic Credentials May Be Sent over an External HTTP Connection When SSL Is Required
822970	Cannot Read ISA Server Performance Data by Using an SNMP Program
823261	Web Proxy Service Returns "The User Name Was Not Allowed" Error Message After the FTP Server Returns the "User Logged In" Message
823646	ISA Server Forces CERN FTP Connections to the Root Directory
823359	ISA Server Web Proxy Does Not Append the Domain Name Suffix to the Credentials That Are Passed to an FTP Server
824246	Response That Contains the Cache-Control: s-maxage=0 Header Does Not Expire Immediately
828044	ISA Server Intermittently Stops Responding to Web Proxy Client Requests
829892	You Cannot Connect to External FTP Sites by Using a WRQ Reflection FTP Client through ISA Server 2000
829893	RSA SecurID Cookie Expires Frequently, and Clients Are Repeatedly Prompted to Authenticate
831140	Web content does not appear, or clients receive an "HTTP 502 Proxy Error" message when they try to access external Web sites with ISA Server 2000
831531	Outbound PPTP connections may disconnect after 60 seconds if the ISA Firewall Service is running
832168	SecurID doesn't redirect to the requested page after successful SecurID logon

Back to Contents

Information in this document, including URL and other Internet website references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, people, and events depicted herein are fictitious and no association with any real company, organization, product, person, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft, Active Directory, Outlook, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries/regions.

Back to Contents