ISA in SBS - yes, it's secure

A central location for SBS ISA specific configuration information relevant to small consulting practices and others smart enough to use the best technology in the world.


Monday, October 03, 2005

From Jim Harrison - Add this to your ISA TO DO List

Jim Harrison posted a very useful email on several lists in which he outlines 2 quick registry changes that you'll want to make to improve the performance of your ISA 2004 Server. Here's his text unedited:

- Tired of the ISA sending NetBT broadcasts when DNS lookups fail?

This setting:

HKLM\System\CurrentControlSet\Services\NetBT\Parameters NodeType, DWORD, 0x2

..will cure that.

By setting this to a value of 2, you’re telling Windows to limit its name lookup efforts to defined DNS and WINS servers.

As a result, Windows will no longer wait for NetBT broadcasts to fail before reporting a name lookup failure.

Can you say “faster lookup responses and therefore faster connections (or failures)”, boys and girls?



- MS05-019 fixed an ICMP MTU vulnerability that existed in Windows.

Because the ISA team was aware of this issue before ISA 2004 shipped, they opted to give you a “safe by default” configuration since they had no idea if or when the Windows issue might be fixed.

Unfortunately, it also has the unfortunate side effect of limiting Windows to 576-byte packets on all interfaces, reducing network efficiency.

This setting:

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters EnablePMTUDiscovery, DWORD, 0x0

..is what the ISA installer creates.

This setting:

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters EnablePMTUDiscovery, DWORD, 0x1

..is what will remove this protection (or you can delete the “EnablePMTUDiscovery” value).



Both settings require a machine reboot to take effect.

Both settings will clean up your network traffic a bit.
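To see where a server currently stands on both values before touching anything, here is an added example (not part of Jim Harrison's email or this blog's own code). It assumes PowerShell 2.0 or later is installed on the ISA server and an elevated session; the function name `Test-IsaRegistryTweaks` and its `-Apply` switch are made up for this illustration.

```powershell
# Added example: report (and optionally set) the two values named in the email.
# Assumes PowerShell 2.0+ and an elevated session. Changes need a reboot to take effect.
$Services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$Checks = @(
    @{ Path = "$Services\NetBT\Parameters"; Name = 'NodeType'; Want = 2
       Note = '2 = name lookups limited to defined DNS/WINS servers, no NetBT broadcasts' },
    @{ Path = "$Services\Tcpip\Parameters"; Name = 'EnablePMTUDiscovery'; Want = 1
       Note = '0 = ISA installer default (576-byte packets); 1 or absent removes it' }
)

function Test-IsaRegistryTweaks {
    param([switch]$Apply)   # hypothetical switch: write the wanted value; default is report only
    foreach ($c in $Checks) {
        # A value that does not exist yields $null here instead of an error
        $item    = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $current = $item.($c.Name)
        $state   = if ($null -eq $current) { 'not set' } else { '0x{0:X}' -f $current }

        if ($Apply -and $current -ne $c.Want) {
            # -Force creates the value if it is missing or overwrites an existing one
            New-ItemProperty -Path $c.Path -Name $c.Name -PropertyType DWord `
                             -Value $c.Want -Force | Out-Null
            $state += ' -> 0x{0:X} (reboot required)' -f $c.Want
        }

        New-Object PSObject -Property @{
            Value   = $c.Name
            Current = $state
            Wanted  = '0x{0:X}' -f $c.Want
            Note    = $c.Note
        }
    }
}

# Report only; run "Test-IsaRegistryTweaks -Apply" to write the values
Test-IsaRegistryTweaks | Format-Table Value, Current, Wanted, Note -AutoSize -Wrap
```

A value shown as "not set" simply does not exist yet under that key. Record the current values before using `-Apply` so either change can be reverted if a published service stops working afterwards.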

2 Comments:

At 4:19 AM, Anonymous Anonymous said...

I don't have the first reg key on my ISA server. Do I just create it?

 
At 6:57 AM, Anonymous Anonymous said...

Changing the MTU value disables the OWA from working on the ISA server. Had to change it back to its default.

 
