Disabling Socket Pooling


Socket pooling is an IIS feature that allows IIS services to listen on all interfaces, regardless of the IP address you set the service to listen on. Socket pooling doesn't pose a problem for a unihomed server on the internal network. In fact, socket pooling helps to improve IIS performance by allowing all of the IP addresses on the server to share the same set of sockets, which can significantly reduce resource consumption by the services. The problem is that socket pooling is not a good thing when the server is connected to multiple networks and not all of those networks are trusted. This is exactly the situation we usually have with a multihomed ISA server.

The following IIS and Exchange services implement socket pooling:

  • The IIS Web Publishing Service (W3SVC)

  • The IIS FTP Publishing Service (MSFTPSVC)

  • The IIS Simple Mail Transport Protocol (SMTP) Service (SMTPSVC)

  • The IIS Network News Transport Protocol (NNTP) Service (NNTPSVC)

  • The Exchange 2000 Post Office Protocol (POP3) Service (POP3SVC)

  • The Exchange 2000 Internet Mail Access Protocol 4 (IMAP4) Service (IMAP4SVC)

If you run any of these services on the ISA Server machine, you should always disable socket pooling for that service and configure it to listen only on the ISA server's internal interface. Alternately, you can disable IIS services on the ISA.

Note

We recommend that you disable the IIS services on the ISA server. When properly configured, the ISA Server Firewall and Web Proxy services confer a high level of security against external network attacks. Adding services to the ISA server creates portals of attack that Internet criminals can use to compromise the ISA server and the internal network. Well-known exploits can be aimed against any of the IIS services and potentially disable security provided by the ISA Server software or create a denial-of-service (DoS) condition. The IIS Web Publishing Service is especially problematic in this regard. Although we will spend quite a bit of time discussing methods you can use to publish services on the ISA server itself, never do so unless budgetary constraints prevent you from purchasing a dedicated ISA Server computer. You obtain a level of security based on how much money you can spend.

How do you know if socket pooling is enabled on the ISA server? You can use the netstat –na command to list all the active listening ports. Note that just because a port is listening doesn't mean that anyone can connect to it. If you enabled packet filtering on the ISA server, none of the listeners on the external interface are available unless you explicitly create a publishing rule or packet filter allowing access to the socket (a socket is a combination of a TCP or UDP port number and an IP address).

Figure 27.1 shows the results of a netstat –na before disabling socket pooling. Notice in the Local Address column the entries for IP address 0.0.0.0. Those entries indicate that the associated port is listening on all IP addresses. A large number of services are listening on all IP addresses. We need to disable socket pooling to prevent the server from listening on TCP ports 21 (FTP), 25 (SMTP), 80 (HTTP), and 119 (NNTP) for all interfaces.

Figure 27.1: Results of netstat –na Before Disabling Socket Pooling

Note that TCP 42 (WINS) and UDP 53 (DNS Query) are also listening on all interfaces. The TCP 42 entry indicates that a WINS server is installed on this ISA server (something that we should disable before bringing the server into production), and UDP 53 indicates that a DNS server is installed on this machine. There aren't any contraindications to running a DNS server on the ISA server, but you should configure the DNS service to listen on the internal interface only. You can change the DNS service's listening address in the server's Properties dialog box in the DNS console.
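As an added check that is not part of the book, the script below parses saved netstat –na output and reports which of the services named above are bound to 0.0.0.0 (all interfaces) rather than to the internal address; the two netstat listings are constructed samples, and the service-to-port table is an assumption based on the standard ports.

```python
"""Flag IIS/Exchange services on an ISA server that listen on all interfaces."""
import re

# Ports of the services the chapter lists, keyed by (protocol, port).
# Assumed standard ports; adjust if a virtual server uses a non-default port.
SERVICE_PORTS = {
    ("TCP", 21): "FTP (MSFTPSVC)",
    ("TCP", 25): "SMTP (SMTPSVC)",
    ("TCP", 80): "HTTP (W3SVC)",
    ("TCP", 119): "NNTP (NNTPSVC)",
    ("TCP", 110): "POP3 (POP3SVC)",
    ("TCP", 143): "IMAP4 (IMAP4SVC)",
    ("TCP", 42): "WINS replication",
    ("UDP", 53): "DNS queries",
}

# One netstat -na row: proto, local ip:port, foreign address, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return (proto, local_ip, port) for every listening socket.

    TCP rows count only when in LISTENING state; every UDP row is a listener.
    """
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank, or "Active Connections" line
        proto, ip, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append((proto, ip, int(port)))
    return listeners


def wildcard_listeners(netstat_text, ports=SERVICE_PORTS):
    """Map each watched (proto, port) bound to 0.0.0.0 to its service name."""
    return {
        (proto, port): ports[(proto, port)]
        for proto, ip, port in parse_listeners(netstat_text)
        if ip == "0.0.0.0" and (proto, port) in ports
    }


# Constructed sample: before disabling socket pooling (compare Figure 27.1).
BEFORE = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:42             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:119            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:80            10.0.0.55:1044         ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""

# Constructed sample: after disabling pooling and binding Web/FTP to 10.0.0.1.
AFTER = """  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.1:21            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:80            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:42             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:119            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:53             *:*
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for (proto, port), name in sorted(wildcard_listeners(text).items()):
            print(f"{label}: {proto} {port} ({name}) listens on all interfaces")
```

On a live server, pipe `netstat -na` into a file and pass its contents to `wildcard_listeners`; an empty result for the external interface is the goal once the sites are bound to the internal address.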

Disabling Web and FTP Service Socket Pooling

W3SVC and FTP service socket pooling is disabled using the same method. The only difference is the service name you enter in the command line. Perform the following steps to disable FTP and/or Web service socket pooling:

  1. Open a command prompt and navigate to the \Inetpub\Adminscripts\ folder.

  2. Type net stop msftpsvc and press Enter. Type net stop w3svc and press Enter.

  3. Type in the following command: cscript adsutil.vbs set msftpsvc/disablesocketpooling true (to disable FTP service socket pooling) or cscript adsutil.vbs set w3svc/disablesocketpooling true (to disable W3SVC service socket pooling), and then press Enter.

  4. You should see what appears in Figure 27.2.

    Figure 27.2: Disabling Socket Pooling

  5. Restart the W3SVC by running net start w3svc at the command prompt. Restart the FTP service by running net start MSFTPSVC at the command prompt.

If you run a netstat –na again after disabling Web and FTP socket pooling, you'll see that they are still listening on all IP addresses. The reason for this is that the default setting for the built-in FTP and Web sites is to listen on all addresses. Keep in mind that a service can still listen on all IP addresses even if socket pooling is disabled. The difference is that after you disable socket pooling, you then have the option to configure the service to listen on only one IP address. You'll see the services listen only on the address you configure in the IIS console after you go into the IIS console and configure the sites to listen on the internal interface's address.

Figure 27.3 shows what you see after disabling socket pooling for FTP and WWW services, and what happens after configuring the services to use a specific IP address on the internal interface. Notice that immediately after disabling socket pooling, the FTP and Web services continue to listen on 0.0.0.0. You then see that both the FTP and Web services listen on 10.0.0.1 after configuring them to do so in the Internet Information Services console.

Figure 27.3: Running netstat –na After Disabling Socket Pooling

Disabling SMTP and NNTP Service Socket Pooling

You have to use a technique other than the one just discussed to disable socket pooling for the SMTP and NNTP services—why is unclear. In fact, no one seems to have any idea! We won't let this lack of understanding prevent us from disabling socket pooling for these services.

The first thing you need to do is get the mdutil.exe utility. You might be able to find it somewhere on the Microsoft Web site, but you'll always be able to download it at ftp://ftp.tacteam.net/isaserver/mdutil.exe. Perform the following steps after downloading the mdutil.exe utility:

  1. Put the Mdutil.exe executable in the \Inetpub\Adminscripts folder.

  2. Open a command prompt window, change the focus to \Inetpub\Adminscripts, and run the following commands (Figure 27.4):

    Figure 27.4: Disabling SMTP and NNTP Socket Pooling

    • mdutil set -path smtpsvc/1 -value 1 -dtype 1 -prop 1029 -attrib 1 (for the SMTP service)

    • mdutil set -path nntpsvc/1 -value 1 -dtype 1 -prop 1029 -attrib 1 (for the NNTP service)

  3. You will need to run these commands multiple times if you have more than one SMTP or NNTP virtual server. The difference is that you increment the value in nntpsvc/1 and smtpsvc/1 to the next higher value. If you have two SMTP and NNTP virtual servers, the second time you run the commands you would include nntpsvc/2 and smtpsvc/2.

  4. Go to the Internet Information Services console, right-click on the Default SMTP Virtual Server, and click Properties. Change the listening address to the internal interface of the ISA server. Do the same for the NNTP service so that it listens only on the internal IP address.

Disabling IIS Services on the ISA Server

Disabling socket pooling handles the port contention problem, but the real solution is to disable IIS services on the ISA server. We can't emphasize strongly enough how important it is to avoid running IIS services on the ISA server. In addition to increasing your security risks by running the IIS services, one of the most common reasons why publishing rules fail is that the ISA Server administrator has failed to disable socket pooling or the IIS services entirely. Even after almost two years and several hundreds of ISA Server installations, we continue to forget to disable IIS services on the ISA server. It's only after the publishing rules fail that we realize our error!

At one time, we recommended that you uninstall IIS from the ISA Server computer. While this fixes the IIS services problems, it introduces another. There have been several reliable reports of problems installing and uninstalling ISA Server after uninstalling IIS. The only way to install or uninstall ISA Server is to reinstall IIS. There is no compelling reason to uninstall IIS; all you need to do is disable the IIS services.

Perform the following steps to disable the IIS services:

  1. Open the Services console from the Administrative Tools menu.

  2. Double-click on the FTP Publishing Service in the right pane of the Services console.

  3. In the FTP Publishing Service Properties (Local Computer) dialog box, change the Startup type to Manual. You'll still be able to start the service without having to restart the server. If you set the Startup type to Disabled, you will have to change the Startup type to Automatic or Manual and then restart the server to start up the service.

  4. Click Stop to stop the service. Click Apply, and then click OK.

  5. Repeat these steps with the NNTP, SMTP, and WWW publishing services.

You do not need to restart the ISA server for these changes to take effect.

The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240