ISA Server UDP NetBIOS Protocol Delete Tool (816996)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000
  • Microsoft Internet Security and Acceleration Server 2000 SP1

SYMPTOMS

An Internet Security and Acceleration (ISA) Server 2000-based computer may stop passing internal client traffic to the Internet. The problem can occur while the server is processing large numbers of outbound NetBIOS UDP packets.

Symptoms include the following:
  • Internal clients may not be able to reach the Internet.
  • The ISA Server computer may show unusually high, sustained CPU use.
  • When you run netstat.exe -an on the ISA Server computer, the results may indicate a very high number of UDP ports in use.
  • The Microsoft Firewall service (Wspsrv.exe) may show a growth in non-paged pool memory.
  • ISA Server firewall logs and network traces may show that an internal client is sending a high number of NetBIOS Adapter Status queries to hosts on the Internet.

CAUSE

This problem can be caused by malicious code that is running on an internal secure network address translation (SecureNAT) client and that sends large amounts of NetBIOS traffic through the ISA Server computer. SecureNAT clients are client computers that do not have the ISA Server Firewall Client program installed.

The client may be infected by a virus. Remove the virus, if it exists. You can obtain virus support from your antivirus program vendor or from Microsoft.

RESOLUTION

To resolve this issue, Microsoft recommends the following steps:
  1. Stop the internal client from sending the unnecessary NetBIOS traffic to the ISA Server computer. It is highly recommended that you do a complete virus scan on all maliciously behaving clients.

    You can use the ISA Server firewall logs to identify the offending client IP address or addresses. The firewall logs are named FW???????.log and are located in the C:\Program Files\Microsoft ISA Server\ISALogs folder.

    Look for entries that have the UDP protocol and destination port 137, and note the client source IP address of each entry. A client that has many repeated entries of this kind, particularly to many different destination hosts, is a likely offender. The following firewall log excerpts show what such entries look like:

    Failed (rejected) requests from SecureNAT client (sc-result=20001):
    192.168.66.11 - - 2003-04-08 16:48:04 ISASERVER - - - 60287 - - 0 UDP Bind 20001 2 253

    Failed (rejected) requests from SecureNAT client (sc-result=20000, but sc-bytes=0 and cs-bytes=0):
    192.168.66.11 - - 2003-04-08 16:48:04 ISASERVER - 192.168.137.254 137 60277 - - 137 UDP UdpMap 20000 2 253

    Successful (allowed) requests from SecureNAT client (sc-result=20000):
    192.168.66.11 - - 2003-04-08 16:45:39 ISASERVER - 192.168.137.254 137 - - - 137 UDP UdpMap 0 2 253
    192.168.66.11 - - 2003-04-08 16:45:53 ISASERVER - 192.168.137.254 137 13720 4 - 137 UDP UdpMap 20000 2 253

    Successful requests from Firewall client:
    192.168.66.11 Administrator sl.exe:3:5.0 2003-04-08 16:41:58 ISASERVER - 192.168.137.254 1 - - - 1 UDP UdpMap 0 52 25401
    192.168.66.11 Administrator sl.exe:3:5.0 2003-04-08 16:41:58 ISASERVER - 192.168.137.254 1 - - - 1 UDP UdpMap 20000 52 25401
  2. Use the ISA Server UDP NetBIOS Protocol Delete Tool to protect your ISA Server computer from this behavior. The tool removes the default protocol definitions for NetBIOS over UDP. Because SecureNAT clients can only use protocols that are defined in ISA Server, removing these definitions stops the ISA Server computer from creating UDP mappings for this traffic. Typically, these protocols are not needed with ISA Server.
To obtain the Isanbdel.vbs tool, call Microsoft Product Support Services.
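The log triage in step 1, as an added example that is not part of the original article or of the Isanbdel.vbs tool: a Python script that parses firewall log entries in the format shown above, counts UDP port 137 requests per client source IP, applies the article's two rejection signatures (sc-result 20001, or 20000 with zero bytes in both directions), and flags clients that spray many requests at many destination hosts. The 18-column layout is an assumption inferred from the sample entries (the article does not name the columns), the sample log lines are constructed for this example, and the thresholds in suspicious_clients are assumed values to tune for your own log volume.

```python
"""Triage ISA Server 2000 firewall logs for clients spraying NetBIOS Name
Service (UDP 137) queries.  Added example, not part of KB 816996.

Assumed column layout: 18 whitespace-separated fields, inferred from the
sample entries in the article (the article does not name the columns):
  c-ip cs-username c-agent date time s-computername cs-referred r-ip r-port
  time-taken cs-bytes sc-bytes cs-protocol cs-transport s-operation
  sc-result rule1 rule2
A '-' means "no value" and is read as 0 in numeric fields.
"""
from collections import defaultdict

FIELDS = (
    "c_ip", "cs_username", "c_agent", "date", "time", "s_computername",
    "cs_referred", "r_ip", "r_port", "time_taken", "cs_bytes", "sc_bytes",
    "cs_protocol", "cs_transport", "s_operation", "sc_result", "rule1", "rule2",
)
NUMERIC = ("r_port", "time_taken", "cs_bytes", "sc_bytes", "sc_result")
NBNS_PORT = 137

# Constructed sample log (not a real capture).  192.168.66.11 behaves like the
# infected SecureNAT client in the article: repeated UDP/137 requests to several
# hosts.  192.168.66.20 does one WINS lookup and some HTTP, which is normal.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
192.168.66.11 - - 2003-04-08 16:45:39 ISASERVER - 192.168.137.254 137 - - - 137 UDP UdpMap 0 2 253
192.168.66.11 - - 2003-04-08 16:45:53 ISASERVER - 192.168.137.254 137 13720 4 - 137 UDP UdpMap 20000 2 253
192.168.66.11 - - 2003-04-08 16:48:04 ISASERVER - 198.51.100.7 137 60277 - - 137 UDP UdpMap 20000 2 253
192.168.66.11 - - 2003-04-08 16:48:04 ISASERVER - 198.51.100.8 137 60277 - - 137 UDP UdpMap 20000 2 253
192.168.66.11 - - 2003-04-08 16:48:05 ISASERVER - 198.51.100.9 137 - - - 137 UDP UdpMap 0 2 253
192.168.66.11 - - 2003-04-08 16:48:04 ISASERVER - - - 60287 - - 0 UDP Bind 20001 2 253
192.168.66.20 - - 2003-04-08 16:50:00 ISASERVER - 192.168.137.254 137 15 50 62 137 UDP UdpMap 20000 2 253
192.168.66.20 - - 2003-04-08 16:50:01 ISASERVER - 203.0.113.5 80 120 400 2200 80 TCP Connect 20000 2 253
"""


def parse_line(line):
    """Return a dict for one log entry, or None for headers, comments and short lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    for key in NUMERIC:
        rec[key] = 0 if rec[key] == "-" else int(rec[key])
    return rec


def is_rejected(rec):
    """The article's two rejection signatures: sc-result 20001, or sc-result
    20000 with no bytes in either direction."""
    if rec["sc_result"] == 20001:
        return True
    return rec["sc_result"] == 20000 and rec["cs_bytes"] == 0 and rec["sc_bytes"] == 0


def nbns_by_client(log_text):
    """Per client IP: number of UDP/137 requests, how many were rejected,
    and the set of destination hosts they were sent to."""
    stats = defaultdict(lambda: {"requests": 0, "rejected": 0, "dest_hosts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["cs_transport"] != "UDP" or rec["r_port"] != NBNS_PORT:
            continue
        entry = stats[rec["c_ip"]]
        entry["requests"] += 1
        entry["dest_hosts"].add(rec["r_ip"])
        if is_rejected(rec):
            entry["rejected"] += 1
    return dict(stats)


def suspicious_clients(log_text, min_requests=3, min_dest_hosts=2):
    """Client IPs with at least min_requests UDP/137 entries spread over at
    least min_dest_hosts destinations.  The thresholds are assumed values;
    tune them so that a single WINS lookup never trips them."""
    return sorted(
        ip for ip, s in nbns_by_client(log_text).items()
        if s["requests"] >= min_requests and len(s["dest_hosts"]) >= min_dest_hosts
    )


if __name__ == "__main__":
    for ip, s in sorted(nbns_by_client(SAMPLE_LOG).items()):
        print(f"{ip}: {s['requests']} UDP/137 requests, {s['rejected']} rejected, "
              f"{len(s['dest_hosts'])} destination hosts")
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

To run it against a real log, replace SAMPLE_LOG with the contents of the FW???????.log files for the period in question; the script deliberately counts both allowed and rejected entries, because a client that is being rejected is still generating the load that the SYMPTOMS section describes.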

Note For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

Note Microsoft recommends that you back up your ISA Server configuration before you do the following steps.

For standalone ISA Server computers, you must follow these steps on each computer:
  1. Double-click Isanbdel.vbs.
  2. Follow the onscreen instructions.
  3. Restart the Microsoft Firewall service. For additional information about how to control ISA Server services, click the following article number to view the article in the Microsoft Knowledge Base:

    300879 HOW TO: Stop an ISA Server Service by Using a Command-Line Prompt

For computers that are running ISA Server Enterprise Edition in array mode, run the following steps only one time. Run these steps on any one array member, regardless of the number of arrays in the enterprise:
  1. Double-click Isanbdel.vbs.
  2. Follow the onscreen instructions.
  3. Initiate Active Directory replication, and then wait for the replication to be completed successfully.
  4. Restart the Microsoft Firewall service on each ISA Server computer in the enterprise. For additional information about how to control ISA Server services, click the following article number to view the article in the Microsoft Knowledge Base:

    300879 HOW TO: Stop an ISA Server Service by Using a Command-Line Prompt

MORE INFORMATION

The script works on both standalone installations of ISA Server and computers that are running ISA Server Enterprise Edition in array mode. It adjusts the local registry or the domain Active Directory as needed. The script removes the default protocol definitions for NetBIOS Name Service (UDP 137) and NetBIOS Datagram (UDP 138). To prevent configuration conflicts, the tool also removes any protocol rules that use these definitions.

You can manually re-create the NetBIOS UDP protocol definitions. To do this, add the following two protocol definitions:
  • Name: NetBIOS Name Service
    Port: 137
    Protocol: UDP
    Direction: Send Receive
  • Name: NetBIOS Datagram
    Port: 138
    Protocol: UDP
    Direction: Send
Note If you add these protocol definitions again, the problem described in this article may reoccur.

Take special care if you have Windows Internet Name Service (WINS) servers on the external side of ISA Server. If you remove the NetBIOS UDP protocols, internal SecureNAT and Firewall clients cannot perform WINS queries against external WINS servers. In the majority of configurations, WINS servers are located only on internal networks.

If a protocol rule has the All IP Traffic protocol enabled, Firewall clients can still use the deleted protocols, even after you run the ISA Server UDP NetBIOS Protocol Delete Tool. If you have Firewall clients in your environment, Microsoft recommends that you do not use this protocol rule. Instead, allow access to only the specific protocols that your users require.

Important The protocol All IP Traffic works differently on SecureNAT client and Firewall clients:
  • For SecureNAT Clients, All IP Traffic allows access to all protocols that are specifically defined in ISA Server.
  • For Firewall clients, All IP Traffic allows access to all protocols, even if they are not explicitly defined in ISA Server.

Modification Type: Minor
Last Reviewed: 3/15/2005
Keywords:kbpending kbbug KB816996