You experience a two minute delay when you access an HTTP Web site from an HTTPS Web site by using Internet Explorer configured as an ISA Server 2004 SP2 Web proxy client (920356)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004 Service Pack 2, when used with:
    • Microsoft Internet Security and Acceleration Server 2004, Standard Edition
    • Microsoft Internet Security and Acceleration Server 2004, Enterprise Edition

SYMPTOMS

When a Microsoft Internet Security and Acceleration (ISA) Server 2004 Web proxy client computer accesses an HTTP Web site from an HTTPS Web site, the Web browser on the client computer stops responding, or "hangs," for approximately two minutes.

For example, consider the following scenario:
  • You visit a URL that resembles the following by using a version of Microsoft Internet Explorer that is configured as a Web proxy client:

    https://contoso.com/login.aspx

  • You enter the correct credentials when you are prompted.
  • The HTTPS Web site directs you to a URL that resembles the following:

    http://contoso.com/index.aspx

In this scenario, Internet Explorer may take approximately two minutes to switch from the HTTPS Web site to the HTTP Web site.

You experience this problem if you are running ISA Server 2004 with ISA Server 2004 Service Pack 2 (SP2) installed.

CAUSE

When Internet Explorer establishes a security tunnel through a Web proxy server, Internet Explorer uses the HTTP CONNECT method. Because this method is an HTTP request for a security tunnel only, ISA Server expects the tunnel to remain established until the client program closes it. Therefore, in response to the HTTP CONNECT request, ISA Server returns the HTTP Connection: Keep-Alive header and the Proxy-Connection: Keep-Alive header. This causes Internet Explorer to determine that this is a Keep-Alive connection for any HTTP request, even though this HTTP request is only to open a security tunnel. Then, because Internet Explorer marks this connection as a Keep-Alive connection for any HTTP request, Internet Explorer uses the connection to communicate by using HTTP instead of HTTPS. When you access a Web site by using HTTP, Internet Explorer first checks to determine whether a Keep-Alive connection exists that it can reuse.

In this situation, Internet Explorer tries to reuse this connection for HTTP traffic because the HTTP Connection: Keep-Alive header and the Proxy-Connection: Keep-Alive header exist in the HTTP response to the HTTP CONNECT request. However, ISA Server cannot reuse this connection for HTTP traffic. Therefore, ISA Server does not respond to the connection for HTTP from Internet Explorer. Then, Internet Explorer waits for two minutes for the connection to time out before Internet Explorer tries to connect to the HTTP Web site over a new connection.
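
The header condition described above can be checked against a captured proxy reply, or against a proxy that you administer. The following Python code is an added example and is not part of the original Microsoft article. The function names and the sample replies are constructed for illustration, and the reply without Keep-Alive headers is an assumption about what a corrected response looks like.

```python
import socket

KEEPALIVE_HEADERS = ("connection", "proxy-connection")

def keepalive_headers_on_connect(raw):
    """Return the Keep-Alive headers found in a 2xx reply to CONNECT.

    A non-empty result is the condition described in CAUSE: the client may
    mark the tunnel as a reusable connection for plain HTTP requests.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response: %r" % lines[0])
    if not 200 <= int(parts[1]) < 300:
        return []  # tunnel was refused, so there is nothing to reuse
    found = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        tokens = [t.strip().lower() for t in value.split(",")]
        if sep and name.strip().lower() in KEEPALIVE_HEADERS and "keep-alive" in tokens:
            found.append(name.strip())
    return found

def probe_proxy(proxy_host, proxy_port, target="contoso.com:443", timeout=10):
    """Send one CONNECT to a proxy you administer and inspect its reply."""
    request = ("CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (target, target)).encode("ascii")
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return keepalive_headers_on_connect(data)

# Constructed sample replies (not captured from a real ISA Server).
REPLY_WITH_KEEPALIVE = (b"HTTP/1.1 200 Connection established\r\n"
                        b"Connection: Keep-Alive\r\n"
                        b"Proxy-Connection: Keep-Alive\r\n\r\n")
REPLY_WITHOUT_KEEPALIVE = b"HTTP/1.1 200 Connection established\r\n\r\n"
REPLY_DENIED = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                b"Proxy-Connection: Keep-Alive\r\n\r\n")

if __name__ == "__main__":
    for reply in (REPLY_WITH_KEEPALIVE, REPLY_WITHOUT_KEEPALIVE, REPLY_DENIED):
        print(keepalive_headers_on_connect(reply))
```

Run probe_proxy against the Web proxy listener before and after you enable the hotfix setting to compare the headers that are returned.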

RESOLUTION

Hotfix installation information

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

To resolve this problem, install the hotfix package that is mentioned in the following Microsoft Knowledge Base article:

920716 Description of the ISA Server 2004 hotfix package: June 6, 2006

After you install this hotfix, you must run the following script to enable the functionality that this hotfix provides.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script adds a new VendorParametersSet under the array root.
' Used to add new parameters that are needed for hotfixes or service packs.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Sub SetDontKeepAliveCONNECTRequest()

    ' Create the root object.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim array       ' An FPCArray object
    Dim VendorSets  ' An FPCVendorParametersSets collection
    Dim VendorSet   ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and the vendor parameters sets collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )

    If Err.Number <> 0 Then
        Err.Clear

        ' Add the item. Stop here if the set cannot be created.
        Set VendorSet = VendorSets.Add( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )
        If Err.Number <> 0 Then
            CheckError
            Exit Sub
        End If
        WScript.Echo "New VendorSet added... " & VendorSet.Name

    Else
        WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value("DontKeepAliveCONNECTRequest")
    End If

    If VendorSet.Value("DontKeepAliveCONNECTRequest") <> True Then

        Err.Clear
        VendorSet.Value("DontKeepAliveCONNECTRequest") = True

        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save False, True

            ' Test Err before calling CheckError, because CheckError clears it.
            If Err.Number <> 0 Then
                CheckError
            Else
                WScript.Echo "Done with DontKeepAliveCONNECTRequest, saved!"
            End If
        End If
    Else
        WScript.Echo "Done with DontKeepAliveCONNECTRequest, no change!"
    End If

End Sub

' Report the pending error, if any, and clear it.
Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

SetDontKeepAliveCONNECTRequest

Hotfix removal information

Important Before you remove the hotfix that is mentioned in KB920716, you must first run the following script to remove the DontKeepAliveCONNECTRequest value.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script removes a VendorParametersSet value.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Sub RemoveDontKeepAliveCONNECTRequest()

    ' Create the root object.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim array       ' An FPCArray object
    Dim VendorSets  ' An FPCVendorParametersSets collection
    Dim VendorSet   ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and the vendor parameters sets collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )

    If Err.Number <> 0 Then
        Err.Clear

        WScript.Echo "VendorParametersSet does not exist."

    Else
        Err.Clear
        VendorSet.RemoveValue("DontKeepAliveCONNECTRequest")

        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save False, True

            ' Test Err before calling CheckError, because CheckError clears it.
            If Err.Number <> 0 Then
                CheckError
            Else
                WScript.Echo "Done removing DontKeepAliveCONNECTRequest, saved!"
            End If
        End If
    End If

End Sub

' Report the pending error, if any, and clear it.
Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

RemoveDontKeepAliveCONNECTRequest

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Modification Type: Major
Last Reviewed: 7/6/2006
Keywords:kbBug kbfix kbtshoot kbprb KB920356 kbAudITPRO