
TCP connection established using Firewall client may close unexpectedly


The Firewall Client software uses a control channel (UDP or TCP port 1745) for communication between the Firewall client and ISA Server. If a client application wants to connect to an external computer on TCP port 23 (i.e. the telnet protocol), the control channel is used to negotiate a new dynamic port for this specific traffic (after ISA rule verification, of course). After this negotiation, telnet traffic goes through the negotiated port. Let’s call this the data connection.


Now, what happens to the control channel TCP connection? It is left open until one of the peers closes the data connection.


To keep the control channel open, the Firewall client has to periodically send a KeepAlive packet to ISA Server. The Firewall client does this every 10 minutes. If a device between the client and ISA Server has an idle connection timeout configured for less than 10 minutes, this device will force the control channel closed, with the result that ISA Server and the Firewall client drop the data connection shortly thereafter (depending on the third-party device's timeout value).


To correct this behavior, always ensure that the third-party device has an idle timeout greater than 10 minutes.


Franck Heilmann

Escalation Engineer EMEA ISA team



Published Thursday, January 18, 2007 11:35 AM by isablog
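
One way to check connection events for the failure described in the post, as an added example that is not part of the original post or of ISA Server tooling: it flags sessions where the control channel (port 1745) closes before the data connection after less than 10 minutes of idle time. The event tuples are constructed sample data, and the `diagnose` function and its ordering heuristic are assumptions of this example.

```python
KEEPALIVE_S = 600  # Firewall client KeepAlive interval stated in the post (10 minutes)

# Constructed sample events, not a real capture: (seconds, session, channel, kind).
# "control" = the TCP 1745 connection, "data" = the negotiated data connection.
SAMPLE_EVENTS = [
    (0,   "A", "control", "pkt"),    # port negotiation
    (2,   "A", "data",    "pkt"),
    (290, "A", "data",    "pkt"),    # data connection is still active
    (300, "A", "control", "close"),  # control channel closed after 300 s idle
    (305, "A", "data",    "close"),  # data connection dropped shortly after
    (0,   "B", "control", "pkt"),
    (1,   "B", "data",    "pkt"),
    (600, "B", "control", "pkt"),    # KeepAlive
    (900, "B", "data",    "close"),  # a peer closes the data connection first
    (901, "B", "control", "close"),
]

def diagnose(events, keepalive_s=KEEPALIVE_S):
    """Return {session: (verdict, idle seconds on control channel before close)}."""
    state = {}
    for t, session, channel, kind in sorted(events):
        s = state.setdefault(session, {"last_ctl": None, "ctl_close": None,
                                       "data_close": None, "idle": None})
        if channel == "control" and kind == "pkt":
            s["last_ctl"] = t
        elif channel == "control" and kind == "close" and s["ctl_close"] is None:
            s["ctl_close"] = t
            if s["last_ctl"] is not None:
                s["idle"] = t - s["last_ctl"]
        elif channel == "data" and kind == "close" and s["data_close"] is None:
            s["data_close"] = t
    results = {}
    for session, s in state.items():
        ctl, data, idle = s["ctl_close"], s["data_close"], s["idle"]
        if ctl is None:
            verdict = "control channel still open"
        # Heuristic (assumption): a normal close ends the data connection first;
        # a control channel that dies first, idle for less than one KeepAlive
        # interval, points at an intermediate device's idle timeout.
        elif (data is None or ctl < data) and idle is not None and idle < keepalive_s:
            verdict = "suspect intermediate idle timeout"
        else:
            verdict = "normal close"
        results[session] = (verdict, idle)
    return results

if __name__ == "__main__":
    for session, result in diagnose(SAMPLE_EVENTS).items():
        print(session, result)
```

The idle value reported for a flagged session approximates the idle timeout configured on the intermediate device.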