WSUS, ISA Server and IIS Socket Pooling
One of the things I've done recently is set up ISA Server 2004 as a firewall to a network. The machine I used for ISA Server 2004 has two NICs installed, one for the LAN and one for the WAN, and also had Windows Server Update Services (WSUS) release candidate installed. Everything seemed to work sweetly until I tried publishing a Web server from the network using ISA's web server publishing rules. ISA Server kept telling me it couldn't start the Web listener for the rule I had created because something else was already using port 80 on the WAN (external) address. This didn't make much sense to me. I knew IIS was installed to support WSUS and was configured to listen on the internal address, not the external one. Using netstat -na I could see that something was bound to port 80 on address 0.0.0.0 (i.e. all the addresses on the box). If I stopped the WWW Publishing Service, ISA Server could then bind the listener correctly to port 80 on the external address and everything worked, so the easy solution was to move WSUS to another server and remove IIS from the ISA Server box. This worked but I wasn't happy with the solution.
Eventually, after a bit of digging around, I came across an article on ISAserver.org about co-locating ISA Server and IIS which explained what was going on. IIS uses socket pooling, presumably for performance reasons: instead of opening one listening socket per site address, it binds port 80 once on every address the machine has (0.0.0.0), which is exactly what netstat had shown and exactly what collides with ISA's web listener on the external address. On Windows Server 2003 the listener in question is the kernel-mode HTTP.sys driver, and its IP listen list is empty by default, which means "all addresses". Quite apart from the port conflict, a web server bound to the external address of a firewall is more attack surface than you want there, even if ISA's own rules are blocking the traffic. Fortunately it's possible to turn this behaviour off and make IIS bind port 80 only on the interface(s) it's actually using, with the httpcfg command as follows:
httpcfg set iplisten -i 10.0.0.1
where 10.0.0.1 is the address of my internal interface. The httpcfg tool isn't installed as standard but can be found in the Support Tools package in the \SUPPORT\TOOLS directory of the Windows 2003 Server installation CD. Two things to be aware of: HTTP.sys only reads the listen list when it starts, so the change doesn't take effect until you restart it (net stop http /y, then net start w3svc), and you can check what is in the list at any time with httpcfg query iplisten. Also, once the list is non-empty HTTP.sys listens only on the addresses in it, so if you later add an address to the server you have to add it to the list as well (httpcfg delete iplisten -i removes an entry). This deals with the WWW Publishing Service, but IIS uses a similar socket pooling approach for its FTP and SMTP services, which still use ordinary Winsock sockets rather than HTTP.sys. You can disable socket pooling for these services using the adsutil script from the \Inetpub\Adminscripts directory as follows:
To disable socket pooling for the IIS FTP service:
- At the command prompt, enter net stop msftpsvc
- At the command prompt, navigate to the \InetPub\Adminscripts folder. Enter cscript adsutil.vbs set /msftpsvc/1/DisableSocketPooling 1
- At the command prompt, restart the FTP service by entering net start msftpsvc
To disable socket pooling for the IIS SMTP service:
- At the command prompt, enter net stop smtpsvc
- At the command prompt, navigate to the \InetPub\Adminscripts folder. Enter cscript adsutil.vbs set /smtpsvc/1/DisableSocketPooling 1
- At the command prompt, restart the SMTP service by entering net start smtpsvc
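The whole procedure (restricting HTTP.sys to the internal address, restarting it, and turning off socket pooling for FTP and SMTP) as one batch file, with a check of port 80 before and after. This is an added example and not a script from the original post; it assumes Windows Server 2003 with the Support Tools installed, the internal address 10.0.0.1 used above, and adsutil.vbs under %SystemDrive%\Inetpub\Adminscripts.

```batch
@echo off
rem Added example (not from the original post): bind IIS to the internal
rem address only and disable socket pooling for the FTP and SMTP services.
rem Assumptions: Windows Server 2003, Support Tools (httpcfg.exe) on the PATH,
rem internal interface 10.0.0.1, adsutil.vbs in %SystemDrive%\Inetpub\Adminscripts.
setlocal
set INTERNAL_IP=10.0.0.1
set ADSUTIL=%SystemDrive%\Inetpub\Adminscripts\adsutil.vbs

echo === Listeners on port 80 before the change (0.0.0.0:80 = every address)
netstat -ano | findstr /C:":80 " | findstr LISTENING

echo === Current HTTP.sys IP listen list (no entries = all addresses)
httpcfg query iplisten

echo === Restrict HTTP.sys to the internal address only
httpcfg set iplisten -i %INTERNAL_IP%
if errorlevel 1 (
    echo httpcfg failed - check that the Support Tools are installed and on the PATH
    exit /b 1
)

echo === HTTP.sys only reads the listen list at startup, so restart it
rem /y also stops the services that depend on HTTP.sys (W3SVC among them)
net stop http /y
net start w3svc

echo === Disable socket pooling for the FTP service
net stop msftpsvc
cscript //nologo "%ADSUTIL%" set /msftpsvc/1/DisableSocketPooling 1
net start msftpsvc

echo === Disable socket pooling for the SMTP service
net stop smtpsvc
cscript //nologo "%ADSUTIL%" set /smtpsvc/1/DisableSocketPooling 1
net start smtpsvc

echo === Verify: port 80 should now be bound only on %INTERNAL_IP%
netstat -ano | findstr /C:":80 " | findstr LISTENING
httpcfg query iplisten
endlocal
```

Run it from an elevated command prompt on the ISA box. If the final netstat still shows 0.0.0.0:80, look at the PID in the last column: something other than IIS (HTTP.sys shows up as PID 4, System) owns the socket and the listen list will not help with it. After this, ISA's web listener can take the external address on port 80 while WSUS stays on the internal one.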
This isn't documented in the IIS Resource Kit, but I tried it out and turning off socket pooling worked for me. If you experience the same problem, give it a go.
David