Showing posts with label isa server. Show all posts

2009/10/30

Windows 7: Disable builtin DHCP server for “Internal network” in Virtual PC

I recently installed Windows 7 and had been waiting for the final release of XP Mode and Virtual PC, which occurred on the 22nd of October. I previously had (on Windows Vista, using Virtual PC 2007) a virtual domain composed of virtual machines such as:

  • server2003: a domain controller and DHCP server, with a fixed IP address, connected to the “Internal network” of Virtual PC.
  • isa2006: with two interfaces (dual homed), one connected to the physical host network adapter (for connecting to the internet), the other one connected to the “Internal network”. Both IPs are set manually.
  • sql2008: the database server for tests within this virtual domain, with its IP address assigned dynamically through DHCP.
  • vs2008xp: a Windows XP machine with Visual Studio 2008, belonging to the domain for testing and development, with its IP configured through DHCP (which should be handled by server2003).

With such a testing environment, all traffic that should go to/from the internet passes through isa2006. If isa2006 is not running (for instance), the virtual domain is isolated and the virtual machines can only see each other (the members of the domain).

This was the scenario I had configured on my old Vista machine using Virtual PC 2007, and I wanted to reuse the .vhd files so that I would not need to rebuild the playground from scratch.

It was quite simple: I just recreated every single virtual machine using the wizard, and when asked for the hard disk, I selected ‘the existing one’ instead of creating an empty one. Then, when the machine was first started, I reinstalled the Virtual Machine Additions (now called Integration Components), and after a couple of restarts everything seemed to be working… but it only seemed.

Then I realized that sql2008 and vs2008xp (both configured to obtain dynamic IPs through DHCP) could not browse the internet, nor ping any other server in the domain. They were using the “Internal network”, but their IP addresses had not been assigned by the DHCP server running on server2003, since they were not in the expected range/mask.

After Googling for a while I learned that Virtual PC has its own built-in DHCP server, and it seems it is (incorrectly) enabled for the “Internal network”. Fortunately there is a fix for it:

  1. Turn off or hibernate all your running Virtual Machines.
  2. From the Task manager, kill vpc.exe if it does not exit on its own.
  3. Edit "%localappdata%\microsoft\Windows Virtual PC\options.xml"
  4. Search for the “Internal network” section, and then inside the <dhcp> section, disable it: <enabled type="boolean">false</enabled> and save the file. You can keep a backup of the original xml file just in case.
  5. Turn on your VMs and verify everything runs as expected.
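A scripted version of steps 3 and 4, added here as an example and not part of the original post: it backs up options.xml, flips only the `<dhcp><enabled>` flag of the “Internal network” entry, and leaves every other network untouched. The element names in the constructed sample (`network`, `name`) are assumptions; match them against your own options.xml before running it against the real file.

```python
import shutil
import xml.etree.ElementTree as ET

# Constructed stand-in for options.xml. The real Windows Virtual PC file is
# larger and its element names may differ (assumption); only the
# <dhcp><enabled type="boolean"> flag inside the "Internal network" entry
# is what the fix changes.
SAMPLE_OPTIONS_XML = """<preferences>
  <virtual_network>
    <network id="0">
      <name type="string">Internal network</name>
      <dhcp><enabled type="boolean">true</enabled></dhcp>
    </network>
    <network id="1">
      <name type="string">Local only</name>
      <dhcp><enabled type="boolean">true</enabled></dhcp>
    </network>
  </virtual_network>
</preferences>
"""

def disable_internal_dhcp(xml_text, network_name="Internal network"):
    """Return (new_xml_text, changed): DHCP flag of the named network set to false."""
    root = ET.fromstring(xml_text)
    changed = False
    for network in root.iter("network"):
        name = (network.findtext("name") or "").strip()
        if name != network_name:
            continue  # other networks keep their own DHCP setting
        enabled = network.find("dhcp/enabled")
        if enabled is None:
            raise ValueError(f"no <dhcp><enabled> under network {network_name!r}")
        if (enabled.text or "").strip().lower() != "false":
            enabled.text = "false"
            changed = True
    return ET.tostring(root, encoding="unicode"), changed

def dhcp_state(xml_text):
    """Map network name -> DHCP enabled flag, to verify the edit before restarting VMs."""
    root = ET.fromstring(xml_text)
    return {n.findtext("name").strip(): n.findtext("dhcp/enabled").strip()
            for n in root.iter("network")}

def patch_options_file(path):
    """Step 4 on a real file: keep a .bak copy, then rewrite only if something changed.
    Run it with all VMs off and vpc.exe stopped (steps 1 and 2)."""
    shutil.copyfile(path, path + ".bak")
    with open(path, encoding="utf-8") as f:  # file encoding is an assumption
        new_text, changed = disable_internal_dhcp(f.read())
    if changed:
        with open(path, "w", encoding="utf-8") as f:
            f.write(new_text)
    return changed
```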

2008/02/26

0x80074E24 FWX_E_CONNECTION_KILLED in ISA Server 2004 / 2006

We have recently installed a Samsung SHR-5040 digital video recorder (DVR) in our remote workshop in order to monitor activities and the progress of customers' orders. Our branch (workshop) and central offices are connected by a VPN maintained by two ISA Servers. We thought that making the live output of the DVR available in our central office would be straightforward, but it was not as simple as it seemed at first.

After having the device set up and running, we checked that the web administration page was available from the subnet at the branch site. It was OK. Then we tried to access the device's web page from a computer on the central office subnet and, even though the HTTP content (the page) was shown, the device was not reachable over RTSP (Real Time Streaming Protocol) and no live image was displayed, only a big black screen and a message saying 'no response'.

Since we had no idea where the problem was (which of the ISAs, at the branch or at the central site), we started checking step by step, and the first step was the ISA at the branch site (workshop). We started a live log filtered by destination IP (the IP assigned to the DVR) and saw a Connection denied error for RTSP on port 554 (destination) and TCP port 58907 (source): 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED.

After a little research I found that this error is raised whenever a new TCP session is attempted without the SYN flag, which must be set on the first packet sent by the host trying to start the connection. If ISA receives a packet that does not belong to an existing connection, it must have the SYN flag set or it will be rejected.

Right before that Connection denied error (and with the same timestamp) we had another log entry which, though not an error, was quite interesting: Connection close for RTSP on port 554 (destination) and also TCP port 58907 (source), 0x80074e24 FWX_E_CONNECTION_KILLED. It was not marked in red as an error, but it was really weird that the source port for both log entries was the same, at the same time: first ISA kills the connection, and next ISA says that a new connection (coming from the same host and the same port) without SYN is received and, hence, rejected.

The real problem was not the 0xc0040017 error caused by the non-SYN packet, but the previous entry, the 0x80074e24, which kills the connection unilaterally.

We even added a new access rule to ISA Server allowing all protocols from Internal network to Local Host, without any luck; the same behavior was shown: first the connection is killed, and then the rest of the packets are rejected since they do not belong to an existing connection and do not have the SYN flag set.
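The correlation described above, as an added example that is not part of the original post: a small detector that groups ISA log entries by flow (source IP and port, destination IP and port) and reports only those flows where a 0x80074e24 connection kill is followed by 0xc0040017 non-SYN drops, the signature of an application filter tearing down the session. The comma-separated layout and the sample lines are constructed; a real ISA log export has more columns, so adjust the field positions.

```python
from collections import defaultdict
from dataclasses import dataclass

FWX_E_CONNECTION_KILLED = "0x80074e24"
FWX_E_TCP_NOT_SYN_PACKET_DROPPED = "0xc0040017"

# Constructed sample lines in a simplified layout:
# time,src_ip,src_port,dst_ip,dst_port,protocol,action,result_code
SAMPLE_LOG = """\
2008-02-26 10:15:02,192.168.1.25,58906,192.168.1.200,80,HTTP,Initiated Connection,0x0
2008-02-26 10:15:03,192.168.1.25,58907,192.168.1.200,554,RTSP,Connection close,0x80074e24
2008-02-26 10:15:03,192.168.1.25,58907,192.168.1.200,554,RTSP,Connection denied,0xc0040017
2008-02-26 10:15:09,192.168.1.30,40100,192.168.1.200,554,RTSP,Connection denied,0xc0040017
"""

@dataclass(frozen=True)
class Entry:
    time: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    action: str
    result: str

def parse_log(text):
    """Parse the simplified layout above into Entry records (result codes lowercased)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, sip, sport, dip, dport, proto, action, result = line.split(",")
        entries.append(Entry(t, sip, int(sport), dip, int(dport), proto, action, result.lower()))
    return entries

def find_filter_kills(entries):
    """Flows where ISA killed the connection and then dropped later packets as non-SYN.
    A lone 0xc0040017 (the 192.168.1.30 line) is a different problem and is not reported."""
    by_flow = defaultdict(list)
    for e in entries:
        by_flow[(e.src_ip, e.src_port, e.dst_ip, e.dst_port)].append(e)
    findings = []
    for flow, evs in by_flow.items():
        kills = [e for e in evs if e.result == FWX_E_CONNECTION_KILLED]
        drops = [e for e in evs if e.result == FWX_E_TCP_NOT_SYN_PACKET_DROPPED]
        for k in kills:
            if any(d.time >= k.time for d in drops):  # drop at or after the kill
                findings.append((k.protocol, flow))
    return findings
```

A flow reported by this check points at the protocol's application filter (here the RTSP filter) rather than at the access rules, which is why adding allow rules did not help.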

After several days of research and trial and error we found a post asking for help with the same symptoms we had: SMTP server rule breaks incoming connections then rejects packets. The only difference was that we were trying to set up a DVR instead of a mail server. At the end of the entry we could read:

Unbinding the SMTP application filter from the SMTP server firewall rule changes the "connection killed" message to "abortive shutdown", but the behavior seems otherwise the same.

We also found another old post, RE: RTSP - ISA 2006, where we could read:

After upgrading from ISA 2004 to ISA 2006, my streaming media server stopped working through the firewall. I then noticed in the logs that my RTSP Server Publishing rule was showing the code for connection killed. I then went and removed the RTSP filter from the RTSP Server protocol definition, and my streaming media started working again. Since I don't see any way of configuring the RTSP filter, and since it worked fine in ISA 2004, I'm guessing that this is a bug in ISA 2006?

This last post was dated October 2006, and we thought that, if it was a bug, it might have been fixed already, but we wanted to give it a try.

We went to the ISA Server 2006 admin console, browsed through the protocols until we found RTSP, right-clicked it, opened Properties, then Parameters, and simply removed the RTSP filter from the application filters. We then accepted and applied the changes, and everything worked like a charm.

Keywords:
ISA Server 2004, ISA Server 2006, streaming, RTSP, RTSP filter, 554, 0x80074e24, FWX_E_CONNECTION_KILLED, 0xc0040017, FWX_E_TCP_NOT_SYN_PACKET_DROPPED, digital video recorder, DVR, Samsung SHR-5040.

2006/08/03

ISA Server 2004: fwsrv stopped responding to all requests

We recently installed ISA Server 2004 Service Pack 2 and then applied the recommended update (point 3 is KB897716): "Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard Edition RPC Filter Blocks Outlook Traffic from Computers Running Windows Server 2003 Service Pack 1 (SP1)". After doing so we did not have to restart the server, and everything seemed to be working perfectly. I also read about BITS caching (Background Intelligent Transfer Service, used by Windows Update) being supported and decided to use it (you can read how to do it by searching for "Creating the Microsoft Update Cache Rule" in "Planning, Deployment, and Integration for ISA Server 2004 Service Pack 2").

Some days later, for other reasons, we had to restart the server. After that, the Firewall Service failed to start, leaving us disconnected from the internet. All network traffic (VPNs, HTTP, email) was blocked. As you can imagine, we were in real trouble. In our application event log there were two kinds of error messages:
Event Type: Error
Event Source: Microsoft ISA Server Control
Event Category: None
Event ID: 14079
Date:  8/2/2006
Time:  12:30:01 PM
User: N/A
Computer: SERVERNAME
Description:
Due to an unexpected error, the service fwsrv stopped responding to all
requests. Stop the service or the corresponding process if it does not
respond, and then start it again. Check the Windows event Viewer for
related error messages.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Microsoft ISA Server
Event Category: None
Event ID: 1000
Date:  8/2/2006
Time:  12:28:55 PM
User: N/A
Computer: SERVERNAME
Description:
Faulting application wspsrv.exe, version 4.0.2165.610, stamp 442d48f1,
faulting module w3filter.dll, version 4.0.2165.610, stamp 442d48dd,
debug? 0, fault address 00094cff.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
In the system event log we had:
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 8/2/2006
Time: 12:29:08 PM
User: N/A
Computer: SERVERNAME
Description:
The Microsoft Firewall service terminated unexpectedly. It has done this 6
time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
With those clues, we found "The Firewall service stops responding and Event IDs 14079, 1000, and 14057 are logged in the Application event log in ISA Server 2004", which suggested installing "Update for HTTP issues in Internet Security and Acceleration Server 2004 Service Pack 2". We did so, but it did not solve the problem either. One of the symptoms listed in the latter document was:
917134 The "Background Intelligent Transfer Service" option is incorrectly available for any non-Microsoft Update cache rule that you create in ISA Server 2004
I reviewed the cache rules I had configured, but the only one with BITS caching enabled was the one created by the wizard; none of the rest had that option enabled. Just in case, I deleted the Microsoft Update Cache Rule that I had created some days earlier. No luck either: the service kept stopping.

Then I had another idea: since all the clues pointed towards the cache, why not disable the cache completely, delete the c:\urlcache\Dir1.cdat file manually, and then re-enable the cache again? If the problem was the data that ISA had already saved in the cache, that would be the only way to get rid of it. The idea was quite simple and seemed risk-free. We had not read a word about this self-made procedure, but after doing it the Firewall service restarted without any problem. Summing up:
  1. Install ISA Server 2004 SP2.
  2. Install KB897716.
  3. Install KB916106.
  4. Do NOT add any cache rule with BITS Caching enabled (just in case).
If you run into the same problems as I did:
  1. Remove any of the rules that had BITS Caching enabled.
  2. Disable caching for all drives.
  3. Manually delete the cache files.
  4. Re-enable the caching for the drives you had previously configured.
Links: