Geeks With Blogs
Hornet's Nest A few of Mike Hoerner's Favorite Topics

We noticed some very odd, random behavior in our environment specifically with Exchange 2010 ActiveSync and Outlook Web App.

Some of our mobile devices had trouble synchronizing email (problems with connecting, direct push wasn’t working properly).  Some of our users had trouble connecting to Outlook Web App.  Some of our users using Outlook Web App externally were inadvertently connecting to other users' mailboxes that they did not have permission to access, which is, not to mention, a serious security breach (I didn’t think it was possible but I saw it with my own eyes).

In addition, I noticed that we were having intermittent problems connecting to our external Office Communications 2007 Server web portal.

We spent a significant amount of time troubleshooting our Exchange 2010 environment and we could not find any Exchange infrastructure issues that were contributing to the issues above.  Also, we could not find any problems with Exchange 2010 ActiveSync and Outlook Web App.

These issues were happening very randomly, which made it very difficult to troubleshoot.  However, there was one common denominator: the ISA 2004 Servers.

The first thing we did was to start capturing some logging data on the ISA Servers.  Shortly thereafter, we noticed some connection failures in the logs from an F5 floating IP address, as we use F5 devices to load-balance external traffic (ActiveSync/OWA) to our ISA 2004 Servers.  So, we contacted our F5 engineers and asked them to start capturing some data on the F5 devices.  They were able to determine quickly that they were seeing quite a few refused or failed connections along with many successful connections to our ISA Servers in their logs.  Using this information, we started researching connection limits on an ISA 2004 Server.

There is a very good TechNet article, Deployment Recommendations for Connection Limits in ISA Server 2004, that explains in detail how to configure connection limits for ISA 2004.

After reading the article, we modified the Connection limit per client from 160 to 400 on all of our ISA Servers following the steps under Appendix A: Configuring Connection Limits in the article.


We noticed a somewhat small improvement after making the change but some users were still reporting issues.  After some more research, we created a new entry for our F5 floating IP address on the ISA Servers and added it to the Custom connection limit as shown below.


After we made the change, we no longer had any more issues including the security breach issue with accessing another person’s mailbox.  Something to keep in mind if you use one or more ISA 2004 Servers in your Exchange 2010 environment and your environment grows over time. 
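An added example (not from the original post) of why a per-client limit trips on a load balancer's floating IP: when the load balancer presents that one address as the source, every device behind it counts against a single client's limit. The addresses, the connection records and the custom limit of 1000 are constructed assumptions; 160 and 400 are the values from the post.

```python
from collections import defaultdict

DEFAULT_LIMIT = 160   # per-client limit the post started with
RAISED_LIMIT = 400    # per-client limit after the first change
# Assumed custom limit for the (constructed) load balancer floating IP.
CUSTOM_LIMITS = {"192.0.2.10": 1000}


def peak_concurrency(records):
    """Return {source_ip: peak simultaneous connections} from (src, start, end) records."""
    events = defaultdict(list)
    for src, start, end in records:
        events[src].append((start, 1))    # connection opened
        events[src].append((end, -1))     # connection closed
    peaks = {}
    for src, evs in events.items():
        # At equal timestamps process closes first, so back-to-back
        # connections are not counted as overlapping.
        evs.sort(key=lambda e: (e[0], e[1]))
        current = peak = 0
        for _, delta in evs:
            current += delta
            peak = max(peak, current)
        peaks[src] = peak
    return peaks


def over_limit(peaks, default_limit, custom_limits=None):
    """Return {source_ip: (peak, limit)} for sources whose peak exceeds their limit."""
    custom_limits = custom_limits or {}
    return {src: (peak, custom_limits.get(src, default_limit))
            for src, peak in peaks.items()
            if peak > custom_limits.get(src, default_limit)}


def sample_records():
    """Constructed data: 450 long-lived device sessions seen from one floating IP,
    plus one directly connected client with three short connections."""
    balanced = [("192.0.2.10", i, i + 600) for i in range(450)]
    direct = [("198.51.100.7", t, t + 30) for t in (0, 10, 20)]
    return balanced + direct


if __name__ == "__main__":
    peaks = peak_concurrency(sample_records())
    for label, limit, custom in (("default", DEFAULT_LIMIT, None),
                                 ("raised", RAISED_LIMIT, None),
                                 ("custom", RAISED_LIMIT, CUSTOM_LIMITS)):
        print(label, over_limit(peaks, limit, custom))
```

Run against real connection records, the same per-source peak shows whether a shared address needs a custom limit entry or whether a single client is genuinely misbehaving.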

In case anyone was wondering, we have plans to upgrade to Microsoft Forefront Threat Management Gateway later this year :-)

Posted on Saturday, March 26, 2011 7:29 PM

Comments on this post: Exchange 2010 Deployment Notes – ISA 2004 Server Connection Limits issue
