Stefaan Pouseele Blog RSS


Cleaning up your network traffic a bit

It has probably already been posted somewhere, but I thought that the following two settings on the ISA 2004 are worth reiterating…

1. Tired of the ISA sending NetBT broadcasts when DNS lookups fail?

By setting the key HKLM\System\CurrentControlSet\Services\NetBT\Parameters\NodeType to a value of 2 (DWORD) you are telling Windows to limit its name lookup efforts to the defined DNS and WINS servers (P-node). As a result, Windows will no longer wait for NetBT broadcasts to fail before reporting a name lookup failure.

This setting requires a machine reboot to take effect.

It should be obvious that you can configure every internal host as a P-node, at least if you have a proper DNS/WINS infrastructure. For non-DHCP clients you’ll have to set the above registry key. For DHCP clients you can use the DHCP Server or Scope Option 046 WINS/NBT Node Type to set this parameter as shown in the figure below.

Note: do you see the DHCP Server or Scope Option 019 IP Layer Forwarding in the above figure? Clients shouldn’t be routers (hint…)!

2. MS05-019 fixed an ICMP MTU vulnerability that existed in Windows 2003.

Because the ISA team was aware of this issue before ISA 2004 shipped, they opted to give you a “safe by default” configuration since they had no idea if or when the Windows issue might be fixed. Unfortunately, it also has the side effect of limiting Windows to 576-byte packets on all interfaces, reducing network efficiency.

By setting the key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery to a value of 1 (DWORD), or by simply deleting the EnablePMTUDiscovery value, you remove this protection and regain the normal network efficiency. However, before removing this protection, make sure you have MS05-019 installed first, or even better, Windows 2003 SP1. Take note that ISA 2004 SP1 resets the EnablePMTUDiscovery value to 0, so you’ll have to change it back after installing ISA 2004 SP1.

This setting requires a machine reboot to take effect.

HTH,
Stefaan
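To check a host against both settings, the following read-only PowerShell audit is an added example, not code from the original post. The function names are hypothetical, and it assumes the standard `DhcpNodeType` value, which is where Windows stores a node type received through DHCP option 046.

```powershell
# Added example, not from the original post. Read-only: it changes nothing.
$netbt = 'HKLM:\System\CurrentControlSet\Services\NetBT\Parameters'
$tcpip = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters'
$nodeNames = @{ 1 = 'B-node'; 2 = 'P-node'; 4 = 'M-node'; 8 = 'H-node' }

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent.
    $key = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    $prop = $key.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return [int]$prop.Value
}

function New-Finding([string]$Setting, [string]$State, [string]$Note) {
    [pscustomobject]@{ Setting = $Setting; State = $State; Note = $Note }
}

function Get-NodeTypeFinding($Static, $Dhcp) {
    # A static NodeType takes precedence over the DHCP-supplied DhcpNodeType.
    if ($null -ne $Static)   { $v = $Static; $src = 'NodeType' }
    elseif ($null -ne $Dhcp) { $v = $Dhcp;   $src = 'DhcpNodeType (option 046)' }
    else { return New-Finding 'NetBT node type' 'not set' 'Windows default applies; NetBT broadcasts are possible' }
    $name = $nodeNames[$v]
    if ($null -eq $name) { $name = 'unknown' }
    if ($v -eq 2) { $note = 'DNS/WINS only, no NetBT broadcasts' }
    else          { $note = 'not a P-node; set NodeType to 2 and reboot' }
    New-Finding 'NetBT node type' "$src = $v ($name)" $note
}

function Get-PmtuFinding($Value) {
    # An absent value behaves like 1 (per the post, deleting it restores normal behaviour).
    if ($null -eq $Value) { return New-Finding 'EnablePMTUDiscovery' 'absent' 'PMTU discovery on (Windows default)' }
    if ($Value -eq 0) { return New-Finding 'EnablePMTUDiscovery' '0' '576-byte limit active; ISA 2004 default, reset again by ISA 2004 SP1' }
    New-Finding 'EnablePMTUDiscovery' "$Value" 'PMTU discovery on; confirm MS05-019 or Windows 2003 SP1 is installed'
}

# Emit one finding per setting for the local machine.
Get-NodeTypeFinding (Get-RegDword $netbt 'NodeType') (Get-RegDword $netbt 'DhcpNodeType')
Get-PmtuFinding (Get-RegDword $tcpip 'EnablePMTUDiscovery')
```

Running it again after installing ISA 2004 SP1 shows whether EnablePMTUDiscovery has been reset to 0.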

One Response to “Cleaning up your network traffic a bit”

  1. Tom Shinder Says:

    June 3rd, 2006 at 4:04 pm

    Hi Stefaan,
    Nice tip!
    Thanks!
    Tom
