ISA Server and Xbox Live: Not Officially Supported. But I’m interested…

It’s old news, but I thought I might as well get the conversation started, after John emailed me asking about getting ISA working with Xbox Live.

I need to state up front that last time I heard anything about anything, Xbox Live wasn’t officially supported through ISA.

Rather than “your mileage may vary”, this puts it firmly in the “any mileage you do get is purely a bonus” category.

So, don’t do it. It probably doesn’t and won’t work right. Get yourself an Xbox Live compatible router, configure your Xbox to go through it instead of ISA, and game on! Simplicity itself.

That said, I thought I’d share my experiences so others could chime in with theirs, if they found something workable, interesting or otherwise.

I tried XBL with ISA 2000 a bit over a year ago; no dice. Couldn’t do a content download through it, though I was able to play if I removed ISA, used RRAS/NAT to do the content download, then reinstalled ISA. Bit much trouble to go to for any required updates.

I tried XBL with ISA 2004 Beta 2, and it seemed to work for the most part, but with interesting caveats; I’d not be able to hear some people (I think – it’s kinda hard to tell), or conversation would dry up quickly, or there’d be fewer games available when searching than without it.  I managed to play several games, but some were more problematic than others. Circumstantial, unscientific. Never really gave it much thought, and went back to ISA 2000 until ISA 2004 RTMd.

My current working setup has my ISA 2004 box feeding into a D-link DI-624. All the PC clients point at the ISA Server as their default gateway, but I run two subnets; one is DHCP-served by the ISA Server for access-controlled clients (eg, those that sit on my domain, and use the ISA Server for internet access), and the other subnet is just for direct router clients, including… the Xbox, which sits there using a static IP, default gateway and DNS pointed at the router. Both sets of clients are on the same physical wire in their different subnets – it’s not a security setup – but if you had more hubs than I do, it could be, easily.

I have very few problems with this setup, and I get the best of both worlds. So, if in doubt, get a compatible router, plug everything into it, and point the real PCs at the ISA box, and the Xbox at the router gateway. Simple!

Some related resources around the net:


If you do want to fiddle with XBL through ISA, you’ll need unauthenticated access to a range of protocols; with ISA 2004, it’s probably a lot easier to give the Xbox a static IP, create a computer set containing just that IP, and allow that computer set to use all IP outbound (especially if you’re trying to simulate a corporate environment with authentication and other access controls with your other rules – just another way ISA 2004 rules rock!)

Thinking out loud, it’s just possible that the situation might be further improved by creating a server publishing rule that allows 3074 TCP Inbound and UDP Receive Send too, but I haven’t tried it; just assuming that if we use those protocols outbound, they might also be used inbound, and Server Publishing is How It’s Done if that’s the case. And of course, you can watch for dropped connections live in the logs, if you’re trying to work out why something is not working…

Has anyone gone further, or got other creative solutions? Love to hear them!

ISA 2004 does 502s rather than 407s if you’re already authenticated

Update: Also works for ISA 2006 and TMG.

There were a couple of newsgroup questions on ISA 2004 authentication that prompted me to go digging through the SDK.

Edit: A little more background so this makes more sense: When an HTTP request is submitted by a client (also called a “user agent”, because not all user agents are browsers), it’s submitted anonymously in the first instance. The proxy will then work out whether the client is allowed to do whatever it is asking to do anonymously, and if not, sends the client an HTTP 407 message and proxy-authenticate headers that indicate supported authentication methods (eg, “407 – Who Are You? I speak NTLM and fluent Dutch…”). Then, this connection is authenticated and the user gets whatever the user’s permissions are.

A little background: possibly as a side-effect of the way rules were processed in ISA 2000, the default behaviour for the Web Proxy was that if access were denied and the user was already authenticated, the user would be prompted for alternate credentials (because ISA 2000 responded with another “407 Proxy Authentication Required”, rather than a 502 “get bent”).

With ISA 2004, if a user has already authenticated and has been denied access by a rule, ISA 2004 returns a 502 Bad Gateway, and IE doesn’t ask again. So, we have the opposite of the old behaviour.

For ISA 2000, the behaviour was made optional with the ReturnDeniedIfAuthenticated setting (see, included in SP1 and beyond. In ISA 2004, there’s a scripty method of getting to the setting, which is in the example below.

The script sets this for ISA 2004, in a Proxy scenario – it applies to a listener associated with a Network object rather than an externally defined Web listener (an interesting distinction, but one I’m going to leave well alone for now).

As I mentioned in my newsgroup post, you might need to double-check your rule ordering assumptions after doing this.

The usual disclaimers apply – in short, don’t sue me, it’s your fault. Back up your configuration before playing.


‘ Standard Disclaimer:

‘ This script is purely for example purposes

‘ and should not be used by anyone, ever.

‘ It’s designed for use with CSCRIPT, not WSCRIPT. So don’t just double-click it unless you

‘ really enjoy being bombarded with dialog boxen.

‘ TristanK


TheOnlyOneOfInterest = “Internal”     ‘ we want to reset the internal network listener

setting = True                ‘ True = Enabled, False = Disabled (default)


found = 0


set root = CreateObject(“FPC.Root”)


set firewall = root.GetContainingArray


set networks = firewall.NetworkConfiguration.Networks


for each network in networks




      if TheOnlyOneOfInterest = then

            found = found + 1


            Wscript.echo “Found network: ” +

            network.WebListenerProperties.ReturnAuthRequiredIfAuthUserDenied = setting


            ‘ this is pure bumf- feel free to comment it out if you don’t want to be prompted

            ‘ the Wscript.stdin.readline line requires the latest version of the VBScript/WSH components

            Wscript.echo “Property Set – press Enter to Save the change.”   


            Wscript.echo “Please wait…”


            ‘ Commit the configuration change


      end if



if found = 0 then

      Wscript.echo “Target network was not found.”


      Wscript.echo “Done.”

end if