How to repair Error Code 10061 in ISA: Connection
There are times when you might come across a ‘Connection Refused’ error
while using Microsoft’s ISA 2006 or Forefront TMG 2010 server. Fixing this
depends on what the root cause is – which isn’t always easy to determine. In
this brief post, we shall assess how this can be done.
Let’s start by examining what Error 10061 is saying. The client may be
presented with an error message in the browser that looks something like this:
Error Code 10061: Connection refused
Background: When the gateway or proxy server contacted the upstream (Web)
server, the connection was refused. This usually results from trying to
connect to a service that is inactive on the upstream server
While the server activity log will show this:
Failed Connection Attempt
Log type: Web Proxy (Forward)
Status: 10061 No connection could be made because the target machine
actively refused it.
In both cases, let’s focus on the key word ‘refused’. Your ISA or TMG
server was able to reach the destination server, but that server responded
with a message that tells the ISA/TMG server that it cannot have the
requested data. There are a few things that could cause this, and how to
address them depends on the direction in which the proxying is happening.
If you are using ISA/TMG as a client proxy, then you may run into this
problem when your clients try to access some external website. Remember how
TCP works. The client sends a SYN packet to the server targeting the port
(80 for HTTP). A server that is running a service on port 80 will respond
with a SYN ACK, but if it is not, it will respond with a RST ACK. Your
ISA/TMG reaches the server, but not the intended service. This is one way a
server could “actively refuse” a connection attempt.
The other way is for a firewall to block the connection, rather than drop
it. A dropped connection would eventually time out, with the error message
10060, which we may look at in another post. But a firewall that is
configured to block a connection will usually respond to it with a RST ACK,
just as a server that is not running the requested service would. A RST ACK
is the TCP response that equates to a “go away”. Your ISA/TMG is telling you
that the name was resolved, but when it was asked to make a connection,
something said “no.”
If you are publishing an internal resource and your external clients are
encountering this error, the most likely cause is that your internal web
server operating system is running, but the web service has stopped. Again,
your ISA/TMG is communicating with your internal server, but with IIS
stopped, the server responds with a RST ACK since nothing is listening on
TCP 80. If you are running a web service on an internal server on a
non-standard port, ISA/TMG can bridge that connection, but you need to make
sure you specified the correct port. Specifying the wrong port in the
bridging will result in this same error.
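
The following Python check is an added example, not code from the original post: it attempts one TCP handshake and reports whether the port is listening, refused (10061) or timed out (10060), then compares the port entered in the publishing rule with the port the web service is supposed to use. The function names, labels and the loopback demo are this example's own assumptions; run it from a host that takes the same network path as the ISA/TMG server.

```python
import socket

# Outcome labels; the numbers are the Winsock codes discussed in the post.
LISTENING = "listening"
REFUSED = "refused (10061)"
TIMED_OUT = "timed out (10060)"


def probe(host, port, timeout=3.0):
    """Attempt one TCP handshake to host:port and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return LISTENING          # SYN ACK came back: a service is listening
    except ConnectionRefusedError:
        return REFUSED                # RST came back: no listener, or a rejecting firewall
    except (socket.timeout, TimeoutError):
        return TIMED_OUT              # nothing came back: packets dropped or host down
    except OSError as exc:
        return "error: %s" % exc      # e.g. name not resolved, no route to host


def diagnose(host, bridged_port, service_port, timeout=3.0):
    """Compare the port entered in the publishing rule with the port the
    web service is supposed to listen on (both supplied by the admin)."""
    bridged = probe(host, bridged_port, timeout)
    if bridged == LISTENING:
        return "bridged port %d is listening; look elsewhere" % bridged_port
    if bridged != REFUSED:
        return "bridged port %d: %s; not a 10061 condition" % (bridged_port, bridged)
    if service_port != bridged_port and probe(host, service_port, timeout) == LISTENING:
        return "port mismatch: service listens on %d, rule bridges to %d" % (
            service_port, bridged_port)
    return "nothing listening: web service stopped, or a firewall is rejecting"


if __name__ == "__main__":
    # Constructed demo on loopback: one listener, and one port with nothing on it.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    print(probe("127.0.0.1", open_port))
    print(probe("127.0.0.1", closed_port))
    print(diagnose("127.0.0.1", closed_port, open_port))
    listener.close()
```
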
The repair here is as simple as a quick restart of IIS, or specifying the
correct port in the bridging configuration. You’ll be back in business in no
time. While this covers the most common 10061 errors you may encounter, feel
free to ask about any other situations in the comments, and I will get back
to you promptly with some advice.
This guest post was provided by Ed Fischer on behalf of GFI Software Ltd.
GFI is a leading software developer that provides a single source for
network administrators to address their network security, content security
and messaging needs.