RSA ClearTrust Agent 4.6 for Microsoft Internet Information Services (IIS)
Microsoft Windows Server 2003
Microsoft Internet Information Services (IIS) 6.0 on Microsoft Windows Server 2003
|Issue||RSA ClearTrust AServer sockets are exhausted when using multiple Microsoft Internet Information Services (IIS) application pools and many IIS web servers|
|Cause||Each RSA ClearTrust Agent instance establishes a connection to the authentication server on port 5615. The AServer configuration setting cleartrust.aserver.max_connections (default 200) limits the number of connections each authentication server allows from all sources, including runtime API applications and web servers. The Microsoft Internet Information Services (IIS) 6.0 web server may be configured to use multiple application pools per server; in this case, each IIS application pool instance starts its own separate instance of the ClearTrust Agent and its own connection to the authentication server. If multiple IIS servers are configured for multiple application pools, it is possible to exceed the default limit for incoming AServer connections. Also, if IIS worker process recycling is enabled, each application pool may temporarily establish 2 connections to the AServer as the recycling process builds the new application pool and tears down the old one. When worker process recycling is enabled, allow for approximately 50% more connections than the number of pools configured for each web server.|
|Resolution||Ensure that the value of cleartrust.aserver.max_connections is sufficient for all of your incoming connections. The number of connections should be greater than the total number of application pools on all your Microsoft Internet Information Services (IIS) web servers plus 50% to allow for application pool recycling. Allow additional sockets for each runtime API application and any other non-IIS web servers in your environment.|
|Legacy Article ID||a26526|