Firewall Client is Unable to Connect to ISA Server 2006
1. Introduction
This scenario is based on a real case that we were able to reproduce in the lab. When the Microsoft Firewall Client tries to connect to ISA Server 2006, it fails with the error "Operation failed as result of a network error". This happens with both automatic and manual detection of the ISA server from the client.
Figure 1 – Firewall Client Error message and red mark in the firewall client icon in taskbar.
Although the error message says “Operation failed as result of a network error”, we did not have any network problem reaching the ISA Server 2006 from this workstation, as you can see in the netmon trace below:
TCP Three Way Handshake successfully happening:
10.20.20.201 10.20.20.1 TCP TCP:Flags=......S., SrcPort=1173, DstPort=1745, PayloadLen=0, Seq=2944340194, Ack=0, Win=65535 (scale factor 0) = 65535
10.20.20.1 10.20.20.201 TCP TCP:Flags=...A..S., SrcPort=1745, DstPort=1173, PayloadLen=0, Seq=576250929, Ack=2944340195, Win=16384 (scale factor 0) = 16384
10.20.20.201 10.20.20.1 TCP TCP:Flags=...A...., SrcPort=1173, DstPort=1745, PayloadLen=0, Seq=2944340195, Ack=576250930, Win=65535 (scale factor 0) = 65535
Client configuration request:
10.20.20.201 10.20.20.1 TCP TCP:Flags=...AP..., SrcPort=1173, DstPort=1745, PayloadLen=1, Seq=2944340195 - 2944340196, Ack=576250930, Win=65535 (scale factor 0) = 65535
Client sending a TCP FIN to close the connection:
10.20.20.201 10.20.20.1 TCP TCP:Flags=...A...F, SrcPort=1173, DstPort=1745, PayloadLen=0, Seq=2944340196, Ack=576250930, Win=65535 (scale factor 0) = 65535
2. Using File Monitor to Troubleshoot Firewall Client
To better understand what the Firewall Client application was doing at the time of the issue, we used File Monitor (Filemon) from Sysinternals. When we launched Filemon and clicked the “Test Server” button, the log showed that the FwcAgent.exe process (the Microsoft Firewall Client) gets an “Access Denied” in the Local Service context when trying to create a file under %systemdrive%\Documents and Settings\LocalService\Local Settings\Temp.
Note: The LocalService folder and its subfolders are hidden by default in Windows XP and Windows Server 2003.
Figure 2 – Filemon Log trying to create a file in the temp folder.
After opening the Temp folder under %systemdrive%\Documents and Settings\LocalService\Local Settings, we see that Local Service has no permissions on it at all, as shown in Figure 3.
Figure 3 – ACL for Temp Folder.
3. Conclusion
This issue can be resolved by giving Local Service “Full Control” over the Temp folder under %systemdrive%\Documents and Settings\LocalService\Local Settings. This particular problem was happening because Local Service did not have “Full Control” over the Temp folder. The Firewall Client needs this permission to temporarily store the configuration it receives from the ISA Server: when the Firewall Client connects to the ISA server it sends a configuration request, the ISA server replies with the configuration response, and the Firewall Client then tries to create a temp file in which it stores the Internal Network definition (the configuration response).
This particular case was very interesting because the problem appeared after a hardening template was applied to all Windows workstations that had the Microsoft Firewall Client installed. This is, again, real proof that before you deploy a hardening template you should test every application that needs to run on the system and verify that it behaves as designed.
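As an added example (not part of the original post or of the Firewall Client itself), the following PowerShell script checks the two things this article verifies by hand: that the ISA control channel on TCP 1745 is reachable, and that LOCAL SERVICE holds Full Control on its own Temp folder, with an optional -Fix switch that grants the permission the way the conclusion describes. It assumes it is run elevated, that $IsaServer is the ISA server's internal address (the 10.20.20.1 from the trace is only a default), and that the profile uses either the XP/2003 layout (Local Settings\Temp) or the Vista-and-later layout (AppData\Local\Temp).

```powershell
# Added example, not code from the original article. Assumes elevated PowerShell.
param(
    [string]$IsaServer = '10.20.20.1',   # address taken from the article's trace; adjust for your network
    [switch]$Fix                         # grant Full Control if it is missing (the fix the article describes)
)

# S-1-5-19 is the well-known SID for NT AUTHORITY\LOCAL SERVICE, the account FwcAgent.exe runs as.
$localService = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-19'

# 1. Control-channel reachability: the trace in the article shows a completed handshake on 1745.
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($IsaServer, 1745); Write-Host "TCP 1745 to $IsaServer : reachable" }
catch   { Write-Warning "TCP 1745 to $IsaServer : $($_.Exception.Message)" }
finally { $tcp.Close() }

# 2. Locate the LOCAL SERVICE profile from ProfileList (the same key family the TMG comment refers to).
$profileKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19'
$profilePath = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $profileKey).ProfileImagePath)
$tempDir = @("$profilePath\Local Settings\Temp", "$profilePath\AppData\Local\Temp") |
           Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $tempDir) { throw "No Temp folder found under $profilePath" }

# 3. Does LOCAL SERVICE hold an Allow ACE with Full Control on that folder?
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$acl  = Get-Acl $tempDir
$hasFull = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $localService -and
    (($_.FileSystemRights -band $full) -eq $full)
}
if ($hasFull) { Write-Host "$tempDir : LOCAL SERVICE has Full Control"; return }
Write-Warning "$tempDir : LOCAL SERVICE lacks Full Control (FwcAgent.exe will get Access Denied here)"

# 4. Optional remediation: add an inheritable Full Control ACE for LOCAL SERVICE.
if ($Fix) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $localService, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $tempDir -AclObject $acl
    Write-Host "Granted Full Control on $tempDir to LOCAL SERVICE"
}
```

Run it without -Fix first to confirm the diagnosis matches the Filemon "Access Denied" before changing the ACL.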
Authors
Mohit Kumar
Security Support Engineer
Microsoft CSS Forefront Edge Team
Yuri Diogenes
Security Support Engineer
Microsoft CSS Forefront Edge Team
Comments
Anonymous
January 01, 2003
This just helped me to solve a problem, but in my case it was the TMG firewall client and it runs as NetworkService, and the NetworkService profile was changed from its original location. Restored the NetworkService profile location to the original place and the issue was solved. The NetworkService profile path is stored in the registry in this location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20\ProfileImagePath = C:\Windows\ServiceProfiles\NetworkService
Anonymous
September 13, 2010
Hi, thanks for your tip. I faced the problem when I migrated one system from one domain to another. Firewall Client could not connect to the ISA server, but changing the permission for the mentioned folder did the trick and saved me a lot of time.
Anonymous
October 29, 2010
Fantastic tip! I've faced the same issue and I've been working for a week to find a solution. Scenario: Win7 + IE8 + ISA 2006. Thanks a lot.
Anonymous
June 10, 2011
Fantastic!!! You saved me at 04:30 AM!! Many thanks!!!
Anonymous
February 17, 2012
Hi, I have a different problem: when I'm testing the ISA server it is OK, but after that it doesn't connect. This happened when I installed the client on Win 7 Home Premium; I think this is related to the problem that Win 7 Home Premium doesn't support the domain option. Is there a solution for this issue?