Troubleshooting Setup
This troubleshooting guide describes common issues encountered when installing Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard Edition and ISA Server 2004 Enterprise Edition. It also details actions you can take to resolve these issues.
This document is divided into these sections:
- Common setup issues
- Issues encountered when setting up ISA Server 2004 Standard Edition
- Issues encountered when setting up ISA Server 2004 Enterprise Edition
Common Setup Issues
This section describes issues that might be encountered when installing either ISA Server 2004 Standard Edition or ISA Server 2004 Enterprise Edition.
Setup Cannot Modify or Create the Registry Entry
Problem: When trying to open ISA Server Management, the ISA Server 2004 Setup program starts and then fails. An error message, indicating that Setup cannot modify or create the registry entry, SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, is displayed.
Cause: This problem occurs when either of the following conditions is true:
- ISA Server Management is started using an account that does not have the required permissions.
- ISA Server Management is started using an account that is already a member of the appropriate security groups, but the user's access token does not contain the required groups.
Solution: To resolve this problem, do one of the following:
- If ISA Server Management was started using an account that does not have the required permissions, add the user to the appropriate security groups.
- If ISA Server Management was started using an account that is already a member of the appropriate security groups, but the user's access token does not contain the required groups, log the user off. Then, log the user back on.
Prompted to Insert Disc
Problem: When you try to install ISA Server 2004, you are unexpectedly prompted to insert disc 1 to continue the installation process. This symptom occurs after you have already inserted disc 1 to start the installation process.
Cause: This issue may occur if an evaluation version of ISA Server 2004 is already installed on your computer when you try to install the original release version of ISA Server 2004.
Solution: To resolve this issue, copy the contents of the ISA Server 2004 CD to a folder on your computer's hard disk. Then, run the ISA Server 2004 Setup program from your hard disk.
Components Fail to Install
Problem: When you run the ISA Server 2004 Setup program, the following components may not install correctly:
- Advanced Logging (MSDE)
- Firewall Client share
Cause: This problem may occur because the Server service is not running on your computer when you run the ISA Server 2004 Setup program.
Solution: To resolve this problem, follow these steps:
- Click Start, point to Administrative Tools, and then click Computer Management.
- Expand Services and Applications, and then click Services.
- In the right pane, view the Server service to make sure that the service has been started.
- If the Server service has been started, quit Computer Management, and then run the ISA Server 2004 Setup program.
- If the Server service has not been started, right-click Server, and then click Start.
Setup Failed While Registering Wspadmin.dll
Problem: When installing ISA Server, the following error message is displayed:
Setup failed while registering Wspadmin.dll
Details: The function My_LoadLibrary failed at the function Registrator::RegisterComControl
Cause: This may occur when ISA Server 2004 is installed on a computer where a previous installation of one of the following programs was not completely removed:
- A pre-release version of ISA Server 2004
- Microsoft ISA Server 2000
- Microsoft Proxy Server 2.0
Solution: To resolve this issue, remove the remnants of the previous ISA Server installation or the previous Proxy Server installation, and then reinstall ISA Server 2004. To do this, follow these steps:
- Start Microsoft Windows Explorer.
- Remove the following folder if it exists:
%programfiles%\Microsoft ISA Server
- Locate the %WINDIR%\System32 folder, and then remove all the following files if they exist:
  - Cachctrs.h
  - Cachctrs.ini
  - Latui.dll
  - Mspapi.dll
  - Msfpc.dll
  - Msfpcui.dll
  - Msphlpr.dll
  - Msplog.dll
  - Mspmon.dll
  - Mspmsg.dll
  - Mspsec.dll
  - Mspui.dll
  - Pfctrs.h
  - Pfctrs.ini
  - Ratlib.dll
  - Msfpcstg.dll
  - W3papi.dll
  - W3pctrs.h
  - W3pctrs.ini
  - W3pmib.dll
  - Wspapi.dll
- Run the ISA Server 2004 Setup program.
Installation on Domain Controller
Problem: ISA Server installation fails on a Microsoft Windows Server 2003 domain controller.
Cause: When ISA Server is installed, it adds the Network Service account to the Network Configuration Operators group. In some cases, when installing ISA Server on a domain controller, Setup does not find the Network Configuration Operators group, and Setup fails.
Solution: Perform the following steps:
- Demote the Windows Server 2003 domain controller to a member server.
- Install ISA Server.
- Promote the computer to a domain controller.
Firewall Service Cannot Start
At some point after installing or modifying ISA Server Setup, the Microsoft Firewall service may fail to start. This section describes the cause and recommended actions to take when the Firewall service cannot start.
After Installation
Problem: After installation, the Firewall service cannot start and the following error is displayed:
Cannot load an application filter Web Proxy Filter ({4CB7513E-220E-4C20-815A-B67BAA295FF4}).
FilterInit failed with code 0x80072afc.
To attempt to activate this application filter again, stop and restart the Firewall service.
Cause: This happens when ISA Server cannot resolve the name of the ISA Server computer.
Solution: Configure the Domain Name System (DNS) server so that the name of the ISA Server computer can be resolved.
After Repair or Modify
Problem: After you upgrade your computer from Microsoft Windows 2000 Server to Windows Server 2003, the Firewall service on ISA Server may not start. The Firewall service may not start after you perform one of the following actions:
- You repair ISA Server 2004.
- You install ISA Server 2004 Standard Edition with Service Pack 1 (SP1).
- You apply an ISA Server 2004 update.
Cause: This issue occurs because the Network Service account does not have permission to access Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), which is installed when you install ISA Server. Therefore, the Firewall service cannot access MSDE.
Note
When ISA Server 2004 is installed on a computer that is running Windows 2000 Server, MSDE runs under the Local System account. After you upgrade to Windows Server 2003, MSDE continues to run under the Local System account. After you install or repair ISA Server Setup, or after you install a hotfix or service pack, the Firewall service runs under the Network Service account.
Solution: Uninstall and reinstall the ISA Server Advanced Logging (MSDE) feature. Perform the following steps:
- On computers running Windows Server 2003, click Start, click Control Panel, and then double-click Add or Remove Programs.
- In Microsoft ISA Server 2004, click Change/Remove.
- On the Welcome page, click Next.
- On the Program Maintenance page, select Repair.
- On the Custom Setup page, expand Firewall Services, and then click Advanced Logging.
- Click This feature will not be available.
- Click Next, and then click Install.
- Repeat steps 1-5, and then click This feature will be installed on local hard drive.
Internal Network Configuration
Problem: During installation, the following error message appears:
None of the IP addresses of this ISA Server computer are included in the Internal Network for this array.
Cause: The ISA Server installation uses name resolution to determine the local Internet Protocol (IP) addresses required for constructing the Internal network. However, a line in the Hosts file also contains that information.
Solution: Check the Hosts file, located at %windir%\system32\drivers\etc\hosts. Remove the following line:
IP ISA_Server_Name
Automatic Certificate Enrollment Failure
Problem: When joining the ISA Server computer to a domain, certificate autoenrollment fails. Automatic certificate enrollment may be required by other applications running on the ISA Server computer.
Cause: Autoenrollment uses DCOM and by default, ISA Server system policy rules prohibit DCOM traffic from the ISA Server computer to the Internal network, allowing only strict remote procedure call (RPC) traffic.
Solution: To allow DCOM traffic, perform the following steps:
- In the console tree of ISA Server Management, click Firewall Policy:
  - For ISA Server 2004 Enterprise Edition, for array-level firewall policy, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Firewall Policy.
  - For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.
- On the Tasks tab, click Edit System Policy.
- From the Configuration Groups list, click Active Directory.
- On the General tab, verify that Enforce strict RPC compliance is not selected.
Changed Domain Membership
Problem: After changing the domain or workgroup membership of the computer running ISA Server services, ISA Server is no longer functional on that computer.
Cause: Domain and workgroup membership should not be changed after you install ISA Server. Otherwise, ISA Server is no longer functional.
Solution: Repair the ISA Server installation. Perform the following steps:
- On computers running Windows Server 2003, click Start, click Control Panel, and then double-click Add or Remove Programs.
- In Microsoft ISA Server 2004, click Change/Remove.
- On the Welcome page, click Next.
- On the Program Maintenance page, select Repair.
- On the Enterprise Deployment Environment page, choose the I am deploying in a workgroup or in domains without trust relationships option. Then, do the following:
  - In Server certificate, type the path and file name of the certificate.
  - In Certificate password, type the password of the certificate file.
- Click Next.
- Click Install.
Reusing Cache Files after Reinstallation
Problem: When reinstalling ISA Server, the existing cache files are removed.
Cause: By design, when you reinstall ISA Server, the existing cache files are removed.
Solution: To preserve the cache file after reinstallation, perform the following steps:
- Before you begin the reinstallation process, create a copy of the existing cache file, located in <drive:>\urlcache\Dir1.cdat.
- Reinstall ISA Server.
- Reconfigure cache settings, the same way they were previously configured.
- Stop all the ISA Server services, by typing net stop fweng at a command prompt.
- Copy the Dir1.cdat file to the \urlcache folder.
- Restart the services.
Failed to Install ISA Server 2004 on ISA Server 2000 Computer
Problem: When installing ISA Server Management for ISA Server 2004 on a computer that already has ISA Server 2000 installed, ISA Server 2004 Setup upgrades the existing ISA Server 2000 program. ISA Server Management for ISA Server 2000 will not remain installed alongside ISA Server Management for ISA Server 2004.
Cause: This problem occurs because Microsoft does not support a parallel installation of ISA Server 2004 Administration Tools and ISA Server 2000 Administration Tools on the same computer.
Solution: If you no longer require the ISA Server 2000 Administration Tools, install ISA Server 2004 Administration Tools. ISA Server 2000 Administration Tools will be removed during the Setup program. Only ISA Server Management for ISA Server 2004 will be available when Setup completes. If you still want the ISA Server 2000 program, install it on another computer.
Failed to Migrate Site-to-Site Connections
Problem: When upgrading from ISA Server 2000, the migration tool failed with the following error:
Error: Failed while exporting the Remote Access Service VPN site-to-site connections.
Cause: This error sometimes occurs when you migrate the virtual private network (VPN) settings previously configured using ISA Server 2000.
Solution: Perform the following steps:
- Note the existing VPN site-to-site connection configuration settings, as configured in ISA Server 2000.
- Delete the VPN site-to-site connection from Routing and Remote Access.
- In ISA Server, reconfigure the VPN settings, as detailed in the Site-to-Site VPN in ISA Server 2004 Standard Edition and Site-to-Site VPN in ISA Server 2004 Enterprise Edition documents, available on the VPN page at the Microsoft Windows Server System Web site.
Migrating Alerts with No Additional Keys
Problem: After upgrading from ISA Server 2000, additional conditions for some alerts appear dimmed.
Cause: When an ISA Server 2000 configuration is upgraded to ISA Server 2004, the additional key in the definition of an alert for an event that is defined with no subevents may be set to 0, instead of to -1 (which indicates that there is no subevent).
Solution: Run the script described in the Correcting Upgraded Additional Keys document, available on the Coding Corner page at the Microsoft Windows Server System Web site.
No Traffic After Setup Completes
Problem: Setup completed successfully, but no traffic is allowed to pass through ISA Server.
Cause: After you complete Setup, the firewall policy is configured so that no traffic from the External network is allowed to pass through ISA Server. Only a specific set of preconfigured system policy rules allows limited access to critical servers, such as authentication servers, name resolution servers, and others.
Solution: Configure a rule base, consistent with your corporate policy. For more information about getting started, see the Getting Started Guide on the Planning, Deployment, and Integration page at the Microsoft Windows Server System Web site.
Setting Up ISA Server Standard Edition
This section describes issues that might be encountered when installing ISA Server 2004 Standard Edition.
FTP Usage After Upgrade
Problem: After upgrading from ISA Server 2000, clients of ISA Server 2004 can no longer upload File Transfer Protocol (FTP) content.
Cause: In ISA Server 2000, when you allowed FTP access, clients were allowed to upload and download using FTP. When you upgrade, however, any rules that apply to FTP are created in ISA Server 2004 with the ISA Server 2004 defaults. By default, when you create an access rule that allows FTP, clients can only download FTP content.
Solution: To allow clients to upload FTP content, perform the following steps for all rules that were migrated and apply to FTP:
- In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.
- In the details pane, select the migrated rule that applies to FTP access.
- On the Tasks tab, click Edit Selected Rule.
- On the Protocols tab, in This rule applies to, select Selected protocols.
- Click Add, expand All Protocols, select FTP, click Add, and then click Close.
- Click Filtering, and then click Configure FTP.
- On the Protocol tab, select Read Only.
Failed While Registering Performance Monitoring
Problem: When installing ISA Server on a computer running Windows 2000 Advanced Server, Setup fails with the following error message:
Setup failed registering ISA Server Performance monitoring
Cause: A security template was applied to the computer, modifying the permissions required to install ISA Server.
Solution: Do not apply security templates. Instead, follow the instructions for hardening the ISA Server computer that are detailed in the Hardening the Windows Infrastructure on the ISA Server 2004 Computer document, available on the Planning, Deployment, and Integration page at the Microsoft Windows Server System Web site.
Setting Up ISA Server Enterprise Edition
This section describes issues that might be encountered when installing ISA Server 2004 Enterprise Edition.
Cannot Connect to Configuration Storage Server
When an array member loses connectivity with the Configuration Storage server, it will use the local copy of the configuration settings. However, connectivity to the Configuration Storage server is critical for maintaining the local copy, thereby providing the most up-to-date, timely protection for your network resources.
The array member cannot connect to its specified Configuration Storage server in any of the following scenarios:
- During installation, the array member cannot connect to the Configuration Storage server.
- ISA Server cannot authenticate with the Configuration Storage server.
- The Internal network was not configured properly.
- Setup did not complete successfully, and the Configuration Storage server is therefore inaccessible.
This section describes the cause and recommended actions to take when the array member cannot connect to its Configuration Storage server.
Cannot Access Configuration Storage Server
Problem: The array member cannot connect to the specified Configuration Storage server. This may happen for any of the reasons described in this section:
- Name of the Configuration Storage server was not correctly specified.
- Name of the Configuration Storage server cannot be resolved.
- The ISASTGCTRL service is not available.
Incorrect Name for Configuration Storage Server
Cause: The name of the Configuration Storage server is not correct.
Solution: Verify that the Configuration Storage server name is specified correctly. Do the following:
- In the console tree of ISA Server Management, click Microsoft Internet Security and Acceleration Server 2004, click Arrays, right-click the specific array, and then click Properties.
- On the Configuration Storage tab, in Configuration Storage server, verify that the fully qualified domain name (FQDN) is correctly specified.
Configuration Storage Server Name Not Resolvable
Cause: The name of the Configuration Storage server cannot be resolved.
Solution: Verify that the forward name lookup is properly configured on the computer running ISA Server services, and that basic network connectivity with the Configuration Storage server computer exists. Perform the following steps:
- At a command prompt, type: ping name, where name is the name of the Configuration Storage server.
- If the name cannot be resolved to an IP address, fix the name resolution problem by configuring the DNS server or by editing the Hosts file in the %windir%\system32\drivers\etc folder.
Configuration Storage Server Name Not Available
Cause: The Configuration Storage server service (ISASTGCTRL) is not available.
Solution: Verify that the Configuration Storage server service is available. Do the following:
- In the console tree of ISA Server Management, click Microsoft Internet Security and Acceleration Server 2004, click Arrays, right-click the specific array, and then click Properties.
- On the Configuration Storage tab, in Configuration Storage server, note the name of the server.
- Verify that the specified Configuration Storage server is accessible. On the Configuration Storage server, verify that the Configuration Storage server service (ISASTGCTRL) is running.
Array Member Cannot Access Configuration Storage Server
Cause: The array member does not allow access to the Configuration Storage server.
Solution: Check the log files, to verify that the array member allows access to the Configuration Storage server. If access is blocked, do the following:
- Create a rule that allows access to the Configuration Storage server.
- To propagate the new configuration settings, do the following:
  - Stop the Microsoft Firewall service. In the console tree of ISA Server Management, click Microsoft Internet Security and Acceleration Server 2004, click Arrays, and then click Monitoring. On the Services tab, right-click Microsoft Firewall and then click Stop.
  - Download Fwengmon.exe from the Microsoft Download Center. At a command prompt, type: fwengmon.exe /a IP, where IP is the IP address of the Configuration Storage server.
  - Verify that the configuration was updated for the array. In the console tree of ISA Server Management, click Microsoft Internet Security and Acceleration Server 2004, click Arrays, and then click Monitoring. On the Configuration tab, verify that the Status column indicates Synced.
  - Start the Microsoft Firewall service. In the console tree of ISA Server Management, click Microsoft Internet Security and Acceleration Server 2004, click Arrays, and then click Monitoring. On the Services tab, right-click Microsoft Firewall and then click Start.
  - At a command prompt, type: fwengmon.exe /noallow
Inaccessible Configuration Storage Server
Cause: When trying to install the ISA Server services (an array member), the computer cannot connect to the specified Configuration Storage server. The Configuration Storage server may not be accessible.
Solution: Check connectivity. Perform the following steps:
- Run AdamSetup.exe, located in the \FPC\Program Files\Microsoft ISA Server\adam folder of the Microsoft Internet Security and Acceleration Server 2004 CD.
- Run the Ldp.exe tool, which was installed to the %windir%\ADAM folder.
- On the Connection menu, click Connect.
- In Server, type the fully qualified domain name (FQDN) of the Configuration Storage server.
- In Port, type 2172.
- Select the SSL check box.
Windows Authentication Failure
Problem: ISA Server cannot authenticate with the Configuration Storage server when using Windows authentication.
Cause: The Local System account on the array member cannot authenticate with the Configuration Storage server.
Solution: Verify that the Local System account on the computer running ISA Server services can authenticate with the Configuration Storage server. Do the following:
- Run the Ldp.exe tool as the Local System account.
- Connect to the Configuration Storage server, using port 2171.
- Bind with NULL credentials (leave fields empty).
- Verify that you can browse the configuration settings. If you cannot browse the configuration settings:
  - Verify that the time on the computer running ISA Server services is the same as on the domain controller.
  - Verify that the required service principal names (SPNs) are properly registered. For instructions, see the Administering ADAM service principal names topic in the ADAM.chm Help file located in the %windir%\help folder on the Configuration Storage server computer.
SSL Encrypted Channel Failure
Problem: ISA Server cannot authenticate with the Configuration Storage server, when using a Secure Sockets Layer (SSL) encrypted channel for authentication.
Cause: The Local System account on the array member cannot authenticate with the Configuration Storage server.
Solution: Verify that the Local System account on the computer running ISA Server services can authenticate with the Configuration Storage server. Do the following:
- Run the Ldp.exe tool as the Local System account.
- Connect to the Configuration Storage server, using port 2172 (SSL). If the connection fails, verify that:
  - An appropriate valid server certificate with the exact name as specified in the Array Properties page is installed on the Configuration Storage server computer. If such a certificate is not installed or is invalid, install a new certificate.
  - A valid root certificate of the certification authority is installed on the computer running ISA Server services. If such a certificate is not installed or is invalid, install a new certificate.
- Bind with the credentials of an ISA Server (array or enterprise) administrator.
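The checks from the Configuration Storage server sections above (name resolution, connectivity on port 2172, certificate name, trust and expiry) combined into one diagnostic, as an added PowerShell example that is not part of the original guide. `Test-StorageServerSsl` and the server name `css01.corp.example` are hypothetical; the script assumes Windows PowerShell 3.0 or later and runs as the current user, so it does not replace the Ldp.exe bind as Local System.

```powershell
# Added example: check name resolution, TCP reachability and the server
# certificate on the Configuration Storage server SSL port (2172).
# Test-StorageServerSsl is a hypothetical helper name, not an ISA Server tool.
function Test-StorageServerSsl {
    param(
        [Parameter(Mandatory = $true)][string]$Fqdn,  # name shown on the Configuration Storage tab
        [int]$Port = 2172,
        [int]$TimeoutMs = 5000
    )
    $r = [pscustomobject]@{
        Fqdn         = $Fqdn
        Port         = $Port
        Addresses    = $null
        TcpOpen      = $false
        Subject      = $null
        NotAfter     = $null
        DaysLeft     = $null
        PolicyErrors = $null
        Problem      = $null
    }

    # Step 1: forward lookup (the guide's "ping name" check).
    try {
        $r.Addresses = ([System.Net.Dns]::GetHostAddresses($Fqdn) |
            ForEach-Object { $_.IPAddressToString }) -join ', '
    } catch {
        $r.Problem = 'Name cannot be resolved: fix DNS or the Hosts file'
        return $r
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Step 2: TCP connection with a timeout.
        $pending = $client.BeginConnect($Fqdn, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $r.Problem = "No answer on TCP port $Port within $TimeoutMs ms"
            return $r
        }
        $client.EndConnect($pending)
        $r.TcpOpen = $true

        # Step 3: SSL handshake. The callback accepts any certificate so that
        # a bad one can still be inspected; use this for diagnosis only.
        $script:sslErrors = $null
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($source, $certificate, $chain, $errors)
            $script:sslErrors = $errors
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Fqdn)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject      = $cert.Subject
        $r.NotAfter     = $cert.NotAfter
        $r.DaysLeft     = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        $r.PolicyErrors = $script:sslErrors

        # Step 4: map the findings to the causes listed in this guide.
        $nameMismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        $chainErrors  = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
        if ($cert.NotAfter -lt (Get-Date)) {
            $r.Problem = 'Server certificate has expired'
        } elseif ($script:sslErrors -band $nameMismatch) {
            $r.Problem = 'Certificate name does not match the Configuration Storage server name'
        } elseif ($script:sslErrors -band $chainErrors) {
            $r.Problem = 'Certificate chain is not trusted: check the root CA certificate on this computer'
        }
    } catch {
        $r.Problem = "Connection or SSL handshake failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    return $r
}

# css01.corp.example is a placeholder; use the FQDN from the array properties.
Test-StorageServerSsl -Fqdn 'css01.corp.example' | Format-List
```

An empty Problem field with a positive DaysLeft means the name resolves, the port answers, and the certificate name, chain and validity all pass from this computer.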
Using a Different Configuration Storage Server
Problem: Neither the primary nor alternate Configuration Storage servers are accessible.
Cause: The primary Configuration Storage server may become unavailable, and the alternate Configuration Storage server is either not configured or also unavailable. The Configuration Agent can switch to another Configuration Storage server only by reading a configuration change from the currently configured Configuration Storage server.
Solution: To switch to a different Configuration Storage server, use the ChangeStorageServer.vbs script, available in the FPC\Program Files\Microsoft ISA Server folder on the ISA Server CD. For usage instructions, run
cscript ChangeStorageServer.vbs ?.
Internal Network Not Configured Correctly
Problem: During installation, the following error message appears:
None of the IP addresses of this ISA Server computer are included in the Internal Network for this array.
Cause: The ISA Server installation uses name resolution to determine the local IP addresses, required for constructing the Internal network. However, a line in the Hosts file also contains that information.
Solution: Check the Hosts file, located at %windir%\system32\drivers\etc\hosts. Remove the following line: IP ISA_Server_Name.
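The Hosts-file check described here and in the identical Internal Network Configuration issue under Common Setup Issues, as an added PowerShell example that is not part of the original guide. It reports every active Hosts line that maps a name of the ISA Server computer; `Find-HostsSelfEntry`, the sample Hosts content and the name `isa01` are constructed for illustration.

```powershell
# Added example: find Hosts-file lines that map this computer's own name.
# Find-HostsSelfEntry is a hypothetical helper name, not an ISA Server tool.
function Find-HostsSelfEntry {
    param(
        [string[]]$HostsLines,   # content of the Hosts file, one element per line
        [string[]]$ServerNames   # short name and FQDN of the ISA Server computer
    )
    $lineNumber = 0
    foreach ($raw in $HostsLines) {
        $lineNumber++

        # Everything after '#' is a comment, so commented-out lines are inactive.
        $active = ($raw -split '#', 2)[0].Trim()
        if ($active -eq '') { continue }

        # Format: IP address, then one or more host names, whitespace-separated.
        $fields = @($active -split '\s+')
        if ($fields.Count -lt 2) { continue }

        foreach ($name in $fields[1..($fields.Count - 1)]) {
            # -contains compares case-insensitively, as host names require.
            if ($ServerNames -contains $name) {
                [pscustomobject]@{
                    Line    = $lineNumber
                    Address = $fields[0]
                    Name    = $name
                    Text    = $raw
                }
            }
        }
    }
}

# Constructed sample content. On a real server, read the file instead:
#   $lines = Get-Content "$env:windir\system32\drivers\etc\hosts"
$sample = @(
    '# Constructed sample Hosts content',
    '127.0.0.1       localhost',
    '192.0.2.10      ISA01 isa01.corp.example   # stale entry',
    '#10.0.0.5       isa01',
    '10.0.0.20       css01.corp.example'
)

# Reports line 3 once per matching name; the commented-out line 4 is ignored.
Find-HostsSelfEntry -HostsLines $sample -ServerNames 'isa01', 'isa01.corp.example' |
    Format-Table Line, Address, Name -AutoSize
```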
Setup Failure
Problem: Installation did not complete successfully. Therefore, the Configuration Storage server is inaccessible.
Cause: Installation may not complete successfully for various reasons.
Solution: Check the setup logs for possible explanations. Three setup logs are created each time you try to install ISA Server. These files are created in the %windir%\%temp% folder and are named isa*.log.
No Certificate for ISA Server in a Workgroup
Problem: The computer running ISA Server services belongs to a workgroup. However, there is no certificate installed on the Configuration Storage server to which it will connect.
Cause: When the computer running ISA Server services belongs to a workgroup or to an untrusted domain, certificate authentication must be enabled on the Configuration Storage server.
Solution: Use the ISACertTool, available on the ISA Server 2004 Downloads page at the Microsoft Windows Server System Web site, to install a certificate. Alternatively, run Repair. Perform the following steps:
- On computers running Windows Server 2003, click Start, click Control Panel, and then double-click Add or Remove Programs.
- In Microsoft ISA Server 2004, click Change/Remove.
- On the Welcome page, click Next.
- On the Program Maintenance page, select Repair.
- On the Enterprise Deployment Environment page, choose the I am deploying in a workgroup or in domains without trust relationships option. Then, do the following:
  - In Server certificate, type the path and file name of the certificate.
  - In Certificate password, type the password of the certificate file.
- Click Next, and then click Install.
Note
Before removing ISA Server, be sure to close ISA Server Management and ISA Server Performance Monitor.
If the storage is corrupted, as part of the procedure, you will also have to specify the array membership and Internal network configuration.
When you install a certificate, a private key container is created on the Configuration Storage server in the Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder. The account running ISASTGCTRL service (by default, the Network Service account) must have appropriate permissions to the private key container.
Certificates typically have an expiration period, usually no more than one year. ISA Server cannot use an expired certificate. Be sure to renew your certificates before they expire, so that ISA Server can continue to function.
Additional Information
Additional ISA Server 2004 documents are available on the ISA Server 2004 Guidance page at the Microsoft Windows Server System Web site.
Also, refer to the following Knowledge Base (KB) articles: