ISA Policy Storage 101

ISA Policy Storage 101

  • Comments 5
  • Likes
Introduction

ISA Server Enterprise and Standard Editions use different locations for the persistent policy store, but there is only one functional location for ISA Policy; in each local ISA server’s registry and file system.  Since the registry limits maximum hive size, and because ISA policies can be quite large (especially with some 3rd-party products), the ISA installer creates separate hive files for ISA storage.  These hive files are located in %IsaInstallFolder%\StgData\. 

Any policy data that would exceed 10k in the registry is written to a BLOB (binary large objects) file in the same folder as the registry hives and a pointer to that file is placed in the registry instead. Although the BLOB files are accessible directly, they can only be interpreted through ISA Storage.  

All policy storage activity (read/write, import/export) operates through calls to the ISA Storage Service (isastg).  ISA installer sets access controls on these files to prevent inadvertent or malicious manglement.

 

Standard Edition

Because ISA Server Standard Edition has no need to share the policy store, it uses only the local policy storage.  This storage is spread across three registry locations:

HKLM\IsaStg_Eff1

contains the traffic policy

HKLM\IsaStg_Eff1Policy

contains the low-level policies (attack detection, flood mitigation, etc.)

HKLM\IsaStg_Eff1Prot

contains the protocol definitions

On startup, Microsoft Firewall (fwsrv) calls to the Microsoft ISA Storage (isastg) to read the current policies.  If isastg returns an error while being asked to read the policies during startup, fwsrv logs an alert and enters lockdown mode.

  

Enterprise Edition

There are two locations for ISA policy in Enterprise Edition; one in Configuration Storage Server (CSS) and another in each array member’s registry.  When you create a new Firewall Policy rule for example, this rule is first sent to CSS so it can be added to ADAM and then replicated to local registry. This means that if the ISA Server Firewall that you are locally creating this rule does not have access to the CSS during that operation, the policy will not be propagated to the local registry. By losing access to CSS you cannot create new rules, but ISA will honor the current rules since it is located in the local storage, the registry. The registry for EE is actually made up of three storage locations:

HKLM\IsaStg_Cache*

used by the mixer as a policy transformation workspace

HKLM\IsaStg_Eff[1|2]

copy of the traffic policy

HKLM\IsaStg_ Eff[1|2]Policy

copy of the low-level policies (attack detection, flood mitigation, etc.)

HKLM\IsaStg_ Eff[1|2]Prot

copy of the protocol definitions

The active policy location is indicated in HKLM\Software\Microsoft\Fpc\Storage\ActiveEffective.  This value rotates between HKLM\IsaStg_Eff1* and HKLM\IsaStg_Eff2* for each successful policy change.  This behavior provides two benefits:

1.       ISA can compare current policy changes to the old policy and thus detect changes which may break ISA functionality (CSS connectivity, for instance)

2.       ISA can roll back to a previous policy if the new policy update fails for any reason

As with Standard Edition, Microsoft Firewall (fwsrv) calls to the Microsoft ISA Storage (isastg) to read the current policies on startup.  If isastg returns an error while being asked to read the policies during startup, fwsrv logs an alert, but unless both registry storage locations are unreadable, it won’t enter lockdown.   In this regard, Enterprise Edition is much more resilient than Standard Edition.

Note: the polices stored in the IsaStg_Eff locations are stored in a format identical to Standard Edition policy, and thus the Enterprise context for these policies is lost.

 

What it all boils down to:

 

1.       ISA Standard Edition has only one policy storage, so if policy storage updates or initial load fails, it cannot function. 

2.       ISA Enterprise Edition can still perform as a firewall/proxy using the last known good policy in the registry even if CSS is not available.   Only if this system-local copy fails to initialize properly will the firewall service enter lockdown for policy load failure

3.       You cannot reverse-engineer the registry-based Enterprise Edition policies to CSS-format storage

4.       In a disaster recovery situation, you cannot export the registry keys and import in a new system as an attempt to recreate the firewall policies.

5.       If you deploy a single CSS for your Enterprise firewall solution, you’re risking a complete Enterprise rebuild when (not if) that CSS fails.

6.       If you use any method besides ISA Export / Import for disaster recovery, you risk losing data

 

Author

Jim Harrison, Program Manager, Forefront Edge CS

Tech Reviewers

Mohit Saxena, Security Technical Lead (Forefront Edge CSS Team)

Yuri Diogenes, Security Support Engineer (Forefront Edge CSS Team)

Nathan Bigman, Content Publishing Manager (Forefront Threat Management Gateway)

Vic Singh Shahid, Escalation Engineer (Forefront Edge CSS Team)

 

Comments
  • PingBack from http://mstechnews.info/2008/10/isa-policy-storage-101/

  • How many times were you wonder what the difference between HKEY_LOCAL_MACHINE\IsaStg_Eff1 and \IsaStg_Eff1Policy

  • 203 Microsoft Team blogs searched, 113 blogs have new articles in the past 7 days. 318 new articles found

  • But how to troubleshoot, if Control service is not able to update the local registry using the data from CSS?

  • Regarding "3.       You cannot reverse-engineer the registry-based Enterprise Edition policies to CSS-format storage":

    You actually CAN reverse-engineer the registry-based Enterprise Edition policies to CSS-format storage.

    Current array configuration can be exported from array node's registry to XML using script with root.ConnectToLocalStorage. Then this XML file after some modifications can be successfully imported to CSS.

    I tested this method after the only TMG EMS server was lost and no configuration backup was available.

    I described it in details here ant-sh.blogspot.com/.../retrieve-current-TMG-configuration-from-array-node-registry.html

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment