Firewall Client is Unable to Connect to ISA Server 2006


1. Introduction

 

This scenario is based on a real customer case that we were able to reproduce in a lab. When the Microsoft Firewall Client tries to connect to an ISA Server 2006, it fails with the error "Operation failed as result of a network error". This happens with both automatic and manual detection of the ISA server from the client.

 

Figure 1 – Firewall Client Error message and red mark in the firewall client icon in taskbar.

 

Although the error message says "Operation failed as result of a network error", there was no network problem reaching the ISA Server 2006 from this workstation, as the Network Monitor (netmon) trace below shows:

 

TCP three-way handshake completing successfully:

10.20.20.201  10.20.20.1    TCP    TCP:Flags=......S., SrcPort=1173, DstPort=1745, PayloadLen=0, Seq=2944340194, Ack=0, Win=65535 (scale factor 0) = 65535
10.20.20.1    10.20.20.201  TCP    TCP:Flags=...A..S., SrcPort=1745, DstPort=1173, PayloadLen=0, Seq=576250929, Ack=2944340195, Win=16384 (scale factor 0) = 16384
10.20.20.201  10.20.20.1    TCP    TCP:Flags=...A...., SrcPort=1173, DstPort=1745, PayloadLen=0, Seq=2944340195, Ack=576250930, Win=65535 (scale factor 0) = 65535

Client configuration request:

10.20.20.201  10.20.20.1    TCP    TCP:Flags=...AP..., SrcPort=1173, DstPort=1745, PayloadLen=1, Seq=2944340195 - 2944340196, Ack=576250930, Win=65535 (scale factor 0) = 65535

Client sending a TCP FIN to close the connection:

10.20.20.201  10.20.20.1    TCP    TCP:Flags=...A...F, SrcPort=1173, DstPort=1745, PayloadLen=0, Seq=2944340196, Ack=576250930, Win=65535 (scale factor 0) = 65535

 

2. Using File Monitor to Troubleshoot Firewall Client

 

To better understand what the Firewall Client application was doing at the time of the issue, we used File Monitor (Filemon) from Sysinternals. With Filemon running, we clicked the "Test Server" button; the log shows that the FwcAgent.exe process (the Microsoft Firewall Client service), running in the context of Local Service, gets an "Access Denied" when it tries to create a file under %systemdrive%\Documents and Settings\LocalService\Local Settings\Temp.

 

Note: LocalService and sub folders are hidden by default in Windows XP and Windows Server 2003.

 

 

Figure 2 – Filemon Log trying to create a file in the temp folder.

 

Opening the Temp folder under %systemdrive%\Documents and Settings\LocalService\Local Settings, we see that Local Service has no permissions on it at all, as shown in Figure 3.

 

 

 

Figure 3 – ACL for Temp Folder.

 

3. Conclusion

 

This issue can be resolved by giving Local Service "Full Control" over the Temp folder under %systemdrive%\Documents and Settings\LocalService\Local Settings. The problem occurred because Local Service did not have "Full Control" over that Temp folder, and the Firewall Client needs this permission to temporarily store the configuration it receives from the ISA Server. When the Firewall Client connects to the ISA server it sends a configuration request, and the ISA server answers with a configuration response. The Firewall Client then tries to create a temp file in which it stores the Internal Network definition (the configuration response); when that file cannot be created, the connection is torn down and the generic "network error" is reported.
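As an added check (not part of the original article), the following PowerShell script verifies that the account the Firewall Client runs under has Full Control on its profile Temp folder and, with -Fix, applies the article's remedy. It goes beyond the article by resolving the profile root from the ProfileList registry key instead of hard-coding the Documents and Settings path, so the same check also covers Network Service (S-1-5-20) for a TMG client; the $ServiceSid parameter and -Fix switch are my own names, and the assumption is that ProfileList carries a ProfileImagePath entry for the service SID.

```powershell
# Added check (not part of the original article): does the account the
# Firewall Client runs under have Full Control on its profile Temp folder?
param(
    # S-1-5-19 = NT AUTHORITY\LOCAL SERVICE (Firewall Client on ISA 2006).
    # S-1-5-20 = NETWORK SERVICE, the account mentioned for the TMG client.
    [string]$ServiceSid = 'S-1-5-19',
    [switch]$Fix        # apply the article's remedy instead of only reporting
)

$sid     = New-Object System.Security.Principal.SecurityIdentifier $ServiceSid
$account = $sid.Translate([System.Security.Principal.NTAccount]).Value

# Resolve the profile root from ProfileList (assumed present for service SIDs)
# rather than hard-coding "Documents and Settings\LocalService".
$profileKey  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$ServiceSid"
$profileRoot = [Environment]::ExpandEnvironmentVariables(
    (Get-ItemProperty -Path $profileKey -Name ProfileImagePath).ProfileImagePath)

# XP/2003 keep Temp under "Local Settings"; Vista and later under AppData\Local.
# Test-Path finds the folder even though it is hidden by default.
$temp = @((Join-Path $profileRoot 'Local Settings\Temp'),
          (Join-Path $profileRoot 'AppData\Local\Temp')) |
        Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $temp) { throw "No Temp folder found under $profileRoot" }

$acl    = Get-Acl -LiteralPath $temp
$needed = [System.Security.AccessControl.FileSystemRights]::FullControl
$grant  = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $account -and
    (($_.FileSystemRights -band $needed) -eq $needed)
}

if ($grant) {
    Write-Output "OK: $account has Full Control on $temp"
} elseif ($Fix) {
    # The article's fix: Full Control, inherited by files and subfolders.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, $needed, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $temp -AclObject $acl
    Write-Output "FIXED: granted $account Full Control on $temp"
} else {
    Write-Output "MISSING: $account lacks Full Control on $temp (rerun with -Fix)"
}
```

Run it from an elevated prompt; the report-only mode is safe to include in a post-hardening validation pass before the template is rolled out more widely.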

 

This particular case was very interesting because the problem appeared right after a hardening template was applied to all Windows workstations that had the Microsoft Firewall Client installed. This is, once again, proof that before you deploy a hardening template you should test every application that needs to run on the system and verify that it still behaves as designed.

 

 

Authors

Mohit Kumar

Security Support Engineer

Microsoft CSS Forefront Edge Team

 

Yuri Diogenes

Security Support Engineer

Microsoft CSS Forefront Edge Team

 

 

Comments
  • Hi,

    Thanks for your tip, I faced the problem when I migrated one system from one domain to another. Firewall Client could not connect to ISA server but changing permission for mentioned folder did the trick and saved me a lot of time.

  • Fantastic Tip!

    I've faced the same issue and I've been working for a week to find a solution.

    Scenario: Win7 + IE8 + ISA 2006

    Thanks a lot.

  • Fantastic!!! You save me at 04:30AM!!

    Many Thanks!!!

  • This just helped me to solve a problem, but in my case it was the TMG firewall client and it runs as NetworkService, and the NetworkService profile was changed from its original location.

    Restored NetworkService profile location to the original place and the issue was solved.

    The NetworkService profile path is stored in the registry at this location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20\ProfileImagePath = C:\Windows\ServiceProfiles\NetworkService

  • Hi,

    I have a different problem: when I'm testing the ISA server it is OK, but after that it doesn't connect.

    This happened when I installed the client on Win7 Home Premium; I think this is related to the problem that Win 7 Home Premium doesn't support the domain option.

    Is there a solution for this issue?
