ISA Server and Windows Server 2003 Service Pack 2


Recently Microsoft released Service Pack (SP) 2 for Windows Server 2003 (http://www.microsoft.com/technet/windowsserver/sp2.mspx). We tested ISA Server with the Windows service pack quite extensively. Unfortunately, after the release of the Windows service pack we discovered several issues that can adversely affect ISA Server. This blog post summarizes the currently known issues and suggests how to mitigate them.


1. If you run ISA Server 2004 Enterprise Edition, with or without ISA Server SP2, you must install ADAM SP1 on the ISA Server Configuration Storage Server before installing Windows Server 2003 SP2. ADAM SP1 can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyId=9688F8B9-1034-4EF6-A3E5-2A2A57B5C8E4&displaylang=en.
If you install Windows Server 2003 SP2 without first installing ADAM SP1, ISA Server will not start after the installation, and you will have to uninstall Windows Server 2003 SP2. Further information is available in the Windows Server 2003 SP2 release notes, at http://technet2.microsoft.com/WindowsServer/en/library/ed5382af-e819-4d33-ace0-225d31b7ab751033.mspx?mfr=true.


2. If you run ISA Server 2000, 2004 or 2006 Standard or Enterprise editions on a multi-core / multi-processor 32-bit computer, and the CPU is heavily utilized, you might experience performance degradation in certain deployment scenarios after installing Windows Server 2003 SP2. The issue stems from a change in interrupt handling introduced in SP2.
To correct the issue you must download and run the Interrupt Affinity Tool (intfiltr), available in the Windows Server 2003 Resource Kit (http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en).
You can read about installing and using intfiltr.exe at http://support.microsoft.com/kb/252867.


3. If your network adaptors (NICs) support receive-side scaling (RSS), then in certain NAT scenarios ISA Server 2000, 2004 or 2006 Standard or Enterprise editions might not transfer packets from one NIC to the other after installation of Windows Server 2003 SP2.
To correct the issue you must disable RSS support - follow the instructions in http://support.microsoft.com/default.aspx?scid=kb;EN-US;927695.


Neta Amit

Program manager

ISA Server Sustained Engineering Team


Comments (55)

  1. Anonymous says:

    ISA Server 2004 Rather inconspicuously, and in defiance of Labor Day, Microsoft has released

  2. Anonymous says:

    Has this been resolved with Windows 2003 SP2 and ISA 2006?  I’m still putting off installing SP2 after hearing about this.

  3. Anonymous says:

    Hi,

    Any Update on this issue?

    Thanks,

    Jake

  4. Anonymous says:

    Many have wondered about where I’ve been and what I’ve been doing not keeping up on this blog. Well,…

  5. Anonymous says:

    ISA Server 2006, Windows 2003 R2 w/ SP2.

    I disabled RSS Support via the registry and through the NIC settings.  Pretty much everything is back to normal, except I noticed that I’m still unable to RDP to the ISA externally.  It’s a lab network so it’s not really a big deal, but I’d like it to work.  RDP is published using a non-default port, and my machine is allowed…

    Thanks for any guidance

  6. Anonymous says:

    Anybody know why the ISA 2006 FW policy screen is blank in Vista using the MMC?

  7. Anonymous says:

    1. Run ISA Server 2004 Enterprise Edition on Windows 2003 RTM/SP1? Make sure to install ADAM SP1 on the ISA Server Configuration Storage Server before installing Windows 2003 SP2. 2. If you run ISA Server on a multi-core / multi-processor 32-b

  8. Anonymous says:

    Thanks for the info, little bit disappointed/angry, but I don’t mind doing such steps.

    However, I am having difficulties in uninstalling the W2K3 SP2 on my ISA 2004, saying "The system cannot find file specified"  "SP2 was not uninstalled."

    Any help

    Thanks

  9. Anonymous says:

    Windows Server 2003 SP2 has now been available for a few days. In the meantime, a few problems have also been

  10. Anonymous says:

    If you are having specific issues with Service Pack 2, or trouble with any other ISA Server configuration issues, you may want to post to the ISA Server (Forefront Edge) forums at http://forums.microsoft.com/ForeFront/default.aspx?ForumGroupID=384&SiteID=41. These forums are monitored by other ISA Server users and by the ISA Server Development Team.

  11. Anonymous says:

    Hello,

    I am not sure whether my problem is caused by a combination of ISA2004 SP3 and W2k3 Std. SP2, but…

    Sometimes it happens that users cannot access the Internet. After typing the URL into the address line in MS IE 6 or 7, the logon window pops up. Even if they fill in the domain account name and password, the window "demands" login again and again.

    After this IE shows the message with error 407 (probably authentication error) (12209). No matter what I do, the Internet is unavailable for some minutes. From ISA I can reach the Internet. All connectors are showing OK. But in the System Log on ISA there is the error message NETLOGON 5719. Restarting this service does not help. DNS zone transfer from Primary NS to Slave NS (ISA) does not help. DNS cache cleaning does not help. Restarting the Microsoft Firewall Service on ISA does not help.

    Where could the problem be? Any ideas? I am near the end 🙂

    Thank you for any positive response.

  12. Anonymous says:

    Longhorn Beta3 review As is the good custom at SuperSite, the Longhorn review did not take long to arrive and is quite extensive. I recommend reading Paul Thurrott’s SuperSite for Windows- Wind …

  14. Anonymous says:

    I think this blog entry misses the most important point, and that is that this is not a secure configuration because the partitioning of the VMs from each other, and the host OS, is not secure. Firewalls should never be put on VMs except for testing and "honeypot" deployments. videoconverter.org

  15. Ray Avila says:

    Why can't I generate a report any more? ISA 2006 Standard on a fresh R2 server. It seems it’s related to IE7, isn’t it?

  16. Phillip Windell [MVP - ISA] says:

    In my experiments I could not even get ISA2006 Std to even install/startup properly if the Server2003 had SP2 before ISA was installed.

    I tried it on a clean install of 2003 (not R2) with SP2 and then installed ISA2006 Std.  In the first attempt the install would fail in the second phase (installing components?). On the second attempt it failed on the final phase (starting ISA Services).

  17. Bob Hyatt says:

    I am also unable to generate a report any more in ISA 2006 Standard with a fresh R2 server…

  18. Like Phillip Windell, I made a clean install of 2003 (not R2) with SP2 and then installed ISA2006. I’ve had a lot of problems with the HTML authentication form for OWA and other published websites, and also much trouble with RPC over HTTPS. It doesn’t run anywhere. After I uninstalled ISA2006 and SP2 and reinstalled ISA2006, all publishing items ran fine.

    Is it a bug?

  19. Cheikh Yassine says:

    On a Dell PowerEdge 1950 server with Windows 2003 R2 and ISA 2006 Standard, I installed the Windows 2003 SP2. All computers in my network were using secure NAT to connect to the internet through ISA. Now it is impossible; I can only connect using the proxy client (I did not test the firewall client). The NIC on this server is a Broadcom NetXtreme II with the latest driver. I disabled RSS but am still having problems with secure NAT connections. Any idea about this?

  20. Hafiz SAeed says:

    Somewhat better, but will be tested more to make a hard decision.

  21. adam says:

    Are there any fixes for these problems yet?  I planned on implementing ISA 2004 for a client.  The machine was already prepared with Windows 2003 R2 and SP2.  Should I re-install without SP2 before installing ISA?

  22. John Hogan says:

    This is absolute crap. We get to spend days fixing Component Services, SQL Server, and ISA Server after SP2.

    It is totally ridiculous that MS would release a service pack that breaks components of the OS and all the critical Enterprise applications.

  23. Joquita says:

    I posted on the Forefront Edge forums a question about ISA 2004 and WSUS.

  24. Delaghetto says:

    This is just a shame for MS!! How can they release such a crap in Server products!!.. I’d like to sue them..

    After installing SP2 in our ISA Server, all our company users were without Web Browsing and VPN access to our customers!!.. everything got fixed uninstalling SP2.. but this is so lame!.. now I have an insecure ISA Server, coz I can’t install SP2 on it!.. why do I have to fix a lot of mess every time MS takes out an update??.. Sure.. I will be able to install SP2, I’ll have to in order to cover security holes!.. but I’m sure I’ll have to delete registry keys, edit configuration files, and a lot of more craps! coz this MS guys are a bunch of useless!

  25. Russ in Ohio says:

    All of you who are upset that SP2 messed something up, I have one question for you.  Did you install it in a test environment first?  Why in God’s name would you install a SP on a production system without first testing it.  

  26. I guess I would be one who is at least a little upset. But I am not upset because it messed up anything of mine, it has not. But it is preventing me from upgrading to ISA2006 because I am moving to new hardware at the same time and wish to do a clean install without having to follow up with over 100 patches for Server 2003 SP1.  Regardless of who is upset or why they are upset, the problems need to be nailed down, verified, and fixed so that those of us who are waiting can get on with the projects that are being held up by these problems.

    At this point I have not really even seen a real acknowledgement of any ISA-Std problems which is what I ran into. All I see is talk of ISA-Ent right now. I would at least feel like we were moving forward if someone just simply said,  "Yes, there are problems with SP2 and ISA-std also,…here is what they are, <blah, blah>,..and we are working on it."  At that point I would happily, quietly, and patiently wait for news of what needed to be done to solve it.

  27. Torpedak says:

    Hi all

    I have big problem

    SBS2003R2 Premium ( with ISA2004 ) or W2K3 R2 standalone with ISA2004 std ed SP2 ( join to domain ) configure as trihomed server – 3 x NIC ( LAN, DMZ, WAN – 192.168.0.x, 10.0.0.x, 172.16.0.x ). After applicable SP2 on Windows 2003 server all communication for LAN segment is dropped. RPC is unavailable – not communicate LAN to WAN over NAT on internet ( proxy communication is o.k. ). Outlook is not connect to server and PC not joined to domain ( RPC not available ). Netbios is ok if enable Access Rule Netbios datagram LAN to localhost. If enable all TCP/UDP port situation is same. ISA have disable "Strict RPC compliance" on system edit ISA, and modified registry
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;927695

    Please help me with problem – If uninstall SP2 for W2K3 not problem in communication.

    Thanks MP

  28. Texan IT | Texas Computer Service says:

    Thanks for the links to the bug fixes and the good info on this website.  

  29. Frank Jones says:

    "All of you who are upset that SP2 messed something up, I have one question for you.  Did you install it in a test environment first?  Why in God’s name would you install a SP on a production system without first testing it."  

    I’ll tell you why, it’s because we don’t have a test unit or the time to set one up!

  30. adam says:

    Microsoft should be testing service packs at least in the most basic of environments. Like a fresh install of an operating system with every different Microsoft application to make sure it works.  Not everyone has the money or time (or space in some cases) to spend on lengthy test lab projects.  On a fresh install of Windows 2003 server R2 with all updates, and after installing ISA Server 2006 with default template for edge network and unlimited internet access, SecureNAT does not work. This is on a multi-core multi-processor server.

  31. Angelo74 says:

    So, what about Windows 2003 installation like this below:

    Imagine this scenario, you have:

    Windows 2003 R2 SP1 + ISA 2004 STD SP2

    at first, installing ISA 2004 SP3

    Win2003 R2sp1 + ISA2004SP3

    Next, Install WIN2003 SP2

    finally, we will have: WIN2003 R2 SP2 + ISA2004 SP3

    Does anyone try to install like this?

    thanks,

    Angelo

  32. Igor says:

    For gods sake this is lame.

    Dell PE 860 Xeon Dualcore, 2 Broadcom Gig NICS, W2K3 Std R2 SP2. Out of the box. Pourring……

    Domain Member.WSUS and GPOs applied.

    ISA 2006 Standard.VPN Server.Fw + Webproxy.

    Integrated+Digest Windows AD authentication. SecureNAT redirected or dropped. Everything works like a charm.^^ No SSL yet though. Soon to be, need to setup CA first.RDP,VNC passthrough for VPN clients and branch offices.

    Use your brain, ISA2006 isn’t ISA2000. Network rules, FW rules, Remove All users.

  33. Igor says:

    And I forgot, another lame is "no time no box for lab testing"

    Use it again, Virtual server, and vhds are free!!! And those Xeons Dualcores are wonders =)

  34. adam says:

    Igor,

    You’re full of sh*t. Don’t make it sound like ISA 2006 does not have bugs. 2 system policies right out of the box do not function correctly without manual firewall entries.

    1) Windows 2003 Active Directory requires tcp port 1026, which is not included in the system policy rules for active directory

    2) MMC remote management, requires tcp ports 1062,1064 and 64242, also not included in the system policy rules for MMC

    I’m sure there are many more that I haven’t tested yet. It basically says the product has not been thoroughly tested before release.

    SecureNAT did not work for me, and I’d like to know what you tweaked to get it to work after installing ISA on top of a fully patched Win2K3 R2 SP2 box, unless you lied.

    Adam

  35. adam says:

    By the way, I use an extended subnet of 10.0.0.0/23

    Try setting up the servers on the 10.0.0 portion of the subnet, and the workstations on the 10.0.1 portion. The servers will be able to securenat, but not the workstations.

  36. Muhammad Kamran Ashfaq says:

    please solve the problem of isa server 2000 firewall problem with server 2003 service pack 2 when i install isa firewall on server it should corrupt the dns of server

    please help me what i do or send me any kind of patch to solve the problem

  37. smartguy says:

    why isn’t there a SP for ISA2006 available yet……ran into a lot of problems with Sp2 who was slipstreamed in a MS distributed release ……after hours of googling we found this site…..amazing……get up to date MS!!!!!

  38. ML49448 says:

    So, is there going to be a fix!!!???

  39. Speedi says:

    After Installation of Windows Server 2003 Service Pack 2 Connection to outlook is not working. No solution found on Internet

  40. Meh says:

    Platform:ISA 2006 Std on W2K3 Std R2.

    After applying SP2 I get the following event logged:

    Event ID 1053 – Windows cannot determine the user of computer name. (The RPC server is unavailable) Group policy processing aborted.

    the server is unable to query the domain following the install.

    After uninstalling the SP everything returns to normal.

  41. Grant Willey says:

    I had a huge problem yesterday when ISA 2004 SP3 failed to install properly on a Windows Server 2003 Standard server running Windows SP2, it didn’t rollback properly and wouldn’t allow any users to login to the network or have internet access. If you’re a reseller, open a business critical support incident with Microsoft and get an ISA engineer. I had to do the fix in the registry with the RSS stuff on the NICs and then re-register a DLL or two. Here are the steps the engineer gave to me after completing the RSS fixes listed above:

    A.      Start | Run

    B.      Type “cmd” <Enter>

    C.      Run the following commands:

    1.       cd /d "%programfiles%\Microsoft ISA Server" (use the quotes)

    2.       regsvr32 wspadmin.dll

    3.       md VPNNetsh

    4.       net start fwsrv

    This worked for me.

  42. Andrew McMurtrie says:

    I made the fatal mistake of allowing auto updates to install Win2k3 SP2 on my home server running as a domain controller with ISA 2004 SP3 using Realtek 8139 network cards and I have no access to any of my network shares. I followed all the instructions for disabling the offloading and RSS entries in the registry and ran the MS RSS fix update, updated my adapter drivers with what I could find on Realtek’s site, installed the ADAM patch after uninstalling win2k3 SP2, rechecked all the registry entries and still no joy. Now even if I uninstall SP2 I still have no access to my shares. Lucky this is just my home network. I have come to the end of options and still I cannot restore my network to the functionality I had before. I agree with posts earlier about frustration about how a SP can be released as an auto-update to systems that may not comply with the requirements to not suddenly break normal client access to common resources. If I had allowed this at work I would be in a power of trouble right now because I would have an organization that couldn’t access what it needed to function normally and I would have no answer to resolve it.

    Now what do I do?

  43. Andrew McMurtrie says:

    OMG it worked! I uninstalled SP2, made sure the latest drivers from Realtek were installed,  installed ADAM SP1 update, reinstalled Win2k3 SP2, ran the RSS patch and changed the registry entries as per a number of the instructions from MS and other blogs, restarted Win2k3 a number of times through the process and I now have network access to my shared folders again. Wiped the brow and let out a sigh of relief! Seems the essential part is installing ADAM SP1 before installing win2k3 SP2 then all the registry changes seem to work where they didn’t before.

  44. natedog says:

    It is amazing how upset people get when they don’t understand why something breaks. Most problems with SP2 are caused by poorly written drivers and insecure implementations of products. Take a look! Almost all issues with SP2 are hardware drivers, software or security related issues. SP2 fixes many security holes and breaks those software and hardware items that use these holes. MS has had its fair share of crap, but most of the rantings that I have seen here are from inexperienced admins and people who are poor admins because they didn’t test their changes first. Shame on you – there is no excuse!

  45. Andrew McMurtrie says:

    It is fantastic to be surrounded by such high intellect!

    Anyway, for something a little more constructive. None of the fixes actually worked consistently and my shared folders would be accessible and then not, but once they were no longer accessible I could not get them back. It turned out that it was neither drivers, ADAM nor registry fixes that solved it for me although I tried them all. Nothing showed up in the system events or in the ISA query or any logs I looked at.

    I run OpenVPN to provide remote support for a couple of clients who have small business networks that I administer. It turns out that as soon as the vpn connection is made I lose all access to shares on the server. Usually the best solution is to disconnect the VPNs and at worst log off and back on. I suspect it has to do with ISA detecting the different IP range traffic through an internal network group, but hey what do I know.

    Most of you don’t need the help obviously but hopefully someone will find that little bit of info just points them in the right direction when nothing else has worked.

  46. Armando Valdés says:

    Hello.-

    I found that problems related to Windows 2003 SP2 and ISA 2004 are related to RPC and web proxy filters.

    Check these links. They are not pointing to Windows 2003 Server SP2, but following the recommendations about RPC and Web Proxy let my server get back to functioning again.

    I hope this helps.

    http://www.microsoft.com/technet/isa/2004/plan/ts_proxy_traffic.mspx#localhost

    http://support.microsoft.com/kb/887222

  47. Anders says:

    Is it (still) recommended not to install SP2 on a Windows 2003 std Server if you are going to have it as an ISA 2006 server?

  48. Pedro says:

    Hi, I have the same problem. I just got a new DELL PowerEdge 1950 and I installed Windows 2003 R2 SP2 and ISA Server 2006, and I am not able to establish a VPN using L2TP using the ISA as a VPN server, and also every certain time the outside interface (internet) loses connectivity. I installed the latest drivers and disabled the RSS and TCPA in regedit, but it still does not work. Any idea?

    Peter

  49. Jose says:

    When I publish rules of protocols, type 443, 21, 3389 non-Web server.

    So that it always appears to me he himself error, [enterprise] default rule.

    and with SP1 if it works

  50. Kingsley says:

    uninstalling ISA and its resources

  51. shotorbaan says:

    I have ISA server 2006 in windows server 2003. My user on the network cannot use outlook, but my server can. they have access to the web through proxy settings.

  52. laraallsopp says:

    Windows SP2 and ISA 2004 SP3. Access from clients (firewall client installed) to FTP sites (login required) was working fine before the application of Windows 2003 SP2 and now it is not working even after application of above RSS patch.

    Any more ideas?  Did you test this? FTP access from the server is fine and FTP "read-only" is unticked for all.

  53. Greg T says:

    What an article!!

    Thank you so much for this…I have been literally tearing my hair out over adding a second ISA server to an existing array for the last two days. Being the good boy I am, it seems that TCPChimney among other things was preventing the second ISA server joining the array.

    Changed the 3 keys from 1 to zero, reboot and the second array member joins without a hitch!

    NT4 used to be a swine with even number service packs…..

  54. shafiq shah says:

    My ISA 2006 was running ok.. but, report on my ISA cannot generate a graph, it still generates the report, but nothing… just blank without chart. My ISA 2006 Running on Windows Server 2003 R2 SP 1

  55. gohar says:

    where can i download isa 2003 from?