Firewall Client is Unable to Connect to ISA Server 2006


1. Introduction


 


This scenario is based on a real experience that we were able to reproduce in a lab. When the Microsoft Firewall Client tries to connect to an ISA Server 2006 computer, it fails with the error: Operation failed as result of a network error. This happens with both automatic and manual detection of the ISA Server from the client.


 



Figure 1 – Firewall Client Error message and red mark in the firewall client icon in taskbar.


 


Although the error message says “Operation failed as result of a network error”, we didn’t have any network problem reaching the ISA Server 2006 from this workstation, as you can see in the netmon trace below:


 


TCP three-way handshake completing successfully:

10.20.20.201  10.20.20.1    TCP    TCP:Flags=......S., SrcPort=1173, DstPort=1745, PayloadLen=0, Seq=2944340194, Ack=0, Win=65535 (scale factor 0) = 65535

10.20.20.1    10.20.20.201  TCP    TCP:Flags=...A..S., SrcPort=1745, DstPort=1173, PayloadLen=0, Seq=576250929, Ack=2944340195, Win=16384 (scale factor 0) = 16384

10.20.20.201  10.20.20.1    TCP    TCP:Flags=...A...., SrcPort=1173, DstPort=1745, PayloadLen=0, Seq=2944340195, Ack=576250930, Win=65535 (scale factor 0) = 65535

Client configuration request:

10.20.20.201  10.20.20.1    TCP    TCP:Flags=...AP..., SrcPort=1173, DstPort=1745, PayloadLen=1, Seq=2944340195 - 2944340196, Ack=576250930, Win=65535 (scale factor 0) = 65535

Client sending a TCP FIN to close the connection:

10.20.20.201  10.20.20.1    TCP    TCP:Flags=...A...F, SrcPort=1173, DstPort=1745, PayloadLen=0, Seq=2944340196, Ack=576250930, Win=65535 (scale factor 0) = 65535


 


2. Using File Monitor to Troubleshoot Firewall Client


 


To better understand what the Firewall Client application was doing at the time of the issue, we used File Monitor (Filemon) from Sysinternals. When we launched Filemon and clicked the “Test Server” button, the log showed that the FwcAgent.exe process (Microsoft Firewall Client), running in the context of Local Service, gets an “Access Denied” when trying to create a file under %systemdrive%\Documents and Settings\LocalService\Local Settings\Temp.


 



Note: The LocalService folder and its subfolders are hidden by default in Windows XP and Windows Server 2003.


 


 


Figure 2 – Filemon Log trying to create a file in the temp folder.


 


After opening the Temp folder under %systemdrive%\Documents and Settings\LocalService\Local Settings, we see that Local Service does not have any permission on it, as shown in Figure 3.


 


 


 


Figure 3 – ACL for Temp Folder.


 


3. Conclusion


 


This issue can be resolved by giving Local Service “Full Control” over the Temp folder under %systemdrive%\Documents and Settings\LocalService\Local Settings. This particular problem was happening because Local Service didn’t have “Full Control” over the Temp folder. The Firewall Client needs this permission to temporarily store the configuration received from ISA Server. When the Firewall Client connects to the ISA Server, it sends a configuration request and the ISA Server responds with the configuration response. The Firewall Client then tries to create a temp file where it stores the Internal Network definition (the configuration response).


 


This particular case was very interesting because the problem appeared after a hardening template was applied to all Windows workstations that had the Microsoft Firewall Client installed. This is, again, real proof that before you deploy a hardening template you should test all the applications that need to run on a system and see if they behave as designed.
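The check below is an added example, not part of the original article or of any Microsoft tool: it audits the Temp folder named above for an explicit Local Service "Full Control" entry, so it can be run on a test workstation before and after a hardening template is applied. The function name `Test-LocalServiceTempAcl` and its `-Repair` switch are hypothetical; S-1-5-19 is the well-known SID of Local Service.

```powershell
# Added example: audit (and optionally repair) Local Service's ACL entry on its Temp folder.
function Test-LocalServiceTempAcl {
    param(
        # Folder named in the article (Windows XP / Server 2003 profile layout).
        [string]$Path = "$env:SystemDrive\Documents and Settings\LocalService\Local Settings\Temp",
        [switch]$Repair   # hypothetical switch: add the missing Allow entry
    )
    $sid  = 'S-1-5-19'    # well-known SID of NT AUTHORITY\LOCAL SERVICE
    $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    $acl   = Get-Acl -Path $Path
    # Ask for SIDs instead of names so the comparison works on localized systems.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $allow = 0; $deny = 0
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne $sid) { continue }
        # Inherit-only entries apply to children, not to the folder itself.
        if (([int]$r.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($r.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$r.FileSystemRights }
        else                                  { $deny  = $deny  -bor [int]$r.FileSystemRights }
    }

    $missing = $full -band (-bnot $allow)
    $status  = if ($deny -band $full) { 'DenyAcePresent' }
               elseif ($missing)      { 'MissingRights' }
               else                   { 'OK' }

    # A Deny entry is reported but never touched: adding Allow would not override it.
    if ($Repair -and $status -eq 'MissingRights') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            (New-Object System.Security.Principal.SecurityIdentifier $sid),
            'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $Path -AclObject $acl
        $status = 'Repaired'
    }

    New-Object PSObject -Property @{
        Path = $Path; Status = $status
        AllowMask = ('0x{0:X}' -f $allow); MissingMask = ('0x{0:X}' -f $missing)
    }
}

Test-LocalServiceTempAcl   # run elevated; add -Repair to apply the article's fix
```

Only entries that name Local Service directly are evaluated; rights granted through groups such as Users or Everyone are not counted, which matches the explicit permission the article's fix adds.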


 


 


Authors


Mohit Kumar


Security Support Engineer


Microsoft CSS Forefront Edge Team


 


Yuri Diogenes


Security Support Engineer


Microsoft CSS Forefront Edge Team


 


 

Comments (8)

  1. Anonymous says:

    Introduction Sysinternals tools are just amazing to troubleshoot a huge amount type of issues: networking,

  2. Anonymous says:

    This just helped me to solve a problem, but in my case it was TMG firewall client and it runs on NetworkService, and the network service profile was changed from its original location.

    Restored NetworkService profile location to the original place and the issue was solved.

    NetworkService profile path is stored in the registry in this location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20\ProfileImagePath = C:\Windows\ServiceProfiles\NetworkService

  3. Pouya says:

    Hi,

    Thanks for your tip, I faced the problem when I migrated one system from one domain to another. Firewall Client could not connect to ISA server but changing permission for mentioned folder did the trick and saved me a lot of time.

  4. Felipe Brazil says:

    Fantastic Tip!

    I've faced the same issue and I've been working during a week to find out a solution.

    Scenario: Win7 + IE8 + ISA 2006

    Thanks a lot.

  5. Rodrigo Soares says:

    Fantastic!!! You save me at 04:30AM!!

    Many Thanks!!!

  6. Tamer says:

    Hi,

    I've a different problem, when I'm testing the ISA server it is ok, but after that it doesn't connect.

    This happened when I installed the client on Win7 Home Premium, I think this is related to the problem that Win 7 Home Premium doesn't support the domain option.

    Is there a solution for this issue?

    1. Renato Marchesani says:

      After installing Windows 10 anniversary upgrade (1607), I started receiving a similar error in the tray bar:
      Disabled: cannot authenticate to Forefront TMG server

      Also, in the event log,
      The description for Event ID 2 from source Forefront TMG Client cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

      If the event originated on another computer, the display information had to be saved with the event.

      For every executable trying to use the firewall client to connect to the proxy.
      This was not happening in Windows 10 1511

      Trying the above suggestions doesn’t work
      Any suggestion?
      Thanks