Firewall Client is Unable to Connect to ISA Server 2006

1. Introduction


This scenario is based on a real case that we were able to reproduce in the lab. When the Microsoft Firewall Client tries to connect to ISA Server 2006, it fails with the error "Operation failed as result of a network error". This happens with both automatic and manual detection of the ISA server from the client.


Figure 1 – Firewall Client Error message and red mark in the firewall client icon in taskbar.

Although the error message says "Operation failed as result of a network error", there was no network problem reaching the ISA Server 2006 from this workstation, as the Network Monitor trace below shows:

TCP three-way handshake to the Firewall Client control channel (TCP port 1745) completes successfully:

10.20.20.201 10.20.20.1 TCP TCP:Flags=......S., SrcPort=1173, DstPort=1745, PayloadLen=0, Seq=2944340194, Ack=0, Win=65535 (scale factor 0) = 65535

10.20.20.1 10.20.20.201 TCP TCP:Flags=...A..S., SrcPort=1745, DstPort=1173, PayloadLen=0, Seq=576250929, Ack=2944340195, Win=16384 (scale factor 0) = 16384

10.20.20.201 10.20.20.1 TCP TCP:Flags=...A...., SrcPort=1173, DstPort=1745, PayloadLen=0, Seq=2944340195, Ack=576250930, Win=65535 (scale factor 0) = 65535

Client configuration request:

10.20.20.201 10.20.20.1 TCP TCP:Flags=...AP..., SrcPort=1173, DstPort=1745, PayloadLen=1, Seq=2944340195 - 2944340196, Ack=576250930, Win=65535 (scale factor 0) = 65535

Client sending a TCP FIN to close the connection:

10.20.20.201 10.20.20.1 TCP TCP:Flags=...A...F, SrcPort=1173, DstPort=1745, PayloadLen=0, Seq=2944340196, Ack=576250930, Win=65535 (scale factor 0) = 65535
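The same reachability check can be made without the Firewall Client at all. The script below is an added example, not part of the original article: it attempts a TCP connection to the ISA server's Firewall Client control port (TCP 1745) with a timeout and reports whether the handshake completed. The server address is taken from the trace above and is an assumption; replace it with your own ISA server.

```powershell
# Added example (not from the original article): confirm plain TCP reachability of the
# ISA Server Firewall Client control port (TCP 1745) from the workstation, independently
# of FwcAgent.exe. If this succeeds while the Firewall Client still reports a "network
# error", the problem is not on the wire.
function Test-IsaControlPort {
    param(
        [string]$IsaServer = '10.20.20.1',   # assumption: the ISA server address seen in the trace
        [int]$Port = 1745,                   # Firewall Client control channel
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Start the three-way handshake asynchronously so we can bound it with a timeout.
        $async = $client.BeginConnect($IsaServer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return New-Object PSObject -Property @{
                Server = $IsaServer; Port = $Port; Reachable = $false; Detail = 'connect timed out (no SYN/ACK)'
            }
        }
        $client.EndConnect($async)   # throws on RST or ICMP unreachable
        $local = $client.Client.LocalEndPoint
        New-Object PSObject -Property @{
            Server = $IsaServer; Port = $Port; Reachable = $true; Detail = "handshake completed from $local"
        }
    } catch {
        New-Object PSObject -Property @{
            Server = $IsaServer; Port = $Port; Reachable = $false; Detail = $_.Exception.Message
        }
    } finally {
        $client.Close()   # send our own FIN, as the Firewall Client does in the trace
    }
}

Test-IsaControlPort | Format-List
```

A result of Reachable = True with the Firewall Client still failing points away from the network and toward the client itself, which is where the next section looks.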

2. Using File Monitor to Troubleshoot Firewall Client

To better understand what the Firewall Client was doing at the time of the failure, we used File Monitor (Filemon) from Sysinternals. With Filemon capturing, we clicked the "Test Server" button in the Firewall Client configuration dialog. The log shows the FwcAgent.exe process (the Microsoft Firewall Client service, which runs as Local Service) receiving ACCESS DENIED when it tries to create a file under %systemdrive%\Documents and Settings\LocalService\Local Settings\Temp.

Note: The LocalService profile folder and its subfolders are hidden by default in Windows XP and Windows Server 2003, so enable "Show hidden files and folders" in Explorer (or use dir /a from a command prompt) to browse them.

Figure 2 – Filemon Log trying to create a file in the temp folder.

Opening the Temp folder under %systemdrive%\Documents and Settings\LocalService\Local Settings and checking its security properties, we see that Local Service has no permissions on it at all, as shown in Figure 3.

Figure 3 – ACL for Temp Folder.

3. Conclusion

This issue can be resolved by giving Local Service "Full Control" over the Temp folder under %systemdrive%\Documents and Settings\LocalService\Local Settings, which is the default for the account's own profile folder. The Firewall Client needs write access there to temporarily store the configuration received from ISA Server: when the Firewall Client connects to the ISA server it sends a configuration request, the ISA server replies with a configuration response, and the Firewall Client then tries to create a temporary file in which it stores the Internal Network definition from that response. Because that file cannot be created, the client reports the failure as a network error even though the TCP connection itself succeeded. When checking the ACL, look for explicit Deny entries for Local Service as well as missing Allow entries; a Deny wins regardless of what is granted elsewhere.
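The check from section 2 and the fix from this section can be scripted so they are repeatable across the affected workstations. The script below is an added example written for this article, not the authors' own tooling: it reads the ACL of the Local Service Temp folder, reports whether the account effectively holds Modify rights (enough to create, write and delete a temporary file), and with -Repair restores Full Control as prescribed above. The default path is the Windows XP / Server 2003 layout used in the article and is an assumption about your build; the well-known SID S-1-5-19 is used so that localized account names do not matter. Run it from an administrative PowerShell on the workstation.

```powershell
# Added example (not part of the original article). Checks whether NT AUTHORITY\LOCAL SERVICE
# can write to its own profile Temp folder and, with -Repair, restores Full Control
# (inherited by new files and subfolders) as described in the article's conclusion.
function Test-LocalServiceTempAcl {
    param(
        # Assumption: Windows XP / Server 2003 profile layout as in the article; override if needed.
        [string]$Path = (Join-Path $env:SystemDrive 'Documents and Settings\LocalService\Local Settings\Temp'),
        [switch]$Repair
    )
    $localService = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-19'  # well-known SID
    $rightsNeeded = [int][System.Security.AccessControl.FileSystemRights]::Modify      # create/write/delete temp files

    if (-not (Test-Path -LiteralPath $Path)) { throw "Folder not found: $Path" }
    $acl = Get-Acl -LiteralPath $Path

    # Enumerate explicit and inherited ACEs keyed by SID rather than by (possibly localized) name.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
             Where-Object { $_.IdentityReference.Value -eq $localService.Value }

    $allowed = 0; $denied = 0
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow') { $allowed = $allowed -bor [int]$r.FileSystemRights }
        else                                  { $denied  = $denied  -bor [int]$r.FileSystemRights }
    }
    # Effective check: every bit of Modify must be allowed and none of those bits denied.
    # (Generic-rights bits on inherit-only ACEs are not mapped here; review those by hand.)
    $ok = (($allowed -band $rightsNeeded) -eq $rightsNeeded) -and (($denied -band $rightsNeeded) -eq 0)

    $repaired = $false
    if (-not $ok -and $Repair) {
        # Drop explicit Deny entries for the account; inherited ones must be fixed at the parent.
        foreach ($r in $rules) {
            if ($r.AccessControlType -eq 'Deny' -and -not $r.IsInherited) { [void]$acl.RemoveAccessRule($r) }
        }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $localService, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $Path -AclObject $acl
        $repaired = $true
    }

    New-Object PSObject -Property @{
        Path                 = $Path
        AllowedRights        = [System.Security.AccessControl.FileSystemRights]$allowed
        DeniedRights         = [System.Security.AccessControl.FileSystemRights]$denied
        LocalServiceCanWrite = $ok
        Repaired             = $repaired
    }
}

Test-LocalServiceTempAcl | Format-List
# Test-LocalServiceTempAcl -Repair    # apply the fix from the article
```

Run it once before applying a hardening template and once afterwards; a change from LocalServiceCanWrite = True to False is the symptom described in this article, caught before the Firewall Client ever reports a "network error".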

This case was particularly interesting because the problem appeared after a hardening template was applied to all Windows workstations that had the Microsoft Firewall Client installed. It is one more demonstration that before you deploy a hardening template you should test every application that needs to run on the system, ideally on a pilot group, and confirm that each behaves as designed; a template that rewrites ACLs under Documents and Settings can silently break any service that writes to its own profile.

Authors

Mohit Kumar

Security Support Engineer

Microsoft CSS Forefront Edge Team

Yuri Diogenes

Security Support Engineer

Microsoft CSS Forefront Edge Team