ISA 2006 MP 6.0.6648.0 does not discover Firewall Role when the Firewall is part of the workgroup

ISA Firewall Role discovery might fail under the following conditions.

 

Environment
===========
a) ISA Configuration Storage Server is a part of domain
b) ISA Firewall Server is part of the workgroup
c) Action Account Configured for Operations Manager is Local System.

 

The FirewallServerRoleDisc.vbs script fails with the following event.

Event Type: Error
Event Source: Health Service Script
Event Category: None
Event ID: 4001
Date:
Time:
User: N/A
Computer:
Description:
FirewallServerRoleDisc.vbs : Error - Number:-1073478746 Source:FPC.Root.1 Description:The property or method Arrays is not supported when the ISA Server computer is not connected to a Configuration Storage server.
HelpContext:0 HelpFile:

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.

Cause

The account used to run the script FirewallServerRoleDisc.vbs does not have sufficient permissions to perform the operation.

The failing code extract is shown below.
============================
strRemoteManaged = ""
Set oFPCRoot = CreateObject("FPC.Root")
Set oFPCServer = oFPCRoot.GetContainingServer() '#### Failing query
============================

Resolution

Step 1:
Create a local administrator account on the Configuration Storage Server, e.g. ISAOPSMGRActionAccount with password X.

Step 2:
Create a local administrator account on the Firewall Server with the same name and password, e.g. ISAOPSMGRActionAccount / X.
(Repeat this step if you have multiple Firewall Servers; in effect, mirror the accounts.)

Step 3:
In the Operations Manager console:
Click: Administration node > Run As Accounts > Accounts
i) Create a new Run As Account: for Type, select Action Account; fill in the other details and click Next.
ii) Specify the user name and password; for Domain, specify the ISA Firewall machine name.
iii) Click Next and then Create. (Repeat these steps for all Firewall machines that need to be monitored.)

Step 4:
Click: Administration node > Run As Accounts > Profiles
i) Double-click Default Action Account.
ii) On the Add Run As Accounts screen, select the firewall and click Edit.
iii) In the Run As Account drop-down list, choose the Action Account created in the previous steps.
(Repeat these steps for all Firewall machines that need to be monitored.)

Restart the System Center Management or Health Service on the agent (Firewall).
This time the script should work and the firewall role should be discovered.
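
To confirm the result outside Operations Manager, the following added example (not part of the management pack or the original post) repeats the failing call and reports which account made it and whether the error from event 4001 recurs. The file name CheckFpcAccess.vbs and the exit codes are assumptions; run it with cscript on the firewall from a command prompt started as the Run As account.

```vbscript
' CheckFpcAccess.vbs - added diagnostic example, not FirewallServerRoleDisc.vbs itself.
' Usage (on the ISA firewall): cscript //nologo CheckFpcAccess.vbs
Option Explicit

' Error number reported in event 4001 on this page.
Const ERR_NOT_CONNECTED_TO_CSS = -1073478746

Dim oNet, oFPCRoot, oFPCServer, lngErr, strErr

' Show which security context the COM call will run under.
Set oNet = CreateObject("WScript.Network")
WScript.Echo "Computer  : " & oNet.ComputerName
WScript.Echo "Running as: " & oNet.UserDomain & "\" & oNet.UserName

On Error Resume Next

Set oFPCRoot = CreateObject("FPC.Root")
If Err.Number <> 0 Then
    WScript.Echo "FAIL: cannot create FPC.Root (" & Err.Number & ") " & Err.Description
    WScript.Quit 2   ' exit code chosen for this example
End If

' Same call that the page marks as the failing query.
Set oFPCServer = oFPCRoot.GetContainingServer()
lngErr = Err.Number
strErr = Err.Description
On Error GoTo 0

If lngErr = 0 Then
    WScript.Echo "OK: GetContainingServer succeeded for this account."
    WScript.Quit 0
ElseIf lngErr = ERR_NOT_CONNECTED_TO_CSS Then
    ' Same condition as event 4001: this account cannot reach the
    ' Configuration Storage server, so discovery will keep failing.
    WScript.Echo "FAIL: same error as event 4001 (" & lngErr & ") " & strErr
    WScript.Quit 1
Else
    WScript.Echo "FAIL: unexpected error (" & lngErr & ") " & strErr
    WScript.Quit 3
End If
```

Running it once as Local System and once as the mirrored account shows whether the change of account is what clears the error.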

 

More Information

https://technet.microsoft.com/en-us/library/cc302457.aspx

 

Jeevan Singh Bisht | Support Escalation Engineer