ISA 2006 MP 6.0.6648.0 does not discover Firewall Role when the Firewall is part of the workgroup

ISA Firewall Role discovery might fail under below condition


a) ISA Configuration Storage Server is a part of domain
b) ISA Firewall Server is part of the workgroup
c) Action Account Configured for Operations Manager is Local System.


The FirewallServerRoleDisc.vbs is failing with below event.

Event Type: Error
Event Source: Health Service Script
Event Category: None
Event ID: 4001
User: N/A
FirewallServerRoleDisc.vbs : Error - Number:-1073478746 Source:FPC.Root.1 Description:The property or method Arrays is not supported when the ISA Server computer is not connected to a Configuration Storage server.
HelpContext:0 HelpFile:

For more information, see Help and Support Center at


The account used for running the script FirewallServerRoleDisc.vbs does not sufficient permissions to perform the operation.

Below is the failing code extract
strRemoteManaged = ""
Set oFPCRoot = CreateObject("FPC.Root")
Set oFPCServer = oFPCRoot.GetContainingServer() '#### Failing query


Step 1:
Create a Local Admin Account on the Configuration Storage Server eg. ISAOPSMGRActionAccount with password X

Step 2:
Create a Local Admin Account on the Firewall Server with the same name and password eg. ISAOPSMGRActionAccount / X
(Repeat the Steps if you have multiple firewall Servers , basically mirror the accounts)

Step 3:
On the Operations Manager Console
Click : Administration Node > Run As Accounts > Accounts
i) Create a new Run As Account : Type (Action Account) , Fill in the other Details Click Next
ii) Specify Username /Password for Domain Specify the ISA Firewall Machine Name
iii) Click Next and Create (Repeat the Steps for all Firewall Machines that need to be monitored)

Step 4:
Click : Administration Node > Run As Accounts > Profiles
i) Double click Default Action Account
ii) On the Add Run As accounts Screen , select the firewall and hit Edit
iii) In the Run As Account Drop down , choose the Action account created in the previous steps
 (Repeat the Steps for all Firewall Machines that need to be monitored)

Restart the System Center Management or Health Service on the agent (Firewall)
This time the script should work fine and firewall role should be discovered.


More Information



Jeevan Singh Bisht | Support Escalation Engineer


Comments (0)

Skip to main content