Chris’s Blog

In Microsoft ISA Server, alerts can be configured to shut down the Microsoft Firewall service when situations that raise specific events occur. Whenever the Firewall service shuts down, ISA Server goes into lockdown mode, in which only specific types of traffic are allowed. ISA Server can leave lockdown mode only when the Firewall service is restarted. By default, the built-in Log failure alert shuts down the Firewall service. This alert is triggered by the Log failure event, which is raised when a logging failure occurs. You can prevent logging failures from causing ISA Server to go into lockdown by disabling the action of the Log failure alert that shuts down the Firewall service.

Microsoft have documented this on Microsoft Technet, although this solution is documented for ISA 2004, it seems to work just fine for ISA 2006. The only problem I encountered is that the script on Technet seems to have be “text wrapped” so it comes up with syntax errors.

***WARNING***

I am not in any way suggesting that this script should be run on your ISA servers. Lockdown mode is not a bug and was included in the product by design, there are many reasons why it is a good thing so my advice is that you consider all options very carefully before running this script. ALWAYS backup your configuration first!!

I have corrected the syntax errors, DisableLockdownOnLogFailure.vbs can be downloaded here

I came across this error for the first time the other day, not entirely sure why I have not seen it before on Win 2008. This particular server was Windows 2008 Ent with SP2.

“Setup failed due to insufficient permissions….”

At first I thought it was pretty obvious that my account did not have the correct permissions, right? that’s what the error suggests.. checked AD and it turns out I had been granted the correct permissions. What else could it be? As a test, I tried to open the Security Log and that worked.. I was a little confused. Then I realised what it was.. UAC

User Account Control (UAC) is a technology and security infrastructure introduced with Microsoft’s Windows Vista operating system. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase in privilege level. In this way, only applications that the user trusts receive higher privileges, and malware should be kept from receiving the privileges necessary to compromise the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not also have those privileges unless they are approved beforehand or the user explicitly authorizes it to have higher privileges. Windows 2008 also uses UAC.

The workaround I used was to turn off UAC and reboot the server, setup worked perfectly after that.

To turn off UAC, go to “Control Panel”, then “User Accounts”.

Microsoft have released Update Rollup 9 for Exchange 2007 SP1. This rollup includes included many bug fixes, but also enables support for Windows Server 2008 R2 Domain Controllers in the environment. For a full list of the issues that the update rollup fixes, click here

Update Rollup 9 for Exchange Server 2007 SP1 is a cumulative update. This update replaces rollups 1 – 8.

To download and for more information, click here

After a long day of troubleshooting ISA 2006 array problems, I must say, I felt like one after I saw this error: