Source: http://blogs.technet.com/isablog/archive/2009/04/07/firewall-client-is-unable-to-connect-to-isa-server-2006.aspx
1. Introduction

This scenario is based on a real experience that we were able to reproduce in the lab. When the Microsoft Firewall Client tries to connect to an ISA Server 2006, it fails with the error "Operation failed as result of a network error". This happens with both automatic and manual detection of the ISA server from the client.


Figure 1 – Firewall Client Error message and red mark in the firewall client icon in taskbar.

Although the error message says "Operation failed as result of a network error", we didn't have any network problem reaching the ISA Server 2006 from this workstation, as you can see in the Netmon trace below:

TCP Three Way Handshake successfully happening:
Code:
10.20.20.201  10.20.20.1    TCP    TCP:Flags=......S., SrcPort=1173, DstPort=1745, PayloadLen=0, Seq=2944340194, Ack=0, Win=65535 (scale factor 0) = 65535
10.20.20.1    10.20.20.201  TCP    TCP:Flags=...A..S., SrcPort=1745, DstPort=1173, PayloadLen=0, Seq=576250929, Ack=2944340195, Win=16384 (scale factor 0) = 16384
10.20.20.201  10.20.20.1    TCP    TCP:Flags=...A...., SrcPort=1173, DstPort=1745, PayloadLen=0, Seq=2944340195, Ack=576250930, Win=65535 (scale factor 0) = 65535
Client configuration request:
Code:
10.20.20.201  10.20.20.1    TCP    TCP:Flags=...AP..., SrcPort=1173, DstPort=1745, PayloadLen=1, Seq=2944340195 - 2944340196, Ack=576250930, Win=65535 (scale factor 0) = 65535
Client sending a TCP FIN to close the connection:

Code:
10.20.20.201  10.20.20.1    TCP    TCP:Flags=...A...F, SrcPort=1173, DstPort=1745, PayloadLen=0, Seq=2944340196, Ack=576250930, Win=65535 (scale factor 0) = 65535
2. Using File Monitor to Troubleshoot Firewall Client

To better understand what the Firewall Client application was doing at the time of the issue, we used File Monitor (Filemon) from Sysinternals. When we launched Filemon and clicked the "Test Server" button, the log showed that the FwcAgent.exe process (Microsoft Firewall Client), running in the context of Local Service, gets an "Access Denied" when trying to create a file under %systemdrive%\Documents and Settings\LocalService\Local Settings\Temp.

Note: The LocalService profile folder and its subfolders are hidden by default in Windows XP and Windows Server 2003.

Figure 2 – Filemon Log trying to create a file in the temp folder.

After opening the Temp folder under %systemdrive%\Documents and Settings\LocalService\Local Settings, we see that Local Service does not have any permission on it, as shown in Figure 3.



Figure 3 – ACL for Temp Folder.

3. Conclusion

This issue can be resolved by giving Local Service "Full Control" over the Temp folder under %systemdrive%\Documents and Settings\LocalService\Local Settings. This particular problem was happening because Local Service didn't have "Full Control" over that Temp folder. Firewall Client needs this permission to temporarily store the configuration received from ISA Server. When Firewall Client connects to the ISA server, it sends a configuration request and the ISA server responds with the configuration response. Firewall Client then tries to create a temp file in which it stores the Internal Network definition (the configuration response); when that file creation fails, the client closes the connection and reports the misleading network error.
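The following PowerShell script is an added example, not part of the original article or of the Firewall Client product. It audits whether NT AUTHORITY\LOCAL SERVICE holds an Allow/FullControl entry on the Temp folder named above and, only when run with -Repair, adds that entry. It assumes a Windows XP / Server 2003-style profile path (taken from the article), PowerShell 2.0 or later, and an elevated prompt; the folder path can be overridden with -TempFolder.

```powershell
# Added example (not from the original article): audit, and optionally repair, the
# Local Service ACL on the Firewall Client temp folder described in the article.
# Assumptions: XP / Server 2003 profile layout (path from the article), PowerShell 2.0+,
# elevated prompt. The folder is hidden by default, which does not affect Get-Acl/Set-Acl.
param(
    [string]$TempFolder = (Join-Path $env:SystemDrive 'Documents and Settings\LocalService\Local Settings\Temp'),
    [switch]$Repair
)

$localService = New-Object System.Security.Principal.NTAccount('NT AUTHORITY', 'LOCAL SERVICE')
$fullControl  = [System.Security.AccessControl.FileSystemRights]::FullControl

# Returns $true when an Allow ACE for LOCAL SERVICE carries every bit of FullControl.
function Test-LocalServiceFullControl {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Folder not found: $Path"
        return $false
    }
    $acl = Get-Acl -Path $Path
    # Compare by SID so localized account names do not break the check.
    $wantedSid = $localService.Translate([System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $acl.Access) {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($aceSid -eq $wantedSid -and
            $ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            (($ace.FileSystemRights -band $fullControl) -eq $fullControl)) {
            return $true
        }
    }
    return $false
}

# Adds an inheritable Allow/FullControl ACE for LOCAL SERVICE (files and subfolders).
function Grant-LocalServiceFullControl {
    param([string]$Path)
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
               [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $localService,
        $fullControl,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

if (Test-LocalServiceFullControl -Path $TempFolder) {
    Write-Output "OK: LOCAL SERVICE has Full Control on $TempFolder"
}
elseif ($Repair) {
    Grant-LocalServiceFullControl -Path $TempFolder
    if (Test-LocalServiceFullControl -Path $TempFolder) {
        Write-Output "FIXED: Full Control for LOCAL SERVICE added on $TempFolder"
    } else {
        Write-Warning "Repair attempted but the expected ACE is still missing on $TempFolder"
    }
}
else {
    Write-Output "MISSING: LOCAL SERVICE lacks Full Control on $TempFolder (re-run with -Repair to add it)"
}
```

Run it without -Repair first on a machine that shows the symptom; the MISSING result reproduces the Figure 3 finding, while OK points the investigation elsewhere. Because the article traces the missing ACE to a hardening template, the template itself should be corrected as well, otherwise the next policy refresh reverts the folder ACL and the Firewall Client error returns.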

This particular case was very interesting because the problem appeared after a hardening template was applied to all Windows workstations that had Microsoft Firewall Client installed. This again is real proof that before you deploy a hardening template you should test every application that needs to run on the system and confirm that it still behaves as designed.


Authors
Mohit Kumar
Security Support Engineer
Microsoft CSS Forefront Edge Team

Yuri Diogenes
Security Support Engineer
Microsoft CSS Forefront Edge Team



