I have a love/hate relationship with ISA Server. Most of the time I love it, but there's that one hour out of the blue when it drives me crazy. Part of it is my own fault. I didn't realize when I first set up the server at home how important it was to put in the right server name [or IP address] to ensure that the Remote Web Workplace would publish properly. One of these days I need to google a resolution for the proper way to remove my unnecessary self certificates, as the posts I've seen on the subject so far recommend being careful. Tonight I was having an issue and probably should not have knee-jerk re-run the Connect to the Internet wizard, but I did. And when I did, the Web proxy got stuck and would not restart. So for anyone else having this issue, this is how I fixed it. First, I was getting these errors in the ICW log file:
calling StartWebProxyService (0x8007041c).
Error 0x8007041c returned from call to CCometCommit::Commit().
-------
CCertCommit::ValidatePropertyBag returned OK
*** CCertCommit::EnableSSL returned ERROR 80070002
*** CCertCommit::CommitEx returned ERROR 80070002
And in the event viewer was this error:
Event Type: Error
Event Source: Microsoft Web Proxy
Event Category: None
Event ID: 11000
Date: 1/28/2005
Time: 6:06:32 PM
User: N/A
Computer: SERVER
Description:
Microsoft Web Proxy failed to start. The failure occurred during Reading
publishing rules because the configuration property of the key
SOFTWARE\Microsoft\Fpc\Arrays\{1D048A10-3BE8-45B1-9670-D878E8E1376B}\PolicyElements\Proxy-Destination-Sets\{0DC896D0-3484-4BC5-926C-E37C43B4B0E4}
could not be accessed. Use the source location 2.546.3.0.1200.365 to
report the failure. The error code in the Data area of the event
properties indicates the cause of the failure. For more information
about this event, see ISA Server Help. The error description is: The
system cannot find the file specified.
I first looked at www.eventid.net and didn't find anything spot on. Then I googled what I felt was the most unique thing about that error: the part that talks about source location 2.546.3.0.1200.365. I found a Jim Harrison post that gave me a clue:
What that error is saying is that:
1 - there's a protocol rule ("Reading protocol rules") that is referencing
a certain Client Address Set ("Client-Sets")
2 - the Client Address Set "{0FEE7518-FC55-48D1-9DB4-CB3949983e16}" likely
couldn't be located in the Policy Elements
("PolicyElement")
Start Regedit and drill down to:
HKLM\SOFTWARE\Microsoft\Fpc\Arrays\{7A3F7837-26E0-4410-A364-DC70E360B72E}\PolicyElement\Client-Sets
...do you find a key named "{0FEE7518-FC55-48D1-9DB4-CB3949983e16}"?
You'll have to search your protocol rules to see which one is complaining
about a missing Client Address Set.
I realized I had a mishmash of protocol rules that didn't match the registry, so what I did was manually delete all protocol rules, then manually delete all web publishing rules [you have to do the protocol rules first and then the web publishing rules], and then I re-ran the Connect to the Internet wizard. All was well, and the wizard would run.
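As an added example (not code from this post or from Jim Harrison), here is a small Python triage helper that pulls the Fpc key out of the Event ID 11000 description and checks whether the missing piece is the whole policy element container or just the one element a rule still references, so the dangling rule can be found before anything is deleted. It assumes the key lives under HKLM; the registry probe is a plain callable, so the logic can be exercised off-box with a constructed fake.

```python
import re
try:
    import winreg  # Windows only; elsewhere pass your own key_exists probe
except ImportError:
    winreg = None

# The Fpc key quoted by Event ID 11000: array GUID, policy element container, element GUID
KEY_RE = re.compile(
    r"(SOFTWARE\\Microsoft\\Fpc\\Arrays\\(\{[0-9A-Fa-f-]+\})\\(\S+?)\\(\{[0-9A-Fa-f-]+\}))")

def parse_event_11000(description):
    """Extract the offending key from the event text; None if no Fpc key is quoted."""
    m = KEY_RE.search(description)
    if not m:
        return None
    key, array_guid, container, element_guid = m.groups()
    return {"key": key, "parent": key.rsplit("\\", 1)[0], "array": array_guid,
            "container": container, "element": element_guid}

def winreg_key_exists(path):
    """Default probe: does HKLM\\<path> exist? Only works on Windows."""
    if winreg is None:
        raise RuntimeError("live registry probe needs Windows; pass key_exists= instead")
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path):
            return True
    except OSError:
        return False

def diagnose(description, key_exists=winreg_key_exists):
    """Classify the failure so you know where to look before deleting any rule."""
    parsed = parse_event_11000(description)
    if parsed is None:
        return {"status": "no-fpc-key-in-event"}
    if not key_exists(parsed["parent"]):
        status = "container-missing"    # the whole policy element set is gone
    elif not key_exists(parsed["key"]):
        status = "dangling-reference"   # a rule still points at a deleted element
    else:
        status = "element-present"      # key exists: check its ACL or the rule itself
    return {**parsed, "status": status}

# Constructed sample: the event description from the post, plus a fake registry
# (a set of key paths) that still holds the container but not the element.
ARRAY_KEY = "SOFTWARE\\Microsoft\\Fpc\\Arrays\\{1D048A10-3BE8-45B1-9670-D878E8E1376B}"
CONTAINER_KEY = ARRAY_KEY + "\\PolicyElements\\Proxy-Destination-Sets"
SAMPLE_EVENT = ("Microsoft Web Proxy failed to start. The failure occurred during Reading "
                "publishing rules because the configuration property of the key " + CONTAINER_KEY
                + "\\{0DC896D0-3484-4BC5-926C-E37C43B4B0E4} could not be accessed.")
FAKE_REGISTRY = {CONTAINER_KEY}
```

Run `diagnose(SAMPLE_EVENT, key_exists=FAKE_REGISTRY.__contains__)` to see the dangling-reference case; on the affected server, `diagnose(description)` probes the live registry.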
By the way, have you gone into the folder called Program Files\Microsoft Windows Small Business Server\Networking\ICW? Included in there is an HTM file of exactly what the wizard did:
Run the Configure E-mail and Internet Connection Wizard to connect your server to the Internet.
A key function of Windows® Small Business Server 2003 is to configure Internet services to the small business network.
To configure Internet services, use the Configure E-mail and Internet Connection Wizard.
The wizard is designed to correctly configure settings for your network, firewall, secure Web site, and e-mail services that are used when connecting your computer running Windows Small Business Server to the Internet. Additionally, you can use the wizard to return your server's network configuration to its original state.
There are four components for the wizard:
- Configure networking. Define the type of connection that your server will use to connect to the Internet. The wizard is designed to support either a broadband or dial-up connection.
- Configure firewall. Secure your network by preventing unauthorized access to and from your local network. When you enable the firewall on your server, several standard services are allowed through the firewall to ensure Internet connectivity. You can also allow predefined Web services, predefined services, or custom-defined services through the firewall by using the wizard.
- Configure secure Web site. Allow access to specific Web services or to your entire Web site through the firewall from the Internet. You can select to allow access to the entire Web site or only specific Web services. Specific Web services include Outlook Web Access, Outlook Mobile Access, server performance and usage reports, Remote Web Workplace, and the Windows SharePoint™ Services intranet site. When you allow access to a Web service, the service is also automatically configured to use Secure Sockets Layer (SSL) to secure communications between your server and a Web browser.
- Configure e-mail. Specify how you will send and receive Internet e-mail. Based on the information specified in the wizard, a Simple Mail Transfer Protocol (SMTP) connector is automatically configured, which is necessary for your Exchange server. You can also configure the Microsoft Connector for POP3 Mailboxes to download mail from POP3 mailboxes at an Internet service provider (ISP). When you enable Internet e-mail, you also have the option to remove specific types of e-mail attachments from incoming Internet e-mail.
- Troubleshoot network problems. If the network configuration of your server becomes corrupted or changed in any way, you can reset the configuration simply by running the Configure E-mail and Internet Connection Wizard again.
Note: If you want to run the Configure E-mail and Internet Connection Wizard at a later time, click the Connect to the Internet task on the Manage Internet and E-mail taskpad in Server Management. To open Server Management, click Start, and then click Server Management.
Look for an .htm file called ICWdetails__.htm; it will let you know EXACTLY what that wizard did:
SUMMARY OF SETTINGS FOR CONFIGURE E-MAIL AND INTERNET
CONNECTION WIZARD
This file contains detailed information about the
configurations specified in the Configure E-mail and
Internet Connection Wizard.
The configurations specified in the Configure E-mail and
Internet Connection Wizard determine the settings for your
network, firewall, secure Web site, and e-mail.
NETWORKING CONFIGURATION SUMMARY
After the wizard completes, the following network connection
settings will be configured:
Connection type: Do not change
FIREWALL CONFIGURATION SUMMARY
After the wizard completes, the following firewall settings
will be configured:
Internet Security and Acceleration (ISA) Server will be
configured as follows:
Disable existing filters that may create a filter
conflict.
Create a standard set of network service filters.
For a list of the standard filters, see firewall settings
for your Windows Small Business Server network in Help and
Support.
Create the following additional filters:
E-mail
Virtual Private Networking (VPN)
Terminal Services
For more information about the port number and
purpose of each additional filter, see firewall settings for
your Windows Small Business Server network in Help and
Support.
Create the following custom filters:
SBS Remote Web Workplace CustomFilter, 4125, TCP
NTP, 123, UDP
Add the internal domain name for Windows Small
Business Server to the local domain table (LDT) of ISA
Server to allow ISA Server to route internal network
requests on the local network.
Enable IP routing.
Disable automatic discovery as this interferes with
IIS as both ISA Server and IIS attempt to bind to port 80.
Configure the Web listeners to receive incoming http
requests using Small Business Reverse Proxy Listen Entry.
Disable the H.323 Application Filter for video and
audio conferencing for security.
Set the maximum number of incoming Web request
connections allowed to the default Web site to 500. This
improves system availability and reliability by mitigating
denial-of-service attacks against your Web site.
Add the loopback adapter IP address of 127.0.0.1 to
support the http://localhost for IIS.
Create an incoming Web request listener and bind to
IP address of server’s local network adapter to allow ISA
Server to handle Web requests from the Internet.
Set the incoming Web request listeners to allow a
maximum of 300 connections from the outside. This improves
system availability and reliability by mitigating
denial-of-service attacks against your Web site.
Ensure that the publishing rules created by the
wizard are listed first in the order.
Create publishing rules to route appropriate
incoming Web requests to the server’s local network
adapter.
Create a Web publishing rule for Outlook Web Access
that publishes the following IIS Web site directories:
/exchange, /exchweb, and /public. This publishing rule
routes appropriate incoming Web requests to the server’s
local network adapter. Additionally, Outlook Web Access will
be configured for Forms Based Authentication (also called
Cookie Authentication). The Public folder is also configured
to accept Windows Integrated Authentication.
Create a Web publishing rule for the Remote Web
Workplace that publishes the /remote IIS Web site
directory.
Create a Web publishing rule for the Server
performance and usage reports that publishes the /monitoring
IIS Web site directory.
Create a Web publishing rule for Outlook Mobile
Access that publishes the following IIS Web site
directories: /OMA and /Microsoft-Server-ActiveSync.
Create a Web publishing rule for Outlook via the
Internet that publishes the /rpc IIS Web site directory.
NOTE: Users connecting to Outlook Web Access,
Remote Web Workplace, and Outlook via the Internet, must use
an https:// connection. Additionally, these Web site
directories are configured to require 128-bit encryption.
All other Web sites can use either https:// or http://
connections.
Internet Information Services (IIS) will be configured as
follows:
Configure http.sys driver to only bind to the local
network adapter to prevent IIS from conflicting with ISA
Server on the ISP network adapter.
Disable socket pooling.
Set DNS to listen to only to the local network
adapter.
To only listen on the local network adapter. This
allows ISA Server to monitor incoming Web requests from the
Internet.
SECURE WEB SITE CONFIGURATION SUMMARY
After the wizard completes, the following secure Web site
settings will be configured:
Secure Sockets Layer (SSL) will be configured as follows:
The Web server certificate required for https:// will be
created for the following Web server name: domain.com
Create a Web server certificate named ISAcert.cer in
the \sbscert folder and also install this certificate into
ISA Server. This certificate is required so that you can
access secure Web sites on the computer running Windows
Small Business Server if ISA Server is installed.
ISAcert.cer is configured for ISA Server for external Web
clients. Create an additional Web server certificate named
Sbscert.cer and install this certificate in IIS, which is
used by internal clients and by redirected Web requests from
ISA Server.
The incoming Web listener is configured to use the
ISAcert.cer certificate.
E-MAIL CONFIGURATION SUMMARY
After the wizard completes, the following e-mail settings
will be configured:
Exchange will be configured as follows:
Email: Do not change Exchange configuration for Internet
e-mail.
Keep the existing Internet e-mail configuration.
After the wizard completes, the icwlog.txt in C:\Program
Files\Microsoft Windows Small Business Server\Support is
updated.
After the wizard completes, the wizard script file
config.vbs is created in C:\Program Files\Microsoft Windows
Small Business Server\Networking\Icw.
NOTE: Each time the wizard runs, a new config.vbs file is
automatically generated to preserve the previous settings.
For example config.vbs, config1.vbs, config2.vbs, and so
on.
Man... I told you someone on the SBS dev team was a bean counter in a prior life. See, people? Do you REALLY want to do that by hand?
So anyway, I had an extremely low tolerance for tech issues tonight and called Microsoft PSS.
What's funny is that because I ended up fixing the issue myself while on the call, they refunded the call. ;-)