Troubleshooting ISA Server Installation and Configuration Problems


Installation of ISA Server usually proceeds in a straightforward fashion. Problems during or directly following installation are often related to one of three things:

  • Hardware incompatibilities

  • Software incompatibilities

  • Improper initial configuration

Let's look briefly at each category in the following sections.

Hardware and Software Compatibility Problems

In most cases, ISA Server works with common hardware and software configurations. In some cases, however, hardware incompatibility causes a conflict or ISA does not run properly in conjunction with another software program that is installed on the server.

ISA Server Doesn't Meet Minimum System Requirements

For ISA Server to function properly, the computer on which it is installed must meet the following minimum system requirements:

  • Pentium II or compatible processor running at 300MHz or above

  • A member of the Windows 2000 Server family with SP1 or later

  • At least 192MB (256MB recommended) of RAM

  • At least 20MB of free disk space

  • At least one NTFS partition

  • A Windows 2000-compatible NIC connected to the internal network

If you are installing ISA Server as an array member, Active Directory must be implemented on your network. In some cases, ISA could refuse to install if the proper hardware configuration is not present. In others, ISA might appear to install successfully, even though your machine does not meet the minimum requirements. However, you might find that unusual behavior results; for example, all ISA Server services might not start if you have an insufficient amount of RAM.

You should also check the Windows 2000 Hardware Compatibility List (HCL) prior to installing Windows 2000 Server on the machine. The HCL is available on the Microsoft Web site at the following location: www.microsoft.com/whdc/hcl/default.mspx.

ISA Server Exhibits Odd Behavior When Windows 2000 NAT Is Installed

If Network Address Translation (NAT) or Internet Connection Sharing (ICS) is being used on the Windows 2000 Server computer, when you install ISA Server, NAT/ICS will automatically be disabled. However, we have found that, in some cases, having NAT installed will cause continuing odd behavior on the part of the ISA server, resulting in intermittent loss of connectivity. The solution to this problem is to delete the NAT routing protocol from the IP Routing section of the RRAS console tree.

Note

ISA Server's address translation function is also incompatible with third-party NAT solutions such as Sygate or NAT32. You should uninstall these programs from the Windows 2000 computer before installing ISA Server.

Internal Clients Are Unable to Access External Exchange Server

When you install ISA Server and your clients need to be able to use an external Exchange Server, you might find that using Outlook for e-mail does not work, although Web services function properly.

In this case, you need to add the IP address of the external Exchange Server to the LAT and install the firewall client software on the internal machines that are running Outlook. This will allow the clients' e-mail to go through.

Initial Configuration Problems

Many of the problems that occur following installation result from incorrect or incomplete configuration during the installation process or changes made to the ISA Server configuration following installation.

Unable to Renew DHCP Lease

You might find that, after upgrading from Microsoft Proxy Server or installing a fresh copy of ISA Server, you are unable to renew a lease from the DHCP Server using the ipconfig /release and ipconfig /renew commands. The only way to renew the lease is to reboot the server. This occurs even after adding a custom packet filter to allow UDP in both directions on local fixed port 68 and remote fixed port 67, as you might have done to solve this problem with Proxy Server.

Note

Knowing how ISA Server works, and how the Windows 2000 services with which it interacts (such as DHCP) work, is the basis of solving problems of this type. For example, if you know that the lease is obtained before the packet filters are applied, you will understand why it is necessary to reboot the server to obtain a new DHCP lease.

The solution is to enable the DHCP client rule under Packet Filters, as shown in Figure 26.10. Once you enable the filter, you should be able to use the ipconfig switches to release and renew your DHCP lease.

Figure 26.10: Enable the DHCP Client Rule to Allow a Release and Renew of the DHCP Lease

Failure of Services to Start After Completing Installation

For a couple of reasons, the ISA services might not start after installation has completed successfully. As always, check the Event Viewer for any relevant messages.

In some cases, we have noted that, if there is insufficient RAM in the server, the services might not start or might have to be started manually. Upgrading the physical memory will solve the problem if this is the cause.

If the LAT is not configured correctly and doesn't include the internal NIC (which communicates with Active Directory), the ISA Server services will not be able to start. In this case, you should first stop the ISA services (you can do this by typing net stop mspfltext at the command line) and then reconfigure the LAT using ISA Server Administration COM objects. An article in the ISA Server SDK, Constructing the Local Address Table, will instruct you in how to do this.

After you have added the appropriate entries to the LAT, you must reboot the ISA Server computer.

Inability to Join Array

You could find that it is possible to create a new array by right-clicking Servers and Arrays in the ISA Management MMC and selecting New and Array. This starts the New Array Wizard. You can enter a name, site, and domain location for the new array, and it will appear in the management console. However, when you install a new ISA server and attempt to join an array, you will not be able to join the new array you have created.

Our experience shows that during installation, you are given the option to join only those arrays that have at least one member. Because the array you created with the wizard contains no members, you cannot join it. You can create a new array during the installation of the first computer that will be a member of the new array, and then this array will be available to join when you install subsequent ISA servers.

Inability to Save LAT Entry

If you receive an error message: "ISA Server cannot save the properties. Error 0x80040340. The IP range already exists in the Local Address Table (LAT)," when you attempt to save a new LAT entry, this could be due to the fact that it is an exact duplicate of an already existing address.

It is possible to overlap IP ranges in the LAT. That is, a new entry can have either a "from" address or a "to" address that already exists in the LAT, but not both.

Note

Although Microsoft allows overlapping LAT entries as described, it is recommended that you not use such entries, because doing so can result in unpredictable behavior by the ISA server.

ISA Server Control Service Does Not Start

You could get the following error messages when you attempt to connect to an array in the ISA Management MMC:

ISA Error The operation failed Failed to connect Error 0x8007203a

This happens when the LAT is not configured properly. If you have installed ISA Server Enterprise Edition as an array member and you include only the external interfaces in the LAT, the array will not be able to communicate with Active Directory on the internal Windows 2000 network. Array configuration information is stored in Active Directory when ISA Server is installed as an array member, and if ISA cannot contact Active Directory, it cannot determine its configuration.

The result is that the ISA Server Control (ISACTRL) service will not be able to start, and you will not be able to correct the LAT entries from any array member, because the ISA Management MMC will not display the current configuration.

This problem must be corrected from another computer or ISA array that is running the ISA Management MMC. The ISA management tools can be installed on any Windows 2000 computer (including Windows 2000 Professional) that is connected to the domain in which the ISA array resides.

Use the Connect to feature to connect to the array that has the misconfigured LAT. You will be able to access the configuration information that is stored in Active Directory and make the appropriate changes to the LAT. You need to restart the ISA servers in the array after you make the modifications to the LAT.

For detailed, step-by-step instructions and more information about this problem, see article Q282035 in the Microsoft Knowledge Base on the Microsoft Web site.
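
An offline check for the LAT problems described in "Failure of Services to Start After Completing Installation", "Inability to Save LAT Entry" and this section, as an added example that is not from the book or from Microsoft. It flags exact duplicates, any intersecting ranges (a generalization of the shared "from" or "to" case), and internal NIC addresses the LAT does not cover; the function names and sample addresses are constructed, and the ranges are assumed to have been copied by hand from the management console.

```python
import ipaddress

# Constructed sample data (not from the book): LAT rows as ("from", "to") pairs,
# plus the addresses bound to the server's internal NICs.
SAMPLE_LAT = [
    ("10.0.0.0", "10.255.255.255"),
    ("192.168.1.0", "192.168.1.255"),
    ("192.168.1.0", "192.168.1.127"),   # shares only its "from" address
    ("10.0.0.0", "10.255.255.255"),     # exact duplicate of the first row
]
SAMPLE_INTERNAL_NICS = ["192.168.1.1", "172.16.0.5"]

def parse_lat(entries):
    """Convert ("from", "to") strings to IPv4Address pairs, rejecting inverted ranges."""
    ranges = []
    for start, end in entries:
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if lo > hi:
            raise ValueError(f"'from' {start} is above 'to' {end}")
        ranges.append((lo, hi))
    return ranges

def audit_lat(entries, internal_nics):
    """Return (kind, detail) findings for a proposed LAT."""
    findings, unique = [], []
    for lo, hi in parse_lat(entries):
        if (lo, hi) in unique:
            # Same "from" and "to" as an existing row: the case the page ties to error 0x80040340.
            findings.append(("duplicate", f"{lo}-{hi}"))
        else:
            unique.append((lo, hi))
    for i, (lo, hi) in enumerate(unique):
        for lo2, hi2 in unique[i + 1:]:
            if lo <= hi2 and lo2 <= hi:
                # Intersecting ranges: the page notes overlaps are possible but recommends against them.
                findings.append(("overlap", f"{lo}-{hi} / {lo2}-{hi2}"))
    for nic in internal_nics:
        addr = ipaddress.IPv4Address(nic)
        if not any(lo <= addr <= hi for lo, hi in unique):
            # Internal NIC outside the LAT: services cannot reach Active Directory.
            findings.append(("nic-not-in-lat", str(addr)))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_lat(SAMPLE_LAT, SAMPLE_INTERNAL_NICS):
        print(f"{kind:15} {detail}")
```

An empty result means the proposed table has no duplicate or intersecting rows and covers every internal NIC address supplied.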




The Best Damn Firewall Book Period
ISBN: 1931836906
EAN: 2147483647
Year: 2003
Pages: 240
