Disabling Firewall Service Lockdown due to Logging Failures

In Microsoft ISA Server 2004, alerts can be configured to shut down the Microsoft Firewall service when situations that raise specific events occur. Whenever the Firewall service shuts down, ISA Server goes into lockdown mode, in which only specific types of traffic are allowed. ISA Server can leave lockdown mode only when the Firewall service is restarted. By default, the built-in Log failure alert shuts down the Firewall service. This alert is triggered by the Log failure event, which is raised when a logging failure occurs. You can prevent logging failures from causing ISA Server to go into lockdown by disabling the action of the Log failure alert that shuts down the Firewall service.

In addition, when logging fails, ISA Server closes the applicable connection. This way, even if ISA Server does not go into lockdown mode, traffic is blocked when logging failures occur. However, if ISA Server does not go into lockdown mode, logging and the flow of most types of traffic can resume when the condition that causes the logging failures is resolved. In Microsoft ISA Server 2004 Enterprise Edition, when lockdown of the Firewall service due to logging failures is disabled, you can use the DropConnectionOnLogError property of the FPCLog object for each logging component to configure ISA Server not to drop connections when logging fails and to continue functioning without logging.

For computers running ISA Server 2004 Enterprise Edition, the Microsoft Visual Basic Scripting Edition (VBScript) code in DisableLockdownOnLogFailure.vbs (listed later in this Web page) disables lockdown of the Firewall service due to logging failures and allows traffic to continue flowing when logging fails by preventing connections from being dropped in all arrays of the enterprise. For a computer running ISA Server 2004 Standard Edition, this script disables lockdown of the Firewall service due to logging failures.

The script can be run on an ISA Server computer with the Firewall service installed, a remote management computer, or a Configuration Storage server (Enterprise Edition). If the script needs to connect to an ISA Server computer with the Firewall service installed or to a Configuration Storage server, it prompts the user for the name of the applicable computer and uses the credentials of the user who is logged on to connect to it. To run this script for an ISA Server 2004 Standard Edition computer or a single array of one or more ISA Server 2004 Enterprise Edition computers, the user must be an ISA Server Administrator in the array. To run this script for multiple arrays, the user must be an ISA Server Enterprise Administrator.

We recommend that you back up your configuration before running this script.

Usage: [CScript] DisableLockdownOnLogFailure.vbs

To disable Firewall service lockdown and the dropping of connections due to logging failures

  1. Declare an FPC COM object, an FPCArrays collection, an FPCArray object, an FPCAlert object, an FPCLogs collection, and an FPCLog object.

  2. Create an instance of the FPC COM object, which is known as the root object and provides access to the other ISA Server administration COM objects.

  3. Try to get the number of arrays in the arrays collection by retrieving the value of the Arrays.Count property of the root object:

    • If an E_FPC_NOT_CONNECTED_TO_ENTERPRISE (0xC00403A6) error is raised, the local computer is running ISA Server 2004 Enterprise Edition and is not connected to a Configuration Storage server. In this case, prompt the user for the name of a Configuration Storage server, and call the ConnectToConfigurationStorageServer method to connect to the Configuration Storage server specified by the user.
    • If the number of arrays is equal to 0, the local computer may be a Standard Edition remote management computer or a Configuration Storage server that was set up in an enterprise in which no arrays are configured. In this case, call the Connect method with an empty string. If the local computer is a Configuration Storage server, an E_FPC_NOT_SUPPORTED_IN_EE_CENTRAL_MODE (0xC00403A0) error is raised, and the script should be terminated. If the local computer is a Standard Edition remote management computer, a different error is raised. Ignore this error, prompt the user for the name of an ISA Server computer with the Firewall service installed, and call the Connect method to connect to the ISA Server computer specified by the user.
  4. Use the Arrays property of the root object to get a reference to the arrays collection.

  5. In a For loop, perform the following steps for each array in the arrays collection:

    1. Call the Item method (the default method) of the FPCAlerts collection through the Alerts property of the array object to get a reference to the FPCAlert object that represents the Log failure alert.
    2. Call the Unset method of the FPCActions collection through the Actions property of the alert object to modify the alert so that it will not stop the Firewall service, and then call the Save method on the FPCActions collection to write the change to persistent storage.
    3. Use the Type method of the array object to determine whether the local computer is running ISA Server 2004 Enterprise Edition. If the local computer is running Enterprise Edition, use the Logging property of the array object to get a reference to the FPCLogs collection. Then in a For loop, ensure that the DropConnectionOnLogError property of each FPCLog object is set to False, and call the Save method on the FPCLogs collection to write the changes to persistent storage.

Script Listing: DisableLockdownOnLogFailure

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' For computers running ISA Server 2004 Enterprise Edition, this script
' disables lockdown of the Firewall service due to logging failures and allows
' traffic to continue flowing when logging fails by preventing connections from
' being dropped in all arrays of the enterprise.
' For a computer running ISA Server 2004 Standard Edition, this script disables
' lockdown of the Firewall service due to logging failures.
' The script can be run on an ISA Server computer with the Firewall service
' installed, a remote management computer, or a Configuration Storage server
' (Enterprise Edition). If the script needs to connect to an ISA Server
' computer with the Firewall service installed or to a Configuration Storage
' server, it prompts the user for the name of the applicable computer and uses
' the credentials of the user who is logged on to connect to it. To run this
' script for an ISA Server 2004 Standard Edition computer or a single array of
' one or more ISA Server 2004 Enterprise Edition computers, the user must be an
' ISA Server Administrator. To run this script for multiple arrays, the user
' must be an ISA Server Enterprise Administrator.
' We recommend that you back up your configuration before running this script.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Option Explicit

' Define the constants needed.
Const Error_NotConnectedToCSS = &HC00403A6
Const Error_ConfigurationStorageServer = &HC00403A0
Const fpcTypeEnterpriseEdition = 1
Const fpcAlertActionStopServices = 3
Const alertName = "Log failure"

DisableLockdownOnLogFailure

Sub DisableLockdownOnLogFailure()

    ' Declare the objects needed.
    Dim root        ' The FPCLib.FPC root object
    Dim isaArrays   ' An FPCArrays collection
    Dim isaArray    ' An FPCArray object
    Dim alert       ' An FPCAlert object
    Dim logs        ' An FPCLogs collection
    Dim log         ' An FPCLog object
    Dim serverName  ' A String
    Dim num         ' An Integer

    ' Create the root object.
    Set root = CreateObject("FPC.Root")

    ' Try to get the number of arrays.
    On Error Resume Next
    num = root.Arrays.Count
    If Err.Number = Error_NotConnectedToCSS Then
        serverName = _
            InputBox("Enter the name of a Configuration Storage server.")
        ' Connect to the specified Configuration Storage server.
        Err.Clear
        root.ConnectToConfigurationStorageServer serverName
        CheckError
    ElseIf num = 0 Then
        serverName = ""
        Set isaArray = root.Arrays.Connect(serverName)
        If Err.Number = Error_ConfigurationStorageServer Then
            WScript.Echo "No arrays are configured in the enterprise."
            WScript.Quit
        End If
        Err.Clear
        ' Get the name of an ISA Server computer with the Firewall service
        ' installed.
        serverName _
            = InputBox("Enter the name of an ISA Server computer.")
        Err.Clear
        Set isaArray = root.Arrays.Connect(serverName)
        If Err.Number <> 0 Then
            WScript.Echo "The specified computer is not available " _
                & "or does not have the Firewall service installed."
            WScript.Quit
        End If
    End If

    ' Get a reference to the arrays collection.
    Err.Clear
    Set isaArrays = root.Arrays
    CheckError

    For Each isaArray In isaArrays
        ' Get a reference to the "Log failure" alert object,
        ' and modify it so that it will not stop the Firewall service.
        Set alert = isaArray.Alerts(alertName)
        If Err.Number = 0 Then
            alert.Actions.Unset fpcAlertActionStopServices
            CheckError
            alert.Actions.Save
            CheckError
        Else
            WScript.Echo "The " & alertName & " alert was not found in " _
                & isaArray.Name & "."
            Err.Clear
        End If
        If isaArray.Type = fpcTypeEnterpriseEdition Then
            ' Get a reference to the FPCLogs collection.
            Set logs = isaArray.Logging
            For Each log In logs
                ' Ensure that the DropConnectionOnLogError property
                ' is set to False.
                log.DropConnectionOnLogError = False
            Next
            logs.Save
            CheckError
        End If
    Next

    WScript.Echo "Done!"

End Sub

Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & vbCrLf _
            & Err.Description
        Err.Clear
        WScript.Quit
    End If

End Sub
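Because the listing above turns a fail-closed logging setting into a fail-open one, an administrator will usually want to confirm the resulting state of every array before and after running it. The read-only VBScript below is an added example, not part of the Microsoft listing; it reports the DropConnectionOnLogError value of each logging component using only the objects and properties described on this page, and it assumes the computer it runs on is already connected to its configuration (an ISA Server computer, or a management computer connected to a Configuration Storage server), so the connection prompts of the listing are not repeated.

```vbscript
' Added audit example (not part of the Microsoft script listing).
' Assumption: the local computer is already connected to its configuration,
' so root.Arrays can be enumerated without prompting for a server name.
Option Explicit

Const fpcTypeEnterpriseEdition = 1

Dim root      ' The FPCLib.FPC root object
Dim isaArray  ' An FPCArray object
Dim logs      ' An FPCLogs collection
Dim log       ' An FPCLog object
Dim index     ' Position of the logging component in the collection
Dim state     ' Human-readable description of the setting

Set root = CreateObject("FPC.Root")

For Each isaArray In root.Arrays
    WScript.Echo "Array: " & isaArray.Name
    If isaArray.Type = fpcTypeEnterpriseEdition Then
        ' DropConnectionOnLogError exists only in Enterprise Edition.
        Set logs = isaArray.Logging
        index = 0
        For Each log In logs
            index = index + 1
            If log.DropConnectionOnLogError Then
                state = "drops connections when logging fails (fail closed)"
            Else
                state = "keeps connections open when logging fails (fail open)"
            End If
            WScript.Echo "  Logging component " & index & ": " & state
        Next
    Else
        WScript.Echo "  Standard Edition: DropConnectionOnLogError is not " _
            & "available; connections are closed when logging fails."
    End If
Next
```

Run it with CScript so the output goes to the console rather than to a series of message boxes.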