RE: ISA 2004 firewall won't start anymore
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 27 Oct 2005 14:03:30 -0500
Hi Jeff,
I think we're just getting in deeper here :)
Have you restarting the computer?
Any other errors in the Event Viewer that might be helpful?
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> Sent: Thursday, October 27, 2005 2:01 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA 2004 firewall won't start anymore
>
> http://www.ISAserver.org
>
> Thanks for the suggestion Tom, but that didn't work, assuming
> I understood
> what you meant.
>
> I have a certificate in the Trusted Root CA from the
> Enterprise CA. I have
> a domain policy which puts this on domain members. This
> certificate show as
> OK and says it is intended for "all issuance policies" and
> "all application
> plicies".
>
> In the personal store I have a certificate with the DNS name
> that I want to
> use for OWA which was issued from the same root CA (it is the
> only machine I
> have running certificate services). It says its intended purpose is
> "ensures the identity of a remote computer" and says "you
> have a private key
> that corresponds to this certificate".
>
> what I tried was exporting the cert from the personal store
> and importing it
> into the trusted store. I wasn't sure if that's what you
> meant or not.
> Anyway, it didn't work.
>
> I'm not sure if I don't have enough grasp of the certificate
> store concept
> or if this is just a very strange problem. The trusted root
> certificate
> isn't necessary to install ISA is it? I don't remember
> anything about it.
> I didn't think any certificates were necessary to start the
> firewall service
> itself. Policies or web listeners are the only thing that
> came to mind as
> something that would look for a certificate. I just tried
> deleting all of
> the policies I created and the one web listener, rebooted the
> server, and
> still the same errors.
>
> I think I'm about ready to punt.
>
> Jeff
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, October 27, 2005 1:02 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA 2004 firewall won't start anymore
>
> http://www.ISAserver.org
>
> Hi Jeff,
>
> Try installing the CA certificate again. Export it from the Web site
> certificate you're using and put the CA cert in the Trusted Root
> Certification Authorities store for the machine account.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > Sent: Thursday, October 27, 2005 11:48 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: ISA 2004 firewall won't start anymore
> >
> > http://www.ISAserver.org
> >
> > How true! I thought I had a fairly good idea of what I was doing
> > until it broke. I'd like to believe it is a software bug,
> but figured
> > something I did was more likely since I'm still learning this.
> >
> > I have a certificate for the OWA web listener in the
> personal store.
> > The path looks OK and it says the certificate is OK.
> Deleting the web
> > listener and firewall policy didn't correct the problem
> which made me
> > think that it was looking for another certificate
> somewhere? The only
> > place I recall configuring a certificate was for the web listeners.
> >
> > Jeff
> >
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Thursday, October 27, 2005 11:57 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: ISA 2004 firewall won't start anymore
> >
> > http://www.ISAserver.org
> >
> > Hi Jeff,
> >
> > Not being sure is the most common reason for things happening that
> > we're not sure why they happened :)
> >
> > I know, because I'm not sure what I'm doing at least half
> of the time.
> > And once I'm sure, I've moved on to something else that I'm
> not sure
> > what I'm doing. Living a life of uncertainty can get
> unnerving, but I
> > wouldn't trade it for the alternative :)
> >
> > Open the Certificates MMC and check what certs are installed in the
> > machine's Personal certificate store. Double click on the Web site
> > certs in the right pane of the console and check the cert path.
> >
> > HTH,
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> >
> >
> > > -----Original Message-----
> > > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > > Sent: Thursday, October 27, 2005 9:26 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: ISA 2004 firewall won't start anymore
> > >
> > > http://www.ISAserver.org
> > >
> > > I must confess, I'm not sure. In hindsight, I wish I'd
> > made notes of
> > > exactly what I did when, but I didn't think I did anything worth
> > > noting while I was doing it... ;-)
> > >
> > > I did have a couple of web listeners I deleted that I
> wasn't using,
> > > but I didn't think that should cause this error.
> > >
> > > I do have a certificate from my domain CA in the cert
> store and one
> > > for the web listener.
> > >
> > > I could wipe the box and reinstall since I don't have it in
> > > production, but I'd like to know what is wrong to better
> understand
> > > how all of this works.
> > > I haven't messed with this stuff since Proxy 2.0; things
> > have changed
> > > quite a bit.
> > >
> > > Jeff
> > >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: Thursday, October 27, 2005 10:12 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: ISA 2004 firewall won't start anymore
> > >
> > > http://www.ISAserver.org
> > >
> > > Wow Jeff. That's a good one. How'd you do that?
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > **Who is John Galt?**
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > > > Sent: Thursday, October 27, 2005 9:06 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] ISA 2004 firewall won't start anymore
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Yesterday I finally got OWA publishing through ISA and
> > immediately
> > > > managed to break it somehow. After restarting ths ISA
> > > services I got
> > > > these errors in the event log
> > > >
> > > > 14177
> > > > Some certificates cannot be initialized (error code
> > > -2146885628). The
> > > > Web Proxy filter could not initialize. Check that all
> > certificates
> > > > used by the Web Proxy filter are valid.
> > > >
> > > > 14060
> > > > Cannot load an application filter Web Proxy Filter
> > > > ({4CB7513E-220E-4C20-815A-B67BAA295FF4}). FilterInit failed
> > > with code
> > > > 0x80092004. To attempt to activate this application filter
> > > again, stop
> > > > and restart the Firewall service.
> > > > 14001
> > > >
> > > > Firewall Service failed to initialize. Previous event
> log entries
> > > > might help determine the proper action.
> > > >
> > > > Eventid.net didn't have anything useful, and the only
> reference I
> > > > found at
> > > > http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=19;
> > > > t=000394
> > > > had no resolution. I have not done an export or anything.
> > > >
> > > > How can I tell which certificates are used by the web proxy
> > > filter as
> > > > the message in 14177 suggests?
> > > >
> > > > Jeff
> > > >
> > > >
> > > > ------------------------------------------------------
> > > > List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org
> > > Discussion List as:
> > > > tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit
> > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > >
> > > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org
> > Discussion List as:
> > > bunting@xxxxxxxxxxxx To unsubscribe visit
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org
> > Discussion List as:
> > > tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org
> Discussion List as:
> > bunting@xxxxxxxxxxxx To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org
> Discussion List as:
> > tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> bunting@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
Other related posts:
