Hi William,

That is interesting, because I've never had to include anything in the "exclude" list and haven't had the problem. I did see that problem the other day on a Windows 2003 machine with ISA Server installed after I did a bit of system hardening experimentation.

Nice tip!

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: William Robertson [mailto:william.robertson@xxxxxxxxx]
Sent: Friday, March 28, 2003 1:00 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Interesting feedback from Microsoft

Hi there,

I am busy working through a problem with Microsoft regarding a RRAS/VPN issue where my Firewall Service fails when a VPN Client connects. The problem is unfortunately not resolved, but one of the issues we identified was that I would receive the following error message for each of my Server Publishing Rules when the Firewall was in its "funny state".

Here is the alert:

Microsoft Firewall failed. The failure occurred during Initialization of reverse Network Address Translation (NAT). because the configuration property of the key SOFTWARE\Microsoft\Fpc\Arrays\{6DC...}\Publishing\PNATServerMappings\{FF BA...}\ClientSetsExcluded could not be accessed. Use the source location 2.546.3.0.1200.166 to report the failure. The error code in the Data area of the event properties indicates the cause of the failure. For more information about this event, see ISA Server Help. The error description is: The system cannot find the file specified.

The specific registry key within parentheses differs for each alert.

Anyway, official feedback from Microsoft is that this is a bit of a bug and will be fixed in the next SP to be released. The problem is due to the fact that all my Server Publishing Rules do not make use of the "Exclude..." option in the "Applies To" tab, thus this registry key has not been generated and the Firewall Service is then unable to find whatever it is looking for.

The workaround for this at the moment is to create a dummy client address set, and assign it to the "Exclude" list within each Server Publishing rule.

Just thought some of you may find this interesting, if not helpful.

Cheers
William R.
_____
William Robertson
AST Mpumalanga
Systems House / Consultant: Software
Tel: 013-2472703 / 083 638 0354
Fax: 013-2462236