Errors - Various ISA Server error messages. What they mean and how to get rid of them

ISA Server 2000 Frequently Asked Questions (FAQ) topic 

[8] Cache specific - These Q & A's are specific to the ISA Server caching product

Updated: Jul 01, 2002

[15] Errors - Various ISA Server error messages. What they mean and how to get rid of them

Updated: Dec 11, 2002

[39] Firewall Specific - These Q & A's are specific to the ISA Server firewall

Updated: Aug 10, 2004

[49] General info - General questions about ISA Server

Updated: Aug 10, 2004

[13] Installation issues - Tackles various installation problems questions

Updated: Jul 06, 2001

[32] Setup - General ISA Server setup questions

Updated: Jul 27, 2004

I'm trying to get my Cisco and Nortel VPN clients working through the ISA Server. They are not using PPTP. I think they're using IPSec, but I'm not sure. All I know is that the Nortel and Cisco VPN clients on the internal network can't call out through the ISA Server. What do I need to do? 

These clients add proprietary IPSec implementations to the IP stack. IPSec won't go through any NAT firewall, including ISA Server. Recent versions of these clients provide a way to encapsulate the IPSec inside UDP. You have to set this up on the VPN server and make a configuration change on the client. Once you do this, then all you need to do is open the appropriate UDP ports on the firewall and traffic shoud pass. In the case of ISA Server, you'd write the appropriate outbound protocol definitions and protocol rules.

I've installed the Remote ISA Server MMC console on my Win2k Professional Machine. When I try to connect to the ISA Server through the console, it doesn't work! I'm logged in as a Domain Admin and I've even used the Run As command. What up with that? 

This is a common problem! Try this: On the isa server: START-> Run->dcomcnfg.exe. Go to the "Default Security" tab. Edit "Default Access Permissions". Now you can ADD the "Administrators Group". Note this is the group and not the account (untested) or REMOVE ALL the users. (tested) including the INTERACTIVE & SYSTEM accounts. This resets the default permissions. Just one other thing, you NEED to reboot the isa server. Many thanks to DION for sharing this tip!

How can I stop the dreaded 14120 error? 

This FAQ is by Thomas W. Shinder: The most common reason for the dreaded 14120 error is that you're looping backup through the external interface of the ISA Server to access an internal network server that you published via ISA Server. You can't do that! Another reason could be that you have not created a split DNS infrastructure. One way to get around creating a split DNS infrastructure is to create a HOSTS file on the ISA Server that contains the FQDN contained in the request host header. The entry in the HOSTS file would contain that same FQDN, but it would map to an internal network server. That way, www.mypublishedserver.com would resolve to an internal network IP address, instead of the public address on the external interface of the ISA Server

I receive an error in the event log Firewall “Cannot bind SMTP requests to port 25 because it is already in use by another process.” What could it be? 

Its probably the "Simple Internet Mail Service" installed automatically with IIS. Disable the service in the services control panel.

I've just installed RC1 and now I'm getting loads of 14120 errors in the event log (LAT and windows routing tables don't match) 

Just recreate the ‘Lat table’ in ISA console.

I'm having a problem with ISA and outlook express 5. I can't access my hotmail accounts - the error I get is: ”Proxy Error (Logon failure: unknown user name or bad password.)”. How can I fix this? 

Adding Hotmail web sites to exception list and using Winsock client (currently: Firewall client) to access them should do the trick (now we have the SNAT option, too).

Error on restart of the ISA-service 'The Microsoft Web Proxy failed to log information to file WEBxxxxxxxx.log ' 

Disable the indexing and compressing of the ISAlog-folder and unchecked compress / index in ISA-server MMC.

Upgrading NIC causes problems when ISA is running. When upgrading the internal adapter winows ask for a file called "|". How could I prevent this? 

Stop the ISA-service and you can upgrade the driver.

I get the following error message when i attempt to manually start the services: ‘ERROR 1747 - THE AUTHENTICATION SERVICE IS UNKNOWN’ 

Try unbinding the old listeners and rebinding them again. You may need to reconfigure any publishing rules and packet filters. Anything that you've created that has the old IP addresses bound to them.

I couldn't get a web connection at the client without the proxy setting. What could I be missing? The client gateway is set to the address of the inside adapter of the ISA server. And, since it does work with the proxy setting, I know that the protocol and site/content rules do allow access. If it makes a difference, the clients are Win98. 

Open all sites (which may be your default site/content rule, confirm that in the console), and open all protocols, to all network clients.
If you are using a dial-up connection, and you have a SNAT client, here's a secret: right click the routing node in the left pane and then choose the dial-up connection as the primary route for the firewall.