Swapping servers around would be a major job and involve an outage of the services that I would rather avoid unless I have some reason to suspect hardware... like the knowledge that this error is often associated with hardware problems. MS don't indicate this in the KBs I've read to date, but I'd be happy to go with such a move if there was a sound basis for testing it.
Of course, if I have to buy new hardware, I could always buy a Cisco ASA55xx....
Just as an aside, the main reason for noting the role of this particular ISA server is that it's the main public perimeter firewall.
I have 3 ISA servers:
1. This one -- Inbound perimeter FW.
2. Outbound perimeter FW.
3. Internal server FW.
The inbound perimeter FW is the one that shows its face large to the world, is the primary defence point, and cops an absolute hammering from hackers... it's under attack and/or probing all day every day.
There is only the one hotfix showing as being installed for ISA-2006, KB925403 (something to do with publishing Exchange2007) which was installed by MS-Update. I'm not sure about a service-pack for isa-2006 ??
Unless MS-Update advises me that something is available or I can manage to luck onto a specific KB article from the event description, I find the whole process of tracking MS hotfixes to be near impossible to deal with... so I have no idea if there are other patches/hotfixes which are available for isa-server-2006, that I am missing.
Yesterday it failed 5 times... 3 of them within 10mins of each other.
However, it's now gone nearly 24hrs since the last failure, which makes me suspect that it's content related, and has something to do with a published website and a request for content.
I've activated the recovery state on the service, to try and restart it if I'm not around, but auto-restarting a service is not something I see as a solution.
The MS ISA-Events chm describes the event as:

ISA Server 2006: Event 14057

Event Message: The Firewall service stopped because the application filter module <filter module name> generated the exception code <exception code> at the address <address> when the function <function name> was called. To resolve this error, remove recently installed application filters and restart the service.

Explanation: The application filter module specified in the event message performed an invalid function call that raised an exception and stopped the Firewall service.

User Action: After removing the applicable application filter, restart the Microsoft Firewall service. To do this, in the ISA Server Management console tree, click Monitoring. In the details pane, click the Services tab, and then select Microsoft Firewall. On the Tasks tab, click Start Selected Service.

I am running a number of published websites (that's basically the job of this firewall) and these sites are running IIS6 GZIP compression and header-level cache control, using a couple of tools from the Port80 guys.
If (when?) it fails again, I'll try playing with the hardware, just to rule it out, but based on the error description, I'm starting to wonder if this might have something to do with GZipped content and the firewall freaking out with particular responses.
Ha! Maybe it's the compression settings that are gunking up the ISA Firewall. Read the ISA Server 2004 SP2 White Paper and pay close attention to the compression section and how you might be able to DoS yourself because of compression in a Web publishing scenario.