we work with ISA 2004 on our Systemcenter enviroment. Every think works well, but the caching does not work. We got the following message: ISA Server alert: The Web cache proxy was disabled because of a global failure. The cache was not properly initialized. caching will be disabled (internal code 503.2188.8.131.521.50). Identify the specific reason for the failure from previous relevant event logs. Fix the problem, and then restart the Firewall service to enable caching. The failure is due to error: A cluster resource failed.
Hello, we have the same problem. Windows 2003 standart server with all hotfixes, ISA Server 2004 Final Edition. Everything works fine, but if i define a cache drive, then the following error is shown in the alert window:
Description: The cache was not properly initialized. caching will be disabled (internal code 503.2184.108.40.2061.50). Identify the specific reason for the failure from previous relevant event logs. Fix the problem, and then restart the Firewall service to enable caching. The failure is due to error: A cluster resource failed.
The urlcache directory was created but is still empty. I have set everyone fullcontrol permission to this folder and restart the isa services... no success...
thank You for Your tip. We already tested the cache on all drives in every size and combination. We believe that the information about the "cluster...." is the key to the solution. If we promt the set-command we see an entry about a cluster ressource. But why and how can these be shown on an standard edition?
Hi Guys, The solution described above suggests allowing full control to NETWORK SERVICE on the disk root. As a general security guideline, we recommend that you do not allow the NETWORK SERVICE extensive permissions.
What is the problem? When configuring cache drive, if the root dir on the drive (e.g. C:\ or D:\ or E:\ or...) has non-default permissions, in which a NETWORK SERVICE does not have sufficient permissions the creation of the cache file fails.
GMSonic proposed a solution in a previous posting: ˘...The solution is, you must set the network service user on the root of the disk with full control permissions...÷
What is the security problem with this solution? This solution would surely work. But from security PoV it is not recommended. A NWS is generally considered to be a service with low trust because it is dealing with network traffic and therefore there is a chance that it is possible to exploit it from the network. Therefore a NWS should not have full access to the drive root. This solution would work, but it is not recommended security-wise
What is a better solution? NWS only needs the following permissions to the driveĂs root: + ˘Read Attributes÷ + ˘Create Folders / Append data÷ Note: These permissions should not be inherited to subfolders or files. The permissions should apply to ÷This folder only÷ (use the advanced tab when setting permissions the permissions).
A few notes:
NETWORK SERVICE exists on Win 2003, but does not exist on Win 2000. On Win 2000 the ISA firewall service runs as system
On Win 2003 in a default installation a NWS is not explicitly allowed the above listed permissions, rather the USERS group is allowed them and a NWS is part of the USERS group.
thanks for Your help. The hardening guidelines isvery new. We alreday got them and changed the ACL on the maschines.
May be You can ask Your team in SP1 for ISA to implement in the wizzard a control for changing the correct ACL for the caching mode. This would be very helpfull for administrators. The error log was not very helpfull in this case.