We work with ISA 2004 on our Systemcenter environment. Everything works well, but the caching does not work. We got the following message: ISA Server alert: The Web cache proxy was disabled because of a global failure. The cache was not properly initialized. caching will be disabled (internal code 503.285.4.0.2161.50). Identify the specific reason for the failure from previous relevant event logs. Fix the problem, and then restart the Firewall service to enable caching. The failure is due to error: A cluster resource failed.
Actually, we don't know why the event log contains the information about the cluster resource. The Windows Server 2003 is anyhow "only" a Standard Edition.
We already installed everything from scratch with the same result.
Hello, we have the same problem. Windows 2003 Standard server with all hotfixes, ISA Server 2004 Final Edition. Everything works fine, but if I define a cache drive, then the following error is shown in the alert window:
Description: The cache was not properly initialized. caching will be disabled (internal code 503.285.4.0.2161.50). Identify the specific reason for the failure from previous relevant event logs. Fix the problem, and then restart the Firewall service to enable caching. The failure is due to error: A cluster resource failed.
The urlcache directory was created but is still empty. I have set Everyone full control permission on this folder and restarted the ISA services... no success...
Thank you for your tip. We already tested the cache on all drives in every size and combination. We believe that the information about the "cluster...." is the key to the solution. If we type the set command, we see an entry about a cluster resource. But why and how can this be shown on a Standard Edition?
ISA Server 2004 runs under the Network Service user; we have set the NTFS permissions via policy on all our member servers (also the ISA server).
The solution is, you must set the network service user on the root of the disk with full control permissions. If you set it only on the urlcache directory, it fails to initialize.
I have modified our policy and added the network service user on these drives. Everything works fine.....
Great point! In our network we also changed the root security to just local admin with full control. I will be in our office the next day and will change the NTFS rights, then we will see.
RE: ISA Server alert: The Web cache proxy was disabled ... - 5.Oct.2004 11:33:00 PM
Guest
ISA sets full control to the urlcache directory but it does not change the root directory. Setting Network Service to read access at the root access seems to work.
Hi Guys, The solution described above suggests allowing full control to NETWORK SERVICE on the disk root. As a general security guideline, we recommend that you do not allow the NETWORK SERVICE extensive permissions.
What is the problem? When configuring a cache drive, if the root dir on the drive (e.g. C:\ or D:\ or E:\ or...) has non-default permissions, in which NETWORK SERVICE does not have sufficient permissions, the creation of the cache file fails.
GMSonic proposed a solution in a previous posting: "...The solution is, you must set the network service user on the root of the disk with full control permissions..."
What is the security problem with this solution? This solution would surely work. But from a security PoV it is not recommended. A NWS is generally considered to be a service with low trust because it is dealing with network traffic and therefore there is a chance that it is possible to exploit it from the network. Therefore a NWS should not have full access to the drive root. This solution would work, but it is not recommended security-wise.
What is a better solution? NWS only needs the following permissions to the drive's root:
+ "Read Attributes"
+ "Create Folders / Append data"
Note: These permissions should not be inherited to subfolders or files. The permissions should apply to "This folder only" (use the advanced tab when setting the permissions).
A few notes:
NETWORK SERVICE exists on Win 2003, but does not exist on Win 2000. On Win 2000 the ISA firewall service runs as system.
On Win 2003 in a default installation a NWS is not explicitly allowed the above listed permissions, rather the USERS group is allowed them and a NWS is part of the USERS group.
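The least-privilege grant described above, as an added example that is not part of the original thread or any Microsoft tooling: a PowerShell audit of the direct NETWORK SERVICE entries on a cache drive root, with an optional step that replaces them with the two listed rights on "This folder only". The drive letter `E:\` and the `-Root` / `-Apply` parameter names are assumptions for illustration.

```powershell
# Added example, not from the thread. $Root is an assumed cache drive root.
param([string]$Root = 'E:\', [switch]$Apply)

# Well-known SID S-1-5-20 = NT AUTHORITY\NETWORK SERVICE (locale independent).
$nws = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'

# The two rights the post lists: "Read Attributes" and
# "Create Folders / Append Data" (AppendData and CreateDirectories share a bit).
$needed = [System.Security.AccessControl.FileSystemRights]'ReadAttributes, AppendData'
$sync   = [System.Security.AccessControl.FileSystemRights]::Synchronize
$okMask = [int]$needed -bor [int]$sync

$acl = Get-Acl -Path $Root

# Only ACEs that name NETWORK SERVICE directly are examined. Rights reaching
# the account through group membership (e.g. Users) are not evaluated here.
$aces = @($acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $nws.Value })

$granted = 0
foreach ($ace in $aces) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $granted = $granted -bor [int]$ace.FileSystemRights
    # Anything beyond the two rights (plus Synchronize) is more than needed.
    if (([int]$ace.FileSystemRights -band (-bnot $okMask)) -ne 0) {
        Write-Output "EXCESSIVE: $($ace.FileSystemRights) granted on $Root"
    }
    # The grant must stay on the root and not flow to subfolders or files.
    if ($ace.InheritanceFlags -ne 'None') {
        Write-Output "INHERITED TO CHILDREN: $($ace.InheritanceFlags)"
    }
}
if (($granted -band [int]$needed) -ne [int]$needed) {
    Write-Output "MISSING: no direct ACE grants '$needed' on $Root"
}

if ($Apply) {
    # Drop every direct NETWORK SERVICE ACE (allow and deny), then add one
    # allow ACE with no inheritance or propagation: "This folder only".
    $acl.PurgeAccessRules($nws)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $nws, $needed, 'None', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Root -AclObject $acl
    Write-Output "APPLIED: '$needed' for NETWORK SERVICE on $Root only"
}
```

Run it without `-Apply` first to see what is currently granted; the change itself needs an administrative session.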
Thanks for your help. The hardening guidelines are very new. We already got them and changed the ACL on the machines.
Maybe you can ask your team to implement in SP1 for ISA a control in the wizard for changing to the correct ACL for the caching mode. This would be very helpful for administrators. The error log was not very helpful in this case.