Trashed ISA2004 while importing destination sets

At my company, internet usage is free for everyone. We do very little monitoring at the moment and the only thing I sometimes do is generate a report in ISA2004 to see who/what is generating the most traffic.

Over the last couple of weeks I noticed an increase of traffic generated by video on demand, social networking sites and chat sites. Especially the video sites are generating a lot of traffic. Now, if those sites were only visited during lunch breaks, I wouldn’t have a problem with that, but for some people it’s just too hard to stay away from those sites throughout the whole day. Time to block some of those annoying sites. But while I’m at it, why don’t I block a lot of unwanted sites at one time?

On Isaserver.org I found Steve Moffat’s block lists, which provide some excellent destination sets that can be imported into ISA server right away.

I downloaded some of those lists and imported them from my workstation, using the ISA Server management console. I then created a firewall rule to block all sites in the newly imported set, and tested it. It worked, so I wanted to import more lists.

During that second import, something (I still don’t know what) went wrong, and the import was terminated. Immediately, the management console stopped responding and internet access was down. I opened a remote console to the ISA server and found out that the Firewall Service had stopped. I tried to restart, but it refused.

In my eventlog I found event ID 11004:

Microsoft Firewall failed to start. The failure occurred during Initializing policy rules because the system call failed. Use the source location 912.294.4.0.2167.887 to report the failure. The error description is: The system cannot find the file specified.

It seemed that the second destination set was corrupt, and was confusing the firewall rules. Ok, no problem I thought. I’ll just delete the last imported destination set and everything is OK. It turned out it wasn’t that simple. When I launched the ISA server manager, I could not access the toolbox. It came up with a “cannot find the file specified” error, so there was no way to get to the destination sets.

Searching for the event ID on the net didn’t get me very far. The only solution I found was to delete ISA 2004 and do a reinstall. I did not want to do that yet, because I could not understand that a corrupted destination set could bring ISA down to its knees.

After some thinking and searching around in the ISA program directory, it dawned on me that the ruleset had to be somewhere in the registry. But where? I searched the Isaserver.org forums on registry issues, and found the following key:

HKLM\Software\Microsoft\Fpc\Storage\Array-root\Arrays\xxxxx\RuleElements\Domainnamesets

And there it was. My imported rulesets were there. The first imported set and the second one. The second one had some keys missing, so it was obvious that that was the one which had been interrupted during the import. I deleted the key, and rebooted my machine, and voilà: the Firewall Service did start again.
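The check described above can be scripted so the registry branch is backed up before anything is deleted. This is an added example, not part of the original post or of ISA Server itself: `<ARRAY-ID>` stands in for the `xxxxx` array key, the backup directory is hypothetical, and the script assumes that every complete set under `Domainnamesets` carries the same value names, so a set with fewer values is the likely half-imported one.

```powershell
# Added example: read-only inspection plus a .reg backup. Nothing is deleted.
param(
    [string]$ArrayId   = '<ARRAY-ID>',          # placeholder for the "xxxxx" key in the post
    [string]$BackupDir = 'C:\isa-reg-backup'    # hypothetical backup location
)

$sub  = "Software\Microsoft\Fpc\Storage\Array-root\Arrays\$ArrayId\RuleElements\Domainnamesets"
$path = "HKLM:\$sub"
if (-not (Test-Path $path)) { throw "Key not found: $path" }

# 1. Export the whole branch first, so a later manual deletion can be undone
#    by importing the .reg file again.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ("Domainnamesets-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export "HKLM\$sub" $backup
if ($LASTEXITCODE -ne 0) { throw "reg export failed; stop here." }

# 2. Record the value names and the child-key count of every imported set.
$sets = @(Get-ChildItem $path | ForEach-Object {
    New-Object PSObject -Property @{
        Key      = $_.PSChildName
        Values   = @($_.GetValueNames() | Where-Object { $_ -ne '' })
        SubKeys  = $_.SubKeyCount
    }
})

# 3. Assumption: complete sets share one layout. Build the union of all value
#    names seen and report, per set, which of them are absent.
$expected = @($sets | ForEach-Object { $_.Values } | Sort-Object -Unique)
$sets | ForEach-Object {
    $s = $_
    $missing = @($expected | Where-Object { $s.Values -notcontains $_ })
    New-Object PSObject -Property @{
        Key           = $s.Key
        ValueCount    = $s.Values.Count
        SubKeyCount   = $s.SubKeys
        MissingValues = ($missing -join ', ')
    }
} | Sort-Object ValueCount | Format-Table Key, ValueCount, SubKeyCount, MissingValues -AutoSize

"Backup written to $backup"
```

Sets listed first with a non-empty `MissingValues` column are the candidates to review by hand in the registry editor; the exported file restores the branch if the wrong key is removed.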

Since the ISA server was down anyway, I decided to also upgrade to ISA 2004 SP3 right away, which installed without any problems.

Note to self: before importing destination sets in the future: do it on the machine itself, instead of a management console on a workstation. Oh, and make sure you make a backup of the ISA configuration. My last backup was almost a year old… I guess time flies when you’re having fun :)
