You cannot use Routing and Remote Access service logging after you change the firewall policy on a Windows Server 2003-based computer that is also running ISA Server 2004 (921130)



The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Web Edition

Important: This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SYMPTOMS

Consider the following scenario:
  • You have a Microsoft Windows Server 2003-based computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2004.
  • You configure the server as a Routing and Remote Access server.
  • You configure Windows Authentication as the authentication provider for remote access clients.
  • You configure Windows Accounting as the accounting provider that maintains a log of connection requests.
  • You enable Routing and Remote Access service logging to log accounting requests to a local file.
In this scenario, when you make a configuration change to the ISA Server firewall policy, you may experience the following behavior:
  • The accounting provider configuration is changed and set as none.
  • The accounting requests option in the Routing and Remote Access server is not available.
  • The Routing and Remote Access server does not log accounting information.

CAUSE

ISA Server 2004 Services overwrites changes that are made to the Routing and Remote Access service. You may reconfigure the accounting provider configuration by selecting Windows Accounting. However, when there is a configuration change to the ISA Server firewall policy, you may experience the behavior that is mentioned in the "Symptoms" section. This is the expected behavior in ISA Server 2004.

RESOLUTION

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

To resolve this behavior, use the Visual Basic script that is described in this section. The logging option is not available in the ISA Server user interface. You can set the logging option only by using a script. To do this, follow these steps.
  1. Click Start, point to Programs, point to Accessories, and then click Notepad.
  2. Copy and paste the following code into a new Notepad document, and then save it to a file name with a .vbs extension, such as logoption.vbs:

    '********************************
    ' Get the ISA Server array that contains this computer
    set fpc = CreateObject("FPC.Root")
    set arr = fpc.GetContainingArray
    set vpn = arr.NetworkConfiguration.VpnConfiguration
    'RADIUS accounting must be disabled before enabling windows accounting
    vpn.EnableRADIUSAccounting = false
    'enable windows accounting
    vpn.EnableWindowsAccounting = true
    ' Write the change to the ISA Server configuration
    vpn.Save
    '********************************
    

  3. To run the code, type the following command at a command prompt, and then press ENTER:

    cscript logoption.vbs

  4. Click Start, click Run, type regedit, and then click OK.
  5. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Fpc\Storage\Array-Root\Arrays\GUID\NetConfig\VpnConfig

  6. Make sure that the following registry entries are set to the correct values:
    Registry entry                        Value
    msFPCVpnEnableWindowsAccounting       1
    msFPCVpnEnableRADIUSAuthentication    0
    msFPCVpnEnableRADIUSAccounting        0
  7. Exit Registry Editor.
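
The check in steps 4 through 6 can be repeated after each firewall policy change without opening Registry Editor. The following read-only script is an added example, not part of the original article and not Microsoft code. It assumes that the three entries hold values that compare as the strings 1 and 0, and it checks every subkey under Arrays because the GUID is specific to each installation.

```vbscript
' Added example: read-only check of the registry entries listed in step 6.
Option Explicit

Const HKLM = &H80000002
Const ARRAYS_KEY = "Software\Microsoft\Fpc\Storage\Array-Root\Arrays"

Dim expected, reg, shell, guids, guid, entry, actual, failures
Set expected = CreateObject("Scripting.Dictionary")
expected.Add "msFPCVpnEnableWindowsAccounting", "1"
expected.Add "msFPCVpnEnableRADIUSAuthentication", "0"
expected.Add "msFPCVpnEnableRADIUSAccounting", "0"

Set reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
Set shell = CreateObject("WScript.Shell")
failures = 0

' The array GUID is not known in advance, so enumerate the subkeys of Arrays.
If reg.EnumKey(HKLM, ARRAYS_KEY, guids) <> 0 Or Not IsArray(guids) Then
    WScript.Echo "FAIL: cannot enumerate HKLM\" & ARRAYS_KEY
    WScript.Quit 2
End If

For Each guid In guids
    For Each entry In expected.Keys
        actual = ReadValue("HKLM\" & ARRAYS_KEY & "\" & guid & "\NetConfig\VpnConfig\" & entry)
        If actual = expected(entry) Then
            WScript.Echo "OK   " & guid & " " & entry & " = " & actual
        Else
            WScript.Echo "FAIL " & guid & " " & entry & " = " & actual & _
                         " (expected " & expected(entry) & ")"
            failures = failures + 1
        End If
    Next
Next

' Exit code 1 means at least one entry differs from the values in step 6.
If failures > 0 Then WScript.Quit 1
WScript.Quit 0

' Returns the value as a string (assumption: REG_DWORD or REG_SZ storage),
' or "<unreadable>" if the entry is absent or cannot be converted.
Function ReadValue(path)
    On Error Resume Next
    ReadValue = CStr(shell.RegRead(path))
    If Err.Number <> 0 Then ReadValue = "<unreadable>"
    On Error GoTo 0
End Function
```

Run it with cscript in the same way as logoption.vbs. A nonzero exit code indicates that the accounting provider configuration no longer matches the values in step 6, for example after ISA Server has overwritten it.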

Modification Type: Major
Last Reviewed: 7/26/2006
Keywords:kbtshoot kbbug KB921130 kbAudITPRO