This week I upgraded my ISA lab from ISA Server 2004 SP2 to ISA Server 2006. The inline upgrade went very well except on the ISA Server box ‘ISA Local’ where some third-party Web Filters were installed. Although I first deinstalled all non-compatible ISA Server 2006 third-party products, the Firewall Service refused to start because of a failure in loading the Link Translation filter as shown below:
Thereafter, a bunch of other events are logged, all linked to Web Proxy filter problems. Disabling the rules who used those third-party Web Filters fixed the problem. Hmm… apparently the deinstall procedure of those third-party Web Filters didn’t clean up the configuration very well!
Because I’m very concerned about IPSec tunnel mode site-to-site VPN connections, due to the need for integration with third-party products, the first thing I checked out was if the problem described in my blog When using an IPSec tunnel mode site-to-site VPN you are noticing frequent ISA 2004 error messages “0xC0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED” was resolved are not. I was a little bit disappointed that that issue wasn’t fixed with ISA 2006. So, I contacted Microsoft to find out why. Apparently, because there was a valid workaround for this issue, check out KB917025 for more info, it was not worth the effort to fix the problem in ISA Server 2006. Hopefully the next ISA Server version will have a much better support for IPSec tunnel mode site-to-site VPN connections.
HTH,
Stefaan