Microsoft Firewall Service (WSPSRV.exe) on Forefront TMG (Threat Management Gateway) is not Starting

 

Introduction:

I am sure many of us would have faced the issue where the Firewall Service on the ISA/TMG servers won't start. The reason for the Firewall Service not starting can be different. I was also working on a similar issue a few days back. That's what I am going to discuss here with you in this post.

Scenario:

In this particular scenario when the TMG server restarted the Firewall Service did not start. And when we tried to start the Service Manually, even that Failed. When we looked at the Event Viewer after trying to Start the service, we could see the following Events there:

 

[Screenshots: Event Viewer events logged when the Firewall Service failed to start]

 

Although you might see the above Events in most “Firewall Service Not Starting” issues, the reason behind the Firewall Service not starting can be different.

By default, the Firewall Service runs under the “NetworkService” Account. So, as a troubleshooting step, we changed the “Log On” Account there to the “Local System” Account to see if it's a Permission issue.

NOTE: We should not run the Firewall Service under the Local System Account, as it poses a security risk because the Local System Account has very high Privileges. It's just for the sake of narrowing down the issue that we performed this step here.

So, after changing the Log On Account to “Local System” Account in the Firewall Service properties, we were able to start the service fine. So, now we knew that it was surely a Permission issue.

In this case we took a different approach. Rather than collecting the TMG Data Packager we collected Process Monitor Logs while trying to start the Firewall Service. Process Monitor Tool can be downloaded from the link below:

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

 

A few tips on how to filter the events in the Process Monitor Logs to look for some specific Results:

1) Open the Process Monitor Log.

2) Click on the Tools Option in the Menu Bar at the top and then click on “Occurrences”.

3) You will see a window like this:

 

[Screenshot: the Occurrences window]

4) Then select the option “Result” from the drop-down menu next to “Column”:

 

[Screenshot: “Result” selected in the Column drop-down menu]

5) Click on the “Count” Button in front of the Result Column and you will see all the Result Types from that Log:

 

[Screenshot: the list of Result Types from the Log]

 

6) As we are specifically looking for the Permission issues here, we will concentrate on the “Access Denied” Result Codes here.

7) So, when we Double Click on the “Access Denied” we would see something like this:

 

[Screenshot: the events with the “Access Denied” Result]

 

 

 

Then we went ahead and looked at the Process Monitor logs which we collected. And here is what we saw there:

[Screenshot: Process Monitor log showing the “Access Denied” Results]

As you can see above, we are getting an “Access Denied” Error here while the Firewall Service is trying to access the Files under the Folder “C:\ProgramFiles\MicrosoftISAServer\ErrorHTMLs”.

As the Firewall Service runs under the “NetworkService” Account, this account should have Read Permission on all the files under that Folder.

When we checked the Permissions on those Two Files, NetworkService Account was not even there. So, we added the NetworkService Account there under the Security Tab of those two files and then gave it Read Permission.

After that when we tried to Start the Firewall Service, we were able to start it successfully this time.
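The Occurrences triage from steps 1 to 7 can also be run offline against a saved capture. The script below is an added example, not part of the original post: it assumes the Process Monitor log was saved in CSV format and runs on constructed sample rows, where wspsrv.exe and the ErrorHTMLs folder come from the post and the file names, PIDs and other paths are made up.

```python
import csv
import io
import ntpath
from collections import Counter

# Constructed sample rows in Process Monitor's CSV export column layout.
# wspsrv.exe and the ErrorHTMLs folder come from the post; the rest is made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001","wspsrv.exe","2140","RegOpenKey","HKLM\SOFTWARE\Example","SUCCESS",""
"10:01:02.0000002","wspsrv.exe","2140","CreateFile","C:\ProgramFiles\MicrosoftISAServer\ErrorHTMLs\example1.htm","ACCESS DENIED",""
"10:01:02.0000003","wspsrv.exe","2140","CreateFile","C:\ProgramFiles\MicrosoftISAServer\ErrorHTMLs\example2.htm","ACCESS DENIED",""
"10:01:02.0000004","wspsrv.exe","2140","CreateFile","C:\ProgramFiles\MicrosoftISAServer\ErrorHTMLs\example1.htm","ACCESS DENIED",""
"10:01:02.0000005","wspsrv.exe","2140","CreateFile","C:\Example\missing.dll","NAME NOT FOUND",""
"10:01:02.0000006","svchost.exe","900","CreateFile","C:\Example\other.dat","ACCESS DENIED",""
'''

DENIED = "ACCESS DENIED"

def load_events(text):
    """Parse a Process Monitor CSV export; the leading BOM, if any, is dropped."""
    return list(csv.DictReader(io.StringIO(text.lstrip("\ufeff"))))

def result_counts(events):
    """Rows per Result value, the same view as the Occurrences count in step 5."""
    return Counter(e["Result"].upper() for e in events)

def denied_paths(events, process="wspsrv.exe"):
    """Paths on which the given process was denied access, with hit counts."""
    return dict(Counter(
        e["Path"] for e in events
        if e["Process Name"].lower() == process.lower()
        and e["Result"].upper() == DENIED
    ))

def denied_folders(events, process="wspsrv.exe"):
    """Roll denied paths up to their parent folder to show where to review ACLs."""
    folders = Counter()
    for path, hits in denied_paths(events, process).items():
        folders[ntpath.dirname(path)] += hits
    return dict(folders)

if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    for result, count in result_counts(events).most_common():
        print(f"{count:4d}  {result}")
    for folder, hits in sorted(denied_folders(events).items()):
        print(f"{hits:4d}  denied for wspsrv.exe under {folder}")
```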

 

Some more reasons why the Firewall Service won't start and you get those Events as discussed above:

http://blogs.technet.com/b/yuridiogenes/archive/2009/08/02/isa-server-2006-firewall-service-not-starting.aspx

 

 

 

Blog Written By

NITIN SINGH

SUPPORT ESCALATION ENGINEER, FOREFRONT EDGE SECURITY, MICROSOFT