"Firewall settings could not be configured."

  • Question

  • Hello,

    I am using UAG RTM, installed on a Win Server 2008 R2 VM.  It's currently my DirectAccess gateway, and it's in good working order as far as I can tell.  I have no trunks published at this time.  

    My experience is that, whenever I click on the "Activate Configuration" button, I get the above error message ("Firewall settings could not be configured.  Error(s) occurred while activating the configuration.").  I've checked the event log, and all it has is an event with ID 1 that repeats this message verbatim with no additional information.  I've researched this error both on TechNet, MSDN, and the general Internet but I can't find anything on it at all.  I haven't been able to find any guidance in the UAG help either.  Has anyone else seen this error message? 

    Some more info and a guess:
    The only reason I tried to activate the configuration was that I had begun creating a trunk to expose an intranet website, but then I deleted the trunk and clicked the button to activate.  Maybe that's the issue, that there is no new configuration to activate. 

    Thank you,
    Justin
    Wednesday, February 24, 2010 10:28 PM

All replies

  • Hi, Justin,
    Please check if the Windows firewall service is started on the server. The firewall itself can be on or off, but the SERVICE has to be started, as it's part of the DA configuration.
    Ben Ari
    Microsoft CSS IAG Support
    Sammamish, WA
    • Marked as answer by Erez Benari Monday, March 1, 2010 9:32 PM
    • Unmarked as answer by Justin J Martin Tuesday, March 2, 2010 11:38 PM
    Monday, March 1, 2010 9:32 PM
  • Hi Ben,

    Thank you very much for responding.

    I have checked the firewall service, and it is currently started.  I restarted it just in case (which also triggered restarts of the TMG services) and tried to apply the UAG configuration again.  I still get the same error.  
    Tuesday, March 2, 2010 11:40 PM
  • Are you, by any chance, running this as a normal user, and not administrator?


    Ben Ari
    Microsoft CSS IAG Support
    Sammamish, WA
    • Marked as answer by Erez Benari Thursday, March 18, 2010 11:47 PM
    • Unmarked as answer by Justin J Martin Friday, March 19, 2010 12:19 AM
    Thursday, March 18, 2010 11:46 PM
  • Hi,

    No, only my domain admin account has access to the box.  Also, my supervisor has tried with his domain admin account and received the same error.  I suppose account permissions bear looking into, but as my supervisor is the group manager and architect of the hosting ops team, his domain admin account tends to have the most expansive privileges and permissions.  :-)

    Friday, March 19, 2010 12:19 AM
  • I am having the same problem.  Did you ever find a resolution?

    Thanks, Gretchen

    Tuesday, April 6, 2010 2:49 PM
  • Hi Gretchen,

    Unfortunately, we have not found a solution yet.  I will post one if we get it figured out.

    Justin

    • Proposed as answer by Gergely Vamos Sunday, November 27, 2016 3:13 PM
    Thursday, April 8, 2010 5:57 PM
  • Is this server running on a virtual environment??

     

    Saturday, April 10, 2010 4:03 AM
  • Yes.  Hyper-V on Server 2008, I believe.
    Saturday, April 10, 2010 9:38 PM
  • What network devices are you using in Hyper-V for the server?

    Monday, April 12, 2010 4:59 AM
  • Well, the VM itself has three network adapters, one connected to the public Internet and two connected to the company intranet.  One of the intranet adapters is for the DA traffic and one is for server management traffic.  Is that what you meant?  If not, I'll have to check with the VM host owner to get details about the physical box and the Hyper-V connections.

    Thank you.

    Monday, April 12, 2010 4:51 PM
  • How many networks are defined on this server? Have you added an additional network for the "server management" traffic? What does the Internal network definition look like when compared to the actual network? Are there any additional errors in the event logs or the alert of TMG?

    My colleague Ben has provided the most common reason this error would occur but it certainly is not the only reason. We will need more data to point you in the right direction.

     

    Dan

    • Marked as answer by Erez Benari Wednesday, May 12, 2010 6:10 PM
    Wednesday, May 12, 2010 5:05 PM
  • Hi guys,

    We're having the exact same problem. Previously it had been working perfectly. We have many published applications.

    Just to run you down on our configuration:

    • Two node UAG Array
    • UAG01 is the array controller
    • Changes are made directly from UAG01
    • We have an "internal" network configured with our two internal network adaptors on the same subnet in here. This network is private to the UAG array.
    • The TMG computer object "Array Servers" contains the IP addresses of the TMG array members on the private network.

    Issue as follows

    1. Make a change
    2. Activate the change
    3. UAG reports "Firewall settings could not be configured"
    4. Activation Monitor reports: Error       Firewall settings could not be configured
    5. Activation Monitor reports that UAG02 has activated (green tick)
    6. TMG Alert log reports nothing
    7. TMG Packet logger reports that MS Firewall Storage blocked on the internal network
    8. Denied Connection UAG01 22/07/2010 12:42:32 PM 
      Log type: Firewall service 
      Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer. 
      Rule: None - see Result Code 
      Source: Internal (192.168.1.11:37311) 
      Destination: Local Host (192.168.1.10:2171) 
      Protocol: MS Firewall Storage 
      
    9. Event Log on UAG01
    10. Log Name:  Application
      Source:  Microsoft Forefront UAG
      Date:   22/07/2010 12:29:51 PM
      Event ID:  136
      Task Category: None
      Level:   Error
      Keywords:  Classic
      User:   N/A
      Computer:  UAG01.domain.local
      Description:
      Firewall settings could not be configured. 
      Event Xml:
      <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
       <System>
       <Provider Name="Microsoft Forefront UAG" />
       <EventID Qualifiers="0">136</EventID>
       <Level>2</Level>
       <Task>0</Task>
       <Keywords>0x80000000000000</Keywords>
       <TimeCreated SystemTime="2010-07-22T02:29:51.000000000Z" />
       <EventRecordID>17851</EventRecordID>
       <Channel>Application</Channel>
       <Computer>UAG01.domain.local</Computer>
       <Security />
       </System>
       <EventData>
       <Data>Firewall settings could not be configured.</Data>
       </EventData>
      </Event>
    11. Clicking ok on the UAG error dialog yields the following event log
    12. Log Name:  Application
      Source:  Microsoft Forefront UAG
      Date:   22/07/2010 12:39:20 PM
      Event ID:  136
      Task Category: None
      Level:   Error
      Keywords:  Classic
      User:   N/A
      Computer:  UAG01.domain.local
      Description:
      Error(s) occurred while activating the configuration. 
      Event Xml:
      <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
       <System>
       <Provider Name="Microsoft Forefront UAG" />
       <EventID Qualifiers="0">136</EventID>
       <Level>2</Level>
       <Task>0</Task>
       <Keywords>0x80000000000000</Keywords>
       <TimeCreated SystemTime="2010-07-22T02:39:20.000000000Z" />
       <EventRecordID>17888</EventRecordID>
       <Channel>Application</Channel>
       <Computer>UAG01.domain.local</Computer>
       <Security />
       </System>
       <EventData>
       <Data>Error(s) occurred while activating the configuration.</Data>
       </EventData>
      </Event>
    Thursday, July 22, 2010 2:44 AM
  • In addition, I also notice that the TMG Firewall Configuration reports as Fully Synced (green tick) on both TMG array members.

    After rebooting the affected array member (UAG01), the configuration updates (as shown by Activation Monitor) and seems to be operational.

     

    Thursday, July 22, 2010 3:22 AM
  • UAG supports a single internal interface and single external interface. If you have more than one internal interface, try removing that and see if that corrects the problem.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Thursday, July 22, 2010 11:38 AM
  • Yeah, that's right, we conform to that.

    So we have an External interface connected to the DMZ, and one internal interface which is a private network between the two UAG array members.

    Thursday, July 22, 2010 10:31 PM
  • So did you ever find a solution to this?

     

    It just started happening to me.  Everything has been fine.  I went to add a new authentication server and now this is happening.

    Thursday, October 21, 2010 7:17 PM
  • Hello guys,

    I had exactly the same problem. In my case it was due to the use of objects generated by UAG in TMG; I was using some of these objects in my rules on TMG (e.g., computers).
    The objects generated by UAG in TMG cannot be used to create your own rules.

    Resolution:
    Just remove the rule and it will work. 

    thks, 

    H

    • Proposed as answer by Adrian Ng Thursday, December 16, 2010 6:26 AM
    Thursday, November 4, 2010 9:06 PM
  • this was my issue as well.

    i had some rules that were manually created and i was using objects that were generated by uag.

    only worked it out once the ms guys told me to run the tracing tool and analyse the dump of the operations that were being performed during the activation process.

    once i deleted all of these types of rules, activation worked perfectly.

    this was bugging me for months!

    ps: if anyone needs info on the tracing tool http://blogs.technet.com/b/fesnouf/archive/2010/03/17/tracing-uag-don-t-be-blind.aspx

    Thursday, December 16, 2010 6:29 AM
  • Hi Hugh and Adrian,

    Thanks for the update! I'll follow up on this and see if I can do a blog post on it.

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Thursday, December 16, 2010 4:21 PM
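
The checks the replies in this thread ask for before digging further (elevated session, Windows Firewall service state, number of IP-enabled adapters, recent UAG error events), gathered into one PowerShell triage script. This is an added example, not code from any poster or from Microsoft; it assumes it is run locally on the UAG server and that the event source name is "Microsoft Forefront UAG", as shown in the event log output quoted above.

```powershell
# Added example: activation triage checks drawn from the replies in this thread.
# Read-only; run locally on the UAG server.

# 1. Is this session elevated? (the "normal user, not administrator" question)
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. The Windows Firewall SERVICE (MpsSvc) has to be started,
#    whether or not the firewall itself is switched on.
$fwService = Get-Service -Name MpsSvc

# 3. IP-enabled adapters. One reply states UAG supports a single internal
#    and a single external interface, so more than two deserves a look.
$adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")

# 4. Recent error-level events from the UAG source in the Application log.
#    TimeCreated is local time; the UTC value matches SystemTime in the
#    event XML, which helps when lining events up with TMG log entries.
$filter = @{ LogName = 'Application'; ProviderName = 'Microsoft Forefront UAG'; Level = 2 }
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue)

"Elevated session        : $elevated"
"Windows Firewall service: $($fwService.Status)"
"IP-enabled adapters     : $($adapters.Count)"
$adapters | Select-Object Description, IPAddress, DefaultIPGateway | Format-List

if (-not $elevated)                  { Write-Warning 'Session is not elevated.' }
if ($fwService.Status -ne 'Running') { Write-Warning 'Windows Firewall service is not started.' }
if ($adapters.Count -gt 2)           { Write-Warning 'More than two IP-enabled adapters found.' }

if ($events.Count -eq 0) {
    'No error events from the UAG source were found.'
} else {
    $events |
        Select-Object Id,
                      TimeCreated,
                      @{ Name = 'TimeUtc'; Expression = { $_.TimeCreated.ToUniversalTime() } },
                      Message |
        Format-Table -AutoSize -Wrap
}
```

The script does not inspect TMG policy, so the cause reported later in the thread (custom TMG rules that reference UAG-generated objects) still has to be checked in the TMG console or with the tracing tool linked above.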