You cannot use Routing and Remote Access service logging after you change the firewall policy on a Windows Server 2003-based computer that is also running ISA Server 2004

Consider the following scenario:

• You have a Microsoft Windows Server 2003-based computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2004.
• You configure the server as a Routing and Remote Access server.
• You configure as Windows Authentication the authentication provider for remote access clients.
• You configure as Windows Accounting the accounting provider that maintains a log of connection requests.
• You enable Routing and Remote Access service logging to log accounting requests to a local file.

In this scenario, when you make a configuration change to the ISA Server firewall policy, you may experience the following behavior:

• The accounting provider configuration is changed and set as none.
• The accounting requests option in the Routing and Remote Access server is not available.
• The Routing and Remote Access server does not log accounting information.

ISA Server 2004 Services overwrites changes that are made to the Routing and Remote Access service. You may reconfigure the accounting provider configuration by selecting Windows Accounting. However, when there is a configuration change to the ISA Server firewall policy, you may experience the behavior that is mentioned in the "Symptoms" section. This is the expected behavior in ISA Server 2004.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

To resolve this behavior, you can use the Visual Basic script that is described in this section. The logging option is not available as an ISA User Interface. You can only set the logging option by using a script. To do this, follow these steps.

1. Click Start, point to Programs, point to Accessories, and then click Notepad.
2. Copy and paste the following code into a new Notepad document, and then save it to a file name with a .vbs extension, such as logoption.vbs:

   ********************************
    set fpc = CreateObject("FPC.Root")
    set arr = fpc.GetContainingArray
    set vpn = arr.NetworkConfiguration.VpnConfiguration
    'RADIUS accounting must be disabled before enabling windows accounting
    vpn.EnableRADIUSAccounting = false
    'enable windows accounting
    vpn.EnableWindowsAccounting = true
    vpn.Save
    '********************************
   

3. To run the code, type the following command at a command prompt, and then press ENTER:
   cscript logoption.vbs
4. Click Start, click Run, type regedit, and then click OK.
5. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Fpc\Storage\Array-Root\Arrays\GUID\NetConfig\VpnConfig
6. Make sure that the following registry entries are set to the correct values:

   Registry entry	Value
   msFPCVpnEnableWindowsAccounting	1
   msFPCVpnEnableRADIUSAuthentication	0
   msFPCVpnEnableRADIUSAccounting	0

7. Exit Registry Editor.