Troubleshooting ISA Server 2006

Fri, Jul 25, 2008


If you ever find yourself needing to verify that an Array Member is in fact receiving and applying policy changes from the Configuration Storage Server (CSS), this post might be of help to you. I was assisting in the deployment of an ISA Reverse Proxy solution and we ran into some very strange behavior. Everything seemed to be in working order during the installation, but it shortly became clear that something was not working on the array members. Looking at the ISA Management Console, we could see that policy settings had already synchronized between the Array Members and the CSS server, but the changes were not reflected in the Array Member behavior. Specifically, a simple test policy granting access to a service was not taking effect (the ISA logs showed the request as denied). So how could we tell whether the Array Members were actually receiving and applying the changes from the CSS Server? Well, a look into the registry will give you a clue.

An Enterprise ISA Array Member stores its configuration information in the registry under the HKLM\IsaStg branch. There are two separate branches where information is stored:

HKEY_LOCAL_MACHINE\IsaStg_Eff1

HKEY_LOCAL_MACHINE\IsaStg_Eff2

Only one branch is in use at any given time, while the other branch is a staging area where new updates are applied. You can see which branch the array member is using, along with the last time it was updated, by looking at the registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Storage\ActiveEffective

Additionally, there is an incremental value that changes every time a policy has been received and applied to the ISA Server:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Storage\GlobalChangeNum

So, looking at these registry settings, I was able to identify if and when a policy update was being made to the ISA Array Member. One word of caution: do not make any changes in the registry!
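A read-only way to watch these two values while a test policy change is pushed from the CSS, as an added example that is not part of the original post. It assumes `ActiveEffective` and `GlobalChangeNum` are values under the `Storage` key and that PowerShell is installed on the array member; the polling interval and sample count are arbitrary choices.

```powershell
# Read-only watcher: only Get-ItemProperty is used, nothing is written to the registry.
# Assumption: ActiveEffective and GlobalChangeNum are values under this key.
$StorageKey      = 'HKLM:\SOFTWARE\Microsoft\Fpc\Storage'
$IntervalSeconds = 15   # arbitrary polling interval
$Samples         = 40   # arbitrary: about 10 minutes of observation

function Get-IsaPolicyState {
    # Stop on error so a missing key is reported instead of silently read as empty.
    $p = Get-ItemProperty -Path $StorageKey -ErrorAction Stop
    New-Object PSObject -Property @{
        Time            = Get-Date
        # Cast to string so the comparison works whatever the registry value type is.
        ActiveEffective = [string]$p.ActiveEffective
        GlobalChangeNum = [string]$p.GlobalChangeNum
    }
}

$baseline = Get-IsaPolicyState
Write-Host ("{0:u}  baseline  ActiveEffective={1}  GlobalChangeNum={2}" -f `
    $baseline.Time, $baseline.ActiveEffective, $baseline.GlobalChangeNum)

$changed = $false
for ($i = 0; $i -lt $Samples; $i++) {
    Start-Sleep -Seconds $IntervalSeconds
    $now = Get-IsaPolicyState

    # A new GlobalChangeNum means a policy was received and applied;
    # a new ActiveEffective means the member switched to the other IsaStg_Eff branch.
    if ($now.GlobalChangeNum -ne $baseline.GlobalChangeNum -or
        $now.ActiveEffective -ne $baseline.ActiveEffective) {
        Write-Host ("{0:u}  UPDATE    ActiveEffective {1} -> {2}  GlobalChangeNum {3} -> {4}" -f `
            $now.Time, $baseline.ActiveEffective, $now.ActiveEffective,
            $baseline.GlobalChangeNum, $now.GlobalChangeNum)
        $changed  = $true
        $baseline = $now
    }
}

if (-not $changed) {
    # The console may show the array as synchronized, yet nothing was applied locally.
    Write-Host "No policy update was applied on this array member during the observation window."
}
```

Start it on the array member, then apply a small test change from the CSS; if no UPDATE line appears while the console reports the member as synchronized, the member is not applying what it receives.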

Hope this helps anyone else troubleshooting ISA Server.
