ISA SP1 Intra-Array Communications Outside Domain

I’m busy creating a nice reverse-proxying environment, and for this we chose the ISA 2006 server, mainly because we have some experience with it and it should be really easy to create a High Availability solution. The biggest problem in our case is that the ISA servers are not members of a domain and that the ISA Configuration Storage Server is placed on a separate server in a whole different subnet. After some puzzling everything was working great, until we updated the environment to ISA 2006 SP1. The ISA server started complaining that the Intra-Array communication was broken (event id: 221225). The exact message:

For intra-array authentication when array members are in a workgroup, the intra-array account must be defined and enabled. Some features such as VPN, CARP, and reporting will not work unless the intra-array account is properly configured.

It did not take long to figure out what went wrong, but I find it worth mentioning in case someone else runs into the same situation. The problem was that the local accounts had different passwords, and since SP1 wasn’t asking for the Array member’s password anymore, it could not establish a connection. So setting the same password on the ISA CSS machine was all we had to do to fix the problem.

Rob Maas
Technical Challenger at ON2IT

If it is broken, fix it! If it ain’t broken, make it better!