
CSA Slow Boot to login

jschroer
Level 1

We have just started to notice with a new set of laptops that when we installed CSA ver. 4.0.3.720 or 4.0.3.728 it takes up to 30 seconds to get the log in screen. These systems are XP fully patched with SP2. I've also started to hear a few other people in our company complaining that it's taking a long time to boot up also, and they have XP with all the patches except for SP2. I'm thinking it's one of the patches that MS put out there, but I can't seem to narrow it down. Can anyone help me with this? Or is it normal for it to take 30 secs sitting at the loading Windows screen after you load CSA? Thanks


tsteger1
Level 8

It could be related to CSA and XP SP2 (or some other patch). We patch fully and have had this issue on some machines (were mostly laptops). Did you disable the ICF and WSC after SP2?

Check the Windows application event log for any messages like "CSA failed to load the rules within 30 seconds". Also look for timeout errors from these machines on the MC.

I had this happen on several laptops that have two NICs, XP SP2, McAfee VSE 8.0i and CSA 4.0.3-720 and have a couple of ideas.

Let me know...

Okay not to crazy but what is WSC? ICF is the firewall, right? Yes, the firewall is disabled. I did find that the browser service was stopping for no reason and found a MS KB article ID 889320, but I will have to contact MS to get the fix. I will have to see if this is happening on anyone else's machine. We just loaded XP, drivers and SP2 and tried it and we are not having any problems, so we are now adding all the extra little patches to see if that may cause a problem.

Sorry, WSC is Windows Security Center. Did you see any events in the event log or the MC?

We disable the Browser service because it's not necessary. Please post if you find a patch that is causing the problem. I tested 4.0.3-728 and the "CSA fails to load rule sets..." message went away.

Tom

mcvosi
Level 1

I've had this issue for a while now. I moved up to build 736 in hopes that it would correct the problem. No luck. I have an open case with TAC right now. Check in the client logs for something like this:

---

[Csamanager]: Event: The intelligent agent denied this request due to a timeout. If this message happens frequently, then it should be reported to technical support. This is most likely to happen on very heavily loaded systems, or systems which are under attack.

I am seeing an event ID 273 "Service CSAgent started although rules failed to load within 30 seconds"

Also, if I cancel the VPN client before log in and log in quickly, I get two errors in the system event log. One is ID 40961, source: lsasrv, Category: spnego (negotiator) and the second is ID 40960 with everything else the same.

Apparently the agent times out because it:

- doesn't have network connectivity

or

- can't resolve to the CSA MC yet

I had a TAC case open on this one too for a while (600804068).

We had a few machines (laptops mostly) that took too long to boot because of all the stuff we have loading and would time out to the MC.

My thoughts were that machines with multiple NICs and network shims were trying to accomplish the same things.

I was able to find a workable solution:

I disabled two of the three network shims (McAfee VSE 8 and XP SP2) on my laptop and updated to 728. The event ID 273 and MC timeout problems went away and my boot time decreased dramatically. My system is fully patched from MS.

It would also be nice to either let the agent load the last known good set of rules without resolving to the MC or be able to increase the timeout for machines that take longer to find it.

Tom

How do you disable network shims?

For CSA, create a kit without the shim.

For XP SP2, you disable the ICF service.

For McAfee VSE 8.0i, keep the TDI driver from loading.

I have specific registry settings for the last two if you are interested.

Tom

Doesn't CSA need that shim? I already have ICF disabled along with a million other services and we are running TrendMicro AV. I'll try to load CSA without the shim to see if that helps.

Yes, CSA needs the shim to enable the Network Shield but it may conflict with certain Firewall or VPN software. You could disable it for testing purposes and then make a decision.

Here is the help text from "Agent Kits" on the CSAMC:

CAUTION: In some circumstances, you may not want users to enable the network shim on their systems as part of the agent installation. For example, if users have VPN software or a personal firewall installed on their systems, the network shim's Portscan detection, SYN flood protection, and malformed packet detection capabilities are in conflict with VPNs and personal firewalls. To allow users to enable it, you would create kits as non-quiet installations. (Do not select the Quiet install checkbox.) This way, users are prompted to enable the network shim during the agent installation.

NOTE: Not enabling the network shim does not mean that Network Access Control rules won't work. It only means that the system hardening features (configured in the Network Shield rule page) mentioned in the previous paragraph are not enabled.

mcvosi
Level 1

A TAC engineer told me that this problem was fixed in version 4.5, which was just released today.

I'll be doing an upgrade this evening so I can get you a definitive answer maybe by tomorrow.

Hi,

one general note: on XP SP2 machines ICF Service is needed if you want to use Browser functionality!

I had a similar problem with Browser Service timing out and stopping.

I recommend not to disable ICF Service or set to manual. AFAIK during CSA installing the installer leaves ICF Service on automatic start and disables ICF protection on the particular interfaces for binding CSA on them. Maybe this information is applicable, too?

Up to now I did not have to disable WSC for troubleshooting reasons but maybe this day will come :)

Regards,

Arne

We turned the Computer Browser off because every machine does not need to keep a list of NetBIOS names. That's what AD, DNS, etc. is for. Unless you are doing peer-to-peer, it's a liability (and even then you need only one master browser).

We disabled WSC to hide it from users and ICF because of McAfee, not CSA. ICF and CSA seem to co-exist fine.

I turn off many services and disable them to increase performance and security. 2000 and XP came with a lot of unnecessary stuff on and enabled.

I may have to go back and turn them on some day but for now I think we have a more efficient setup.

Just my two cents...

Tom

Following up on this...

I did get 4.5 installed and it is a marked improvement over 4.0x. Currently, I'm in the process of migrating clients over to the new version and I'm impressed thus far. Boot times are much faster with 4.5.
