Chapter 19. Monitoring and Troubleshooting an ISA Server 2004 Environment
IN THIS CHAPTER
Some of the best security solutions suffer from the same problem. They offer great capabilities and functionality, but lack the tools to assist administrators with troubleshooting and monitoring of their environment.
Fortunately, the ISA development team took this into account and built in a series of robust and capable monitoring and logging tools. ISA logging, for example, provides live or archived views of network traffic that hits the ISA Server, enabling administrators to make
This chapter focuses on understanding the monitoring and troubleshooting capabilities of ISA Server. It details the ISA tools that are used to monitor a network environment, and provides step-by-step guides on how to use them to troubleshoot. Specific information on using Microsoft Operations Manager (MOM) 2005 to monitor ISA Server 2004 is also presented and discussed.
Outlining the Importance of ISA Monitoring and Logging
Without a log of what is happening on an ISA Server, ISA's functionality is a real "black box," with no way to understand what is happening with the traffic, what type of errors may be occurring, or whether the server is overwhelmed or underpowered. It therefore becomes important to understand what types of tools and capabilities ISA possesses to enable the configuration to be modified as necessary and to help administrators adapt to evolving threats.
Logging for Governmental and Corporate Compliance
In addition to the troubleshooting capabilities inherent in the monitoring options in ISA Server 2004, logging access to protected resources can also help to establish an audit trail of who accessed which resources. Putting controls in place to secure and control access to network resources is also a central aspect of many governmental compliance rules that have come into the spotlight recently, such as Sarbanes-Oxley and HIPAA.
ISA provides for accurate, manageable, and auditable logging, which enables organizations to create custom
Taking a Proactive Approach to Intrusion Attempts
In today's risky computing atmosphere, caution simply cannot be thrown to the wind. Organizations that aren't proactive in monitoring intrusion attempts, looking for activities such as port
Configuring ISA Logging and Monitoring
Most of the monitoring and logging functionality in ISA Server is provided in the Monitoring node of the Console tree, as shown in Figure 19.1.
Figure 19.1. Viewing the ISA Monitoring node.
This node is the jumping-off point for the individual ISA monitoring and logging activities, and includes tabs in the Details pane for activities such as setting alerts, generating
Delegating ISA Monitoring Settings
In addition to the ISA Full Administrator role, ISA Server 2004 also provides dedicated roles with their own monitoring capabilities. These roles are as
If administration of the monitoring aspect of ISA Server is required, then it becomes necessary to delegate these roles to individual users or, preferably, groups. To delegate control of ISA extended monitoring to a
Understanding the ISA Advanced Logging Service
ISA Server 2004 logging consists of three distinct types of log, as follows:
Each one of these logging services is independently controlled and can be enabled and configured differently.
In general, it is best practice to configure ISA logs to reside on a separate logical drive from the operating system, but it is not required. There is no effective performance increase from having them on a separate physical drive.
Figure 19.3. Exploring ISA logging options.
For the most advanced logging, either the MSDE or the SQL database logging component must be configured properly.
Installing the ISA Advanced Logging Service
If not already installed on an ISA Server (it is one of the default installation options), ISA Server 2004 advanced logging can be set up via the Add/Remove Programs process on an ISA Server. Simply insert the ISA media and perform the following process:
Configuring Firewall Logging
Firewall logging can be enabled and configured on the ISA Server through the Logging tab in the Details pane of the ISA Monitoring node. For example, the following step-by-step procedure enables ISA Firewall Logging to write up to 10GB of firewall logs to the D:\ drive, and to log all available fields.
Configuring Web Proxy Logging
Web Proxy logging is very similar to Windows Firewall logging, but deals
Configuring SMTP Screener Logging
The SMTP Screener Logging component is unique among the three logging types in that it cannot take advantage of SQL or MSDE logging. SMTP logging with ISA Server 2004 must be done in a text file format, such as W3C format. In addition, the number of fields available for logging, shown in Figure 19.6, is much smaller than the number available for the Web Proxy or Firewall logging options.
Figure 19.6. Configuring SMTP Screener Logging.
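Because the SMTP Screener log (and the other two logs, when text logging is chosen) is written as a W3C-format text file, it can be read offline by any tool, which is useful for the audit-trail and intrusion-monitoring goals described earlier in the chapter. The following is an added example, not code from the book or from ISA Server: a minimal reader for the W3C Extended Log Format that takes its field names from the file's own "#Fields:" directive, then counts denied requests per client address over a constructed sample log (the sample records and field names are invented for illustration, not ISA's actual field set).

```python
from collections import Counter

# Constructed sample of a W3C Extended Log Format file, the text format ISA
# Server 2004 uses for SMTP Screener logs. The field names are illustrative:
# the parser reads whatever names the "#Fields:" directive declares.
SAMPLE_LOG = """\
#Software: (constructed sample)
#Date: 2005-03-01 00:00:00
#Fields: date time c-ip cs-uri cs-method sc-status
2005-03-01 08:00:01 192.0.2.10 http://intranet/ GET 200
2005-03-01 08:00:05 192.0.2.10 http://intranet/secret GET 403
2005-03-01 08:00:09 192.0.2.10 http://intranet/admin GET 403
2005-03-01 08:00:12 192.0.2.25 http://intranet/ GET 200
2005-03-01 08:00:30 192.0.2.10 http://intranet/backup GET 403
2005-03-01 08:00:40 192.0.2.25 - - 200
"""

def parse_w3c(text):
    """Yield one dict per record. Lines starting with '#' are directives; the
    format allows '#Fields:' to be re-emitted mid-file, so the field names are
    re-read each time. A bare '-' marks an empty field and becomes None."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("record before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}

def denied_per_client(records, denied_statuses=("403",)):
    """Count denied requests per client address (c-ip), using sc-status."""
    counts = Counter()
    for rec in records:
        if rec.get("sc-status") in denied_statuses:
            counts[rec["c-ip"]] += 1
    return counts

def flag_clients(text, threshold=3):
    """Return client addresses with at least `threshold` denied requests."""
    counts = denied_per_client(parse_w3c(text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

Pointing `parse_w3c` at a real log file's contents works the same way, since the field names are taken from the file rather than hard-coded; only the status and client-address field names used by `denied_per_client` need to match the fields ISA actually writes.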