Chapter 19. Monitoring and Troubleshooting an ISA Server 2004 Environment

IN THIS CHAPTER

  • Outlining the Importance of ISA Monitoring and Logging

  • Configuring ISA Logging and Monitoring

  • Logging ISA Traffic

  • Monitoring ISA from the ISA Console

  • Generating Reports with ISA Server

  • Monitoring ISA Server 2004 Health and Performance with Microsoft Operations Manager (MOM)

  • Summary

  • Best Practices

Some of the best security solutions suffer from the same problem. They offer great capabilities and functionality, but lack the tools administrators need to troubleshoot and monitor their environment.

Fortunately, the ISA development team took this into account and built in a series of robust and capable monitoring and logging tools. ISA logging, for example, provides live or archived views of network traffic that hits the ISA Server, enabling administrators to make intelligent troubleshooting decisions and to have access to all pertinent information, without requiring anyone to wade through long, complex, and hard-to-manage log files.

This chapter focuses on understanding the monitoring and troubleshooting capabilities of ISA Server. It details the ISA tools that are used to monitor a network environment and provides step-by-step guides on how to use them to troubleshoot. Specific information on using Microsoft Operations Manager (MOM) 2005 to monitor ISA Server 2004 is also presented and discussed.


Outlining the Importance of ISA Monitoring and Logging

Without a log of what is happening on an ISA Server, ISA's functionality is a real "black box," with no way to understand what is happening with the traffic, what type of errors may be occurring, or whether the server is overwhelmed or underpowered. It therefore becomes important to understand what types of tools and capabilities ISA possesses to enable the configuration to be modified as necessary and to help administrators adapt to evolving threats.

Logging for Governmental and Corporate Compliance

In addition to the troubleshooting capabilities inherent in the monitoring options in ISA Server 2004, logging access to protected resources can also help to establish an audit trail of who accessed which resources. Putting controls in place to secure and control access to network resources is also a central aspect of many governmental compliance rules that have come into the spotlight recently, such as Sarbanes-Oxley and HIPAA.

ISA provides accurate, manageable, and auditable logging, which enables organizations to create custom reports on specific types of network activity, in response to specific threats or as a result of requested audits. This type of functionality makes it ideally suited for modern business, which requires a strict record of activities.

Taking a Proactive Approach to Intrusion Attempts

In today's risky computing atmosphere, caution simply cannot be thrown to the wind. Organizations must be proactive in monitoring intrusion attempts, looking for activities such as port scans, authentication failures, and outright service-level attacks. If these types of activities are not proactively monitored and dealt with, they can turn into serious security issues. Fortunately, ISA Server 2004 allows for automatic detection of many forms of intrusion attempts, providing greater peace of mind.


Configuring ISA Logging and Monitoring

Most of the monitoring and logging functionality in ISA Server is provided in the Monitoring node of the Console tree, as shown in Figure 19.1.

Figure 19.1. Viewing the ISA Monitoring node.


This node is the jumping-off point for the individual ISA monitoring and logging activities, and includes tabs in the Details pane for activities such as setting alerts, generating reports, monitoring sessions and services, and logging traffic. Before delving into the capabilities of each of these tools, it is important to properly set up the ISA Server monitoring environment using a best-practice approach.

Delegating ISA Monitoring Settings

In addition to the ISA Full Administrator, ISA Server 2004 also provides two roles with distinct monitoring capabilities. These roles are as follows:

  • ISA Server Basic Monitoring An ISA Server Basic Monitoring Administrator has the ability to view existing dashboards and session information.

  • ISA Server Extended Monitoring An ISA Server Extended Monitoring Administrator has all the rights of a Basic Monitoring Administrator, with the added capabilities to create alert definitions, custom dashboards, and other monitoring customizations.

If administration of the monitoring aspect of ISA Server is required, then it becomes necessary to delegate these roles to individual users or, preferably, groups. To delegate control of ISA extended monitoring to a group, for example, follow these steps:

1. From the ISA Administration Console, right-click on the server name in the console tree and choose Administrative Delegation.

2. At the Welcome screen, click Next to continue.

3. Under the Delegate Control dialog box, click Add.

4. Enter the group name (or click Browse to locate it) that will be used, such as COMPANYABC\AG-ISA-ExtendedMonitoring, choose ISA Server Extended Monitoring from the list of roles, as shown in Figure 19.2, and click OK.

Figure 19.2. Delegating ISA Server Monitoring rights.

5. Click Next to continue.

6. Click Finish, Apply, and OK.

Understanding the ISA Advanced Logging Service

ISA Server 2004 logging comprises three distinct types of logs, as follows:

  • Firewall Logging

  • Web Proxy Logging

  • SMTP Message Screener Logging

Each one of these logging services is independently controlled and can be enabled and configured differently.

TIP

In general, it is best practice to configure ISA logs to reside on a separate logical drive from the operating system, but it is not required. There is no effective performance increase from having them on a separate physical drive.


The logs themselves can be stored in three unique formats, as shown in Figure 19.3 and listed as follows:

  • MSDE database The Microsoft Data Engine (MSDE) format allows for SQL-type database functionality without SQL licensing or operations costs. Although MSDE has a 2GB limit for the database files, ISA creates new files as necessary for logging, and the entire sum of logs can be searched when logging and troubleshooting.

  • File File-based logging saves the ISA logs to a W3C text-based format, which is often used when the ISA logs need to be parsed by third-party products.

  • SQL database The SQL database option enables an ISA Server to log all the logging information to a SQL Server 2000 server in the organization.

Figure 19.3. Exploring ISA logging options.


For the most advanced logging, either the MSDE or the SQL database logging component must be configured properly.
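The W3C text format described above is the one third-party tools parse, and the proactive monitoring section earlier in this chapter names port scans and authentication failures as the activities worth watching for. The following added example (not code from the book or from ISA Server) parses a constructed W3C-style firewall log, using the `#Fields:` directive to name the columns, and summarises which clients were denied on many distinct destination ports; the field names in the sample header are an assumption for illustration, not the exact names ISA writes.

```python
"""Parse a W3C extended-format firewall log and summarise denied traffic.
Added example, not from the book; the field names in the #Fields header
are assumed for illustration and the log records are constructed."""
from collections import defaultdict

# Constructed sample in W3C extended log format: directive lines start
# with '#', and '#Fields:' names the space-separated columns that follow.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2004
#Version: 2.0
#Fields: date time c-ip cs-protocol s-ip s-port action rule
2005-03-01 08:00:01 10.0.0.5 TCP 192.168.1.10 80 Allowed Web-Access
2005-03-01 08:00:02 10.0.0.5 TCP 192.168.1.10 443 Allowed Web-Access
2005-03-01 08:00:03 172.16.4.9 TCP 192.168.1.10 21 Denied Default-rule
2005-03-01 08:00:03 172.16.4.9 TCP 192.168.1.10 22 Denied Default-rule
2005-03-01 08:00:04 172.16.4.9 TCP 192.168.1.10 23 Denied Default-rule
2005-03-01 08:00:04 172.16.4.9 TCP 192.168.1.10 25 Denied Default-rule
2005-03-01 08:00:05 172.16.4.9 TCP 192.168.1.10 110 Denied Default-rule
2005-03-01 08:00:06 10.0.0.7 UDP 192.168.1.20 53 Allowed DNS-Access
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Version) carry no records
        if fields is None:
            raise ValueError("record before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))

def denied_port_summary(text, threshold=4):
    """Return {client_ip: sorted distinct denied ports} for clients whose
    denied connections touched at least `threshold` distinct ports."""
    ports = defaultdict(set)
    for rec in parse_w3c(text):
        if rec["action"] == "Denied":
            ports[rec["c-ip"]].add(int(rec["s-port"]))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= threshold}

if __name__ == "__main__":
    for ip, p in denied_port_summary(SAMPLE_LOG).items():
        print("%s: denied on %d distinct ports %s" % (ip, len(p), p))
```

Pointing `parse_w3c` at a real exported log file and adjusting the field names to match its `#Fields:` line gives the same per-client view of denied connections the Monitoring node shows interactively.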

Installing the ISA Advanced Logging Service

If not already installed on an ISA Server (it is one of the default installation options), ISA Server 2004 advanced logging can be set up via the Add or Remove Programs process on the ISA Server. Simply insert the ISA media and perform the following process:

1. Click Start, Control Panel, Add or Remove Programs.

2. From the list of installed programs, select Microsoft ISA Server 2004 and click Change/Remove.

3. Click Next at the welcome dialog box.

4. Select Modify from the dialog box shown in Figure 19.4 and click Next.

Figure 19.4. Adding the Advanced Logging component to ISA.

5. Under Firewall Services, drill down to Advanced Logging, left-click, and choose This Feature, and All Subfeatures, Will Be Installed on Local Hard Drive. Click Next to continue.

6. Click Install.

7. Click Finish when complete.

Configuring Firewall Logging

Firewall logging can be enabled and configured on the ISA Server through the Logging tab in the Details pane of the ISA Monitoring node. For example, the following step-by-step procedure enables ISA Firewall Logging to write up to 10GB of firewall logs to the D:\ drive, and enables logging of all available fields.

1. From the ISA Management Console, click on the Monitoring tab in the console tree.

2. Select the Logging tab in the Details pane.

3. Under the Tasks tab in the Tasks pane, click the link for Configure Firewall Logging.

4. Select MSDE Database and ensure that Enable Logging for This Service is checked. Click the Options button.

5. Under the location for the ISA logs, enter the folder path manually by selecting This Folder and entering the full path, as shown in Figure 19.5.

Figure 19.5. Configuring firewall policy logging options.

6. Under Log File Storage Limits, select to limit the total size of log files to 10GB, and to maintain 512MB of free space. Click OK.

7. Select the Fields tab.

8. Click the Select All button.

9. Click OK, Apply, and OK to save the changes.

Configuring Web Proxy Logging

Web Proxy logging is very similar to Windows Firewall logging, but deals specifically with logging requests made from Web Proxy clients, whereas the firewall logs deal with SecureNAT clients. The same options exist for configuring Web Proxy logging, and the same basic procedure applies.

Configuring SMTP Screener Logging

The SMTP Screener Logging component is unique among the three logging types in that it cannot take advantage of SQL or MSDE logging. SMTP logging with ISA Server 2004 must be done in a text file format, such as W3C format. In addition, the number of fields available to log from, shown in Figure 19.6, is much smaller than the number from the Web Proxy or Firewall logging options.

Figure 19.6. Configuring SMTP Screener Logging components.