Logging ISA Traffic

One of the most powerful troubleshooting tools at the disposal of ISA Administrators is the logging mechanism, which gives live or archived views of the logs on an ISA Server, and allows for quick and easy searching and indexing of ISA Server log information, including every packet of data that hits the ISA server.


Many of the advanced features of ISA Logging are available only when MSDE or SQL databases are used for the storage of the logs.

Examining ISA Logs

The ISA logs are accessible via the Logging tab in the Details pane of the Monitoring node, as shown in Figure 19.7. They enable administrators to watch, in real time, what is happening to the ISA server, whether it is denying connections, and what rule is being applied for each Allow or Deny statement.

Figure 19.7. Examining ISA Logging

The logs include pertinent information on each packet of data, including the following key characteristics:

  • Log Time The exact time the packet was processed.

  • Destination IP The packet's destination IP address.

  • Destination Port The destination TCP/IP port, such as Port 80 for HTTP traffic.

  • Protocol The specific protocol that the packet utilized, such as HTTP, LDAP, RPC, or others.

  • Action What type of action the ISA Server took on the traffic, such as initiating the connection or denying it.

  • Rule Which particular firewall policy rule applied to the traffic.

  • Client IP The IP address of the client that sent the packet.

  • Client Username The username of the requesting client. Note that this is populated only if the Firewall Client is being used.

  • Source Network The source network from which the packet came.

  • Destination Network The network where the destination of the packet is located.

  • HTTP Method If it is HTTP traffic, this column displays the type of HTTP method utilized, such as GET or POST.

  • URL If HTTP is used, this column displays the exact URL that was requested.

Searching through the logs for specific criteria identified in these columns, such as all packets sent by a specific IP address, or all URLs that match http://mail.companyabc.com, simplifies advanced troubleshooting and monitoring.

Customizing Logging Filters

What is displayed in the Details pane of the Logging tab is a reflection of only those logs that match certain criteria in the log filter. It is highly useful to use the filter to weed out the extraneous log entries that just distract from the specific monitoring task. For example, on many networks, an abundance of NetBIOS broadcast traffic makes it difficult to read the logs. For this reason, a specific filter can be created to show only traffic that is not NetBIOS traffic. To set up this particular type of rule, do the following:


From the ISA Administration Console, click on the Monitoring node from the console tree and select the Logging tab in the Details pane.


From the Tasks tab in the Tasks pane, click the link for Edit Filter.


In the Edit Filter dialog box, change the Filter By, Condition, and Value fields to display Protocol, Not Equal, NetBios Datagram, and click Add to List.


Repeat for the NetBios Name Service and the NetBios Session values, so that the dialog box looks like the one displayed in Figure 19.8.

Figure 19.8. Creating a custom logging filter.


Click Start Query.


It cannot be stressed enough that this logging mechanism is quite literally the best tool for troubleshooting ISA access. For example, it can be used to tell whether traffic from clients is even hitting the ISA Server, and if it is, what is happening to it (denied, accepted, and so on).

    Microsoft Internet Security and Acceleration ISA Server 2004 Unleashed
    Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed
    ISBN: 067232718X
    EAN: 2147483647
    Year: 2005
    Pages: 216
    Authors: Michael Noel

    Similar book on Amazon

    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net