After ISA is deployed, the important job of administering and maintaining the environment begins. Fortunately, ISA Server 2004 provides powerful yet easy-to-use tools to assist administrators in these tasks. The ease of use of these tools can obscure the impressive functionality that they provide, but the straightforward approach that Microsoft took when designing them makes an ISA Server environment easier to administer and maintain.
Taking Advantage of Improvements in ISA Management Tools
The ISA Server Management Console, shown in Figure 1.6, provides straightforward wizards to assist with complex tasks, and puts all of ISA's functionality at the fingertips of an administrator. Configuration, reporting, logging, monitoring, and securing can all be done from the centralized console, simplifying the management experience and making it less likely that configuration mistakes will result in security breaches.
Figure 1.6. Using the ISA Server Administrator Console.
The ISA Console also includes several built-in wizards and templates that enable an administrator to perform common functions and procedures, such as publishing a mail server, creating access rules, defining networks, and the like. For example, the New Network Wizard allows the creation of additional networks and their associated network rules quickly, easily, and securely. After the networks are created, the network rules and policies can then be modified to suit the needs of the organization. This offers administrators the best of both worlds, with the simplicity of a wizard combined with the power of a customizable toolbox.
For more information on administering ISA Server 2004, see Chapter 16, "Administering an ISA Server 2004 Environment."
Backing Up and Restoring ISA Server Environments
Backing up and restoring Windows environments has often been a complex and cumbersome process. Fortunately, ISA Server 2004 has learned a lesson from many of its firewall peers and includes an incredibly simple method of backing up the firewall configuration to an XML (essentially text) file that can then be re-imported on other ISA Servers or saved for restoration purposes. In addition to the capability to back up the entire configuration to this file, individual ISA elements such as firewall rules can be backed up to individual files, allowing one-by-one restores of ISA elements. This flexibility allows for reduced restoration times and ease of recoverability of whole servers or individual elements.
For more information on backing up and restoring ISA Server 2004 environments, see Chapter 18, "Backing up, Restoring, and Recovering an ISA Server 2004 Environment."
Maintaining an ISA Server Environment
The "care and feeding" of an ISA Server environment that has been put into place is a key component to an ISA Server deployment plan. Although ISA is typically low maintenance, there are still several important procedures and proactive steps that should be followed to keep ISA running smoothly. Chapter 17, "Maintaining ISA Server 2004," covers many of these procedures, and includes the types of daily, weekly, monthly, and quarterly tasks that should be performed to keep ISA in top shape. In addition, the concept of updating ISA with OS and other patches is covered in this chapter.
Monitoring and Logging Access
Deployed out of the box, ISA includes a robust logging mechanism that can be configured to use a SQL-style MSDE database for logging purposes. These logs can be easily queried, and powerful reports, such as the one shown in Figure 1.7, can be generated to provide administrators with a detailed analysis of the type of traffic sent across ISA servers.
Figure 1.7. Viewing an ISA Server 2004 report.
The MSDE database, installed as an option with ISA Server 2004, is configured to allow only local access from a user logged in to the console. This prevents attacks such as SQL Slammer, which take advantage of a SQL or MSDE server with open ports to the network.
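The local-only restriction described above can be checked on the firewall itself. The following is an added example, not code from the book or from Microsoft: it parses the output of netstat -ano and reports any SQL Server or MSDE socket bound to a non-loopback address. The sample output, PID 1840, and the function names are constructed for illustration, and TCP 1433 and UDP 1434 are the well-known SQL Server default ports rather than values given on this page.

```python
import ipaddress

# Well-known SQL Server/MSDE defaults (assumption: an instance may instead use
# a dynamic TCP port, so listeners are also matched by owning PID).
SQL_PORTS = {("TCP", 1433), ("UDP", 1434)}

# Constructed sample of `netstat -ano` output; PID 1840 stands in for sqlservr.exe.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       1840
  TCP    0.0.0.0:2301           0.0.0.0:0              LISTENING       1840
  TCP    10.0.0.5:3389          10.0.0.9:4021          ESTABLISHED     1100
  UDP    0.0.0.0:1434           *:*                                    1840
  UDP    127.0.0.1:123          *:*                                    1032
"""


def parse_listeners(netstat_text):
    """Yield (proto, ip, port, pid) for listening TCP and bound UDP sockets."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or unrelated text
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue  # established or closing connections are not listeners
        host, _, port = f[1].rpartition(":")
        yield f[0], host.strip("[]"), int(port), int(f[-1])


def exposed_sql_listeners(netstat_text, sql_pids=()):
    """Return SQL/MSDE sockets reachable from outside the loopback interface."""
    findings = []
    for proto, host, port, pid in parse_listeners(netstat_text):
        is_sql = (proto, port) in SQL_PORTS or pid in sql_pids
        if is_sql and not ipaddress.ip_address(host).is_loopback:
            findings.append((proto, host, port, pid))
    return findings


if __name__ == "__main__":
    for finding in exposed_sql_listeners(SAMPLE, sql_pids={1840}):
        print("network-reachable SQL listener: %s %s:%d (PID %d)" % finding)
```

An empty result is what the local-only configuration should produce; passing the database engine's PID catches an instance listening on a port other than the defaults.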
It is critical to proactively respond to ISA Alerts, intrusion attempts, and performance data generated by ISA Servers; therefore, it may be prudent in certain cases to deploy a means of gathering ISA logging and performance data in a centralized location and automatically alerting on this information. Chapter 19 covers the use of the ISA Server 2004 Management Pack for Microsoft Operations Manager (MOM), which allows for proactive management, monitoring, and troubleshooting of an ISA environment.