Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed

Most of the monitoring and logging functionality in ISA Server is provided in the Monitoring node of the Console tree, as shown in Figure 19.1.

Figure 19.1. Viewing the ISA Monitoring node.

This node is the jumping-off point for the individual ISA monitoring and logging activities, and includes tabs in the Details pane for activities such as setting alerts, generating reports, monitoring sessions and services, and logging traffic. Before delving into the capabilities of each of these tools, it is important to properly set up the ISA Server Monitoring environment, using a best practice approach.

Delegating ISA Monitoring Settings

In addition to the ISA Full Administrator role, ISA Server 2004 provides roles with distinct monitoring capabilities. These roles are as follows:

  • ISA Server Basic Monitoring: An ISA Server Basic Monitoring Admin has the ability to view existing dashboards and session information setup.

  • ISA Server Extended Monitoring: An ISA Server Extended Monitoring Administrator has all the rights of a Basic Monitoring Administrator, with the added capabilities to create alert definitions, custom dashboards, and other monitoring customizations.

If other staff need to administer the monitoring aspect of ISA Server, these roles must be delegated to individual users or, preferably, groups. To delegate control of ISA extended monitoring to a group, for example, follow these steps:

1. From the ISA Administration Console, right-click on the server name in the console tree and choose Administrative Delegation.

2. At the Welcome screen, click Next to continue.

3. Under the Delegate Control dialog box, click Add.

4. Enter the name of the group that will be used (or click Browse to locate it), such as COMPANYABC\AG-ISA-ExtendedMonitoring, choose ISA Server Extended Monitoring from the list of roles, as shown in Figure 19.2, and click OK.

Figure 19.2. Delegating ISA Server Monitoring rights.

5. Click Next to continue.

6. Click Finish, Apply, and OK.

Understanding the ISA Advanced Logging Service

ISA Server 2004 logging comprises three types of logs, as follows:

  • Firewall Logging

  • Web Proxy Logging

  • SMTP Message Screener Logging

Each one of these logging services is independently controlled and can be enabled and configured differently.

TIP

In general, it is best practice to configure ISA logs to reside on a separate logical drive from the operating system, but it is not required. There is no effective performance increase from having them on a separate physical drive.

The logs themselves can be stored in three unique formats, as shown in Figure 19.3 and listed as follows:

  • MSDE database: The Microsoft Data Engine (MSDE) format allows for SQL-type database functionality without SQL licensing or operations costs. Although MSDE has a 2GB limit for the database files, ISA creates new files as necessary for logging, and the entire sum of logs can be searched when logging and troubleshooting.

  • File: File-based logging saves the ISA logs to a W3C text-based format, which is often used when the ISA logs need to be parsed by third-party products.

  • SQL database: The SQL database option enables an ISA Server to log all the logging information to a SQL Server 2000 server in the organization.

Figure 19.3. Exploring ISA logging options.

For the most advanced logging, either the MSDE or the SQL database logging component must be configured properly.
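The File option above produces W3C-style text logs meant for parsing by other tools. The following is an added example, not code from the book or from ISA Server, showing how such a log can be parsed from its #Fields directive and summarized by denied source. It assumes tab-separated fields; the field names and sample rows are constructed for illustration.

```python
from collections import Counter

# Constructed sample of a tab-separated W3C-style log. Field names and
# values are illustrative assumptions, not output captured from ISA Server.
SAMPLE_LOG = "\n".join([
    "#Software: Example Firewall (constructed)",
    "#Version: 1.0",
    "#Fields: date\ttime\tsource\tdestination\taction\trule",
    "2005-03-01\t10:00:01\t10.0.0.5:1025\t192.0.2.10:80\tEstablish\tWeb Access",
    "2005-03-01\t10:00:02\t10.0.0.9:1031\t192.0.2.20:445\tDenied\tDefault rule",
    "2005-03-01\t10:00:03\t10.0.0.9:1032\t192.0.2.21:445\tDenied\tDefault rule",
    "2005-03-01\t10:00:04\t10.0.0.7:1040\t-\tDenied",  # short row, no rule
    "#Fields: date\ttime\taction\tsource",             # field list changes
    "2005-03-01\t10:05:00\tDenied\t10.0.0.5:1050",
])


def parse_w3c(text, delimiter="\t"):
    """Yield one dict per record, keyed by the most recent #Fields directive."""
    fields = None
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line.startswith("#"):
            # Only #Fields affects parsing; it may reappear mid-file, so the
            # column mapping is refreshed every time it is seen.
            name, _, value = line[1:].partition(":")
            if name.strip().lower() == "fields":
                fields = [f.strip() for f in value.strip().split(delimiter)]
            continue
        if fields is None:
            raise ValueError(f"line {line_no}: record before any #Fields directive")
        values = line.split(delimiter)
        # Pad short rows; "-" marks an empty value in W3C extended logs.
        values += ["-"] * (len(fields) - len(values))
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def denied_by_source(text):
    """Count denied records per source host, ignoring the source port."""
    counts = Counter()
    for rec in parse_w3c(text):
        if (rec.get("action") or "").lower() == "denied" and rec.get("source"):
            counts[rec["source"].rsplit(":", 1)[0]] += 1
    return counts


if __name__ == "__main__":
    for host, n in denied_by_source(SAMPLE_LOG).most_common():
        print(host, n)
```

Keying records by field name rather than column position keeps the summary correct when the set of logged fields is changed on the Fields tab.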

Installing the ISA Advanced Logging Service

If not already installed on an ISA Server (it is one of the default installation options), ISA Server 2004 advanced logging can be set up via the Add/Remove programs process on an ISA Server. Simply insert the ISA media and perform the following process:

1. Click Start, Control Panel, Add or Remove Programs.

2. From the list of installed programs, select Microsoft ISA Server 2004 and click Change/Remove.

3. Click Next at the welcome dialog box.

4. Select Modify from the dialog box shown in Figure 19.4 and click Next.

Figure 19.4. Adding the Advanced Logging component to ISA.

5. Under Firewall Services, drill down to Advanced Logging, left-click, and choose This Feature, and All Subfeatures, Will Be Installed on Local Hard Drive. Click Next to continue.

6. Click Install.

7. Click Finish when complete.

Configuring Firewall Logging

Firewall logging can be enabled and configured on the ISA Server through the Logging tab in the Details pane of the ISA Monitoring node. For example, the following step-by-step procedure configures ISA Firewall Logging to write up to 10GB of firewall logs to the D:\ drive and enables logging of all potential fields.

1. From the ISA Management Console, click on the Monitoring tab from the console tree.

2. Select the Logging tab in the Details pane.

3. Under the Tasks tab in the Tasks pane, click the link for Configure Firewall Logging.

4. Select MSDE Database and ensure that Enable Logging for This Service is checked. Click the Options button.

5. Under the location for the ISA logs, enter the folder path manually by selecting This Folder and entering the full path, as shown in Figure 19.5.

Figure 19.5. Configuring firewall policy logging options.

6. Under Log File Storage Limits, select to limit total size of log files to 10GB, and to maintain 512MB of free space. Click OK.

7. Select the Fields tab.

8. Click the Select All button.

9. Click OK, Apply, and OK to save the changes.

Configuring Web Proxy Logging

Web Proxy logging is very similar to Windows Firewall logging, but deals specifically with logging requests made from Web Proxy clients, whereas the firewall logs deal with SecureNAT clients. The same options exist for configuring Web Proxy logging, and the same basic procedure applies.

Configuring SMTP Screener Logging

The SMTP Screener Logging component is unique among the three logging types in that it cannot take advantage of SQL or MSDE logging. SMTP logging with ISA Server 2004 must be done in a text file format, such as W3C format. In addition, the number of fields available to log from, shown in Figure 19.6, is much smaller than the number from the Web Proxy or Firewall logging options.

Figure 19.6. Configuring SMTP Screener Logging components.
