Share via


Monitoring, Logging, and Reporting Features in ISA Server 2006

Microsoft® Internet Security and Acceleration (ISA) Server 2006 provides a range of monitoring tools to help you track network status, create alerts to keep you up-to-date on firewall behavior, configure and view logs to track ISA Server activity, and create reports to customize and summarize log information. These features make it easier to ensure that your network is running as expected, to stay aware of attempted intrusions, to track network usage, and to begin troubleshooting where necessary.

The following table summarizes the key monitoring features that appear in the details pane of the Monitoring node in ISA Server Management.

Feature Details

Dashboard

The Dashboard summarizes information from the various monitoring tabs and ISA Server performance counters to provide a quick view of system functioning.

Alerts

The Alerts tab provides a list of alerts that have been triggered. Alerts are triggered when specific events occur. You can reset alerts to remove them from the Alerts tab, or indicate that you are handling alerts by acknowledging them, thus changing their status on the Alerts tab, and removing them from the Dashboard display.

Sessions

The Sessions tab lists all active sessions. You can sort or disconnect individual or groups of sessions. You can filter the entries in the session's interface to focus on the sessions of interest.

Services

The Services tab provides the status of ISA Server services. You can stop and start the Microsoft Firewall service, the Microsoft ISA Server Job Scheduler service, and the Microsoft Data Engine service.

Configuration (Enterprise Edition)

The Configuration tab allows you to validate that all arrays have been updated with the latest configuration information from the Configuration Storage server.

Reports

The Reports tab displays reports that have been created or are in the process of being created. You can use the reporting features to summarize and analyze usage patterns, and to monitor network security. You can manage existing reports, create scheduled report jobs, create one-time reports, and customize report information.

Connectivity Verifiers

The Connectivity Verifiers tab displays all the configured connectivity verifiers. Configure connectivity verifiers to check connections to a specific computer name, IP address, or Uniform Resource Locator (URL). Use the following methods to determine connectivity: Ping, Transmission Control Protocol (TCP) connect to a port, or Hypertext Transfer Protocol (HTTP) GET.

Logging

The Logging tab displays Firewall logs and Web Proxy logs in real time. You can query the log files using the built-in log query facility.

System Performance

The Dashboard provides a System Performance section showing the status of two of the main performance counters for ISA Server:

  • Allowed packets per second
  • Dropped packets per second

Dashboard

  • The Dashboard view summarizes monitoring information about sessions, alerts, services, reports, connectivity, and general system health. The Dashboard is divided into a number of sections, providing a summary of each of the monitoring tabs, and system performance.

The Dashboard is useful to quickly identify critical issues related to ISA Server. You can use it daily to verify the status of critical servers and services. For example, you can use the Dashboard to check that the ISA Server services are available and that servers are connected. After you check the operating status, you can review any alerts, to check if any attacks have been thwarted—or if any specific problem requires your immediate attention. Each Dashboard section contains an icon. A yellow warning icon or red error icon indicates that you may want to check settings and behavior. A green icon indicates that everything is functioning as expected. You can tailor the columns for each section that appears in the Dashboard, or navigate from section titles to the relevant monitoring tab.

Alerts

ISA Server events are generated by ISA Server services when particular run-time conditions occur. The alert service of ISA Server 2006 acts as a dispatcher and event filter. It notifies you when specified events occur by triggering an alert for the event. Some events have additional conditions. In this case, both the event and the additional condition must occur before the alert is triggered.

ISA Server provides a number of predefined alerts for every type of event defined by ISA Server. The predefined alert definitions are summarized in Appendix A: Alert Definitions.

Configuring Alert Definitions

You can customize alert definitions by enabling or disabling alerts, edit existing alerts, and create new alert definitions.

During Setup, alerts are preconfigured for all events, but you may want to define additional alerts. For example, consider the preconfigured alert definition for the Network configuration changed event. As the network administrator, you might want to refine this general alert, creating two unique alert definitions:

  • An alert definition for when a network is disabled.
  • An alert definition for when a network is enabled.

The alert definition for the former would trigger an action to run a batch file to disconnect the computer from a load balancing cluster each time a network becomes disabled. The alert definition for the latter might be to send you an e-mail message.

Alerts with specific events take precedence over less-specific events. For example, suppose you have two alerts configured, one for Any network configuration change and the other for Network connected. When a network is connected, the alert actions for the latter will be performed.

You create an alert definition using the New Alert Configuration Wizard. The following table summarizes the alert properties you specify in the wizard.

Property Details

Alert name

Specify a unique name for the alert.

Events and Conditions

Specify an event that will trigger the alert. Some events allow you to specify an additional condition that must occur to trigger the alert. If an event and additional condition are configured, both must occur to trigger the alert.

Category and Severity

Select a category for the alert, as follows:

  • Security
  • Cache
  • Routing
  • Firewall service
  • Network Load Balancing
  • Other

Select the severity of the alert:

  • Error
  • Warning
  • Information

Actions

Specify the actions to be taken when the event is triggered.

Configuring Alert Actions

You can define alerts to perform one or more of the following actions when triggered:

  • Send an e-mail message.
  • Run a specific action.
  • Log the event in the Windows event log.
  • Stop or start the Microsoft Firewall service or Scheduled Content Download service.

Alert action for sending an e-mail message

You specify the following settings when configuring an alert to send an e-mail message when it is triggered:

  • Name of the SMTP server. Note the following:
  • If you specify an SMTP server located on the Internal network, you must enable the system policy rule to allow this traffic. To do this, in the Remote Monitoring configuration group of the System Policy Editor, select SMTP, and then click Enable. This enables the "Allow SMTP protocol from firewall to trusted servers" system policy rule.
  • If you specify an SMTP server located on the External network, you must create an access rule that allows the Local Host network to access the External network (or the network on which the SMTP server is located), using SMTP.
  • E-mail address of sender.
  • E-mail addresses of recipients.

Alert action for running a program

You can specify the following settings when configuring an alert to run a program when it is triggered:

  • Path location of the program.
  • Parameters required for running the program.
  • Credentials for running the program.

Note the following:

  • Use the Local Security Policy to configure user privileges.
  • If you specify an alert to run a program, the program path specified must exist on the ISA Server computer, and we recommend that you use an environment variable (such as %SystemDrive%) within the path name.
  • Be sure that the specified user has Logon as batch job privileges.
  • When the alert action is to execute a command, the path specified for the command action must exist on the ISA Server computer. We recommend that you use environment variables (such as %SystemDrive%) within the path name.
  • Do not specify an interactive program that requires user input.

The new alert will appear in the list of alert definitions.

Configuring actions for Alert Action Failure alert

Although the Alert Action Failure alert can be configured, we recommend that you do not edit properties for this alert. If the action for this alert fails, the failure is not registered anywhere, and troubleshooting will be difficult.

If you encounter this alert, check the event log for action failures. Check the event message associated with the failure, and the previous events issued before the action failure event. They may provide additional information about which action failed.

Configuring Alert Thresholds

After initial configuration of the new alert using the wizard, you can further refine settings in the property page of the alert. The following table summarizes the additional settings that can be configured on the property page of the alert.

Property Details

Number of occurrences

Specify how many times in total the event should occur before the alert is triggered.

Number of events per second

Specify how many times the event will occur per second before the alert is triggered.

If you specify a value in the number of occurrences and the number of events per second, both limits must be reached before the alert is reissued.

Immediately

Specify that the alert is triggered immediately each time the threshold is reached.

Only if the alert was manually reset

Specify that the alert is triggered again each time the threshold is reached only if it is manually reset.

If number of minutes since last execution is more than

Specify that the alert is triggered again each time the threshold is reached if it was last triggered before a specified number of minutes. Then specify the number of minutes.

Monitoring Alerts

All triggered alerts are displayed on the Alerts tab. The display shows the alert name, the time it occurred, the status, and the alert category: information, warning, and error. Information about each alert also appears in the Windows event log. You can perform the following tasks on alerts displayed in the tab:

  • Set the refresh rate to specify an automatic refresh rate for alerts.
  • Reset selected alerts. Resetting an alert effectively removes it from the Alerts tab.
  • Acknowledge selected alerts. You can indicate that you are handling a specific event, or a group of events, by acknowledging the alerts. When you mark an alert (or group of alerts) as acknowledged, the status for those events is changed on the Alerts tab, and the alerts are no longer displayed on the Dashboard.

When the Microsoft ISA Server Control service (isactrl) is restarted or the ISA Server computer restarts, all alerts are automatically reset.

Predefined Trigger Limits

There are some events for which alerts are only triggered once a second, regardless of other settings. The following table summarizes these events.

Event Condition

Connection limit exceeded

Any

Intrusion detected

Windows out-of-band attack

Intrusion detected

IP half scan attack

Intrusion detected

Land attack

Intrusion detected

UDP bomb attack

Intrusion detected

Ping of death attack

Intrusion detected

All port scan attack

Intrusion detected

Well-known port scan attack

Invalid DHCP offer

Any

IP spoofing

Any

Oversized UDP packet

Any

Sessions

The Sessions tab allows you to monitor active connections, where a session is the unique combination of a client's IP address and user name. The following information is displayed on the Sessions tab:

  • Activation. Date and time the session began.
  • Server name. The name of the ISA Server firewall.
  • Session type. You can monitor connections from the following ISA Server clients: Firewall client, SecureNAT, virtual private network (VPN) client, VPN site-to-site, and Web Proxy.
  • Client IP. The source IP address of the client.
  • Source network. The network from which the session originated.
  • Client user name. The client authenticated by ISA Server when authentication is required.
  • Client host name. For Firewall clients.
  • Application name. For Firewall clients. This field is not displayed by default.

Note the following:

  • ISA Server 2006 does not separate session counters for all clients. Note the following:
  • Web Proxy client sessions have a corresponding SecureNAT session. There is one SecureNAT session for all Web Proxy client sessions from a particular computer.
  • Firewall clients have a corresponding SecureNAT session. For a computer with Firewall Client installed, there will be a SecureNAT session, as well as a Firewall client session, for that computer.
  • If a computer has both Web Proxy and Firewall client sessions, there will be only one SecureNAT session for it, because it is defined per computer.
  • A connection between two computers through the firewall can only belong to one session. This design affects how server publishing rule connections are displayed in the sessions list. A session is shown between the published server and the ISA Server computer. Client connections to this published server are associated with the session between the published server and ISA Server, and do not show as separate sessions.
  • When ISA Server does not require authentication, all traffic from the same IP address is considered to be a single session. For example, if a Web browser opens more than one TCP connection to the same IP address, ISA Server considers the connections to be a single session.
  • Web Proxy client sessions indicate the last minute of Web browser activity, even if the client is not currently browsing.
  • When IP routing is disabled, traffic from users and IP addresses is listed on the Sessions tab. When IP routing is enabled, only sessions from traffic that passes using an application filter are listed.

A summary of the sessions for each client type, and the total sessions, is displayed on the Dashboard.

Configuring Sessions

You can filter session information, and then save the resultant query for future use. You can also pause and stop session monitoring, and disconnect sessions.

Filtering Sessions

ISA Server provides session filtering. For example, if a client reports problems connecting, you can filter the information on the Sessions tab to display only sessions initiated by that client. The Sessions tab displays only data for sessions that match all the expressions included in the filter. The filter expressions are combined using the logical AND operator.

To filter a session, you select a Filter by field from one of the column values displayed on the Sessions tab, and then you select a condition from one of the conditions available for the field. Then select a value. For some fields, predefined values may be available, or you can type a value. Some fields and conditions do not have values associated with them.

After you define a filter and run a query with it, you can save it for future use. It is often useful to have a set of queries, with each query used to focus on a different session type. Queries are saved as .xml files.

Pausing and Stopping Session Monitoring

You can stop session monitoring, essentially clearing the Sessions tab in ISA Server Management. When you stop session monitoring, ISA Server loses all information about any sessions that have been monitored. When you restart session monitoring, ISA Server must collect all information about active sessions.

Alternatively, you can pause monitoring. In this case, sessions displayed on the Sessions tab are not removed. However, new sessions are not added to the tab. When you resume session monitoring, ISA Server updates the Sessions tab with the relevant, new session information.

Disconnecting Sessions

The Sessions tab provides a visual indication of any potentially malicious or unwanted session activity. On the Sessions tab, you can stop the unwanted session immediately. When you stop a session, all associated connections are also closed.

Note that stopping sessions will not prevent a client from reactivating the session. Instead, you must change the firewall policy configuration, creating a rule that specifically denies access to the unwanted clients.

Services

The Services tab shows the names, status, and server uptime of a number of services running on the ISA Server firewall. Not all services are displayed and managed from this tab. Other services can be managed in Computer Management, or from a command prompt. The following table summarizes the services.

Service name Alternate name Managed by ISA Server Management Managed by Computer Management

Microsoft Firewall

fwsrv

Yes

Yes

Microsoft ISA Server Job Scheduler

W3Prefch

Yes

Yes

Routing and Remote Access

RemoteAccess

Yes

Yes

Network Load Balancing

NLBS

Yes

Yes

Microsoft Data Engine

MSSQL$MSFW

Yes

Yes (as MSSQL$MSFW)

Microsoft ISA Server Control

mspadmin

No

Yes

Microsoft ISA Server Storage

isastg

No

Yes

ISASTGCTRL

ISASTGCTRL

No

Yes

Firewall engine

fweng

No

No

Note the following when starting and stopping services on the Services tab:

  • When you stop the Microsoft Firewall service (fwsrv), the information in the cache is not deleted. However, when you restart the service, several seconds may pass before the cache is fully enabled and functional. If the service failed, ISA Server will restore the information in the cache. This will take some time, and performance may not be optimal until the cache is eventually restored.
  • If the Microsoft ISA Server Job Scheduler service is stopped, you cannot run scheduled content download jobs.
  • If you configure logging to use MSDE logging, when you stop the Microsoft Data Engine service, the Routing and Remote Access and Firewall services are also stopped.
  • In Enterprise Edition, when integrated NLB is enabled in ISA Server Management, you can stop, start, suspend, resume, or drain-and-stop the NLB service for each server in the array.
  • When VPN client access is enabled or when you create a site-to-site network to represent a remote VPN site, the Routing and Remote Access service is displayed.

Configuration

Use the Configuration tab to monitor the configuration version on each array member. It shows the server and the Configuration Storage server it is connected to, the connection status, and when it was last updated.

Connectivity Verifiers

You can verify connectivity by regularly monitoring connections from the ISA Server computer to any specific computer or URL on any network. The following table summarizes the available connectivity methods.

Connectivity method Details Usage

PING

When you configure this method, ISA Server sends a Ping request (ICMP ECHO_REQUEST) to the specified server, and waits for an ICMP ECHO_REPLY.

Use this method to verify that a server is running and can be reached by ISA Server.

TCP connect

When you configure this method, ISA Server tries to establish a TCP connection to a specific port on the specified server.

Use this method to verify that a specific service is running on the server and can be reached by ISA Server.

HTTP request

When you configure this method, ISA Server sends an HTTP GET request and waits for the reply.

Use this method to verify that a Web server is running and can be reached by ISA Server.

To use one of these methods to monitor connectivity to a server, you create and configure a connectivity verifier, and place it in one of the following predefined groups: Active Directory, DHCP, DNS, Published Servers, Web (Internet), and Others. For example, suppose you publish servers running FTP, Microsoft SQL Server™, and Microsoft Exchange Server. You can create a connectivity verifier for each server, and group them all in the Published Servers group. In another scenario, you might want to validate that ISA Server has connectivity to Web sites on the External network. To do this, you might define HTTP connectivity verifiers for each Web site that you want to verify, and group them in the Web (Internet) group.

Connectivity is verified by default every 30 seconds. You can change this interval, by using the Refresh rate script, described in "Setting the Refresh Rate for Connectivity Verifiers" at the Microsoft TechNet Web site. In Enterprise Edition, the refresh rate applies to all connectivity verifiers, on all array members.

Configuring Connectivity Verifiers

Connectivity verifiers are created using the New Connectivity Verifier Wizard. The settings you specify in the wizard are summarized in the following table.

Property Details

Welcome page

Specify a unique name for the connectivity verifier.

Connectivity Verification Details page

Specify the following settings:

  • The name, IP address, or URL of the server for which you want to verify the connection. Or browse to locate the server.
  • The group in which you want to categorize the new connectivity verifier.
  • The verification method you want to use to connect to the specified server. For example, if you select the Web (Internet) group, select to use the HTTP GET request. To verify that a specific application or service is running on the server, select from the predefined application list and predefined port number for the application, or select a custom port.

Note that if you select Send an HTTP "GET" request, a dialog box appears, informing you that a rule allowing HTTP or HTTPS to the specified destination must be configured. You can select to enable a default system policy rule: "Allow HTTP/HTTPS request from ISA Server to the selected servers for connectivity verifiers."

After running the New Connectivity Verifier Wizard, you can configure additional properties on the connectivity verifier properties, as follows:

  • Enable or disable the connectivity verifier.
  • Specify a time-out response threshold, which by default is 5,000 milliseconds. This setting specifies a time limit for the specified server to respond. By default, an alert will be triggered if the server does not response within the allocated limit.

Server Farm Connectivity Verifiers

When you create a server farm, you specify a connection method to be used when checking the connectivity status for the servers in the farm. After creating the server farm, a connectivity verifier is automatically created for the farm and appears on the Connectivity Verifiers tab. You can edit the connection method in the properties for the server farm, or from the Connectivity Verifiers tab. You cannot create or delete a connectivity verifier for a server farm directly from the Connectivity Verifiers tab.

Analyzing HTTP GET Responses

When you configure a connectivity verifier method to send an HTTP GET request, the monitored server is expected to return an HTTP response. Depending on the response, ISA Server will mark the connectivity verifier status, as detailed in the following table.

HTTP response from monitored server Connectivity verifier status

1xx, 2xx, or 3xx

OK. This is the response time in milliseconds.

401 (Web server authentication required)

OK. This is not considered an error, because the Web server returned the message.

407 (proxy authentication required)

Error (Microsoft Windows Server® 2003). This is considered an error because connectivity to the actual Web server cannot be determined.

407 (proxy authentication required)

Authentication required (Windows® 2000 Server).

4xx (except 401 and 407) or 5xx

Error.

Request timed out

Time-out.

The server name could not be resolved

Unresolved name.

ISA Server is down

Unable to verify. The Microsoft Firewall service is unavailable.

Logging

By default, ISA Server logs all information for monitoring and analyzing the status of the following components:

  • Web Proxy logs. ISA Server logs requests handled by Web Proxy Filter.
  • Microsoft Firewall service logs. ISA Server logs traffic handled by the Microsoft Firewall service.

Each component has a separate log, and you can customize the log fields. For a complete list of log fields, see "ISA Server 2006 Logging Fields and Values" at the Microsoft TechNet Web site.

Logging Formats

Log information can be stored in one of the following formats:

  • Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) database.
  • SQL database
  • Text file

The following table compares the logging formats, which are detailed in the following sections.

Format Features

File

Sequential logging to a text file has the following features:

  • Provides the best performance of all logging methods.
  • Logging is local, with no network bandwidth consumption.
  • Log size is limited to 2 gigabytes (GB).
  • Log maintenance feature enforces log size and cleans out log, as appropriate.
  • Log failure stops the Firewall service.
  • You can filter and view logs in real time (online). Filtering and viewing of historical data (offline) is not supported.
  • File logging performs approximately two disk accesses for 10 megabits.
  • In Enterprise Edition, there is a central log for all array members.

MSDE

Logging to a local MSDE database provides the following features:

  • Provides good performance.
  • Logging is local, with no network bandwidth consumption.
  • Log size is limited to 1.5 GB
  • Log maintenance feature enforces log size and cleans out log, as appropriate.
  • Log failure stops the Firewall service.
  • Runs on the ISA Server computer.
  • An MSDE instance can only be accessed locally.
  • You can filter and view logs in real time (online) or for historical data (offline).
  • Consumes more disk resources than text file logging. MSDE logging performs approximately two disk accesses for every megabit.
  • In Enterprise Edition, there is a central log for all array members.

SQL

Logging to a remote SQL database provides the following features:

  • Because logging is to a remote server, sufficient network bandwidth is required, preferably 1 GB connectivity between ISA Server and computers running SQL Server to accommodate the capacity of the log traffic. Network connections must utilize Internet Protocol security (IPsec) to secure the log records sent to the remote SQL database.
  • With sufficient hardware, performance will be better than MSDE logging.
  • No limit to log size. This is configured by the user, based on retention and maintenance policy.
  • The database administrator is responsible for log maintenance.
  • Log failure stops the Firewall service.
  • Account used for logging must have permissions on the computer running SQL Server.
  • Data is encrypted on the connection to the computer running SQL Server.
  • SQL Server and ISA Server are mutually authenticated.
  • You can filter and view logs in real time (online) or for historical data (offline).
  • Logging performance depends on:
    • Number of ISA Server computers logging.
    • SQL Server settings.
    • Bandwidth allocation.
  • On the ISA Server firewall, SQL logging consumes CPU resources somewhere between those used by MSDE and file logging, and uses almost no disk input/output (I/O).
  • In Enterprise Edition, there is a central log for all arrays in the enterprise.

MSDE Logging

ISA Server includes the MSSQL$MSFW service, which is an instance of the Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) that can be used for logging. By default, ISA Server saves logging information in MSDE databases. Each database is stored in two files, an .mdf file and an .ldf file. For each log database, two files are created: ISALOG_yyyymmdd_xxx_nnn.mdf and ISALOG_yyyymmdd_xxx_nnn.ldf, where:

  • yyyy represents the year that the log database refers to.
  • mm represents the month that the log database refers to.
  • dd represents the day that the log database refers to.
  • xxx represents the type that the log database refers to. This can be one of the following:
  • FWS. Represents the Firewall log.
  • WEB. Represents the Web Proxy log.
  • nnn is a counter that distinguishes between log databases that refer to the same day.

ISA Server keeps a buffer in memory for 30 seconds (or until there is a 10,000 buffer entry) before writing information to the MSDE log. This number is specified by the MSDENumberOfInsertsPerBatch property of the ISA Server FPCLogs COM object. We do not recommend reducing this buffer size. Note that Web proxy requests (HTTP GET) are only logged after the request is complete.

By default, MSDE logs are saved in the %ProgramFiles%\Microsoft ISA Server\ISALogs folder. Do not select a compressed drive as the logging directory. Saving logs to a compressed directory causes severe performance degradation for MSDE, which impacts the ISA Server firewall performance.

ISA Server creates new MSDE databases as follows:

  • For each log, ISA Server creates a new database every day.
  • In addition, ISA Server limits MSDE logs to 1.5 GB. When a log exceeds this limit, ISA Server automatically creates a new database.

ISA Server prepares log databases for the next day in advance. When you save logs to MSDE, a database that refers to the next day always exists.

MSDE logs can be viewed in the log viewer. This provides easy access to online information about network activity. The log viewer displays all the data as if it were in a single database. You can export the data displayed in the log viewer, to save MSDE data to a text file.

Note that the MSDE instance used by ISA Server has network protocols disabled, and you cannot connect to it remotely. You can only connect using a local SQL tool, for example Enterprise Manager, OSQL, ISQL.

Text File Logging

You can save ISA Server logs to a text file, in one of the following formats:

  • World Wide Web Consortium (W3C) format. W3C logs contain both data and directives, describing the version, date, and logged fields. Because the fields are described in the file, unselected fields are not logged. The tab character is used as a delimiter. Date and time are in Coordinated Universal Time (UTC).
  • ISA Server format. ISA Server format contains only data with no directives. All fields are always logged. Unselected fields are logged with a dash, to indicate that they are empty. The comma character is used as a delimiter. The date and time fields are in local time as configured on the computer.

By default, log files are saved in the %ProgramFiles%\Microsoft ISA Server\ISALogs folder. We recommend that log files are stored on an NTFS partition. Using NTFS, you can compress the log files to decrease their size and reduce the amount of space they use. You may notice a decrease in performance when working with NTFS-compressed files. When you read from (access) a compressed file, Windows automatically decompresses it for you, and when you write to the file, Windows compresses it. This process may decrease your computer's performance.

ISA Server creates new databases as follows:

  • For each log, ISA Server creates a new database every day.
  • In addition, ISA Server limits text file logs to 2 GB. When a log exceeds this limit, ISA Server automatically creates a new database.

Moving MSDE or Text File Logs

Logs should always be stored in a safe location with tightly controlled access.

By default, MSDE logs and text file logs are stored in the %ProgramFiles%\Microsoft ISA Server\ISALogs folder. You can specify an alternative log file location, including an environment variable such as %logDirectory%. If you specify a relative directory, the log is saved in the ISALogs folder, under the ISA Server installation folder. If you specify an absolute path, the actual log folder may be different on every server. If the specified folder does not exist, ISA Server will warn you that the specified location is not valid and will try to create the folder.

For any alternative logging folder, the Network Service account must have read permissions from the root partition and any parent folder for the folder. On the logging folder itself, the following permissions are required:

  • Network Service: Full Control
  • System: Full Control
  • Administrators: Full Control

If you change the log folder location and do not set the correct permissions, event ID 11002: Microsoft Firewall service failed to start, may be issued in Event Viewer.

If you need to copy MSDE log files from one location to another, or to move the files to another server, you must first detach the database from the current server. You should never detach a database that is currently in use. One way to determine whether a database is in use is to verify that the date included in the file name is a past date or that a database with a higher number exists for the current date. Another way is to enter the following lines at command prompts:

OSQL -S computer_name \MSFW -E

sp_who2

go

This will list all MSDE databases that currently have open connections, and show which application and user has them locked or is using them.

To detach a database from a server, enter the following lines at command prompts:

OSQL -S computer_name \MSFW -E

sp_detach_db database_name

go

quit

SQL Logging

You can save log information to an SQL database. This is useful for remote logging. Configuring SQL logging consists of configuring settings on the computer running SQL Server and in ISA Server, as follows:

  • Create a separate database and tables for Web Proxy logging and Microsoft Firewall service logging on the computer running SQL Server. ISA Server contains two SQL scripts to create the tables. These scripts are located in the %Program Files%\Microsoft ISA Server folder. For the Microsoft Firewall service logs, open the Fwsrv.sql file. For Web Proxy logs, open the W3proxy.sql file. You modify the script to use an existing database or create a new one. Then configure application permissions so that SQL Server accepts the data connection from the ISA Server computer. If SQL Server and ISA Server are in the same domain, use Windows authentication. If they are in untrusted domains or a workgroup scenario, you must set up a SQL Server account.
  • Configure ISA Server for Web Proxy logging and Firewall logging to the SQL database. You must specify the name of the computer running SQL Server to which the information will be logging, the port number to use (1433 by default), the name of the database, and authentication method and credentials.

Note the following when configuring SQL logging:

  • The system policy rule named "Allow remote logging using NetBIOS to trusted servers" must be enabled to log to an SQL database. In the System Policy Editor, verify that the enabled setting is selected for the Remote Logging (SQL) system policy configuration group to enable this rule. This rule allows SQL access from the Local Host network to all computers on the Internal network. We recommend that you modify the system policy so that this rule applies only to the specific computer running SQL Server.
  • For ISA Server 2006 Standard Edition, note the following:
  • In previous versions of ISA Server Standard Edition, SQL logging used ODBC. ISA Server 2006 uses direct access.
  • By default, ISA Server uses a Secure Sockets Layer (SSL)-encrypted connection to the computer running SQL Server, to help secure the sensitive data in the log files. To enable this connection, you must install a root certification authority (CA) certificate on the ISA Server computer. For more information, see "How to enable SSL encryption for SQL Server 2000 if you have a valid Certificate Server" at Microsoft Help and Support.
  • We recommend that you use Ethernet cards for the Peripheral Component Interconnect (PCI) bus with transfer rates of at least 100 megabits per second for communication between the ISA Server computer and the computer running SQL Server.
  • For ISA Server 2006 Enterprise Edition, note the following:
  • When applicable, we recommend that you use Windows authentication. In a workgroup deployment, if you configure SQL logging for Windows authentication, you should specify a local user account. This account must exist on all array members and on the computer running SQL Server. The account should also have appropriate logon permissions specified in SQL Server Security.
  • If you specify a non-default port for the computer running SQL Server, do the following: Create custom UDP and a TCP protocols for the specified port. Then create an access rule from the Local Host network to the network on which the computer running SQL Server is located, allowing use of the two protocols you created.
  • You can configure data encryption on the properties of Firewall logging and Web Proxy logging when connecting to an SQL database. If you configure encryption when logging to an SQL database, you must install a certificate on the computer running SQL Server. Then, update the trusted root authority on each array member to trust the server certificate.
  • By default, ISA Server uses an SSL-encrypted connection to the computer running SQL Server, to help secure the sensitive data in the log files. To enable this connection, you must install a root certification authority (CA) certificate on the array members.

Querying the Logs

You can use the ISA Server log viewer to monitor and analyze traffic, and troubleshoot network activity. By default, the log viewer displays all log records for the Web Proxy log and Firewall log in real time as they occur, with each event displayed in the log viewer as soon as it is logged. To display records with the default filter, click the Logging tab, and then on the Tasks tab, select Start Query.

You can modify the default filter conditions to display data that meets specific criteria in the log viewer. The viewer displays only log data if it matches all the expressions included in the filter. The filter expressions are combined using the logical AND operator. For example, you may want all log entries currently being logged for a specific IP address. To do this, you would edit the logging filter as follows:

  • Set Client IP to the relevant IP address.
  • Set Log Time to Live.

When you filter the log, you can select to view the Web Proxy log, the Firewall log, or both.

All log formats allow you to filter data by Log Time. For Text logs, you can only specify the Log Time with the Live value. This is known as online viewing, and displays real-time log data. MSDE logging and SQL logging allow you to specify the Log Time with other values. This allows you to display log data that was logged during a specific time period, and not just live data. This is known as offline viewing. When offline data is displayed, the log viewer actually queries the database.

When you create a filter, you specify a criterion, a condition, and a value. You select a field on which to filter the log, and then select a condition from one of the conditions available for the field. Then select a value. For some fields, predefined values may be available, or you can type a value. Some fields and conditions do not have values associated with them.

You cannot remove the entries in the default filter, but you can select the fields that appear in the default query and make changes to the values.

The following table summarizes the criteria on which you can filter logs.

Filter by Condition Values and description

Action

(not applicable to Web Proxy log)

Equals

Not Equals

The action performed by the Firewall service for the current connection or session.

Possible values:

  • Allowed Connection
  • Closed Connection
  • Closed VPN Connection
  • Connection Status
  • Denied Connection
  • Failed Connection Attempt
  • Failed VPN Connection Attempt
  • Initiated Connection
  • Quarantine Timeout
  • User Cleared Quarantine

Authenticated Client (not applicable to Firewall log)

Equals

Not Equals

Indicates whether the client has been authenticated with ISA Server.

Possible values:

  • No or Yes

Authentication Server

Contains

Equals

Not Contains

Not Equals

Possible values:

  • Text or numeric value

Bidirectional (not applicable to Web Proxy log)

Equals

Not Equals

Indicates whether the traffic is send/receive.

Possible values:

  • No or Yes

Bytes Received

Greater or Equal

Less or Equal

The number of bytes sent from the destination computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination computer or that no bytes were received from the destination computer.

Possible values:

  • Numeric value only

Bytes Sent

Greater or Equal

Less or Equal

The number of bytes sent from the source client to the destination server during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination computer or that no bytes were sent to the destination computer.

Possible values:

  • Numeric value only

Cache Information (not applicable to Firewall log)

Equals

Not Equals

This number reflects the cache status of the object, which indicates why the object was or was not cached. This field applies only to the Web Proxy log.

Possible values:

  • For a table of possible values, see the "Cache Information Log Values" section in "ISA Server 2006 Logging Fields and Values" at the Microsoft TechNet Web site.

Client Agent

Contains

Equals

Not Contains

Not Equals

The client application type sent by the client in the HTTP header.For Microsoft Firewall service, this field includes information about the client's operating system.

Possible values:

  • For more information, see the "Client Agent Log Values" section in "ISA Server 2006 Logging Fields and Values" at the Microsoft TechNet Web site.

Client Host Name

Contains

Equals

Not Contains

Not Equals

The domain name for the local computer for the current connection. For the Web Proxy log, a hyphen (-) in this field may indicate that an object was retrieved from the cache and not from the destination. In the Firewall log, this field is reserved for future use.

Possible values:

  • Numeric or text value

Client IP

Equals

Greater or Equal

Less or Equal

Not Equal

The IP address of the requesting client.

Possible values:

  • IP address format

Client Username

Contains

Equals

Not Contains

Not Equals

The account of the user making the request. If ISA Server access control is not being used, ISA Server uses anonymous.

Possible values:

  • Numeric or text value

Destination Host Name

Contains

Equals

Not Contains

Not Equals

The domain name for the remote computer that provides service to the current connection. For the Web Proxy log, a hyphen (-) in this field may indicate that an object was retrieved from the cache and not from the destination.

Possible values:

  • Numeric or text value

Destination IP

Equals

Greater or Equal

Less or Equal

Not Equal

The network IP address for the remote computer that provides service to the current connection. For the Web Proxy log, a hyphen (-) in this field may indicate that an object was sourced from the cache and not from the destination. One exception is negative caching. In that case, this field indicates a destination IP address for which a negative-cached object was returned.

Possible values:

  • IP address format

Destination Network

Contains

Equals

Not Contains

Not Equal

The network that provides service to the current connection.

Possible values:

  • Any defined network

Destination Port

Equals

Not Equal

The reserved port number on the remote computer that provides service to the current connection. This is used by the client application initiating the request.

Possible values:

  • Numeric value

Destination Proxy

Contains

Equals

Not Contains

Not Equal

The remote computer that provides service to the current connection.

Possible values:

  • Numeric or text value

Error Information (not applicable to Firewall log)

Equals

Not Equals

Error information.

Possible values:

  • Numeric value

Filter Information

Contains

Equals

Not Contains

Not Equal

This field includes information that a Web filter can log. For example, when the HTTP filter denies a request, the reason for the denial is stored here.

Possible values:

  • Blocked by HTTP Security filter
  • Body contains sequences which are disallowed
  • Query string length exceeded maximum allowed
  • Request body length exceeded maximum allowed
  • Sent verb is disallowed
  • Sent verb is not specifically allowed
  • The request contains a header which exceeds the maximum header length allowed
  • The request contains a header which is not allowed
  • The response contains a header which exceeds the maximum header
  • The response contains a header which is not allowed
  • The response content is encoded and cannot be scanned
  • There are request headers which contain a disallowed sequence
  • There are response headers which contain a disallowed sequence
  • URL contains '.' in the path
  • URL contains an extension which is disallowed
  • URL contains an extension which is not specifically allowed
  • URL contains high-bit characters
  • URL contains sequences which are disallowed
  • URL length exceeded maximum allowed
  • URL normalization was not complete after one pass

GMT Log Time

On or After

On or Before

Indicates Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT), which is the log time date.

Possible values:

  • Select calendar date

HTTP Method

Contains

Equals

Not Contains

Not Equals

Specifies the application method used. .

Possible values that are common for the Web Proxy log:

  • GET
  • PUT
  • POST
  • HEAD

Possible values that are common for the Firewall log:

  • CONNECT
  • BIND
  • SEND
  • RECEIVE
  • GHBN (GetHostByName)
  • GHBA (GetHostByAddress)

HTTP Status Code

Equals

Not Equals

Specifies the HTTP status code.

Possible values:

  • Numeric value

Log Record Type

Equals

Specifies the log type to filter.

Possible values:

  • Firewall
  • Web Proxy Filter
  • Firewall or Web Proxy Filter

Log Time

Last 24 hours

Last 30 days

Last 7 days

Last hour

Live

On or After

On or Before

The time that the logged event occurred.

Possible values:

  • Live, for all logging except MSDE format
  • MSDE, for all values
    If you select On or After, or On or Before, select dates from the calendar.

MIME Type (not applicable to Firewall log)

Contains

Equals

Not Contains

Not Equals

The MIME type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined or supported by the remote computer.

Possible values:

  • Select from defined content types
    Content types are defined on the Toolbox tab, available from the Firewall Policy node in ISA Server Management.

Network Interface (not applicable to Web Proxy log)

Contains

Equals

Not Contains

Not Equals

Primary IP address of the interface that received the traffic. Possible values:

  • Numeric or text value

Object Source (not applicable to Firewall log)

Equals

Not Equals

Indicates the source that was used to retrieve the current object.

Possible values:

  • Cache
  • Internet
  • Not Modified
  • Not Verified Cache
  • Upstream
  • Verified Cache
  • Verified Failed Internet

Original Client IP

Equals

Greater or Equal

Less or Equal

Not Equal

The IP address of the client making the request.

Possible values:

  • IP address format

Processing Time (not applicable to Firewall log)

Greater or Equal

Less or Equal

This indicates the total time, in milliseconds, that is needed by ISA Server to process the current connection. It measures elapsed server time from the time that the server first received the request to the time when final processing occurred on the server—when results were returned to the client and the connection was closed.

For cache requests that were processed through Web Proxy, processing time measures the elapsed server time needed to fully process a client request and return an object from the server cache to the client.

Possible values:

  • Numeric value

Protocol

Contains

Equals

Not Contains

Not Equals

Specifies the application protocol used for the connection. Common values are HTTP, FTP, and HTTPS. For the Firewall service, the port number is also logged.

Possible values:

  • Any protocol defined in ISA Server

Raw IP Header (not applicable to Web Proxy log)

Contains

Equals

Not Contains

Not Equals

The Raw IP header information.

Possible values:

  • Numeric or text value

Raw Payload (not applicable to Web Proxy log)

Contains

Equals

Not Contains

Not Equals

The raw data of the packet.

Possible values:

  • Numeric or text value

Referring Server

Contains

Equals

Not Contains

Not Equals

If ISA Server is used upstream in a chained configuration, this indicates the server name of the downstream server that sent the request.

Possible values:

  • Numeric or text value

Result Code

Equals

Not Equals

The result code numeric ID.

Possible values:

  • For more information, see the "Result Code Log Values" section in "ISA Server 2006 Logging Fields and Values" at the Microsoft TechNet Web site.

Rule

Contains

Equals

Not Contains

Not Equals

This reflects the rule that either allowed or denied access to the request.

Possible values:

  • Select the rule

Server Name (not applicable to Firewall log)

Contains

Equals

Not Contains

Not Equals

The name of the computer running ISA Server. This is the computer name that is assigned in Microsoft Windows Server 2003 or Windows 2000 Server

Possible values:

  • Select the server name

Service (not applicable to Firewall log)

Equals

Not Equals

The type of request being logged.

Possible values:

  • Proxy, indicating outgoing Web request
  • Reverse Proxy, indicating incoming Web requests (publishing)

Source Network

Contains

Equals

Not Contains

Not Equals

The network from which the request originated.

Possible values:

  • Select a network

Source Port (not applicable to Web Proxy log)

Equals

Not Equals

The port on which the requesting client makes the request.

Possible values

  • Numeric value

Source Proxy (not applicable to Web Proxy log)

Contains

Equals

Not Contains

Not Equals

IP address representing the client computer.

Possible values:

  • Text or numeric value

Transport

Contains

Equals

Not Contains

Not Equals

Specifies the transport protocol used for the connection.

Possible values:

  • ICMP
  • TCP
  • UDP

URL (not applicable to Firewall log)

Contains

Equals

Not Contains

Not Equals

This field shows the contents of the URL request.

Possible values:

  • Text or numeric value

Note the following when filtering log views:

  • Up to 10,000 results are displayed in the log viewer.
  • ISA Server logs each request in the authentication process for a Web Proxy client. The destination IP address and port number are not logged for denied requests.
  • Some log information, including IP data, Raw IP header, and Interface, is displayed only for stateless traffic that is not allowed for reasons other than a policy rule or application filter. For example, if traffic is dropped because it is considered spoofed, it is displayed.
  • If no rule specifically allows the outgoing or incoming request, the rule name is logged as "Default Rule." This indicates the following:
  • That the connection was denied but the denial was not due to access policy. For example:
  • No network relationship is defined between the source and destination networks.
  • Intrusion detection dropped the traffic as spoofed.
  • The request is from a client that exceeded the maximum connection limits.
  • That the connection was allowed implicitly, without a specific system policy rule or access rule to allow it. This can happen in a number of scenarios. For example, an application filter running on ISA Server may update its files from the Web, and open a connection to a Web server without a specific policy rule that allows the connection. In this case, the rule name field in the log will be empty, and not populated with "Default Rule".
  • After you define a filter and run a query with it, you can save it as an .xml file for future use. It is often useful to have a set of queries, with each query used to focus on a different session type. You can then import saved filter query definitions as required.

Log Maintenance

Because ISA Server is deployed to secure your network, it is critical that logging information is always available and accurate. You should carefully monitor alerts and verify that their activity is always being logged. Check for alerts that indicate failure to log for a variety of reasons, including disk space, SQL Server connectivity issues, and others.

ISA Server summarizes the previous day's logs, and reports are based on these log summaries. Properly maintained logs help ensure that reports are accurate. For MSDE logging and text file logging, you can specify the following log maintenance settings:

  • Limit total log file size. Specifies how many total gigabytes (GB) of disk space log files can use. Each log file is limited to 1.5 GB. When a log file reaches 1.5 GB, a new file is automatically created.
  • Maintain free disk space. Specifies the minimum amount of disk space that must be kept free.
  • Delete files older than a specified number of days

When these limits are reached, logs are maintained according to one or more of the following methods:

  • Delete older log files as necessary. Specifies that when limits are reached, older files are deleted as newer files are saved.
  • Discard new log entries. Specifies that when limits are reached, new entries will not be saved until limits are changed, or old files are deleted. An alert is issued to notify of this event.
  • Delete log files older than. Specify how long log files are kept before being automatically deleted. To delete old files from storage, decrease this number.
  • Compress log files. Specify that log files should be compressed to reduce disk space. Only available on NTFS partitions.

ISA Server checks that logs do not exceed the specified limits every 30 seconds. This means that for up to a period of 30 seconds, logs might exceed the limits. ISA Server automatically deletes logs in accordance with these settings. For accurate reporting, ensure that you allocate sufficient disk space to accommodate logs for at least a day or two. If you only configure space for less than a day, reports will be based on that portion of the day only. Note that each log component (Firewall and Web proxy) is maintained separately in accordance with settings. So for example, if the total log size for each component is set to 8 GB, then the maximum size of the combined log will be 16 GB.

SQL logs are maintained on the computer running SQL Server by the SQL Server administrator.

Attack Mitigation

When an attack occurs, many events will be logged. To continue logging despite the large number of events, follow these guidelines:

  • By default, if ISA Server cannot log activity, the log failure alert is configured to stop the Microsoft Firewall service when it is generated. Consider reconfiguring this alert to send an e-mail message to an administrator's e-mail address, especially when you want to provide maximum serviceability. Also, use the ISA Server software development kit (SDK) to create a script that does not drop connections for which traffic is not logged. For example, you can use the script "Disable Firewall Service Lockdown due to Logging Failures", located at the Coding Corner. For more information about using COM properties, see ISA Server SDK Help.
  • Review how you have configured logging for each rule, to create sufficient yet precise log data. Specifically, you might want to disable logging for the Default Rule. Then, create another deny rule. Enable logging for this rule, so that you track unwanted traffic. Similarly, you may want to disable logging for rules that apply to network basic input/output system (NetBIOS) and Dynamic Host Configuration Protocol (DHCP), depending on your organizational needs.
  • Logging may attract attacks because it uses a large amount of I/O and CPU resources. ISA Server 2006 provides a network protection flood resiliency feature, which can specify that denied traffic will not be logged if a "denied requests per second" limit is reached. For more information, see "ISA Server Network Protection Concepts in ISA Server 2006" at the Microsoft TechNet Web site.

Reports

With ISA Server reporting, you can create a permanent record of common usage patterns, and summarize and analyze log information. For example, you can determine:

  • Who is accessing sites, and which sites are being accessed.
  • Which protocols and applications are being used most often.
  • General traffic patterns.
  • Cache ratio.
  • Security monitoring. For example, you can generate reports that track malicious attempts to access internal resources. Similarly, by tracking the number of connections to a published server, or the traffic to the server, you might identify an attempt at denial of service.

ISA Server reports are based on log summaries derived from the Web Proxy and Firewall logs. The Dailysum.exe program, installed with ISA Server, is responsible for summarizing the log data. By default, Dailysum.exe runs as follows:

  • Daily. Dailysum.exe runs each day at 00:30 (12:30 A.M.).
  • Monthly. At the beginning of each month, Dailysum.exe creates a monthly summary that summarizes all the past month's daily summaries. At least 35 daily summaries are saved, and at least 13 monthly summaries are saved.

Dailysum.exe runs even if no reports are configured to run. You can disable this default setting, or modify when Dailysum.exe runs. Two log summaries are saved: one with a daily summary and one with a monthly summary. Summaries are saved in database files (.ils files), by default in the ISASummaries folder, in the ISA Server installation folder. When a report is created, all relevant summary databases are combined into a single report database, and the report is created.

Generating Reports

You can customize content to include in a report. ISA Server provides the following predefined report types that you can use, or modify if required:

  • Summary. A Summary content report includes summarized information about network traffic usage, sorted by application. These reports are most relevant to the network administrator or the person managing or planning a company's Internet connectivity.
  • Web Usage. A Web Usage content report displays information about frequent Web users, common responses, and browsers. These reports are most relevant to the network administrator or the person managing or planning a company's Internet connectivity. It shows how the Web is being used in a company.
  • Application Usage. An Application Usage content report illustrates Internet application usage information about top users, client applications, and destinations.
  • Traffic and Utilization. A Traffic and Utilization content report shows total Internet usage by application, protocol, and direction. These reports also show average traffic and peak simultaneous connections, cache hit ratio, errors, and other statistics.
  • Security. A Security content report lists attempts to breach network security.
  • You can customize the different report types, and specify a sort order, with the following types of criteria.
Report criteria Details Report types

Top protocols

Limit report to a specific number of the most highly used protocols during the report period.

Summary report

Application Usage report

Web Usage report

Top users

Limit report to include a specific number of users who generated the most traffic.

Summary report

Application Usage report

Web Usage report

Top sites

Limit report to include a specific number of the top sites visited.

Summary report

Web Usage report

Cache hit ratio

Include the ratio between the number of Web object requests and the number served from the cache.

Summary report

Traffic and Utilization report

Object types

Limit report to include a specific number of the most frequently requested object types.

Web Usage report

Browsers

Limit report to include a specific number of the most frequently used client browsers.

Web Usage report

Operating systems

Limit report to include a specific number of the most frequently used client operating systems.

Web Usage report

Application Usage report

Destinations

Limit report to include a specific number of the most frequently requested destinations in the client request.

Application Usage report

Client applications

Limit report to include a specific number of the client applications with the highest network traffic.

Application Usage report

Dropped packets

Limit report to include a specific number of the clients with the highest number of dropped packets.

Security report

Authorization failures

Limit report to include a specific number of the clients causing the highest number of authorization failures.

Security report

To generate a report, ISA Server runs the ISARepGen.exe application, installed with ISA Server. You can create the following reports from the log summaries:

  • Generate a one-time report. You create a one-time report using the New Report Wizard. The report created will be run only once, when the wizard completes. To generate a one-time report, from the Monitoring node, click the Reports tab, and then on the Tasks tab, click Generate a New Report.
  • Configure a recurring report. You can schedule automated reports on a daily, weekly, monthly, or yearly basis. You configure recurring reports using the New Report Job Wizard. You specify the period of activity that the report will cover, and when and how often the report is generated. To generate a recurring report job, from the Monitoring node, click the Reports tab, and then on the Tasks tab, click Create and Configure Report Jobs.

The following table summarizes the settings you specify when running the New Report Wizard to create a single one-time report, or when running the New Report Job Wizard to create a scheduled recurring report.

Property Details Report type

Report name

Specify name for report.

One-time report and recurring report

Report Content

Select content type. By default, all content types are selected.

One-time report and recurring report

Report Period

Specify a start date and end date for the report. Reports are based on log summaries created daily, so the end date specified in the report should be at least one day earlier than the current date.

One-time report only

Report Job Schedule

Specify when a recurring report runs:

  • Daily
  • Weekly
    You can specify multiple days of the week so that reports cover part of the week, or select a single day so that the report covers an entire week.
  • Monthly
    Specify dates.

Recurring report only

Report Publishing

Specify a directory to which the report should be published, and credentials if required. The account specified must have write permissions to the specified folder.

One-time report and recurring report

Send E-mail Notification

Specify that an e-mail message should be sent to notify that a report has been generated. Configure the SMTP server, and the e-mail addresses of the sender and the recipients. You can specify that a link to the completed report should be included in the mail.

One-time report and recurring report

The following traffic is not included in reports generated by ISA Server:

  • Traffic for which the Action field in the log equals Established or Allowed.
  • Proxy authentication queries. This type of traffic is identified in the log as having the LogType field equal to Web Proxy and the destination either ms_proxy_intra_array_auth_query or ms_proxy_auth_query.
  • Establishment and termination of virtual private network (VPN) sessions. This type of traffic is identified in the log as having the ClientAgent field equal VPN remote access or VPN remote site.
  • (ISA Server 2006 Enterprise Edition only.) Traffic for which the Object source field in the log equals Member. When Cache Array Routing Protocol (CARP) is configured, each client Web request appears twice in the log. The first request is from the client to the first ISA Server computer. The second request is from the second ISA Server computer to the actual Web server.

Generating Reports in ISA Server 2006 Enterprise Edition

In Enterprise Edition, reports are generated by collating information from the log summaries on each array member. Note the following:

  • In a workgroup deployment, you must enable Authenticate using this account on the Intra-array Credentials tab of the array properties page, and specify a user account that is defined on all array members.
  • We recommend that you minimize the number of reports to be saved to a Configuration Storage server. Each report saved to a Configuration Storage server is replicated to all of the other Configuration Storage servers in the enterprise. If you do not limit the number of reports that are saved, you will increase bandwidth usage for replication, as well as the amount of storage used enterprise-wide for reports. Instead, publish reports on another computer on the network.

Viewing and Publishing Reports

You can view a report by double-clicking the report name in ISA Server Management. The report is displayed in Microsoft Internet Explorer®. The report can be viewed only on the computer running ISA Server Management. On any other computer, the report shows either empty data, or a page with empty frames and a message that the "Page cannot be displayed."

Note the following about data displayed in the report:

  • Requests are calculated only when the connection is terminated.
  • Bytes are counted for every line in the log.

To make reports more readily available, you can publish them to a shared folder. The published reports are stored in a folder named Report_Job_Name_(Start dateEnd date). For example, if you publish the report job named DailyReports, scheduled to run from December 1, 2006 through December 15, 2006, the published reports folder will be named DailyReports_(12.1.2006—12.15.2006).

To view the report, double-click the file named report.htm located in the published folder. This has links to all the report types generated. Everyone who needs access to the reports should have Read permissions to this folder. In this way, others can view the reports without accessing the ISA Server computer and ISA Server Management. When a report is published, several report files and the associated graphics are saved to the specified published folder.

When you publish any report, the ISARepGen.exe process must have Write permissions to the publishing folder. You can configure the credentials that ISARepGen.exe uses to create reports.

By default, the Local System account is used. Note, however, that if you publish reports to a different computer, the Local System account credentials are actually passed as the (ISA Server) computer account. The computer account must have permissions to write to the network shared folder.

If ISA Server is installed in workgroup mode, ISARepGen.exe uses the Unauthenticated account. In this case, we recommend that you specify user credentials when publishing reports to another computer.

Appendix A: Alert Definitions

The following table summarizes the ISA Server predefined alert definitions.

Alert definition Description Event Additional conditions

Access to Configuration Storage server is blocked (Enterprise Edition only)

As a result of changes made to the configuration, access to the Configuration Storage server is blocked.

Access to Configuration Storage server is blocked

Any connection failure

Account name resolution failed (Enterprise Edition only)

The Configuration Agent is unable to resolve the account specified for administration.

Account name resolution failed

None

Alert action failure

The action associated with this alert fails.

Alert action failure

None

Application filter not registered

The application filter is not registered on this server.

Application filter not registered

None

Array member status verification failed (Enterprise Edition only)

Array member status verification failed. Virtual private network (VPN) tunnels may not be established.

Array member status verification failed

None

Array member status verification succeeded (Enterprise Edition only)

ISA Server successfully verified the array member's status. VPN tunnels can be established.

Array member status verification succeeded

None

Array-level policy rule was deleted (Enterprise Edition only)

The enterprise policy does not permit some types of array-level policy rules.

Array-level policy rule was deleted

None

Broken reference in cross-array configuration (Enterprise Edition only)

The ISA Server Control service detected a reference to a rule element that does not exist in a Web publishing rule defined in an array.

Broken reference in cross-array configuration

None

Cache container initialization error

The cache container initialization fails, and the container is ignored.

Cache container initialization error

None

Cache container recovery complete

The recovery of a single container is complete.

Cache container recovery complete

Any

Cache file resize failure

The operation to reduce the size of the cache file fails.

Cache file resize failure

None

Cache initialization failure

The Web cache proxy is disabled because of global failure.

Cache initialization failure

None

Cache permissions insufficient

When you configure a drive for caching, a cache file, Dir1.cdat, is created in the drive:\urlcache folder. This alert definition indicates that the Network Services account does not have sufficient permissions for the root folder and the Urlcache folder on one or more cache drives. Verify that the Network Services account has at least List Folder and Read permissions for the root folder, and Read permission for the Urlcache folder on all cache drives.

Cache permissions insufficient

None

Cache restoration completed

The cache content restoration is complete.

Cache restoration completed

Any

Cache write error

There is a failure in writing content to the cache.

Cache write error

None

Cached object discarded

During cache recovery, an object with conflicting information is detected. The object is ignored.

Cached object ignored

None

Certificate on ISA Server about to expire

A certificate on ISA Server is nearing its expiration date.

Certificate on ISA Server about to expire

None

Certificate on ISA Server invalid

There is a validity problem with a certificate used by ISA Server to establish a Secure Sockets Layer (SSL) connection with a client.

Certificate on ISA Server invalid

None

Code page invalid

One or more code pages are invalid, or the applicable conversion tables are not installed.

Code page invalid

None

Component load failure

There is a failure to load an extension component.

Component load failure

Any component

Compression by unsupported method

A response compressed by an unsupported method (indicated in the HTTP Content-Encoding header) was received. ISA Server only supports GZIP compression.

Compression by unsupported method

None

Compression failure

ISA Server failed to compress the content of a response.

Compression failure

None

Compression failure (allocated memory exhausted)

The compression filter cannot handle a response because the memory allocated for compression is in use.

Compression failure (allocated memory exhausted)

None

Compression failure (decompression failed)

ISA Server was unable to decompress the content of a response.

Compression failure (decompression failed)

None

Compression failure (filter misconfiguration)

The compression filters are configured incorrectly. Both filters must be in the same state, either enabled or disabled.

Compression failure (filter misconfiguration)

None

Concurrent TCP connection from one IP address limit exceeded

The number of concurrent TCP connections allowed from an IP address is exceeded.

Per-client network traffic limit

Concurrent TCP connections from one IP address

Concurrent TCP connections from one IP address limit exceeded

Configuration Agent removed overlapping ranges (Enterprise Edition only)

The ISA Server Configuration Agent has removed ranges from the included enterprise network, because they overlap with another array network.

Configuration Agent removes overlapping ranges

None

Configuration changes cannot be loaded by ISA Server services (Enterprise Edition only)

ISA Server fails to load the new configuration. When a new configuration is saved, ISA Server will renew its attempt to apply the changes.

Configuration changes cannot be loaded by ISA Server services

None

Configuration changes overload (Enterprise Edition only)

Continuous or excessive changes to the configuration are detected. This may indicate an attack on the Configuration Storage server.

Configuration changes overload

None

Configuration error

An error occurs while reading configuration information.

Configuration error

None

Connection limit exceeded

A user or an IP address exceeds its connection limit.

Connection limit exceeded

None

Connection limit for a rule was exceeded

The number of connections per second allowed for a rule is exceeded.

Connection limit for a rule was exceeded

None

Credentials delegation failure

ISA Server attempts to delegate credentials but the published Web site rejects the credentials.

Credentials delegation failure

None

Credentials delegation using Kerberos constrained delegation failure

ISA Server fails to delegate credentials using Kerberos constrained delegation to a published Web site.

Credentials delegation using Kerberos constrained delegation failure

None

Cross-array link translation configuration inconsistency (Enterprise Edition only)

Cross-array link translation includes this array. However, link translation is disabled at the array level. Links to this array will not be translated and will be broken.

Cross-array link translation configuration inconsistency

None

Denied connections per minute from one IP address limit exceeded

The number of denied connections per minute allowed from one IP address is exceeded.

Per-client network traffic limit

Denied connections per minute from one IP address limit exceeded

DHCP anti-poisoning intrusion detection disabled

The Dynamic Host Configuration Protocol (DHCP) anti-poisoning intrusion detection mechanism is disabled.

DHCP anti-poisoning intrusion detection disabled

None

Dial-on-demand failure

There is a failure to create a dial-on-demand connection, because there is no answer or the line is busy.

Dial-on-demand failure

None

DNS intrusion

A host name overflow, length overflow, or zone transfer attack occurs.

DNS intrusion

All DNS intrusions

DNS zone transfer intrusion

A zone transfer attack occurs.

DNS intrusion

DNS zone transfer intrusions

Event log failure

There is a failure to log the event information to the system event log. This alert is disabled by default.

Event log failure

None

Firewall communication failure

There is a failure in communication between the Firewall client and the ISA Server service.

Client/server communication failure

None

Free disk space limit exceeded

The free disk space limit for log storage is exceeded.

Log storage limits

Free disk space limit exceeded

FTP filter initialization warning

The File Transfer Protocol (FTP) filter fails to parse the allowed FTP commands. Verify that the commands are stored in the correct format. Each command should be no more than four characters, and each command should be separated from the previous one with a space character.

FTP filter initialization warning

None

Global denied packets rate limit

The number of denied TCP and non-TCP packets per second exceeds the allowed limit.

Global denied packets rate limit

None

Host ID assigned to this server is not valid (Enterprise Edition only)

This server has the same host ID as another server. This is not a valid configuration. A valid host ID is unique to each server in the array, within the range 2–32. The Firewall service cannot start until the server is assigned a valid host ID.

Host ID assigned to this server is not valid

None

HTTP requests from one IP address limit exceeded

The number of HTTP requests per minute from one IP address exceeds the specified limit.

Per-client network traffic limit

HTTP requests from one IP address limit exceeded

Intra-array configuration error (Enterprise Edition only)

The ISA Server intra-array configuration is invalid.

Intra-array configuration error

None

Intrusion detected

An intrusion is attempted by an external user.

Intrusion detected

Any intrusion

Invalid configuration settings

Configuration settings cannot be applied.

Invalid configuration settings

Any failure

Invalid CRL found

A client certificate is revoked due to an invalid or missing certificate revocation list (CRL). The CRL may have expired, and ISA Server is unable to download a valid CRL. Verify that the CRL download system policy configuration group is enabled, and that there is connectivity to the CRL distribution points.

Invalid CRL found

None

Invalid DHCP offer

The DHCP offer IP address is not valid.

Invalid DHCP offer

None

Invalid dial-on-demand credentials

Invalid dial-on-demand credentials are detected.

Invalid dial-on-demand credentials

None

Invalid network adapter configuration

The network adapter is configured with several IP addresses that belong to several networks. This is an illegal configuration.

Invalid network adapter configuration

None

IP spoofing

The IP packet source address is not valid.

IP spoofing

None

ISA Server cannot connect to the Configuration Storage server (Enterprise Edition only)

ISA Server cannot connect to the Configuration Storage server. The configuration, currently stored on the local computer, remains in effect.

ISA Server cannot connect to the Configuration Storage server

None

ISA Server computer restart is required

Changes made to the configuration only take effect after restarting the computer.

ISA Server computer restart is required

None

ISA Server computer switched Configuration Storage servers (Enterprise Edition only)

ISA Server switches from one Configuration Storage server to the other due to a change in the configuration, connectivity issues, or Configuration Storage server availability.

ISA Server computer switched Configuration Storage servers

Any reason for switching between servers

ISA Server VPN tunnel redistribution is recommended (Enterprise Edition only)

The VPN tunnels are not distributed evenly among the ISA Server computers in the array.

ISA Server VPN tunnel redistribution is recommended

None

LDAP server recovered

The connection to the LDAP server is restored.

LDAP server recovered

None

LDAP server unavailable

The LDAP server requested did not respond.

LDAP server unavailable

None

Link translation configuration insecure

The Web listener used in a Web publishing rule specifies an HTTP connection to clients, but the rule is configured with an HTTPS connection to the published server or Web farm. HTTPS links will be translated to HTTP links.

Link translation configuration insecure

None

Link translation configuration invalid

One or more link translation mappings are invalid. Link translation mappings must be between 4 and 2,057 bytes. Invalid mappings are ignored.

Link translation configuration invalid

None

Link translation redirection unpublished site contains invalid character

The URL of a site specified in the list of unpublished sites for link translation redirection contains one or more non-ANSI characters.

Link translation redirection unpublished site contains invalid character

None

Link translation redirection unpublished site length invalid

The length of the URL for a site specified in the list of unpublished sites for link translation redirection is invalid.

Link translation redirection unpublished site length invalid

None

Local NLB configuration change

The Microsoft Firewall service identifies changes to the local Network Load Balancing (NLB) configuration or state. Changes to the NLB configuration or state are supported only through the ISA Server administrator. Any local changes will be overridden.

Local NLB configuration change

None

Log deletion failure

Log deletion, according to configuration, fails.

Log deletion failure

None

Log failure

One of the service logs fails.

Log failure

Any ISA Server service

Log storage limits

One or more of the log storage limits is reached.

Log storage limits

Any

Logging resumed

One of the services resumes logging following a previous failure.

Logging resumed

Any ISA Server service

Low non-paged pool

The size of the free non-paged pool fell below the system-defined minimum.

Low non-paged pool

None

Low non-paged pool recovered

The size of the free non-paged pool exceeds the system-defined minimum.

Low non-paged pool recovered

None

Misconfigured alert

An alert definition contains an invalid property.

Misconfigured alert

None

Network configuration changed

A network configuration change that affects ISA Server is detected.

Network configuration changed

Any network configuration change

Network interface card (NIC) enabled

NIC disabled

IP added or removed

Network connected

Network disconnected

Network addresses modified

NLB configuration failure

There is a failure to configure Network Load Balancing to work with ISA Server.

NLB configuration failure

None

NLB inconsistent configuration detected (Enterprise Edition only)

Network Load Balancing inconsistency is found on some networks. Traffic might not be routed properly.

NLB inconsistent configuration detected (Enterprise Edition only)

None

NLB is draining and stopping (Enterprise Edition only)

Network Load Balancing is draining and stopping due to a request by the administrator.

NLB is draining and stopping (Enterprise Edition only)

None

NLB possible reduced load balancing performance (Enterprise Edition only)

Network Load Balancing performance may be impaired due to a failure to resolve a Web server name.

NLB possible reduced load balancing performance (Enterprise Edition only)

None

NLB shutdown - Firewall service not responding (Enterprise Edition only)

Network Load Balancing on the local computer is stopped because the Firewall service has stopped responding.

NLB shutdown - Firewall service not responding (Enterprise Edition only)

None

NLB shutdown - Firewall service stopped (Enterprise Edition only)

Network Load Balancing on the local computer is stopped because the Firewall service is stopped.

NLB shutdown - Firewall service stopped (Enterprise Edition only)

None

NLB started (Enterprise Edition only)

Network Load Balancing on the local computer is started.

NLB started (Enterprise Edition only)

None

NLB stopped - configuration failure (Enterprise Edition only)

The Firewall service fails to apply Network Load Balancing configuration. NLB on the local computer will be disabled.

NLB stopped - configuration failure (Enterprise Edition only)

None

NLB stopped - network adapter problem (Enterprise Edition only)

There is no suitable network adapter for Network Load Balancing on some networks. NLB on the local computer will be stopped.

NLB stopped - network adapter problem (Enterprise Edition only)

None

NLB stopped - NLB integration is unavailable (Enterprise Edition only)

Network Load Balancing integration cannot be configured on this server.

NLB stopped - NLB integration is unavailable (Enterprise Edition only)

None

NLB stopped - RRAS service not responding (Enterprise Edition only)

Network Load Balancing on the local computer is stopped because Routing and Remote Access is not responding.

NLB stopped - RRAS service not responding (Enterprise Edition only)

None

NLB stopped - VPN static address pool is empty (Enterprise Edition only)

Network Load Balancing on the local computer is stopped because the VPN static address pool on this computer is empty.

NLB stopped - VPN static address pool is empty (Enterprise Edition only)

None

NLB stopped manually (Enterprise Edition only)

Network Load Balancing on the local computer is stopped manually by the administrator.

NLB stopped manually (Enterprise Edition only)

None

No available ports

Network sockets are not created because there are no available ports.

No available ports

None

No connectivity

ISA Server fails to establish a connection to the requested server.

No connectivity

None

Non-TCP sessions from one IP address limit exceeded

The number of non-TCP sessions allowed from one IP address is exceeded.

Per-client network traffic limit

Non-TCP sessions from one IP address limit exceeded

OS component conflict

There is a conflict with one of the operating system components: IP network address translation (NAT) editor, Internet Connection Sharing (ICS), or Routing and Remote Access.

Operating system component conflict

Any operating system component conflict

Oversized UDP packet

ISA Server drops a User Datagram Protocol (UDP) packet because it exceeds the maximum UDP packet size. For more information, see the ISA Server COM property: UdpBufferSize.

Oversized UDP packet

None

Pending DNS requests resource usage limit exceeded

The percentage of threads used for pending Domain Name System (DNS) requests out of the total number of available threads exceeds the system-defined maximum.

Pending DNS requests resource usage limit exceeded

None

Pending DNS requests resource usage limit within limits

The percentage of threads used for pending DNS requests out of the total number of available threads is now below the system-defined maximum, and connections that require DNS name resolution can be accepted.

Pending DNS requests resource usage limit within limits

None

POP intrusion

A Post Office Protocol (POP) buffer overflow is detected.

POP intrusion

None

Propagate configuration change failed (Enterprise Edition only)

A change to the configuration in the central storage cannot be propagated to the ISA Server computer.

Propagate configuration change failed

None

Published server certificate expiration warning

A certificate on a server published by ISA Server is nearing its expiration date.

Published server certificate expiration warning

None

Published Web server name not resolvable

ISA Server cannot resolve the name of a published Web server. All requests handled by the Web published rule will be denied.

Published Web server name not resolvable

None

Quarantined VPN Clients network changes

A user is removed from the Quarantined VPN Clients network. This alert is disabled by default.

Quarantined VPN Clients network changes

Quarantined user changed state

RADIUS server recovered

The connection to the RADIUS server was restored.

RADIUS server recovered

None

RADIUS server unavailable

The RADIUS server requested did not respond.

RADIUS server unavailable

None

Report summary generation failure

An error is received while generating a report summary from log files.

Report summary generation failure

None

Resource allocation failure

There is a resource allocation failure. For example, the system is out of memory.

Resource allocation failure

None

Revert to last known configuration failed (Enterprise Edition only)

The ISA Server Configuration Agent is unable to revert to the last known configuration.

Revert to last known configuration failed (Enterprise Edition only)

None

Revert to last known configuration succeeded (Enterprise Edition only)

The ISA Server Configuration Agent successfully reverts the configuration.

Revert to last known configuration succeeded (Enterprise Edition only)

None

Routing (chaining) failure

ISA Server fails to route the request to an upstream server.

Routing (chaining) failure

None

Routing (chaining) recovery

ISA Server resumes routing to an upstream server.

Routing (chaining) recovery

None

RPC filter - bind failure

A remote procedure call (RPC) filter cannot use the defined port because it is already in use.

RPC filter - bind failure

None

RPC filter - connectivity changed

The connectivity to the publishing RPC service <server name> changed. <additional key>

RPC filter - connectivity changed

Any

Server publishing failure

The server publishing rule is configured incorrectly.

Server publishing failure

Incorrect rule configuration

Server publishing is not applicable

The server publishing rule cannot be applied.

Server publishing is not applicable

Rule cannot be applied

Server publishing recovery

The server publishing rule can now be applied.

Server publishing recovery

None

Service initialization failure

There is a service initialization failure.

Service initialization failure

Any ISA Server service

Service not responding

An ISA Server service terminates or stops functioning unexpectedly.

Service not responding

Any ISA Server service

Service shutdown

A service stops properly. <%service name%>

Service shutdown

Any ISA Server service

Service started

A service starts properly. <%service name%>

Service started

Any ISA Server service

Slow connectivity

ISA Server encounters a slow connection to the requested server.

Slow connectivity

None

SMTP filter encountered an invalid bare CR or LF

Bare carriage return/line feed (CR/LF) may pose a security risk. The connection has been terminated.

SMTP filter event

Bare CR/LF terminator

SMTP filter encountered an invalid DATA terminator

Some character combinations in DATA may pose a security risk. The connection has been terminated.

SMTP filter event

Invalid DATA termination

SMTP filter event

A Simple Mail Transfer Protocol (SMTP) command rule is violated.

SMTP filter event

Any

SOCKS configuration failure

The port specified in SOCKS properties is in use by another protocol.

SOCKS configuration failure

None

SSL connection failure with published server (name mismatch)

ISA Server failed to establish an SSL connection with a published server. There is a name mismatch.

SSL connection failure with published server

None

SSL connection failure with published server (no trust)

ISA Server failed to establish an SSL connection with a published server. There is a domain trust issue.

SSL connection failure with published server (no trust)

None

SSL connection failure with published server (server certificate not valid)

ISA Server failed to establish an SSL connection with a published server. A server certificate is not valid.

SSL connection failure with published server (server certificate not valid)

None

SSL connection failure with published server (unknown reason)

ISA Server failed to establish an SSL connection with a published server.

SSL connection failure with published server (unknown reason)

None

SYN attack

ISA Server detects a SYN attack.

SYN attack

None

TCP connections per minute from one IP address limit exceeded

The number of TCP connections per minute allowed from one IP address is exceeded.

Per-client network traffic limit

TCP connections per minute from one IP address limit exceeded

The Configuration Agent has restored its connection with the Configuration Storage server (Enterprise Edition only)

The Configuration Agent restores its connection to the Configuration Storage server. Changes made during the disconnection time are now be applied to the service.

The Configuration Agent has restored its connection with the Configuration Storage server

None

The configuration was reloaded (Enterprise Edition only)

The configuration reloads. The Configuration Agent recovers from the error and successfully reloads the configuration information.

The configuration was reloaded

None

The response was rejected because a compressed response was not requested

The response was rejected because a compressed response was not requested. ISA Server blocks compressed HTTP responses when it does not request compression.

The response was rejected because a compressed response was not requested

None

Total log size limit exceeded

The log storage total size limit is exceeded.

Log storage limits

Total log size limit exceeded

Undefined account for intra-array authentication (Enterprise Edition only)

For intra-array authentication when array members are in a workgroup, the intra-array account must be defined and enabled. Some features, such as VPN, Cache Array Routing Protocol (CARP), and reporting, will not work unless the intra-array account is properly configured.

Undefined account for intra-array authentication

None

Unregistered event

An unregistered event is raised.

Unregistered event

None

Unresolvable remote gateway address on a VPN network

A remote gateway address specified for a VPN site-to-site network cannot be resolved. As a result, a VPN connection cannot be established to the remote network. In ISA Server 2006 Enterprise Edition, if the network used for the VPN connection from the remote server is enabled for NLB, VPN traffic may be picked up by the wrong array member, and not by the intended server.

Unresolvable remote gateway address on a VPN network

None

Unresolvable server name

A server name cannot be resolved to an IP address.

Unresolvable server name

None

Upload new configuration to services failed (Enterprise Edition only)

The ISA Server Configuration Agent is unable to upload the configuration to the ISA Server services.

Upload new configuration to services failed (Enterprise Edition only)

None

Upstream chaining credentials

The upstream chaining credentials are incorrect.

Upstream chaining credentials

None

VPN connection failure

VPN client connection attempt fails.

VPN connection failure

None

Web farm servers unavailable

A Web published rule stopped forwarding requests to a Web farm because there are currently no servers in the Web farm that can accept requests.

Web farm servers unavailable

None

Web filter not registered

The Web filter is not registered on this server.

Web filter not registered

None

Windows NLB is not installed (Enterprise Edition only)

Network Load Balancing is not installed on this computer. NLB configuration cannot be applied or monitored.

Windows NLB is not installed (Enterprise Edition only)

None

Windows user-based policy in workgroup (Enterprise Edition only)

The applied policy contains one or more policy rules specifying Windows-based user authentication. The ISA Server array is in a workgroup. Windows-based user authentication cannot be applied to an ISA Server array in a workgroup.

Windows user authentication in workgroup

None

WMI service connection was lost (Enterprise Edition only)

The connection to the Microsoft Windows® Management Instrumentation (WMI) service was lost. For NLB to function properly, a continuous connection to the WMI service is required. To ensure proper NLB functionality, do the following: Stop NLB by typing NLB stop at a command prompt. Then stop the Firewall service. Verify that the WMI service is running, and then restart the Firewall service. When the Firewall service is restarted, NLB will restart.

WMI service connection was lost

None