ISA Server 2004 - Service Pack 3

Microsoft Internet Security and Acceleration (ISA) Server 2004 Service Pack 3 (SP3) provides the latest updates to ISA Server 2004 Standard Edition and Enterprise Edition, with increased security, new features, and enhanced functionality. In addition, this service pack provides improved troubleshooting options, designed to help you identify and resolve ISA Server configuration issues.

Since ISA Server 2004 was released to manufacturing, two previous service packs have been released:

  • ISA Server 2004 Service Pack 1 (SP1) provided enhanced stability of the ISA Server services and administration tool in a number of scenarios for ISA Server 2004 Standard Edition. For details about ISA Server 2004 SP1, see Release Notes.
  • ISA Server 2004 Service Pack 2 (SP2) offered improved and more efficient communication between branch offices over Hypertext Transfer Protocol (HTTP), providing a foundation for the Microsoft Branch Office Solution, improvements in the Cache Array Routing Protocol (CARP) mechanism, and new certificate alerts. For details about ISA Server 2004 SP2, see "List of issues fixed in Microsoft Internet Security and Acceleration Server 2004 Service Pack 2" at Microsoft Help and Support.

Service packs are cumulative. ISA Server 2004 SP3 contains all the fixes that are included in previous service packs and hotfixes, together with any new fixes. For details about all the fixes released for ISA Server 2004 prior to SP3, see "Downloads for Microsoft ISA Server 2004" at the Microsoft TechNet Web site.

This document describes the features introduced in ISA Server 2004 SP3. For other important information about this release, read the Release Notes.

Service Pack 3 features

ISA Server 2004 SP3 includes the following new features and improved functionality:

  • Improvements to the ISA Server Management console with the addition of a new Troubleshooting node
  • Enhanced log viewing functionality
  • Additional log filtering functionality
  • Diagnostic logging, including over 200 new diagnostic logging events
  • Integration with the Microsoft ISA Server Best Practices Analyzer Tool
  • Support for publishing Microsoft Exchange Server 2007 with ISA Server 2004

The following sections provide an overview and configuration steps for these features.

Troubleshooting page

The Troubleshooting page provides a central location to find diagnostic and troubleshooting tools and information.

To open the Troubleshooting page:

  • In the console tree of ISA Server Management, click the Troubleshooting node.

The links on the Troubleshooting page provide quick access to these features and sources of information:

  • Use the ISA Server Best Practices Analyzer   If the ISA Server Best Practices Analyzer is already installed on the ISA Server computer, clicking this link opens the ISA Server Best Practices Analyzer. If the ISA Server Best Practices Analyzer is not yet installed, clicking this link opens the ISA Server Best Practices Analyzer properties page, providing a direct link to the ISA Server Best Practices Analyzer download site.

  • View ISA Server Alerts   Clicking this link takes you to the Alerts tab in the Monitoring node, where you can see the latest alerts triggered by ISA Server.

  • View ISA Server Logging   Clicking this link takes you to the Logging tab in the Monitoring node, where you can view the latest log entries and create log filter definitions to run new log queries.

  • Configure Diagnostic Logging   Clicking this link opens the Diagnostic logging properties, where you can specify which types of events are logged. Diagnostic logging events provide information about how ISA Server performs rule evaluation, Web proxy access, and authentication processes. These events are useful for troubleshooting, and are shown in Event Viewer. More than 200 new diagnostic logging events were created for ISA Server 2004 SP3.

  • Read ISA Server Documents and Troubleshooting Guides   Clicking this link navigates to the Troubleshooting page on the ISA Server TechNet Web site.

    Note

    The links on the Help tab provide access to troubleshooting topics in product Help.

Enhanced log viewing functionality

ISA Server 2004 SP3 provides additional log viewing functionality, making it easier for you to view and interpret the log query results.

These enhancements include a description pane for improved viewing of the log data, and the ability to apply color text to differentiate log entries according to Action type.

Log viewer description pane

ISA Server 2004 introduced the Logging tab, with two panes in the log viewer: the log filter definition pane, displaying the current log filter definition, and the results pane displaying the current log query results. ISA Server 2004 SP3 introduces an additional pane, the description pane, providing additional information about each log entry. The formatting of the data fields in the description pane also makes it easier to view and interpret the log data for the selected entry.

To view the description for a log entry:

  • In the results pane, select the row for the log entry. The details for that entry are shown in the description pane.

When copying a log entry from a row in the results pane to a text editor, the formatting of the data makes it difficult to read and print the information. When copying from the description pane, the formatting of the data is maintained, making it easier to read and improving the way the information appears when printed.

To copy and paste a log entry description:

  • In the description pane, highlight the text to select it, and then press CTRL+C to copy. Press CTRL+V to paste the text into Notepad or any other text editor.

The Arrow buttons in the log viewer let you close and open the log filter definition and the description panes. The number of lines shown in the results pane is either increased or reduced, depending on the states (opened or closed) of the other two panes.

To open or close the log filter definition pane:

  • Click the Arrow button at the bottom of the log filter definition pane.

To open or close the description pane:

  • Click the Arrow button at the top of the description pane.

Log text coloring

In the released version of ISA Server 2004, all rows in the log viewer results pane were presented identically, making it difficult to distinguish between the various types of log entries (for example, denied versus allowed). In high load systems, this issue was exacerbated, making it difficult to analyze the log entries. The log text coloring tool color-codes the results shown in the log viewer based on Action type, making it easier to identify log entries that may indicate problems in the network.

A default color scheme is applied automatically, or you can define your own log text color scheme.

Defining your log text color scheme

To define log text colors

  1. In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab.

  2. On the Tasks tab, click Define Log Text Colors.

  3. In the Define Log Text Colors dialog box, click the Color button for the Action type you would like to change.

  4. In the Color dialog box, select a color, and then click Save.

  5. Click OK to apply the changes and close the Define Log Text Colors dialog box.

Exporting and importing a color scheme

After you define the text colors, you can save the color scheme by exporting it to an .xml file.

To export a color scheme

  1. In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab.

  2. On the Tasks tab, click Define Log Text Colors.

  3. In the Define Log Text Colors dialog box, click the Export Color Scheme button.

  4. In the Export Color Definitions dialog box, select the folder and file name, and then click Save.

To import a color scheme

  1. In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab.

  2. On the Tasks tab, click Define Log Text Colors.

  3. In the Define Log Text Colors dialog box, click the Import Color Scheme button.

  4. In the Import Color Definitions dialog box, select the folder and file name, and then click Load.

Additional log filter functionality

ISA Server 2004 SP3 provides additional log filtering operators. In addition, the options to save and reuse log filter definitions have been enhanced.

New log filtering operators

Each line in the log filter definition is comprised of three operators: Filter by, Condition, and Value. Service Pack 3 provides two new condition operators: Not One Of and One Of. Depending on the selected Filter by operator, these conditions let you narrow the scope of your query results according to multiple IP addresses, protocols, strings, or networks.

Not One Of condition operator

When a Not One Of condition is selected, and a query is run, only log entries that do not match any of the values specified in the Values field will appear in the log viewer.

For example, if you want to query the logs for protocol usage, but do not want results for specific protocols returned in the query, you can exclude them by using the Not One Of condition. To run the query, set the Filter by field to Protocol and the Condition field to Not One Of. Then in the Value field, select the protocols to exclude from the log query. Log entries for any of the selected protocols will not be shown in the query results.

One Of condition operator

When a One Of condition is selected, and a query is run, only log entries matching at least one of the values specified in the Values field will appear in the log viewer.

For example, if you want to query the log files to find all the log entries for traffic to specific destination IP addresses, set your Filter by field to Destination IP and the Condition field to One Of. Then in the Value field, type the list of destination IP addresses. Only log entries matching at least one of the IP addresses will be shown in the query results.

Note

  • Not One Of and One Of conditions are available only when the Filter by operator supports their usage.
  • Multiple values are entered as text separated by a semicolon (;). For some conditions, values are selected from a list of known values.
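
The One Of and Not One Of semantics described above, reproduced as an added example for filtering log rows offline; it is not Microsoft's code and not part of the original document. The field names, the sample entries, case-insensitive string matching, and the AND combination of filter lines are assumptions.

```python
import ipaddress

# Constructed sample entries. Field names mirror the log viewer's "Filter by"
# labels and are assumptions, not the ISA Server log file schema.
SAMPLE_LOG = [
    {"Destination IP": "192.0.2.10", "Protocol": "HTTP", "Action": "Allowed"},
    {"Destination IP": "198.51.100.7", "Protocol": "HTTPS", "Action": "Denied"},
    {"Destination IP": "203.0.113.5", "Protocol": "DNS", "Action": "Allowed"},
    {"Destination IP": "192.0.2.10", "Protocol": "SMTP", "Action": "Denied"},
    {"Destination IP": "203.0.113.9", "Protocol": "HTTP", "Action": "Denied"},
]


def parse_values(text):
    """Split a Value field on ';', dropping blanks and surrounding spaces."""
    return [v.strip() for v in text.split(";") if v.strip()]


def normalize(filter_by, value):
    """Canonical form for comparison; IP fields are validated, not guessed."""
    if filter_by.endswith("IP"):
        # Raises ValueError on a mistyped address instead of matching nothing.
        return str(ipaddress.ip_address(value.strip()))
    return value.strip().casefold()  # assumption: case-insensitive strings


def matches(entry, filter_by, condition, value_text):
    """Evaluate one filter line (Filter by, Condition, Value) on an entry."""
    wanted = {normalize(filter_by, v) for v in parse_values(value_text)}
    if not wanted:
        raise ValueError("Value field contains no values")
    actual = normalize(filter_by, entry[filter_by])
    if condition == "One Of":
        return actual in wanted
    if condition == "Not One Of":
        return actual not in wanted
    raise ValueError(f"unsupported condition: {condition!r}")


def run_query(log, filter_lines):
    """Return entries satisfying every filter line (assumption: ANDed)."""
    return [e for e in log if all(matches(e, *line) for line in filter_lines)]


if __name__ == "__main__":
    # Denied traffic to two destinations, ignoring Web protocols.
    query = [
        ("Destination IP", "One Of", "192.0.2.10; 198.51.100.7"),
        ("Protocol", "Not One Of", "HTTP;HTTPS"),
        ("Action", "One Of", "Denied"),
    ]
    for row in run_query(SAMPLE_LOG, query):
        print(row)
```
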

Saving and loading a log filter definition

In the released version of ISA Server 2004, log filter definitions could be exported and imported from the Tasks tab. ISA Server 2004 SP3 introduces Save and Load options for log filter definitions, available from the Tasks tab and from within the Edit Filter dialog box, making it easier to create multiple log filter definitions that can be used and reused as needed. In addition, in ISA Server 2004 SP3, if you customize the results pane view, such as adding or removing columns, the custom settings are saved with the log filter definition.

To save a log filter definition

  1. In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab.

  2. On the Tasks tab, click Edit Filter and continue with this procedure. (Alternately, on the Tasks tab, click Save Filter Definition.)

  3. In the Edit Filter Definition dialog box, create the filter definition, and then click the Save Filter button.

  4. In the Export Filter Definitions dialog box, specify the folder and file name, and then click Save.

To load a log filter definition

  1. In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab.

  2. On the Tasks tab, click Edit Filter and continue with this procedure. (Alternately, on the Tasks tab, click Load Filter Definition.)

  3. In the Edit Filter Definition dialog box, create the filter definition, and then click the Load Filter button.

  4. In the Import Filter Definitions dialog box, select the folder and file name, and then click Load.

Diagnostic logging

Diagnostic logging provides over 200 new events about the status of your ISA Server computer, as well as configuration and policy issues. The information in the diagnostic logging events provides details about the processes ISA Server uses to evaluate rules and Web requests based on the firewall policy and ISA Server configuration, explaining why rules are matched or not matched to a specific packet.

The diagnostic logging options in the Diagnostic Logging properties page let you select the types of events that will be logged. You can enable diagnostic logging for the following types of events:

  • Firewall policy access   Provides diagnostic events about firewall policy rule evaluation. These events describe specific reasons why a rule was or was not matched to a packet. These events include Web proxy access, describing how incoming and outgoing Web requests are handled by ISA Server.
  • Authentication issues   Provides information about the ISA Server authentication process.

Diagnostic logging events are written to the Microsoft Windows® event log in the ISA Server Diagnostics folder.

Configuring diagnostic logging

To configure diagnostic logging

  1. In ISA Server Management, in the Troubleshooting node, click Configure Diagnostic Logging.

  2. On the Diagnostic Logging page, select the types of events you would like logged.

  3. Click the Start Logging button. After you click the Start Logging button, the button label changes to Stop Logging.

To stop diagnostic logging

  1. In ISA Server Management, in the Troubleshooting node, click Configure Diagnostic Logging.

  2. On the Diagnostic Logging page, click Stop Logging. After you click the Stop Logging button, the button label changes to Start Logging.

Viewing diagnostic logging events

Diagnostic logging events can be viewed in Windows Event Viewer. Diagnostic logging events can also be viewed in ISA Diagnostic Logging Viewer, if it is installed on the computer. ISA Diagnostic Logging Viewer lets you sort and filter diagnostic logging events according to specific parameters, such as source or destination IP address. For information about downloading ISA Diagnostics Logging Viewer, visit the Microsoft Download Center.

To view diagnostic logging events

  1. In ISA Server Management, in the Troubleshooting node, click Configure Diagnostic Logging.

  2. On the Diagnostic Logging page, click View Log Data.

Integration with ISA Server Best Practices Analyzer

The ISA Server Best Practices Analyzer Tool is a diagnostic tool that automatically performs specific tests on configuration data collected on the local ISA Server 2004 Standard Edition or Enterprise Edition computer from the ISA Server hierarchy of administration COM objects, Windows Management Instrumentation (WMI) classes, system registry, files on disk, and other sources.

The resulting report details critical configuration issues, potential problems, and information about the local computer. By following the recommendations of the tool, administrators can achieve greater performance, scalability, reliability, and uptime.

For every issue, the ISA Server Best Practices Analyzer provides the following kinds of information:

  • Description of the test used to discover the issue
  • Recommended best practices related to the issue
  • Step-by-step procedures for fixing the issue
  • Links to more detailed information about the issue and related topics

You can use the ISA Server Best Practices Analyzer both to troubleshoot current problems and to proactively verify that the configuration of your ISA Server computer is set according to the recommended best practices.

The ISA Server Best Practices Analyzer does not change anything in your configuration, and it does not automatically send information about your configuration and settings to anyone. However, you can send the output files that contain the results of a scan to support engineers for further analysis.

Note that the ISA Server Best Practices Analyzer for ISA Server 2004 is available in English only. For information about downloading the ISA Server Best Practices Analyzer, visit the Microsoft Download Center.

Support for publishing Exchange Server 2007

ISA Server 2004 SP3 adds support for publishing Exchange Server 2007 with ISA Server 2004.

When publishing Exchange Server 2007 with ISA Server 2004, note the following:

  • When publishing using Exchange Server 2007, we recommend you configure attachment blocking on the Exchange server, instead of enabling attachment blocking in the ISA Server 2004 Web listener. For more information about configuring attachment blocking on Exchange Server 2007, see Exchange Server 2007 product Help.
  • If your ISA Server firewall policy already includes a Web publishing rule for Exchange Server, you cannot modify the existing rule to publish Exchange Server 2007. You must delete the existing rule and run the Web Publishing Wizard to create a new rule.
  • For authentication to succeed, the Exchange Client Access server must be configured for Basic authentication. For details about configuring the Exchange Client Access server, see Exchange Server 2007 product Help. Note that with Basic authentication selected, the following Exchange 2007 features will not function as expected:
    • Outlook Web Access 2007 Web Part. Outlook Web Access 2007 Web Part requires Integrated Windows authentication configured on the /owa/* directory.
    • Proxying between Exchange Client Access servers in different Active Directory sites. This requires the configuration of Integrated Windows authentication on the Exchange Client Access servers. For more information about proxying Exchange Client Access servers, see the Exchange Server 2007 product documentation.
  • For details about publishing Microsoft Office Outlook® Web Access with ISA Server 2004, see "How to publish a Microsoft Exchange server for Outlook Web Access in ISA Server 2006 or ISA Server 2004" at Microsoft Help and Support.