ISA Server 2004 Monitoring Features

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Published: June 16, 2004

On This Page

Overview
Monitoring Scenarios
Appendix A: Logging Fields

Overview

Microsoft® Internet Security and Acceleration (ISA) Server 2004 provides a range of monitoring tools to help you track network status and ISA Server traffic, making it easier to ensure that your network is running as expected, and to begin troubleshooting where necessary. The key monitoring features include:

  • Dashboard. The ISA Server Dashboard summarizes monitoring information about sessions, alerts, services, reports, connectivity, and general system health. The Dashboard provides you with a quick view on how your network is functioning.

  • Alerts. ISA Server alerts notify you when specified events occur. You can configure alert definitions to trigger a series of actions when an event occurs. The ISA Server alert service acts as a dispatcher and as an event filter. It is responsible for catching events, checking whether certain conditions are met, and taking corresponding actions.

  • Sessions. You can view all active connections. From the Sessions view, you can sort sessions and disconnect individual sessions or groups of sessions. You can also use the built-in sessions filter to restrict the entries shown to the sessions of interest.

  • Services. You can use the Services view in monitoring to check the status of ISA Server services, and to stop and start the Microsoft Firewall service, Microsoft ISA Server Job Scheduler service, and the Microsoft Data Engine service.

  • Reports. You can use the reporting features to summarize and analyze usage patterns, and to monitor the security of your network.

  • Connectivity. You can use connectivity verifiers to check connections to a specific computer name, IP address, or Uniform Resource Locator (URL). Use the following methods to determine connectivity: Ping, Transmission Control Protocol (TCP) connect to a port, or Hypertext Transfer Protocol (HTTP) GET.

  • Logging. You can view firewall and Web Proxy logs in real time. You can query the log files using the built-in log query facility. Microsoft Data Engine (MSDE) logs can be queried for information contained in any field recorded in the logs.

These monitoring features can be accessed from the Monitoring node in ISA Server Management, as shown in the following figure.

isamnt01.gif

The Dashboard

The Dashboard view is available in the Monitoring node of ISA Server Management. The default Dashboard view displays the following information:

  • Connectivity. Checks connectivity from ISA Server to other computers (or URLs) defined by the system administrator.

  • Alerts. Lists the events that have occurred on the ISA Server computer.

  • Services. Lists the ISA Server services that are currently running.

  • Sessions. Lists active client sessions.

  • Reports. Lists the latest reports run on the system.

  • System Performance. Displays performance information about the ISA Server computer.

The Dashboard view is shown in the following figure.

isamnt02.gif

For more information about other monitoring features, see ISA Server online Help.

Monitoring Scenarios

In ISA Server 2000, a network sniffer or Network Monitor (netmon) was used to troubleshoot common network issues that can now be diagnosed with the built-in monitoring tools. The following section gives a few examples of how the ISA Server monitoring features can be used to diagnose issues. The examples use the simple network configuration shown in the following figure.

isamnt03.gif

Using Connectivity Verifiers

You can set up connectivity verifiers to monitor important network servers.

Creating a DNS Verifier

Create a DNS verifier to monitor the status of the local DNS server using the following steps.

  1. In the Monitoring node of ISA Server Management, click the Connectivity tab.

  2. In the tasks pane, click Create New Connectivity Verifier.

  3. In the New Connectivity Verifier Wizard, specify a name for the verifier, and then click Next.

    isamnt04.gif

  4. On the Connectivity Verification Details page, configure the verifier. Specify a server name, IP address, or URL, and specify a category for the verifier. Select a verification method. Click Next, and then click Finish to complete the wizard.

    isamnt05.gif

    After the DNS verifier has been created, you can monitor the server using the Connectivity tab of the Dashboard.

    isamnt06.gif

    Note

    When choosing a verification method, establishing a TCP connection to port 53 is preferable to sending a ping request, because it guarantees that you are connecting to the DNS service itself rather than relying on the local cache, the Hosts file, lmhosts, or WINS for name resolution.

Creating an Active Directory Verifier

The same method for creating a DNS verifier can be used to create a verifier to ensure that Active Directory is responding. In this case, you select LDAP.

isamnt07.gif

Logging

You can view past logs, monitor in real time, and filter logs based on expressions, which makes the logging feature useful as a real-time troubleshooting tool. You can filter logs in real time, or select a period of time recorded by the current log files. You can run a query by selecting a number of filter expressions, and save the filter for future use. For example, to monitor a specific user's Web browsing activity, use the following steps.

  1. In the Monitoring node of ISA Server Management, click the Logging tab.

    isamnt08.gif

  2. In the details pane, click Edit Filter. In Filter by, select Client Username; in Condition, select Equals; and in Value, enter the user name you want to monitor. Then click Add To List.

    isamnt09.gif

  3. Click Start Query.

    isamnt10.gif

    The query then runs, and you can monitor the user's traffic in real time. Note that to monitor a user by name, your access rules must require the user to authenticate.

    isamnt11.gif

You can copy the results of a query to the Clipboard and then paste them into an application such as an Excel spreadsheet. For more information about the log viewer, see ISA Server online Help.

Troubleshooting Scenarios

This section explains how to troubleshoot when a website is not available and when SMTP e-mail messages are not flowing through ISA Server.

Scenario 1: Website Not Available

In this scenario, an external Web server is not available to network users. The monitoring features can help you identify the problem. Use the following steps.

  1. In the Monitoring node of ISA Server Management, click the Connectivity tab.

  2. In the tasks pane, click Create New Connectivity Verifier.

  3. In the New Connectivity Verifier Wizard, specify a name for the verifier, and then click Next.

  4. Specify the name of the website that is not available, and select Send an HTTP "GET" request.

    isamnt12.gif

  5. Monitor the Connectivity tab as ISA Server checks the URL.

    isamnt13_big.gif

    In this case, a DNS resolution failure has caused the issue.

    isamnt14_big.gif

  6. On the Alerts tab, a more detailed error message may be displayed.

    isamnt15.gif

Specifying the IP Address

Alternatively, if you know the IP address of the website that cannot be reached, you can specify that in the wizard.

isamnt16.gif

When the HTTP GET fails, the following message is displayed in the Alerts tab.

isamnt17.gif

This indicates that there is no answer to the ISA Server HTTP GET requests from the website.

When you run a log query for that period of time, you see the following.

isamnt18_big.gif

This indicates that you were able to establish an HTTP connection: ISA Server is not blocking the request, and there is connectivity to the computer. Because there was no answer to the GET request, the computer is responding but the website itself may be unavailable.
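The verification methods used in this scenario and in the DNS note above, TCP connect to a port and HTTP GET, can be reproduced with a few lines of socket code. The following is an added example and is not part of the original article or of ISA Server itself: the outcome names, the `resolve` parameter (which lets a failing resolver be injected) and the local stand-in listeners are constructions of this example. It returns a distinct outcome for each condition the scenario describes: a name that does not resolve, a port that refuses the connection, and a host that completes the TCP handshake but never answers the GET.

```python
"""Connectivity-verifier probes modelled on the ISA Server 2004 Connectivity tab.

Added example, not ISA Server code: it implements two of the page's verification
methods, TCP connect to a port and HTTP GET, and returns an outcome that keeps
apart the cases Scenario 1 distinguishes (name does not resolve, host refuses,
host accepts the connection but never answers)."""
import socket
import threading

# Outcome codes used by this example (not ISA Server's own alert text).
OK = "ok"
DNS_FAILURE = "dns_failure"   # name could not be resolved
REFUSED = "refused"           # nothing listening: the TCP connect was rejected
NO_RESPONSE = "no_response"   # no handshake, or connected but no reply in time
HTTP_ERROR = "http_error"     # a reply arrived but its status is >= 400 or malformed

def tcp_connect(host, port, timeout=1.0, resolve=socket.gethostbyname):
    """TCP-connect verifier (the method the DNS note above prefers over ping)."""
    try:
        ip = resolve(host)
    except socket.gaierror as exc:
        return DNS_FAILURE, f"{host}: {exc}"
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return OK, f"TCP connection to {ip}:{port} established"
    except ConnectionRefusedError:
        return REFUSED, f"{ip}:{port} refused the connection"
    except socket.timeout:
        return NO_RESPONSE, f"no TCP handshake from {ip}:{port} within {timeout}s"

def http_get(host, port=80, path="/", timeout=1.0, resolve=socket.gethostbyname):
    """HTTP GET verifier: resolve, connect, send a minimal GET, read the status line."""
    try:
        ip = resolve(host)
    except socket.gaierror as exc:
        return DNS_FAILURE, f"{host}: {exc}"
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    connected = False
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            connected = True
            sock.sendall(request)
            first = sock.recv(1024)
    except ConnectionRefusedError:
        return REFUSED, f"{ip}:{port} refused the connection"
    except socket.timeout:
        if connected:  # Scenario 1's "no answer to the GET request"
            return NO_RESPONSE, f"connected to {ip}:{port} but no HTTP reply in {timeout}s"
        return NO_RESPONSE, f"no TCP handshake from {ip}:{port} within {timeout}s"
    if not first:
        return NO_RESPONSE, "connection closed before any HTTP response"
    parts = first.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
    if len(parts) < 2 or not parts[1].isdigit():
        return HTTP_ERROR, "malformed HTTP status line"
    return (OK if int(parts[1]) < 400 else HTTP_ERROR), f"HTTP {parts[1]}"

# Constructed local stand-ins so the probes can be exercised offline.
def start_listener(reply=None):
    """Stand-in server: sends `reply` to each client and closes, or, when reply is
    None, keeps the connection open without ever answering (a hung web server)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []  # accepted sockets kept open so the peer never sees a close
    def serve():
        while True:
            conn = srv.accept()[0]
            if reply is None:
                held.append(conn)
            else:
                conn.recv(1024)  # consume the request, then answer
                conn.sendall(reply)
                conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():
    """A local port with nothing listening (stand-in for a refused connection)."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]

def failing_resolver(name):
    """Resolver that cannot answer (stand-in for Scenario 1's DNS failure)."""
    raise socket.gaierror(f"constructed resolution failure for {name}")

def run_demo():
    """Runs each probe against a stand-in and returns {case: outcome}."""
    healthy = b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok"
    broken = b"HTTP/1.0 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n"
    return {
        "website_ok": http_get("127.0.0.1", start_listener(healthy))[0],
        "website_error": http_get("127.0.0.1", start_listener(broken))[0],
        "website_hangs": http_get("127.0.0.1", start_listener())[0],
        "port_refused": tcp_connect("127.0.0.1", closed_port())[0],
        "dns_failure": tcp_connect("dns.example", 53, resolve=failing_resolver)[0],
    }
```

Calling `run_demo()` starts throw-away listeners on 127.0.0.1 and probes them; the `website_hangs` case waits out the one-second timeout, which is the situation the log query in this scenario shows (connection established, no answer to the GET). Against a real server, `tcp_connect("dns.internal.example", 53)` is the TCP-to-port-53 check the note recommends, and a `dns_failure` outcome from any probe points at name resolution rather than at the target.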

Scenario 2: SMTP E-Mail Messages Are Not Flowing Through ISA Server

Another common scenario is when SMTP e-mail messages are not flowing to an Exchange or SMTP server. In this case, you specify a TCP connection to SMTP port 25 for the connectivity verifier.

isamnt19.gif

You can use a verifier to check communications with the Internal server or External server. You can also check whether there is connectivity from the ISA Server computer.

If neither side indicates connectivity errors, check the Logging tab.

isamnt20.gif

To create an SMTP logging filter, use the following steps.

  1. In the Monitoring node of ISA Server Management, select the Logging tab.

  2. In the details pane, click Edit Filter.

    isamnt21.gif

  3. To log all SMTP traffic, do one of the following:

    • In Filter by, select Destination Port, and in Condition, select Equals. Then in Value, specify 25.

    • Alternatively, in Filter by, select Protocol, and in Condition, select Equals. Then in Value, select SMTP.

  4. Click Add To List, and then click Start Query.

Try to send SMTP mail, and monitor the Logging tab. In this example, the query shows that ISA Server is letting traffic through.

isamnt22_big.gif

If ISA Server is blocking SMTP traffic, the log shows which rule blocked it, as follows.

isamnt23_big.gif

If there is no rule allowing SMTP traffic, you may see the following.

isamnt24_big.gif

This shows that ISA Server has denied the traffic. In this case, there is no rule defined. The result code field and error code may provide more details about the reason for the failure.

Appendix A: Logging Fields

The following list describes the fields available in logging.

  • Log Time. The time (in the local time format of the server) of the event.

  • Destination Host IP. The network IP address of the remote computer that provides service to the current connection.

  • Destination Port. The reserved port number on the remote computer that provides service to the current connection. This is the port used by the client application initiating the request.

  • Protocol. The application protocol used for the connection. Common values are HTTP, File Transfer Protocol (FTP), Gopher, and Secure Hypertext Transfer Protocol (HTTPS).

  • Action. The action taken for the packet. Action status can include Denied Connection, Closed Connection, or Established Connection.

  • Rule. The name of the rule that was applied. If no rule matches, the Default Deny Rule is indicated as the rule. If traffic is dropped before reaching the rules engine, no rule is specified in the log.

  • Client IP. The IP address of the requesting client.

  • Client Username. The account of the user making the request. If ISA Server access control is not being used, ISA Server uses anonymous access. This field also indicates whether the user name is authenticated.

  • Source Network. The source network as defined in the Configuration node on the Networks tab.

  • Destination Network. The destination network as defined in the Configuration node on the Networks tab.

  • HTTP Method. The application method used. For Web Proxy, common values are GET, PUT, POST, and HEAD.

  • URL. The Uniform Resource Locator, which is the address of a file or resource on the Internet.

  • Original Client IP. The IP address that distinguishes reverse secondary connections.

  • Client Agent. The client application type sent by the client in the HTTP header.

  • Authenticated Client. Indicates whether the client has been authenticated with ISA Server (Web log only).

  • Service. The name of the service that is logged.

  • Server Name. The name of the server that created the log.

  • Referring Server. If ISA Server is used upstream in a chained configuration, this indicates the server name of the downstream server that sent the request.

  • Destination Host Name. The domain name of the remote computer that provides service to the current connection.

  • Transport. The transport protocol used for the connection. Common values are TCP and User Datagram Protocol (UDP).

  • MIME Type. The Multipurpose Internet Mail Extensions (MIME) type of the current object. This field may also contain a hyphen (-) to indicate that the field is not used, or that a valid MIME type was not defined or supported by the remote computer.

  • Object Source. The source that was used to retrieve the current object. This field applies only to the Web Proxy service log.

  • Source Proxy. If an upstream proxy is used, this indicates the proxy server that sent the request.

  • Destination Proxy. If a downstream proxy server is used, this indicates the proxy server to which the packet was forwarded. If no downstream proxy server is used, it records the IP address of the next hop router, along with the source IP port on the ISA Server side.

  • Bidirectional. Indicates whether the protocol is sending data only, or sending data and expecting data back. UDP broadcasts show NO, but UDP requests (such as DNS queries) show YES, because a return port must be opened dynamically.

  • Client Host Name. The name of the client computer.

  • Filter Information. The HTTP filter information.

  • Network Interface. The primary IP address of the interface that received the traffic.

  • Raw IP Header. The raw IP header of the packet.

  • Raw Payload. The raw data of the packet.

  • Source Port. The source port number of the connection, as reported by the Firewall service. A port of 0 is reported for Web requests.

  • Processing Time. The total time, in milliseconds, that ISA Server needs to process the current connection.

  • Bytes Sent. The number of bytes sent from the internal client to the external server during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer, or that no bytes were sent to the remote computer.

  • Bytes Received. The number of bytes sent from the external computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer, or that no bytes were received from the external computer.

  • Result Code. The meaning of this field depends on its value:

    • For values less than 100, a Windows (Win32) error code.

    • For values between 100 and 1,000, an HTTP status code.

    • For values between 10,000 and 11,004, a Winsock error code.

  • Cache Info. This number reflects the cache status of the object, which indicates why the object was or was not cached. This field applies only to the Web Proxy service log.

  • Error Info. A Web proxy error number. The possible values are:

    #define ERROR_INFO_IO_RECV_FROM_CLIENT 0x00000001
    #define ERROR_INFO_IO_SEND_TO_CLIENT 0x00000002
    #define ERROR_INFO_IO_SEND_TO_SERVER 0x00000004
    #define ERROR_INFO_IO_RECV_FROM_SERVER 0x00000008
    #define ERROR_INFO_DEST_IS_MEMBER 0x00000010
    #define ERROR_INFO_CLIENT_IS_MEMBER 0x00000020
    #define ERROR_INFO_DURING_CONNECT 0x00000040

  • Log Record Type. The service that logged the record, for example Firewall or Web Proxy Filter.
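The filter expressions from the Logging section (Client Username Equals a user name, Destination Port Equals 25 or Protocol Equals SMTP), together with the Rule, Action, Result Code and Error Info fields listed above, can be applied to log records programmatically. The following is an added example, not ISA Server code and not a reader of its MSDE or file log store: the records are constructed using the field names from this appendix, the `Not Equal` and `Contains` conditions and the AND-combination of listed expressions are assumptions of the example, and the Result Code range bounds are read as inclusive.

```python
"""Filter ISA Server-style log records the way the Logging tab's filter list
does, then decode the Result Code and Error Info fields from Appendix A.

Added example, not ISA Server code: the records are constructed and use the
Appendix A field names; the log store itself (MSDE or text files) is not read.
Conditions other than Equals, and combining the listed expressions with AND,
are assumptions of this example."""

FIELDS = ("Log Time", "Client IP", "Client Username", "Destination Host IP",
          "Destination Port", "Protocol", "Action", "Rule", "Result Code",
          "Error Info")

# Constructed sample log; times, users and addresses are illustrative only.
SAMPLE_LOG = [dict(zip(FIELDS, row)) for row in [
    ("10:01:05", "10.0.0.15", "CONTOSO\\alice", "192.0.2.80", 80, "HTTP",
     "Established Connection", "Allow Web Access", 200, 0x00),
    ("10:01:09", "10.0.0.15", "CONTOSO\\alice", "192.0.2.81", 80, "HTTP",
     "Closed Connection", "Allow Web Access", 10060, 0x08),
    ("10:02:00", "10.0.0.25", "CONTOSO\\bob", "192.0.2.25", 25, "SMTP",
     "Closed Connection", "Allow Outbound SMTP", 10061, 0x00),
    ("10:02:30", "10.0.0.30", "anonymous", "192.0.2.25", 25, "SMTP",
     "Denied Connection", "Block SMTP Relay", 0, 0x00),
    ("10:03:00", "10.0.0.31", "anonymous", "198.51.100.25", 25, "SMTP",
     "Denied Connection", "Default Deny Rule", 0, 0x00),
]]

# Filter conditions: Equals is the one the page uses; the others are assumed.
CONDITIONS = {
    "Equals": lambda actual, value: actual == value,
    "Not Equal": lambda actual, value: actual != value,
    "Contains": lambda actual, value: str(value).lower() in str(actual).lower(),
}


def matches(record, expressions):
    """True when every (field, condition, value) expression holds (AND)."""
    return all(CONDITIONS[cond](record.get(field), value)
               for field, cond, value in expressions)


def query(records, expressions):
    """Add To List + Start Query: keep the records matching all expressions."""
    return [r for r in records if matches(r, expressions)]


def decode_result_code(code):
    """Classify Result Code by the ranges in Appendix A (bounds read as inclusive)."""
    if code < 100:
        return "Win32 error"
    if 100 <= code <= 1000:
        return "HTTP status"
    if 10000 <= code <= 11004:
        return "Winsock error"
    return "unclassified"


# Error Info bit values, from the #define list in Appendix A.
ERROR_INFO_FLAGS = {
    0x01: "IO_RECV_FROM_CLIENT", 0x02: "IO_SEND_TO_CLIENT",
    0x04: "IO_SEND_TO_SERVER", 0x08: "IO_RECV_FROM_SERVER",
    0x10: "DEST_IS_MEMBER", 0x20: "CLIENT_IS_MEMBER", 0x40: "DURING_CONNECT",
}


def decode_error_info(value):
    """Expand the Error Info bitmask into the ERROR_INFO_* names that are set."""
    names = [name for bit, name in sorted(ERROR_INFO_FLAGS.items()) if value & bit]
    unknown = value & ~sum(ERROR_INFO_FLAGS)
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names


def explain(record):
    """One-line reading of a record in the terms of the SMTP scenario above."""
    code = record["Result Code"]
    detail = f"Result Code {code} ({decode_result_code(code)})"
    if record["Error Info"]:
        detail += ", Error Info " + "|".join(decode_error_info(record["Error Info"]))
    if record["Action"] != "Denied Connection":
        return f"allowed by rule '{record['Rule']}'; {detail}"
    if record["Rule"] == "Default Deny Rule":
        return f"denied: no rule allows this traffic; {detail}"
    return f"denied by rule '{record['Rule']}'; {detail}"


def smtp_report(records):
    """The Destination Port = 25 query from the SMTP scenario, one line per record."""
    smtp = query(records, [("Destination Port", "Equals", 25)])
    return [f"{r['Log Time']} {r['Client IP']}: {explain(r)}" for r in smtp]


if __name__ == "__main__":
    print("\n".join(smtp_report(SAMPLE_LOG)))
```

`smtp_report` reproduces the three outcomes the SMTP scenario walks through: traffic allowed by a rule (here with a Winsock Result Code showing the remote server, not ISA Server, ended the attempt), traffic denied by a named rule, and traffic denied because no rule matched, which the Rule field records as Default Deny Rule. The two SMTP filters the page offers, Destination Port Equals 25 and Protocol Equals SMTP, return the same rows on this sample.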