ISA Server Operations Guide

Microsoft® Internet Security and Acceleration (ISA) Server 2006 is the security gateway that helps protect your mission critical applications from Internet-based threats. ISA Server enables your business to do more, with secure access to Microsoft applications and data. Secure your Microsoft application infrastructure by protecting your corporate applications, services, and data across all network layers with stateful packet inspection, application-layer filtering, and comprehensive publishing tools. Streamline your network with simplified administrator and user experiences through a unified firewall and virtual private network (VPN) architecture. Safeguard your information technology environment to reduce security risks and costs, and help eliminate the effects that malicious software and attackers have on your business.

This document discusses some of the different ISA Server operations activities, and when these activities should be performed. This document assumes that ISA Server has already been installed, configured, and is properly running in your environment. This document does not cover installing, configuring, or troubleshooting ISA Server. It covers what an ISA Server administrator should check on a daily, weekly, monthly, and quarterly basis to assist in keeping ISA Server running as expected. The information in this document can also help the ISA Server administrator plan for future growth.

For more information about installing, configuring, and troubleshooting ISA Server 2006, see the Microsoft ISA Server TechCenter at the Microsoft TechNet Web site.

Operations

Your ISA Server operations activities occur at different frequencies:

  • Daily
  • Weekly
  • Monthly
  • Quarterly

Daily

On a daily basis, you should check the items in the following sections to make sure that your users are able to access the resources they require through ISA Server. The items should be checked at least on a daily basis, to ensure that ISA Server computers and the surrounding environment are functioning properly.

Note

There are many methods or techniques that can be used to achieve these tasks. This document describes several methods. If you have another method that works for you, continue to use it. If you have suggestions for additional methods, send an e-mail message to ISA Server Documentation Feedback.

Resource availability

Because ISA Server enables you to provide secure access to the Internet and secure access to internal resources, you should check that these resources are available on a daily basis. For example, if you are publishing an internal Web site so users can access the site remotely and the Web server is accidentally turned off, users will be unable to access this resource. When things do not work properly, it might not be an ISA Server issue. In addition to checking that internal resources are working, verify that the servers and services required by ISA Server to provide access to the necessary resources required by your users are also functioning.

Internet access

If you have configured ISA Server to protect users when they are surfing the Internet through ISA Server, you want to make sure the Internet is accessible by using one of the following methods:

  • Manually test Internet connectivity from an internal workstation:
    1. From your workstation, open Microsoft Internet Explorer® and browse to a public Web site, such as https://www.microsoft.com.
    2. If access to a site fails, try another site because the first site might be unavailable.
    3. If access to multiple sites fails, test Internet access to these sites from ISA Server.
      For more information about troubleshooting Internet access, see "Troubleshooting Web Access for Internal Clients" at the Microsoft TechNet Web site.
  • Configure ISA Server connectivity verifiers to test Internet connectivity. Manually testing Internet connectivity can be time-consuming. You can configure ISA Server to check connectivity to specific URLs, and if connectivity fails, ISA Server generates an ISA Server alert. To configure connectivity verifiers:
    1. Configure a connectivity verifier in the ISA Server Management console to check access to public Web sites. We recommend creating multiple connectivity verifiers to test connectivity to multiple sites because one site might be unavailable temporarily.
    2. On a daily basis, check the Dashboard in ISA Server Management to see the status of configured connectivity verifiers. If the status of all configured Internet connectivity verifiers is failed, you should check the connection to the Internet.
      For more information about troubleshooting Internet access, see "Troubleshooting Web Access for Internal Clients" at the Microsoft TechNet Web site.

The following is a list of benefits of using ISA Server connectivity verifiers:

  • In addition to automating checking Internet connectivity, an ISA Server alert is generated each time a connectivity verifier fails, providing you with the time of day and frequency that a connectivity verifier has failed.
  • ISA Server alerts can be configured to send an e-mail message, run a program, report to an event log, stop selected services, and start selected services after a specific number of failures. This can provide you with advanced warning that you are experiencing Internet connectivity issues. Instead of users informing you of an issue, you can inform users that a known issue is being handled.
  • When a server responds to the connectivity verifier but not within the specified time-out period, ISA Server will generate a Slow Connectivity alert. The default threshold for a new connectivity verifier is 5,000 milliseconds or 5 seconds. If the default is not long enough, you can either lengthen the time-out period or configure the connectivity verifier not to generate an alert when the server response is not within the specified time-out.

Note

For more information about configuring connectivity verifiers, see the ISA Server product Help.

Availability of published servers

If ISA Server is configured to publish internal servers so users can access internal resources remotely, make sure that these servers are available by using one of the following methods:

  • Manually test connectivity to each published server:
    1. For a published Web server, from your workstation, open Internet Explorer and browse to the internal site name configured when you published the Web site, such as https://www.corp.contoso.com.
    2. If you have published non-Web server protocols, use the associated client application to connect to the server. For example, if you published a Domain Name System (DNS) server, open the DNS Microsoft Management Console (MMC) snap-in and connect to the DNS server's IP address.
  • Configure ISA Server connectivity verifiers to test connectivity to internal resources. Manually testing connectivity to internal resources can be time-consuming. You can configure ISA Server to check connectivity to the specified internal URLs or servers, and if connectivity fails, ISA Server generates an ISA Server alert. To configure connectivity verifiers:
    1. Configure a connectivity verifier in ISA Server Management to check access to internal resources.
    2. On a daily basis, check the Dashboard in ISA Server Management to see the status of configured connectivity verifiers. If the status indicates connectivity problems, select the Alerts tab to see which connectivity verifier has failed.
  • If Microsoft Operations Manager (MOM) 2005 or Microsoft System Center Operations Manager 2007 is installed in your environment, configure MOM 2005 or System Center Operations Manager 2007 to monitor internal resources. MOM and System Center Operations Manager utilize management packs to enhance the intelligent operations management for a variety of server applications.
    For more information about MOM 2005, see the Microsoft Operations Manager Web site.
    For more information about System Center Operations Manager 2007, see the Microsoft System Center Operations Manager Web site.

If you are unable to manually connect to the published server or if the connectivity verifier fails, confirm that the published server is available and running properly.

For a list of benefits of using connectivity verifiers, see the list of benefits in Internet access earlier in this document.

Availability of authentication servers

One of the fundamental capabilities of ISA Server is the ability to apply a firewall policy to specific users. By default, ISA Server can authenticate users against local accounts on the ISA Server computer. ISA Server can also communicate with Active Directory® directory service servers (for Microsoft Windows® authentication), with RSA authentication managers (for RSA SecurID authentication), with Remote Authentication Dial-In User Service (RADIUS) servers, and with Lightweight Directory Access Protocol (LDAP) servers (for Web publishing only).

When the selected authentication method is not available, users are not granted access to the requested resource. For more information about the different authentication methods supported by ISA Server, see "Authentication in ISA Server 2006" at the Microsoft TechNet Web site.

On a daily basis, you should check that the authentication methods that ISA Server requires are available using one of the following methods:

  • Manually test connectivity to the authentication servers:
    • If Active Directory has been selected as the authentication method, in most cases you have already tested whether Active Directory is available and running when you log on to your computer.
    • For RSA SecurID and RADIUS authentication, see the vendor's product documentation about how to test that the authentication services are available.
    • For LDAP authentication, you can use the LDP.exe tool to test the connectivity to the LDAP server. LDP.exe, by default, is located in the following location: %PROGRAMFILES%\Support Tools.
  • Configure ISA Server connectivity verifiers to test connectivity to the required authentication servers. Manually testing connectivity to the authentication servers can be time-consuming. You can configure ISA Server to check connectivity to the specified authentication servers, and if connectivity fails, ISA Server generates an ISA Server alert. To configure connectivity verifiers:
    1. Configure a connectivity verifier in ISA Server Management to check connectivity to authentication servers.
    2. On a daily basis, check the Dashboard in ISA Server Management to see the status of configured connectivity verifiers. If the status indicates connectivity problems, select the Alerts tab to see which server has failed.
  • If MOM 2005 or System Center Operations Manager 2007 is installed in your environment, configure MOM 2005 or System Center Operations Manager 2007 to monitor Active Directory, RSA, and RADIUS servers. MOM and System Center Operations Manager utilize management packs to enhance the intelligent operations management for a variety of server applications.
    For more information about MOM 2005, see the Microsoft Operations Manager Web site.
    For more information about System Center Operations Manager 2007, see the Microsoft System Center Operations Manager Web site.

For a list of benefits of using connectivity verifiers, see the list of benefits in Internet access earlier in this document.

Cache

The following are the main benefits to enabling cache:

  • Faster Internet user access   Web requests are served from the cache instead of requiring a connection to a remote Internet server. In Web publishing scenarios, reverse caching speeds up access for Internet users requesting Web content from corporate Web servers published by ISA Server.
  • Reduced traffic on the Internet connection   Because frequently requested objects are served from the cache, bandwidth is saved on the Internet connection. In Web publishing scenarios, reverse caching reduces the load on the published Web server.

For more information about ISA Server cache, see "Caching and CARP in ISA Server 2006" at the Microsoft TechNet Web site.

Note

Caching is not enabled by default. If you want to take advantage of ISA Server caching, you must enable this feature.

When caching is enabled on your ISA Server computers, you should check on a daily basis that Web requests are being served by the cache directly instead of making a request to the Internet. To make sure Web requests are being delivered by cache content directly, check ISA Server logging:

  1. In ISA Server Management, select the Logging page on the Monitoring node.
  2. Edit the existing filter to show HTTP traffic only.
  3. Add the following columns to the log results pane: Object Source and Cache Information. The Object Source column indicates the source that was used to retrieve the current object, and the Cache Information column indicates the reason why an object was or was not cached.
  4. When a Web request is delivered by cache content, the Object Source for the request will be Cache. How caching is configured determines how many Web requests are delivered from cache instead of from the Internet.
    [Screen shot: ISA Server log viewer with the Object Source and Cache Information columns added]

Note

For information about how to modify the default filter conditions to display data that meets specific criteria in the log viewer, see the "Querying the Logs" section in "Monitoring, Logging, and Reporting Features in ISA Server 2006" at the Microsoft TechNet Web site.

As shown in the preceding screen shot, not every Web request is cached. HTTP defines several ways for a Web server to specify how long a document can be cached before it expires, or not to cache the page. To determine why an object was not delivered from cache, record the value in the Cache Information column and look up the value in the "Web Proxy: Cache Information Log Values" section in "ISA Server Logging Fields and Values" at the Microsoft TechNet Web site.

Services

You should check the status of services on your ISA Server computer to confirm that the required services show Started, especially the services that are configured to start automatically when the computer is started. Use one of the following methods:

  • Open the Services MMC snap-in to view the status of all services running on the ISA Server computer. From a command prompt, run services.msc to open the Services snap-in.
  • You can also check the status of, and start and stop, the following ISA Server services from the Services tab on the Monitoring node in ISA Server Management:
    • Microsoft Firewall
    • Microsoft ISA Server Job Scheduler
    • Routing and Remote Access
    • Network Load Balancing (ISA Server Enterprise Edition)
    • Microsoft Data Engine
  • If MOM 2005 or System Center Operations Manager 2007 is installed in your environment, configure MOM 2005 or System Center Operations Manager 2007 to monitor services running on the ISA Server computer.
    For more information about MOM 2005, see the Microsoft Operations Manager Web site.
    For more information about System Center Operations Manager 2007, see the Microsoft System Center Operations Manager Web site.

Event Viewer

On a daily basis, you should check the event logs for all of your ISA Server computers for any unusual Warning and Error events. ISA Server events are logged to the Application log in Event Viewer.

From a command prompt, run eventvwr.msc to open the Event Viewer MMC snap-in.

You can filter event logs to show only the event types you select. For example, create a filter that shows only Warning and Error event types.

For more information about Event Viewer, see Microsoft Windows Server® 2003 product Help.
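The following Windows PowerShell script is an added example, not part of this guide, that automates the Services and Event Viewer checks above for one ISA Server computer. It assumes that the service names shown on the Services tab match the Windows service display names (the Microsoft Data Engine name in particular may differ locally) and that ISA Server events go to the Application log, as the guide states.

```powershell
# Added example (not from the ISA Server Operations Guide): daily status check
# for one ISA Server computer, run in Windows PowerShell on that computer.
# Assumption: the display names below match the Windows service display names;
# edit $isaServices if a name differs on your server.

# Services the guide lists on the Services tab of the Monitoring node.
$isaServices = @(
    'Microsoft Firewall',
    'Microsoft ISA Server Job Scheduler',
    'Routing and Remote Access',
    'Network Load Balancing',   # ISA Server Enterprise Edition only
    'Microsoft Data Engine'     # MSDE logging instance; exact name is an assumption
)

function Test-IsaServices {
    param([string[]]$DisplayNames = $isaServices)
    $results = @()
    foreach ($name in $DisplayNames) {
        # Match on display name or short name. A service that is not installed
        # (for example NLB on Standard Edition) is reported as NotInstalled, so
        # a wrong name in $isaServices shows up here rather than being hidden.
        $svc = Get-Service | Where-Object {
            $_.DisplayName -like "*$name*" -or $_.Name -like "*$name*"
        } | Select-Object -First 1
        if ($svc -eq $null) { $status = 'NotInstalled' }
        else { $status = $svc.Status.ToString() }
        $results += New-Object PSObject -Property @{
            Service = $name
            Status  = $status
            Healthy = ($status -eq 'Running' -or $status -eq 'NotInstalled')
        }
    }
    return $results
}

function Get-StoppedAutoStartServices {
    # Any service set to start automatically that is not running. Win32_Service
    # exposes StartMode, which Get-Service does not.
    Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
        Select-Object Name, DisplayName, State
}

function Get-IsaEventSummary {
    param([int]$Hours = 24)
    # Warning and Error events from the Application log over the last $Hours,
    # grouped by source and type so the ISA Server sources stand out.
    $since = (Get-Date).AddHours(-$Hours)
    Get-EventLog -LogName Application -EntryType Error, Warning -After $since |
        Group-Object Source, EntryType |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Daily run: show the three checks; exit non-zero if a required ISA service is down.
$svcReport = Test-IsaServices
$svcReport | Format-Table Service, Status, Healthy -AutoSize
Get-StoppedAutoStartServices | Format-Table -AutoSize
Get-IsaEventSummary | Format-Table -AutoSize
if ($svcReport | Where-Object { -not $_.Healthy }) { exit 1 }
```

Scheduling the script and sending its exit code to your monitoring system gives the same early warning the guide describes for MOM or System Center Operations Manager.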


For additional information about specific events and error messages, see the Events and Message Center at the Microsoft TechNet Web site.

To view information about a specific event

  1. Select Internet Security and Acceleration Server for the Microsoft product field.

  2. Enter the event ID in the ID field or enter additional information, and click Go.


Daily backups

If you are running daily backups of your servers, confirm that the backup finished successfully. To determine the status of each backup job, refer to your vendor's product documentation.

For more information about backing up your ISA Server computer, see "How to Back Up and Restore an ISA Server Enterprise Configuration" at the Microsoft TechNet Web site.

Dashboard

On a daily basis, you should check the Dashboard tab on the Monitoring node. If a warning or error status icon appears, your attention is needed. For additional information, open the required tab on the Monitoring node.

Alerts

Confirm the status of ISA Server alerts from the Dashboard tab on the Monitoring node. An OK status icon indicates that there are no alerts that have not been acknowledged or reset. An error status icon indicates that there are alerts that need your attention. Go to the Alerts tab to view more information and to acknowledge or reset the alerts.


Weekly

On a weekly basis, check the items described in the following sections.

Disk space

Check the amount of free disk space on all drives on the ISA Server computers in your environment. If a computer runs out of disk space or logging fails, ISA Server goes into lockdown mode. If free disk space is low, you should back up files that are not needed and then delete these files.

When in lockdown mode, the following functionality applies:

  • The Firewall Packet Filter Engine (fweng) applies the firewall policy.
  • Outgoing traffic from the Local Host network to all networks is allowed. If an outgoing connection is established, that connection can be used to respond to incoming traffic. For example, a DNS query can receive a DNS response, on the same connection.
  • No incoming traffic is allowed, unless a system policy rule that specifically allows the traffic is enabled. The one exception is Dynamic Host Configuration Protocol (DHCP) traffic, which is always allowed. DHCP requests on User Datagram Protocol (UDP) port 67 are allowed from the Local Host network to all networks, and DHCP replies on UDP port 68 are allowed back in.
  • The following system policy rules are still applicable:
    • Allow Internet Control Message Protocol (ICMP) from trusted servers to the local host.
    • Allow remote management of the firewall using MMC (RPC through port 3847).
    • Allow remote management of the firewall using Remote Desktop Protocol (RDP).
  • VPN remote access clients cannot access ISA Server. Similarly, access is denied to remote site networks in site-to-site VPN scenarios.
  • Any changes to the network configuration while in lockdown mode are applied only after the Firewall service restarts and ISA Server exits lockdown mode. For example, if you physically move a network segment and reconfigure ISA Server to match the physical changes, the new topology is in effect only after ISA Server exits lockdown mode.
  • ISA Server does not trigger any alerts.

When the Firewall service restarts, ISA Server exits lockdown mode and continues functioning, as previously. Any changes made to the ISA Server configuration are applied after ISA Server exits lockdown mode.

To configure a low disk space alert, see "How To: Configure a Low Disk Space Alert by Using the Performance Logs and Alerts Feature in Windows Server 2003" at the Microsoft Support Web site.

If MOM 2005 or System Center Operations Manager 2007 is installed in your environment, you can configure low disk space alerts for the ISA Server computer.

For more information about MOM 2005, see the Microsoft Operations Manager Web site.

For more information about System Center Operations Manager 2007, see the Microsoft System Center Operations Manager Web site.

Reports

With ISA Server reporting, you can create a permanent record of common usage patterns, and summarize and analyze log information. Reports can be scheduled to be generated on a daily, weekly, or monthly basis, or on specific dates. Reports can be copied to another server, such as a Web server or file server, making the reports available to users who do not have access rights to ISA Server Management.

Schedule reports to run on a weekly basis and review these reports to analyze application and traffic patterns. Reporting provides you with historical information that is helpful when evaluating performance issues. For example, if users are stating that the Internet is slow, you can look at current and historical Traffic and Utilization reports, and see if a large increase in HTTP traffic has occurred. With the reports, you have the information and can explain the reason for the slow response.

Create and delete ISA Server rules

When rules are added to a firewall, they are sometimes added without prior planning, because users need something immediately so that a new project can start. If the rules are not created quickly, project delays may occur. A new rule is typically added as the first rule, so that you can verify that the rule works and that no other rule will block the new rule. If the new rule allows access and is the first rule, it takes precedence over a current rule that may not allow access. As a result, users who should not have access will now be allowed access.

To properly manage a firewall, follow a schedule for making changes to the firewall. Advise your users that required changes to ISA Server will be made on a specific day of the week and emphasize the importance of this policy. There will be exceptions to this rule, but the exceptions should be infrequent. Gather from your users the information that you need to create the ISA Server rule. Consider creating a form that is required to be filled out for any new firewall rule requests. This provides you with a written record of the request.

Several days before you are scheduled to make the changes, review the change requests. Confirm that you have the required information, review the existing firewall policy, determine where the new rule will be located, and evaluate if an existing rule needs to be modified.

For more information about firewall policy design, see "Best Practices Firewall Policy for ISA Server 2006" at the Microsoft TechNet Web site.

Monthly

On a monthly basis, check the items described in the following sections.

Backup and restore testing

Take time to develop a backup and restore plan, and then test your backup and restore plan, to be sure it is working. Testing your backup and restore strategy on a monthly basis confirms that the plan works, that your backups are valid, and that you can restore as expected.

For more information about backing up your ISA Server computer, see "How to Back Up and Restore an ISA Server Enterprise Configuration" at the Microsoft TechNet Web site.

Performance Logs and Alerts

The Performance Logs and Alerts MMC snap-in is a tool that can be used to help with monitoring and troubleshooting. This document does not discuss how to use Performance Logs and Alerts to help with troubleshooting. This document discusses how to use Performance Logs and Alerts to help monitor and analyze your ISA Server computers.

For proper ISA Server analysis, you need to create a baseline of your ISA Server computer performance. After ISA Server has been installed and configured properly, you should create a baseline by creating and saving a counter log over a two-week period using a time interval of between five and ten minutes.

To create a performance counter log, see "Create a counter log" at the Microsoft TechNet Web site.

A monthly counter log should be created using the same time interval of between five and ten minutes. At the end of each month, the performance counter log should be analyzed against the baseline counter log. This analysis should help you foresee when you will need to make changes to your environment as the company grows.

After major changes have been made to an environment, a new baseline counter log should be created.

For a complete list of the ISA Server performance objects and counters, see "Performance Counters" at the Microsoft TechNet Web site.

Reports

With ISA Server reporting, you can create a permanent record of common usage patterns, and summarize and analyze log information. Reports can be scheduled to be generated on a daily, weekly, or monthly basis, or on specific dates. Reports can be copied to another server, such as a Web server or file server, making the reports available to users who do not have access rights to ISA Server Management.

Configure ISA Server to generate built-in reports automatically on a monthly basis. ISA Server has the following built-in reports:

  • Summary
  • Web Usage
  • Application Usage
  • Traffic and Utilization
  • Security

Review these reports to analyze application usage patterns, traffic patterns, and security incident patterns for month-to-month usage, such as from June to July of the same year and from June of this year to June of last year.

For more information about ISA Server reports, see "Monitoring, Logging, and Reporting Features in ISA Server 2006" at the Microsoft TechNet Web site.

Security updates

Microsoft typically releases security hotfixes on the first Tuesday of every month. Review released hotfixes and determine if the hotfix is required for ISA Server computers.

Quarterly

On a quarterly basis, check the items described in the following sections.

Rules and configuration analysis

After changes are made to your ISA Server configuration and changes occur in the environment, rules that were required a few months ago may no longer be needed. Or, a rule may have been added quickly to meet a project deadline, but was not put in the correct location for optimum performance.

On a quarterly basis, review the existing ISA Server configuration. This review should include the following:

  • Review the Remote Management Computers computer set (and Enterprise Remote Management Computers computer set if you are running ISA Server Enterprise Edition). If you have allowed remote management of your ISA Server computers, verify that only the required computers, address ranges, and subnets are included in the Remote Management Computers computer set (and the Enterprise Remote Management Computers computer set). Remove any entries that are no longer required. All computers included in these computer sets can remotely manage the ISA Server computers when the Microsoft Management Console (MMC) and Terminal Server system policies are enabled. These policies are part of the Remote Management group.
  • Review access and publishing rules. Make sure that all access and publishing rules are still required. Rules that are no longer needed should be disabled for a few months, and then at the next quarterly rules analysis, you can delete the disabled rules. You might also want to change the name of the rule to indicate that the rule can be deleted next quarter. If you are not sure whether a rule is still needed and logging is enabled for the rule, you can query the logs for the rule name to determine when the rule last appeared in the logs.
  • Review networks and network rules. Review the existing networks and network rules that are currently configured. Remove any networks that no longer exist.
  • Review the site-to-site VPN configuration. Review existing site-to-site VPN connections and confirm that each one is still required and used.
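The following Windows PowerShell script is an added example (not the guide's own procedure) that reads an ISA Server Web proxy log saved in W3C text format and produces two of the checks this guide describes: the daily cache check (share of requests whose Object Source is Cache, plus the Cache Information values of the misses) and the quarterly rule review (when each rule name last appeared in the logs). The field names s-object-source, s-cache-info and rule, the tab separation, and the sample rows are assumptions and constructed data; the parser takes its column names from the #Fields header, so a differently named field only needs the string changed.

```powershell
# Added example (not from the ISA Server Operations Guide). Parses a W3C text
# log written or exported by ISA Server. Assumptions: tab-separated columns,
# a "#Fields:" header line, and the field names s-object-source, s-cache-info
# and rule. The log below is constructed sample data, not a real capture.

function Import-IsaW3CLog {
    param([string[]]$Lines)
    $fields = $null
    $rows = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The header names the columns; everything after "#Fields:" is tab-separated.
            $fields = ($line.Substring(8).Trim()) -split "`t"
            continue
        }
        if ($line.StartsWith('#') -or $line.Trim() -eq '') { continue }
        if ($fields -eq $null) { throw 'Data row found before the #Fields header' }
        $values = $line -split "`t"
        $row = New-Object PSObject
        for ($i = 0; $i -lt $fields.Length; $i++) {
            $v = if ($i -lt $values.Length) { $values[$i] } else { '' }
            $row | Add-Member NoteProperty $fields[$i] $v
        }
        $rows += $row
    }
    return $rows
}

function Get-IsaCacheReport {
    param($Rows)
    # Daily cache check: Object Source "Cache" means the request was served from
    # the cache; for every other source, the Cache Information value says why the
    # object was not cached (look it up in "ISA Server Logging Fields and Values").
    $http = @($Rows | Where-Object { $_.'cs-uri' -like 'http*' })
    $fromCache = @($http | Where-Object { $_.'s-object-source' -eq 'Cache' }).Count
    $ratio = if ($http.Count -gt 0) { [math]::Round($fromCache / $http.Count, 2) } else { 0 }
    $misses = $http | Where-Object { $_.'s-object-source' -ne 'Cache' } |
        Group-Object 's-cache-info' | Select-Object Name, Count
    New-Object PSObject -Property @{
        Total              = $http.Count
        FromCache          = $fromCache
        HitRatio           = $ratio
        BySource           = ($http | Group-Object 's-object-source' | Select-Object Name, Count)
        CacheInfoForMisses = $misses
    }
}

function Get-IsaRuleLastSeen {
    param($Rows)
    # Quarterly rule review: latest date/time each rule name appears. Rules that
    # have not matched traffic for months are candidates to disable, then delete.
    $Rows | Group-Object 'rule' | ForEach-Object {
        $last = $_.Group | ForEach-Object { [datetime]("$($_.date) $($_.time)") } |
            Sort-Object -Descending | Select-Object -First 1
        New-Object PSObject -Property @{ Rule = $_.Name; Hits = $_.Count; LastSeen = $last }
    } | Sort-Object LastSeen
}

# Constructed sample log (tabs written as `t so they survive copy and paste).
$sampleLog = @"
#Software: Microsoft(R) Internet Security and Acceleration Server 2006
#Version: 2.0
#Fields: date`ttime`tc-ip`tcs-username`ts-object-source`tsc-status`ts-cache-info`trule`tcs-uri
2008-04-01`t08:00:01`t10.0.0.15`tcontoso\alice`tInet`t200`t0x40000000`tAllow Web Access`thttp://www.microsoft.com/
2008-04-01`t08:00:05`t10.0.0.16`tcontoso\bob`tCache`t200`t0x0`tAllow Web Access`thttp://www.microsoft.com/
2008-04-01`t08:01:10`t10.0.0.15`tcontoso\alice`tInet`t200`t0x400`tAllow Web Access`thttp://www.contoso.com/news
2008-04-01`t08:02:00`t10.0.0.17`tcontoso\carol`tCache`t200`t0x0`tAllow Web Access`thttp://www.contoso.com/news
2008-04-01`t08:03:30`t10.0.0.18`tcontoso\erin`tInet`t304`t0x40000000`tAllow Web Access`thttp://www.contoso.com/logo.gif
2008-03-02`t17:45:00`t10.0.0.20`tcontoso\dave`tInet`t200`t0x40000000`tProject X temp rule`thttp://partner.example.com/
"@

$rows = Import-IsaW3CLog -Lines ($sampleLog -split "`r?`n")
$cache = Get-IsaCacheReport -Rows $rows
"Requests: $($cache.Total)  From cache: $($cache.FromCache)  Hit ratio: $($cache.HitRatio)"
$cache.CacheInfoForMisses | Format-Table -AutoSize
Get-IsaRuleLastSeen -Rows $rows | Format-Table Rule, Hits, LastSeen -AutoSize
```

On real logs, replace `$sampleLog` with `Get-Content` of the exported log file; "Project X temp rule" shows up first in the last-seen list because it has not matched traffic since March.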

Certificate review

Certificates are important in ISA Server publishing scenarios and in ISA Server deployments in a workgroup environment. If these certificates expire, a warning message is displayed when users attempt to connect to the ISA Server computer, or the ISA Server computer cannot connect to the published server or to the Configuration Storage server (in ISA Server Enterprise Edition) to retrieve and apply policy updates.

Check the expiration date on all certificates on the ISA Server computer and the published Web servers on a quarterly basis. This will provide you with enough time to renew the certificate before it expires.

To check the expiration date on the installed certificates, do one of the following:

  • Use the Microsoft ISA Server Best Practices Analyzer Tool:
    1. Download and run the ISA Server Best Practices Analyzer Tool on your ISA Server computers. To download the ISA Server Best Practices Analyzer, see "Microsoft Internet Security and Acceleration (ISA) Server Best Practices Analyzer Tool" at the Microsoft Download Center Web site. The ISA Server Best Practices Analyzer checks the expiration date of the certificates on the ISA Server computer and the published Web servers. The ISA Server Best Practices Analyzer shows a warning message when a certificate is expiring within the next two weeks and an error message when a certificate has expired.
    2. Renew certificates that have expired or are going to expire according to the instructions of the issuing certification authority.
  • Use the Certificates MMC snap-in:
    1. Open the Certificates MMC snap-in for the Computer account on the ISA Server computer and internal Web server.
    2. Expand the Personal folder and select the Certificates folder.
    3. Double-click the Expiration Date column to sort the certificates based upon expiration dates.
    4. Renew certificates that have expired or are expiring according to the instructions of the issuing certification authority.

When you are running ISA Server Enterprise Edition in a mixed workgroup/domain environment, check the certificate installed on the Configuration Storage server. This certificate is stored in the Certificates folder of the ISASTGCTRL service.

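The following Windows PowerShell script is an added example, not part of this guide, for the quarterly certificate review. The first part scans the computer's Personal store (Cert:\LocalMachine\My, the Personal\Certificates folder in the Certificates MMC snap-in) and sorts by expiration date; the second part connects to a published HTTPS site and reads the certificate actually presented, so the Web listener on ISA Server and the published Web server can both be checked from a workstation. The host names are placeholders, the 14-day warning threshold mirrors the Best Practices Analyzer behaviour described above, and the ISASTGCTRL service store is not covered.

```powershell
# Added example (not from the ISA Server Operations Guide): certificate expiry
# review in Windows PowerShell. Host names below are placeholders (assumptions).

function Get-CertificateStatus {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$WarnDays = 14,          # same window the Best Practices Analyzer warns on
        [datetime]$Now = (Get-Date)
    )
    $daysLeft = [int]($Cert.NotAfter - $Now).TotalDays
    if ($Cert.NotAfter -lt $Now) { $state = 'Expired' }
    elseif ($daysLeft -le $WarnDays) { $state = 'ExpiringSoon' }
    else { $state = 'OK' }
    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        DaysLeft   = $daysLeft
        State      = $state
    }
}

function Get-LocalCertificateReport {
    param([int]$WarnDays = 14)
    # Same view as the Certificates snap-in: Personal folder sorted by Expiration Date.
    Get-ChildItem Cert:\LocalMachine\My |
        ForEach-Object { Get-CertificateStatus -Cert $_ -WarnDays $WarnDays } |
        Sort-Object NotAfter
}

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    # Performs only the TLS handshake and returns the server certificate. The
    # callback accepts any chain because the point is to read the certificate
    # and check its dates, not to rely on this connection for anything else.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Close()
        return $cert
    } finally { $client.Close() }
}

# Quarterly run. The first name is the published site (what ISA Server's Web
# listener presents); the second is the internal Web server ISA Server forwards to.
$report = @(Get-LocalCertificateReport)
foreach ($site in @('www.corp.contoso.com', 'webserver.internal.contoso.com')) {
    try {
        $remote = Get-RemoteCertificate -HostName $site
        $report += Get-CertificateStatus -Cert $remote
    } catch { Write-Warning "${site}: $($_.Exception.Message)" }
}
$report | Sort-Object NotAfter | Format-Table State, DaysLeft, NotAfter, Subject -AutoSize
```

Run the local part on each ISA Server computer and published Web server, and the remote part from any workstation that can reach the published site.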

Reports

With ISA Server reporting, you can create a permanent record of common usage patterns, and summarize and analyze log information. Reports can be scheduled to be generated on a daily, weekly, or monthly basis, or on specific dates. Reports can be copied to another server, such as a Web server or file server, making the reports available to users who do not have access rights to ISA Server Management.

Configure ISA Server to generate built-in reports automatically on a quarterly basis. ISA Server has the following built-in reports:

  • Summary
  • Web Usage
  • Application Usage
  • Traffic and Utilization
  • Security

Review these reports to analyze application usage patterns, traffic patterns, and security incident patterns for quarter-to-quarter usage, such as from the first quarter to the second quarter and from the second quarter of this year to last year's second quarter.

For more information about ISA Server reports, see "Monitoring, Logging, and Reporting Features in ISA Server 2006" at the Microsoft TechNet Web site.