Module 10: Monitoring ISA Server 2004

Upload: aldous-patrick

Post on 16-Jan-2016


Overview

Monitoring Overview

Configuring Alerts

Configuring Session Monitoring

Configuring Logging

Configuring Reports

Monitoring Connectivity

Monitoring Services and Performance


Lesson: Monitoring Overview

Why Implement Monitoring?

ISA Server Monitoring Components

Designing a Monitoring and Reporting Strategy

Using the ISA Server Dashboard for Monitoring

Why Implement Monitoring?

Use monitoring to:

Monitor traffic between networks to ensure that only legitimate traffic passes between networks

Troubleshoot network connectivity between ISA Server clients, servers, and networks

Collect information about attacks and detect attacks as they occur

Plan future modifications to the ISA Server or Internet access infrastructure

ISA Server Monitoring Components

Component: Explanation:

Alerts: Monitors ISA Server for configured events and then performs actions when the specified events occur

Sessions: Provides information on the current client sessions

Logging: Provides detailed archived information about the Web Proxy, Microsoft Firewall service, or SMTP Message Screener

Reports: Summarizes information about the usage patterns on ISA Server

Connectivity: Monitors connections from ISA Server to any other computer or URL on any network

Performance: Monitors server performance in real time, creates a log file of server performance, or configures performance alerts

Designing a Monitoring and Reporting Strategy

When: Determine:

Monitoring real-time information:

  Which events should trigger an alert

  The event threshold before the alert is triggered

  The information that you need to monitor server performance

Collecting long-term information:

  The information you need to monitor server performance over time

  The information you need to monitor server usage

  The information you need to monitor security events

Developing a response strategy:

  How to respond to the critical events that occur on the ISA Server

Using the ISA Server Dashboard for Monitoring

Monitor connections

Monitor alerts

Monitor sessions

Monitor traffic

Lesson: Configuring Alerts

What Is an Alert?

How to Configure Alert Definitions

How to Configure Alert Events and Conditions

How to Configure Alert Actions

Alert Management Tasks

What Is an Alert?

An alert is:

A notification of an event or action that has occurred on ISA Server

Triggered according to the conditions and trigger thresholds specified for the event associated with the alert

When a server event takes place and records an alert:

The ISA Server Management console displays the alert in the Alerts view

An entry appears in the Alerts view that lists column headings such as type of alert, the date and time, status, and category

How to Configure Alert Definitions

How to Configure Alert Events and Conditions

Define the trigger thresholds

Define subsequent alerts

Define the event that will trigger the alert

Define specific conditions for the event

How to Configure Alert Actions

Configure e-mail action

Define a program to run

Define other alert actions

Alert Management Tasks

Alerts are managed by performing the following tasks:

Reset registered alerts

Acknowledge registered alerts

When you configure an alert to stop the ISA Server Firewall Service, ISA Server goes into a lockdown mode. While in lockdown mode, ISA Server blocks most network traffic.

Practice: Configuring and Managing Alerts

Creating a New Alert Definition

Modifying an Existing Alert Definition

Diagram labels: Internet, Den-ISA-01, Den-DC-01, Den-Clt-01, Gen-Web-01

Lesson: Configuring Session Monitoring

What Is Session Monitoring?

About Managing Sessions

How to Configure Session Filtering

What Is Session Monitoring?

Session monitoring:

Provides real-time information about client sessions hosted through ISA Server

Includes information on:

  When the session was established

  The session type

  The source network

  The client user name and computer name

Provides the ability to immediately stop any unwanted sessions

About Managing Sessions

Use these options to manage sessions

Right-click session to disconnect

How to Configure Session Filtering

Add multiple filters

Configure filters to view specific sessions

Practice: Configuring Session Monitoring

Monitoring Sessions

Applying a Session Filter

Diagram labels: Internet, Den-ISA-01, Den-DC-01, Den-Clt-01, Gen-Web-01

Lesson: Configuring Logging

What Is Logging?

Log Storage Options

How to Configure Logging

How to View ISA Server Logs

How to Configure Log Filter Definitions

What Is Logging?

The logging feature:

Provides extended log storage to generate reports, analyze trends, or investigate security issues

Can be configured to provide Firewall logging, Web proxy logging, and SMTP message screener logging

Provides a log viewer to assist in monitoring and analyzing server activity for MSDE-based logs

Log Storage Options

Log storage option: Explanation:

MSDE: Logs can be viewed in the log viewer. Default format for Web proxy and Firewall Service logs

SQL database: Logs can be stored on a separate server. Logs can be analyzed by using database tools

File: Logs can be stored in W3C or ISA Server format. Only available format for SMTP message screener logs

The MSDE and log files are stored by default in the ISALogs folder, which is located in the ISA Server installation folder

How to Configure Logging

Configure log storage format

Configure the information captured in the logs

How to View ISA Server Logs

How to Configure Log Filter Definitions

Configure filters to view specific log entries

Add multiple filters

Lesson: Configuring Reports

What Are Reports?

How to Configure the Report Summary Database

How to Generate a Report

How to Create a Recurring Report Job

How to View Reports

How to Publish Reports

What Are Reports?

Use reporting to summarize and analyze:

Who is accessing the Internet, as well as which web sites are being accessed

Which protocols and applications are being used most often

General traffic patterns

The cache hit ratio

Reports can be generated immediately

Reports need to be scheduled to generate on a recurring basis

How to Configure the Report Summary Database

Select to enable log summaries

Configure number of saved summaries

Configure summary files location

How to Generate a Report

Configure the content to include in the report

Configure the time period included in the report

Configure where the report will be stored

How to Create a Recurring Report Job

Configure the content to include in the recurring report

Configure when the recurring report will run

How to View Reports

Reports can be viewed:

Only on the computer running ISA Server Management

By double-clicking the report name in the Report view of ISA Server Management

How to Publish Reports

You can publish reports to a shared folder where users without ISA Server Management installed can view the reports

Practice: Configuring Reports

Generating a Report

Creating a Recurring Report Job

Diagram labels: Den-Msg-01, Internet, Den-ISA-01, Den-DC-01, Gen-Web-01

Lesson: Monitoring Connectivity

How Does Connectivity Monitoring Work?

Configuring Connectivity Monitoring

How Does Connectivity Monitoring Work?

Connectivity monitoring:

Uses connectivity verifiers to monitor connections from ISA Server to other servers or URLs

Can be configured to use any of the following connection methods:

  Ping to check for simple network connectivity

  TCP connection to verify that a service is running on the destination server

  HTTP GET request to verify that a Web server is running on the destination server

Configuring Connectivity Monitoring

Configure the timeout for the connection attempt

Configure the URL or server to connect to

Configure the method used to test connectivity
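The TCP connection and HTTP GET methods described above, each with a configurable timeout, written out as an added example in Python; this is not ISA Server code or part of the original course material. The function names, the loopback test server, and the rule that only an HTTP status below 400 passes are assumptions of the example, and the Ping method is left out because ICMP needs raw-socket privileges.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request

# Connect directly, ignoring proxy settings, so the check tests the real path.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def verify_tcp(host, port, timeout=5.0):
    """TCP connection method: is a service accepting connections on the port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:  # refused, unreachable, or timed out
        return False, type(exc).__name__


def verify_http_get(url, timeout=5.0):
    """HTTP GET method. Assumption of this example: only a status below 400 passes."""
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return True, f"HTTP {resp.status}"
    except urllib.error.HTTPError as exc:  # web server answered with an error status
        return False, f"HTTP {exc.code}"
    except OSError as exc:  # URLError is an OSError: no listener, DNS failure, timeout
        return False, type(exc).__name__


class _Handler(http.server.BaseHTTPRequestHandler):
    """Constructed loopback web server standing in for a monitored host."""
    def do_GET(self):
        self.send_response(200 if self.path == "/" else 404)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    server = http.server.HTTPServer(("127.0.0.1", 0), _Handler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = {
        "tcp_up": verify_tcp("127.0.0.1", port, timeout=2),
        "http_ok": verify_http_get(f"http://127.0.0.1:{port}/", timeout=2),
        "http_404": verify_http_get(f"http://127.0.0.1:{port}/missing", timeout=2),
    }
    server.shutdown()
    server.server_close()
    # Same checks once the service is gone: both methods must now report failure.
    results["tcp_down"] = verify_tcp("127.0.0.1", port, timeout=2)
    results["http_down"] = verify_http_get(f"http://127.0.0.1:{port}/", timeout=2)
    return results


if __name__ == "__main__":
    for name, (ok, detail) in run_demo().items():
        print(f"{name:10} {'OK' if ok else 'FAIL'}  {detail}")
```

The /missing case shows why the method matters: the TCP check passes while the HTTP GET check fails, because a listening port does not prove the Web application behind it is answering correctly.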

Practice: Configuring Connectivity Monitoring

Configuring Connectivity Monitoring

Diagram labels: Den-ISA-01, Den-DC-01, Internet, Gen-Web-01

Lesson: Monitoring Services and Performance

Monitoring ISA Server Services

Performance Monitoring with ISA Server


Monitoring ISA Server Services

Performance Monitoring with ISA Server

Performance object: Explanation:

ISA Server Firewall Engine: Includes performance counters to monitor connections and throughput for the firewall engine

ISA Server Cache: Includes performance counters to monitor the memory, disk, and URL activity associated with the cache as well as cache performance

ISA Server Firewall Service: Includes counters to monitor Firewall service connections and associated services such as DNS. This object monitors only Firewall client connections

ISA Server Web Proxy Service: Includes counters to monitor the number of users and the rate at which ISA Server transfers data for Web Proxy clients to remote and upstream servers

Monitor the ISA Server counters as well as other performance counters to determine server performance and bottlenecks

Lab: Monitoring ISA Server 2004

Exercise 1: Testing the Alerts Feature

Exercise 2: Testing the Reporting Feature

Exercise 3: Testing the Connectivity Monitoring Feature

Diagram labels: Internet, Den-ISA-01, Den-DC-01, Den-Msg-01, Gen-Web-01