Module 10: Monitoring ISA Server 2004

Overview Monitoring Overview Configuring Alerts Configuring Session Monitoring Configuring Logging Configuring Reports Monitoring Connectivity Monitoring Services and Performance

Lesson: Monitoring Overview Why Implement Monitoring? ISA Server Monitoring Components Designing a Monitoring and Reporting Strategy Using the ISA Server Dashboard for Monitoring

Why Implement Monitoring? Use monitoring to: Monitor traffic between networks to ensure that only legitimate traffic passes between networks Troubleshoot network connectivity between ISA Server clients, servers, and networks Collect information about attacks and to detect attacks as they occur Plan future modifications to the ISA Server or Internet access infrastructure Monitor traffic between networks to ensure that only legitimate traffic passes between networks Troubleshoot network connectivity between ISA Server clients, servers, and networks Collect information about attacks and to detect attacks as they occur Plan future modifications to the ISA Server or Internet access infrastructure

ISA Server Monitoring Components ComponentsExplanation Alerts Monitors ISA Server for configured events and then performs actions when the specified events occur Sessions Provides information on the current client sessions Logging Provides detailed archived information about the Web Proxy, Microsoft Firewall service, or SMTP Message Screener Reports Summarizes information about the usage patterns on ISA Server Connectivity Monitors connections from ISA Server to any other computer or URL on any network Performance Monitors server performance in real time, create a log file of server performance or configure performance alerts

Designing a Monitoring and Reporting Strategy When:Determine: Monitoring real- time information Which events should trigger an alert The event threshold before the alert is triggered The information that you need to monitor server performance Collecting long- term information The information you need to monitor server performance over time The information you need to monitor server usage The information you need to monitor security events Developing a response strategy How to respond to the critical events that occur on the ISA Server

Using the ISA Server Dashboard for Monitoring Monitor connections Monitor connections Monitor alerts Monitor alerts Monitor sessions Monitor sessions Monitor traffic Monitor traffic

Lesson: Configuring Alerts What Is an Alert? How to Configure Alert Definitions How to Configure Alert Events and Conditions How to Configure Alert Actions Alert Management Tasks

What Is an Alert? An alert is: A notification of an event or action that has occurred on ISA Server Triggered according to the conditions and trigger thresholds specified for the event associated with the alert A notification of an event or action that has occurred on ISA Server Triggered according to the conditions and trigger thresholds specified for the event associated with the alert When a server event takes place and records an alert: The ISA Server Management console displays the alert in the Alerts view An entry appears in the alerts view that lists column headings such as type of alert, the date and time, status, and category The ISA Server Management console displays the alert in the Alerts view An entry appears in the alerts view that lists column headings such as type of alert, the date and time, status, and category

How to Configure Alert Definitions

How to Configure Alert Events and Conditions Define the trigger thresholds Define the trigger thresholds Define subsequent alerts Define subsequent alerts Define the event that will trigger the alert Define the event that will trigger the alert Define specific conditions for the event Define specific conditions for the event

How to Configure Alert Actions Configure action Configure action Define a program to run Define other alert actions

Alerts are managed by performing the following tasks: Alert Management Tasks Reset registered alerts Acknowledge registered alerts When you configure an alert to stop the ISA Server Firewall Service, ISA Server goes into a lockdown mode. While in lockdown mode, ISA Server blocks most network traffic

Practice: Configuring and Managing Alerts Creating a New Alert Definition Modifying an Existing Alert Definition Internet Den-ISA-01 Den-DC-01Den-Clt-01 Gen-Web-01

Lesson: Configuring Session Monitoring What Is Session Monitoring? About Managing Sessions How to Configure Session Filtering

What Is Session Monitoring? Session monitoring: Provides real-time information about client sessions hosted through ISA Server Includes information on:  When the session was established  The session type  The source network  The client user name and computer name Provides the ability to immediately stop any unwanted sessions Provides real-time information about client sessions hosted through ISA Server Includes information on:  When the session was established  The session type  The source network  The client user name and computer name Provides the ability to immediately stop any unwanted sessions

About Managing Sessions Use these options to manage sessions Use these options to manage sessions Right click session to disconnect Right click session to disconnect

How to Configure Session Filtering Add multiple filters Configure filters to view specific sessions Configure filters to view specific sessions

Practice: Configuring Session Monitoring Monitoring Sessions Applying a Session Filter Internet Den-ISA-01 Den-DC-01Den-Clt-01 Gen-Web-01

Lesson: Configuring Logging What Is Logging? Log Storage Options How to Configure Logging How to View ISA Server Logs How to Configure Log Filter Definitions

The logging feature: Provides extended log storage to generate reports, analyze trends, or investigate security issues Can be configured to provide Firewall logging, Web proxy logging, and SMTP message screener logging Provides a log viewer to assist in monitoring and analyzing server activity for MSDE-based logs Provides extended log storage to generate reports, analyze trends, or investigate security issues Can be configured to provide Firewall logging, Web proxy logging, and SMTP message screener logging Provides a log viewer to assist in monitoring and analyzing server activity for MSDE-based logs What Is Logging?

Log Storage Options Log storage option:Explanation: MSDE Logs can be viewed in the log viewer Default format for Web proxy and Firewall Service logs SQL database Logs can be stored on separate server Logs can be analyzed by using database tools File Logs can be stored in W3C or ISA Server format Only available format for SMTP message screener logs The MSDE and log files are stored by default in the ISALogs folder, which is located in the ISA Server installation folder

How to Configure Logging Configure log storage format Configure log storage format Configure the information captured in the logs Configure the information captured in the logs

How to View ISA Server Logs

How to Configure Log Filter Definitions Configure filters to view specific log entries Configure filters to view specific log entries Add multiple filters

Lesson: Configuring Reports What Are Reports? How to Configure the Report Summary Database How to Generate a Report How to Create a Recurring Report Job How to View Reports How to Publish Reports

What Are Reports? Use reporting to summarize and analyze: Who is accessing the Internet, as well as which web sites are being accessed Which protocols and applications are being used most often General traffic patterns The cache hit ratio Who is accessing the Internet, as well as which web sites are being accessed Which protocols and applications are being used most often General traffic patterns The cache hit ratio Reports can be generated immediately Reports need to be scheduled to generate on a recurring basis Reports can be generated immediately Reports need to be scheduled to generate on a recurring basis

How to Configure the Report Summary Database Select to enable log summaries Select to enable log summaries Configure number of saved summaries Configure number of saved summaries Configure summary files location Configure summary files location

How to Generate a Report Configure the content to include in the report Configure the time period included in the report Configure where the report will be stored Configure where the report will be stored

How to Create a Recurring Report Job Configure the content to include in the recurring report Configure the content to include in the recurring report Configure when the recurring report will run Configure when the recurring report will run

How to View Reports Reports can be viewed: Only on the computer running ISA Server Management By double-clicking the report name in the Report view of ISA Server Management Only on the computer running ISA Server Management By double-clicking the report name in the Report view of ISA Server Management

How to Publish Reports You can publish reports to a shared folder where users without ISA Server Management installed can view the reports

Practice: Configuring Reports Generating a Report Creating a Recurring Report Job Den-Msg-01 Internet Den-ISA-01 Den-DC-01 Gen-Web-01

Lesson: Monitoring Connectivity How Does Connectivity Monitoring Work? Configuring Connectivity Monitoring

How Does Connectivity Monitoring Work? Connectivity monitoring: Uses connectivity verifiers to monitor connections from ISA Server to other servers or URLs Can be configured to use any of the following in connection methods:  Ping to check for simple network connectivity  TCP connection to verify that a service is running on the destination server  HTTP GET request to verify that a Web server is running on the destination server Uses connectivity verifiers to monitor connections from ISA Server to other servers or URLs Can be configured to use any of the following in connection methods:  Ping to check for simple network connectivity  TCP connection to verify that a service is running on the destination server  HTTP GET request to verify that a Web server is running on the destination server

Configuring Connectivity Monitoring Configure the timeout for the connection attempt Configure the timeout for the connection attempt Configure the URL or server to connect to Configure the URL or server to connect to Configure the method used to test connectivity Configure the method used to test connectivity

Practice: Configuring Connectivity Monitoring Configuring Connectivity Monitoring Den-ISA-01 Den-DC-01 Internet Gen-Web-01

Lesson: Monitoring Services and Performance Monitoring ISA Server Services Performance Monitoring with ISA Server

Monitoring ISA Server Services

Performance Monitoring with ISA Server Performance ObjectsExplanation ISA Server Firewall Engine Includes performance counters to monitor connections and throughput for the firewall engine ISA Server Cache Includes performance counters to monitor the memory, disk, and URL activity associated with the cache as well as cache performance ISA Server Firewall Service Includes counters to monitor Firewall service connections and associated services such as DNS. This object monitors only Firewall client connections ISA Server Web Proxy Service Includes counters to monitor the number of users and the rate at which ISA Server transfers data for Web Proxy clients to remote and upstream servers Monitoring the ISA Server counters as well as other performance counters to determine server performance and bottlenecks

Lab: Monitoring ISA Server 2004 Exercise 1: Testing the Alerts Feature Exercise 2: Testing the Reporting Feature Exercise 3: Testing the Connectivity Monitoring Feature Internet Den-ISA-01 Den-DC-01Den-Msg-01 Gen-Web-01