Monitoring, Logging, and Reporting Features in ISA Server 2006
Microsoft® Internet Security and Acceleration (ISA) Server 2006 provides a range of monitoring tools to help you track network status, create alerts to keep you up-to-date on firewall behavior, configure and view logs to track ISA Server activity, and create reports to customize and summarize log information. These features make it easier to ensure that your network is running as expected, to stay aware of attempted intrusions, to track network usage, and to begin troubleshooting where necessary.
The following table summarizes the key monitoring features that appear in the details pane of the Monitoring node in ISA Server Management.
Feature | Details |
---|---|
Dashboard | The Dashboard summarizes information from the various monitoring tabs and ISA Server performance counters to provide a quick view of system functioning. |
Alerts | The Alerts tab provides a list of alerts that have been triggered. Alerts are triggered when specific events occur. You can reset alerts to remove them from the Alerts tab, or indicate that you are handling alerts by acknowledging them, which changes their status on the Alerts tab and removes them from the Dashboard display. |
Sessions | The Sessions tab lists all active sessions. You can sort or disconnect individual sessions or groups of sessions, and filter the entries on the Sessions tab to focus on the sessions of interest. |
Services | The Services tab provides the status of ISA Server services. You can stop and start the Microsoft Firewall service, the Microsoft ISA Server Job Scheduler service, and the Microsoft Data Engine service. |
Configuration (Enterprise Edition) | The Configuration tab allows you to validate that all arrays have been updated with the latest configuration information from the Configuration Storage server. |
Reports | The Reports tab displays reports that have been created or are in the process of being created. You can use the reporting features to summarize and analyze usage patterns, and to monitor network security. You can manage existing reports, create scheduled report jobs, create one-time reports, and customize report information. |
Connectivity Verifiers | The Connectivity Verifiers tab displays all the configured connectivity verifiers. Configure connectivity verifiers to check connections to a specific computer name, IP address, or Uniform Resource Locator (URL). Use the following methods to determine connectivity: Ping, Transmission Control Protocol (TCP) connect to a port, or Hypertext Transfer Protocol (HTTP) GET. |
Logging | The Logging tab displays Firewall logs and Web Proxy logs in real time. You can query the log files using the built-in log query facility. |
System Performance | The Dashboard provides a System Performance section showing the status of two of the main performance counters for ISA Server. |
Dashboard
The Dashboard view summarizes monitoring information about sessions, alerts, services, reports, connectivity, and general system health. The Dashboard is divided into a number of sections, providing a summary of each of the monitoring tabs, and system performance.
The Dashboard is useful to quickly identify critical issues related to ISA Server. You can use it daily to verify the status of critical servers and services. For example, you can use the Dashboard to check that the ISA Server services are available and that servers are connected. After you check the operating status, you can review any alerts, to check if any attacks have been thwarted—or if any specific problem requires your immediate attention. Each Dashboard section contains an icon. A yellow warning icon or red error icon indicates that you may want to check settings and behavior. A green icon indicates that everything is functioning as expected. You can tailor the columns for each section that appears in the Dashboard, or navigate from section titles to the relevant monitoring tab.
Alerts
ISA Server events are generated by ISA Server services when particular run-time conditions occur. The alert service of ISA Server 2006 acts as a dispatcher and event filter. It notifies you when specified events occur by triggering an alert for the event. Some events have additional conditions. In this case, both the event and the additional condition must occur before the alert is triggered.
ISA Server provides a number of predefined alerts for every type of event defined by ISA Server. The predefined alert definitions are summarized in Appendix A: Alert Definitions.
Configuring Alert Definitions
You can customize alert definitions by enabling or disabling alerts, editing existing alerts, and creating new alert definitions.
During Setup, alerts are preconfigured for all events, but you may want to define additional alerts. For example, consider the preconfigured alert definition for the Network configuration changed event. As the network administrator, you might want to refine this general alert, creating two unique alert definitions:
- An alert definition for when a network is disabled.
- An alert definition for when a network is enabled.
The alert definition for the former would trigger an action to run a batch file to disconnect the computer from a load balancing cluster each time a network becomes disabled. The alert definition for the latter might be to send you an e-mail message.
Alerts with specific events take precedence over less-specific events. For example, suppose you have two alerts configured, one for Any network configuration change and the other for Network connected. When a network is connected, the alert actions for the latter will be performed.
You create an alert definition using the New Alert Configuration Wizard. The following table summarizes the alert properties you specify in the wizard.
Property | Details |
---|---|
Alert name | Specify a unique name for the alert. |
Events and Conditions | Specify an event that will trigger the alert. Some events allow you to specify an additional condition that must occur to trigger the alert. If an event and an additional condition are configured, both must occur to trigger the alert. |
Category and Severity | Select a category for the alert, and then select the severity of the alert. |
Actions | Specify the actions to be taken when the event is triggered. |
Actions |
Specify the actions to be taken when the event is triggered. |
Configuring Alert Actions
You can define alerts to perform one or more of the following actions when triggered:
- Send an e-mail message.
- Run a specific action.
- Log the event in the Windows event log.
- Stop or start the Microsoft Firewall service or Scheduled Content Download service.
Alert action for sending an e-mail message
You specify the following settings when configuring an alert to send an e-mail message when it is triggered:
- Name of the SMTP server. Note the following:
- If you specify an SMTP server located on the Internal network, you must enable the system policy rule to allow this traffic. To do this, in the Remote Monitoring configuration group of the System Policy Editor, select SMTP, and then click Enable. This enables the "Allow SMTP protocol from firewall to trusted servers" system policy rule.
- If you specify an SMTP server located on the External network, you must create an access rule that allows the Local Host network to access the External network (or the network on which the SMTP server is located), using SMTP.
- E-mail address of sender.
- E-mail addresses of recipients.
Alert action for running a program
You can specify the following settings when configuring an alert to run a program when it is triggered:
- Path location of the program.
- Parameters required for running the program.
- Credentials for running the program.
Note the following:
- Use the Local Security Policy to configure user privileges.
- If you specify an alert to run a program, the program path must exist on the ISA Server computer. We recommend that you use an environment variable (such as %SystemDrive%) within the path name.
- Be sure that the specified user has Logon as batch job privileges.
- Do not specify an interactive program that requires user input.
The new alert will appear in the list of alert definitions.
Configuring actions for Alert Action Failure alert
Although the Alert Action Failure alert can be configured, we recommend that you do not edit properties for this alert. If the action for this alert fails, the failure is not registered anywhere, and troubleshooting will be difficult.
If you encounter this alert, check the event log for action failures. Check the event message associated with the failure, and the previous events issued before the action failure event. They may provide additional information about which action failed.
Configuring Alert Thresholds
After initial configuration of the new alert using the wizard, you can further refine settings in the property page of the alert. The following table summarizes the additional settings that can be configured on the property page of the alert.
Property | Details |
---|---|
Number of occurrences | Specify how many times in total the event should occur before the alert is triggered. |
Number of events per second | Specify how many times per second the event must occur before the alert is triggered. If you specify values for both the number of occurrences and the number of events per second, both limits must be reached before the alert is issued again. |
Immediately | Specify that the alert is triggered immediately each time the threshold is reached. |
Only if the alert was manually reset | Specify that the alert is triggered again each time the threshold is reached only if it has been manually reset. |
If number of minutes since last execution is more than | Specify that the alert is triggered again each time the threshold is reached only if more than a specified number of minutes have passed since it was last triggered. Then specify the number of minutes. |
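The interplay between the two thresholds and the three reissue settings is easier to see in code. The following is an added example written for this page, not ISA Server code: a small Python model that feeds event timestamps through one alert definition and reports when the alert would fire. Two details are assumptions, since the page does not state them: the occurrence counter restarts each time the threshold is reached, and the events-per-second limit is measured over the trailing one-second window.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class AlertDefinition:
    """Threshold settings from the alert property page (names follow the table above)."""
    name: str
    occurrences: int = 1                     # "Number of occurrences"
    events_per_second: Optional[int] = None  # "Number of events per second"; None = not set
    reissue: str = "immediately"             # "immediately" | "manual_reset" | "after_minutes"
    reissue_minutes: int = 0                 # used only with reissue="after_minutes"


class AlertEngine:
    """Feeds event timestamps (seconds) through one alert definition and records triggers.

    Assumptions (not stated on the page): the occurrence counter restarts each time the
    threshold is reached, and the rate is measured over the trailing one-second window.
    """

    def __init__(self, definition: AlertDefinition):
        self.d = definition
        self.count = 0                  # occurrences since the threshold was last reached
        self.window = deque()           # timestamps of the last second's events
        self.last_fired: Optional[float] = None
        self.fired_since_reset = False  # set when the alert fires, cleared by reset()
        self.triggered = []             # timestamps at which the alert actually fired

    def reset(self) -> None:
        """Operator resets the alert on the Alerts tab."""
        self.fired_since_reset = False

    def _threshold_reached(self, now: float) -> bool:
        if self.count < self.d.occurrences:
            return False
        if self.d.events_per_second is not None:
            # Both limits must be reached when both are configured.
            if len(self.window) < self.d.events_per_second:
                return False
        return True

    def _reissue_allowed(self, now: float) -> bool:
        if self.last_fired is None:
            return True  # the first trigger is never suppressed
        if self.d.reissue == "immediately":
            return True
        if self.d.reissue == "manual_reset":
            return not self.fired_since_reset
        if self.d.reissue == "after_minutes":
            return (now - self.last_fired) > self.d.reissue_minutes * 60
        raise ValueError(f"unknown reissue policy {self.d.reissue!r}")

    def event(self, now: float) -> bool:
        """Record one occurrence at time `now`; return True if the alert fires."""
        self.count += 1
        self.window.append(now)
        while self.window and now - self.window[0] > 1.0:
            self.window.popleft()       # drop events older than one second
        if not self._threshold_reached(now):
            return False
        self.count = 0
        if not self._reissue_allowed(now):
            return False  # threshold reached, but the reissue policy suppresses the action
        self.last_fired = now
        self.fired_since_reset = True
        self.triggered.append(now)
        return True


if __name__ == "__main__":
    # Three occurrences, re-issued only after a manual reset.
    engine = AlertEngine(AlertDefinition("demo", occurrences=3, reissue="manual_reset"))
    print([engine.event(t) for t in (0, 1, 2, 3, 4, 5)])  # fires once, at the third event
    engine.reset()
    print([engine.event(t) for t in (6, 7, 8)])           # fires again after the reset
```

The model makes the operational consequence of each setting visible: with "Only if the alert was manually reset", a noisy event fires once and then stays silent until someone acts on the Alerts tab, whereas "Immediately" re-fires on every threshold crossing, which is what you want for an action such as stopping a service but not for an e-mail action.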
Monitoring Alerts
All triggered alerts are displayed on the Alerts tab. The display shows the alert name, the time it occurred, the status, and the alert category: information, warning, and error. Information about each alert also appears in the Windows event log. You can perform the following tasks on alerts displayed in the tab:
- Set the refresh rate to specify an automatic refresh rate for alerts.
- Reset selected alerts. Resetting an alert effectively removes it from the Alerts tab.
- Acknowledge selected alerts. You can indicate that you are handling a specific event, or a group of events, by acknowledging the alerts. When you mark an alert (or group of alerts) as acknowledged, the status for those events is changed on the Alerts tab, and the alerts are no longer displayed on the Dashboard.
When the Microsoft ISA Server Control service (isactrl) is restarted or the ISA Server computer restarts, all alerts are automatically reset.
Predefined Trigger Limits
There are some events for which alerts are only triggered once a second, regardless of other settings. The following table summarizes these events.
Event | Condition |
---|---|
Connection limit exceeded | Any |
Intrusion detected | Windows out-of-band attack |
Intrusion detected | IP half scan attack |
Intrusion detected | Land attack |
Intrusion detected | UDP bomb attack |
Intrusion detected | Ping of death attack |
Intrusion detected | All port scan attack |
Intrusion detected | Well-known port scan attack |
Invalid DHCP offer | Any |
IP spoofing | Any |
Oversized UDP packet | Any |
Sessions
The Sessions tab allows you to monitor active connections, where a session is the unique combination of a client's IP address and user name. The following information is displayed on the Sessions tab:
- Activation. Date and time the session began.
- Server name. The name of the ISA Server firewall.
- Session type. You can monitor connections from the following ISA Server clients: Firewall client, SecureNAT, virtual private network (VPN) client, VPN site-to-site, and Web Proxy.
- Client IP. The source IP address of the client.
- Source network. The network from which the session originated.
- Client user name. The client authenticated by ISA Server when authentication is required.
- Client host name. For Firewall clients.
- Application name. For Firewall clients. This field is not displayed by default.
Note the following:
- ISA Server 2006 does not separate session counters for all clients. Note the following:
- Web Proxy client sessions have a corresponding SecureNAT session. There is one SecureNAT session for all Web Proxy client sessions from a particular computer.
- Firewall clients have a corresponding SecureNAT session. For a computer with Firewall Client installed, there will be a SecureNAT session, as well as a Firewall client session, for that computer.
- If a computer has both Web Proxy and Firewall client sessions, there will be only one SecureNAT session for it, because it is defined per computer.
- A connection between two computers through the firewall can only belong to one session. This design affects how server publishing rule connections are displayed in the sessions list. A session is shown between the published server and the ISA Server computer. Client connections to this published server are associated with the session between the published server and ISA Server, and do not show as separate sessions.
- When ISA Server does not require authentication, all traffic from the same IP address is considered to be a single session. For example, if a Web browser opens more than one TCP connection to the same IP address, ISA Server considers the connections to be a single session.
- Web Proxy client sessions indicate the last minute of Web browser activity, even if the client is not currently browsing.
- When IP routing is disabled, traffic from users and IP addresses is listed on the Sessions tab. When IP routing is enabled, only sessions from traffic that passes using an application filter are listed.
A summary of the sessions for each client type, and the total sessions, is displayed on the Dashboard.
Configuring Sessions
You can filter session information, and then save the resultant query for future use. You can also pause and stop session monitoring, and disconnect sessions.
Filtering Sessions
ISA Server provides session filtering. For example, if a client reports problems connecting, you can filter the information on the Sessions tab to display only sessions initiated by that client. The Sessions tab displays only data for sessions that match all the expressions included in the filter. The filter expressions are combined using the logical AND operator.
To filter a session, you select a Filter by field from one of the column values displayed on the Sessions tab, and then you select a condition from one of the conditions available for the field. Then select a value. For some fields, predefined values may be available, or you can type a value. Some fields and conditions do not have values associated with them.
After you define a filter and run a query with it, you can save it for future use. It is often useful to have a set of queries, with each query used to focus on a different session type. Queries are saved as .xml files.
Pausing and Stopping Session Monitoring
You can stop session monitoring, essentially clearing the Sessions tab in ISA Server Management. When you stop session monitoring, ISA Server loses all information about any sessions that have been monitored. When you restart session monitoring, ISA Server must collect all information about active sessions.
Alternatively, you can pause monitoring. In this case, sessions displayed on the Sessions tab are not removed. However, new sessions are not added to the tab. When you resume session monitoring, ISA Server updates the Sessions tab with the relevant, new session information.
Disconnecting Sessions
The Sessions tab provides a visual indication of any potentially malicious or unwanted session activity. On the Sessions tab, you can stop the unwanted session immediately. When you stop a session, all associated connections are also closed.
Note that stopping sessions will not prevent a client from reactivating the session. Instead, you must change the firewall policy configuration, creating a rule that specifically denies access to the unwanted clients.
Services
The Services tab shows the names, status, and server uptime of a number of services running on the ISA Server firewall. Not all services are displayed and managed from this tab. Other services can be managed in Computer Management, or from a command prompt. The following table summarizes the services.
Service name | Alternate name | Managed by ISA Server Management | Managed by Computer Management |
---|---|---|---|
Microsoft Firewall | fwsrv | Yes | Yes |
Microsoft ISA Server Job Scheduler | W3Prefch | Yes | Yes |
Routing and Remote Access | RemoteAccess | Yes | Yes |
Network Load Balancing | NLBS | Yes | Yes |
Microsoft Data Engine | MSSQL$MSFW | Yes | Yes (as MSSQL$MSFW) |
Microsoft ISA Server Control | mspadmin | No | Yes |
Microsoft ISA Server Storage | isastg | No | Yes |
ISASTGCTRL | ISASTGCTRL | No | Yes |
Firewall engine | fweng | No | No |
Note the following when starting and stopping services on the Services tab:
- When you stop the Microsoft Firewall service (fwsrv), the information in the cache is not deleted. However, when you restart the service, several seconds may pass before the cache is fully enabled and functional. If the service failed, ISA Server will restore the information in the cache. This will take some time, and performance may not be optimal until the cache is eventually restored.
- If the Microsoft ISA Server Job Scheduler service is stopped, you cannot run scheduled content download jobs.
- If you configure logging to use MSDE logging, when you stop the Microsoft Data Engine service, the Routing and Remote Access and Firewall services are also stopped.
- In Enterprise Edition, when integrated NLB is enabled in ISA Server Management, you can stop, start, suspend, resume, or drain-and-stop the NLB service for each server in the array.
- When VPN client access is enabled or when you create a site-to-site network to represent a remote VPN site, the Routing and Remote Access service is displayed.
Configuration
Use the Configuration tab to monitor the configuration version on each array member. It shows the server and the Configuration Storage server it is connected to, the connection status, and when it was last updated.
Connectivity Verifiers
You can verify connectivity by regularly monitoring connections from the ISA Server computer to any specific computer or URL on any network. The following table summarizes the available connectivity methods.
Connectivity method | Details | Usage |
---|---|---|
PING | When you configure this method, ISA Server sends a Ping request (ICMP ECHO_REQUEST) to the specified server, and waits for an ICMP ECHO_REPLY. | Use this method to verify that a server is running and can be reached by ISA Server. |
TCP connect | When you configure this method, ISA Server tries to establish a TCP connection to a specific port on the specified server. | Use this method to verify that a specific service is running on the server and can be reached by ISA Server. |
HTTP request | When you configure this method, ISA Server sends an HTTP GET request and waits for the reply. | Use this method to verify that a Web server is running and can be reached by ISA Server. |
To use one of these methods to monitor connectivity to a server, you create and configure a connectivity verifier, and place it in one of the following predefined groups: Active Directory, DHCP, DNS, Published Servers, Web (Internet), and Others. For example, suppose you publish servers running FTP, Microsoft SQL Server™, and Microsoft Exchange Server. You can create a connectivity verifier for each server, and group them all in the Published Servers group. In another scenario, you might want to validate that ISA Server has connectivity to Web sites on the External network. To do this, you might define HTTP connectivity verifiers for each Web site that you want to verify, and group them in the Web (Internet) group.
Connectivity is verified by default every 30 seconds. You can change this interval, by using the Refresh rate script, described in "Setting the Refresh Rate for Connectivity Verifiers" at the Microsoft TechNet Web site. In Enterprise Edition, the refresh rate applies to all connectivity verifiers, on all array members.
Configuring Connectivity Verifiers
Connectivity verifiers are created using the New Connectivity Verifier Wizard. The settings you specify in the wizard are summarized in the following table.
Property | Details |
---|---|
Welcome page | Specify a unique name for the connectivity verifier. |
Connectivity Verification Details page | Specify the connectivity verification settings. |
Note that if you select Send an HTTP "GET" request, a dialog box appears, informing you that a rule allowing HTTP or HTTPS to the specified destination must be configured. You can select to enable a default system policy rule: "Allow HTTP/HTTPS request from ISA Server to the selected servers for connectivity verifiers."
After running the New Connectivity Verifier Wizard, you can configure additional properties on the connectivity verifier properties, as follows:
- Enable or disable the connectivity verifier.
- Specify a time-out response threshold, which by default is 5,000 milliseconds. This setting specifies a time limit for the specified server to respond. By default, an alert is triggered if the server does not respond within the allocated limit.
Server Farm Connectivity Verifiers
When you create a server farm, you specify a connection method to be used when checking the connectivity status for the servers in the farm. After creating the server farm, a connectivity verifier is automatically created for the farm and appears on the Connectivity Verifiers tab. You can edit the connection method in the properties for the server farm, or from the Connectivity Verifiers tab. You cannot create or delete a connectivity verifier for a server farm directly from the Connectivity Verifiers tab.
Analyzing HTTP GET Responses
When you configure a connectivity verifier method to send an HTTP GET request, the monitored server is expected to return an HTTP response. Depending on the response, ISA Server will mark the connectivity verifier status, as detailed in the following table.
HTTP response from monitored server | Connectivity verifier status |
---|---|
1xx, 2xx, or 3xx | OK. The response time is shown in milliseconds. |
401 (Web server authentication required) | OK. This is not considered an error, because the Web server returned the message. |
407 (proxy authentication required) | Error (Microsoft Windows Server® 2003). This is considered an error because connectivity to the actual Web server cannot be determined. |
407 (proxy authentication required) | Authentication required (Windows® 2000 Server). |
4xx (except 401 and 407) or 5xx | Error. |
Request timed out | Time-out. |
The server name could not be resolved | Unresolved name. |
ISA Server is down | Unable to verify. The Microsoft Firewall service is unavailable. |
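The table, together with the time-out threshold described above, amounts to a small classification routine. The following Python is an added example for this page, not ISA Server's own verifier: it sends one HTTP GET with the given time-out (5,000 ms by default, as in the product) and returns the status string from the table, distinguishing the Windows 2000 Server and Windows Server 2003 handling of 407. The stand-in Web server is constructed here so the check can be run offline; the paths it answers on (/ok, /auth, /proxy, /down, /slow) are assumptions of this example.

```python
import socket
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def classify_http_status(code: int, windows_2000: bool = False) -> str:
    """Map an HTTP status code to the connectivity verifier status from the table above."""
    if 100 <= code < 400 or code == 401:
        return "OK"                      # 1xx/2xx/3xx, and 401: the Web server itself answered
    if code == 407:
        # Windows 2000 Server reports proxy authentication as its own status;
        # Windows Server 2003 treats it as an error (server reachability unknown).
        return "Authentication required" if windows_2000 else "Error"
    return "Error"                       # other 4xx and all 5xx


def verify_http(url: str, timeout_ms: int = 5000, windows_2000: bool = False) -> str:
    """Send one HTTP GET and report the status an HTTP connectivity verifier would show."""
    try:
        with urllib.request.urlopen(url, timeout=timeout_ms / 1000) as resp:
            return classify_http_status(resp.status, windows_2000)
    except urllib.error.HTTPError as err:        # urllib raises 4xx/5xx instead of returning them
        return classify_http_status(err.code, windows_2000)
    except urllib.error.URLError as err:         # connection-level failures
        if isinstance(err.reason, socket.gaierror):
            return "Unresolved name"
        if isinstance(err.reason, socket.timeout):
            return "Time-out"
        return "Error"
    except socket.timeout:                       # time-out while waiting for the reply
        return "Time-out"


class _Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for the monitored Web server; the request path selects the reply."""
    STATUS = {"/ok": 200, "/auth": 401, "/proxy": 407, "/down": 503}

    def do_GET(self):
        if self.path == "/slow":
            time.sleep(1.5)                      # deliberately longer than a short time-out
        code = self.STATUS.get(self.path, 404)
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):               # keep the demo output quiet
        pass


def start_test_server():
    """Start the stand-in server on a free loopback port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _Handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    srv, base = start_test_server()
    try:
        for path in ("/ok", "/auth", "/proxy", "/down"):
            print(path, verify_http(base + path))
        print("/slow", verify_http(base + "/slow", timeout_ms=300))
    finally:
        srv.shutdown()
```

A name that does not resolve surfaces as a `socket.gaierror` inside `URLError` and is reported as "Unresolved name", matching the table; that case is not exercised by the offline stand-in because it needs DNS.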
Logging
By default, ISA Server logs all information for monitoring and analyzing the status of the following components:
- Web Proxy logs. ISA Server logs requests handled by Web Proxy Filter.
- Microsoft Firewall service logs. ISA Server logs traffic handled by the Microsoft Firewall service.
Each component has a separate log, and you can customize the log fields. For a complete list of log fields, see "ISA Server 2006 Logging Fields and Values" at the Microsoft TechNet Web site.
Logging Formats
Log information can be stored in one of the following formats:
- Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) database.
- SQL database
- Text file
The following table compares the logging formats, which are detailed in the following sections.
Format | Features |
---|---|
File | Sequential logging to a text file. |
MSDE | Logging to a local MSDE database. |
SQL | Logging to a remote SQL database. |
MSDE Logging
ISA Server includes the MSSQL$MSFW service, which is an instance of the Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) that can be used for logging. By default, ISA Server saves logging information in MSDE databases. Each database is stored in two files, an .mdf file and an .ldf file. For each log database, two files are created: ISALOG_yyyymmdd_xxx_nnn.mdf and ISALOG_yyyymmdd_xxx_nnn.ldf, where:
- yyyy represents the year that the log database refers to.
- mm represents the month that the log database refers to.
- dd represents the day that the log database refers to.
- xxx represents the type that the log database refers to. This can be one of the following:
- FWS. Represents the Firewall log.
- WEB. Represents the Web Proxy log.
- nnn is a counter that distinguishes between log databases that refer to the same day.
ISA Server keeps log entries in a memory buffer for 30 seconds (or until the buffer holds 10,000 entries) before writing them to the MSDE log. The entry limit is specified by the MSDENumberOfInsertsPerBatch property of the ISA Server FPCLogs COM object. We do not recommend reducing this buffer size. Note that Web proxy requests (HTTP GET) are only logged after the request is complete.
By default, MSDE logs are saved in the %ProgramFiles%\Microsoft ISA Server\ISALogs folder. Do not select a compressed drive as the logging directory. Saving logs to a compressed directory causes severe performance degradation for MSDE, which impacts the ISA Server firewall performance.
ISA Server creates new MSDE databases as follows:
- For each log, ISA Server creates a new database every day.
- In addition, ISA Server limits MSDE logs to 1.5 GB. When a log exceeds this limit, ISA Server automatically creates a new database.
ISA Server prepares log databases for the next day in advance. When you save logs to MSDE, a database that refers to the next day always exists.
MSDE logs can be viewed in the log viewer. This provides easy access to online information about network activity. The log viewer displays all the data as if it were in a single database. You can export the data displayed in the log viewer, to save MSDE data to a text file.
Note that the MSDE instance used by ISA Server has network protocols disabled, and you cannot connect to it remotely. You can only connect using a local SQL tool, for example Enterprise Manager, OSQL, ISQL.
Text File Logging
You can save ISA Server logs to a text file, in one of the following formats:
- World Wide Web Consortium (W3C) format. W3C logs contain both data and directives, describing the version, date, and logged fields. Because the fields are described in the file, unselected fields are not logged. The tab character is used as a delimiter. Date and time are in Coordinated Universal Time (UTC).
- ISA Server format. ISA Server format contains only data with no directives. All fields are always logged. Unselected fields are logged with a dash, to indicate that they are empty. The comma character is used as a delimiter. The date and time fields are in local time as configured on the computer.
By default, log files are saved in the %ProgramFiles%\Microsoft ISA Server\ISALogs folder. We recommend that log files are stored on an NTFS partition. Using NTFS, you can compress the log files to decrease their size and reduce the amount of space they use. You may notice a decrease in performance when working with NTFS-compressed files. When you read from (access) a compressed file, Windows automatically decompresses it for you, and when you write to the file, Windows compresses it. This process may decrease your computer's performance.
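The practical difference between the two text formats is that a W3C file tells a parser which fields it contains, while an ISA Server-format file does not, so the reader must know the field order and treat a dash as "not logged"; the time base also differs (UTC versus local time). The following Python is an added example for this page, not a Microsoft tool: one parser per format, plus a small check that counts failed requests per client over the parsed records. The field names (c-ip, cs-username, sc-status, and so on) and the sample lines are constructed for the example in W3C extended-log style; they are not the actual ISA Server field list, which is documented in "ISA Server 2006 Logging Fields and Values".

```python
import csv
from datetime import datetime, timezone
from io import StringIO
from typing import Dict, List, Optional


def parse_w3c(text: str) -> List[Dict[str, object]]:
    """Parse a W3C-format log: '#' directives name the logged fields, values are
    tab-delimited, and the date/time fields are in UTC."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                               # #Software, #Version, #Date carry no data
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        rec: Dict[str, object] = dict(zip(fields, values))
        if "date" in rec and "time" in rec:
            rec["timestamp"] = datetime.strptime(
                f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def parse_isa(text: str, fields: List[str]) -> List[Dict[str, object]]:
    """Parse an ISA Server-format log: no directives, so the caller supplies the field
    order; values are comma-delimited, unselected fields are '-', and times are local."""
    records: List[Dict[str, object]] = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        if len(row) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(row)}: {row!r}")
        rec: Dict[str, object] = {k: (None if v == "-" else v) for k, v in zip(fields, row)}
        if rec.get("date") and rec.get("time"):
            # Naive datetime on purpose: the file is in the server's local time.
            rec["timestamp"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def failed_requests_by_client(records: List[Dict[str, object]]) -> Dict[str, int]:
    """Count responses with status 400 or higher per client IP (works on either format)."""
    counts: Dict[str, int] = {}
    for rec in records:
        status = rec.get("sc-status")
        if status is not None and int(str(status)) >= 400:
            client = str(rec["c-ip"])
            counts[client] = counts.get(client, 0) + 1
    return counts


# Constructed sample data (field names and values are invented for this example).
SAMPLE_W3C = "\n".join([
    "#Software: constructed sample, not a real ISA Server log",
    "#Version: 2.0",
    "#Date: 2024-01-31 08:00:00",
    "#Fields: date time c-ip cs-username s-ip sc-status",
    "\t".join(["2024-01-31", "08:00:01", "192.0.2.10", "anonymous", "10.0.0.1", "200"]),
    "\t".join(["2024-01-31", "08:00:02", "192.0.2.10", "anonymous", "10.0.0.1", "403"]),
    "\t".join(["2024-01-31", "08:00:05", "192.0.2.11", "CONTOSO\\alice", "10.0.0.1", "200"]),
])
ISA_FIELDS = ["c-ip", "cs-username", "c-agent", "date", "time", "s-ip", "sc-status"]
SAMPLE_ISA = "\n".join([
    "192.0.2.10,anonymous,-,2024-01-31,10:00:01,10.0.0.1,200",
    "192.0.2.10,anonymous,-,2024-01-31,10:00:02,10.0.0.1,403",
    "192.0.2.11,CONTOSO\\alice,-,2024-01-31,10:00:05,10.0.0.1,200",
])

if __name__ == "__main__":
    print(failed_requests_by_client(parse_w3c(SAMPLE_W3C)))
    print(failed_requests_by_client(parse_isa(SAMPLE_ISA, ISA_FIELDS)))
```

When correlating text logs from several servers, convert the ISA-format timestamps to UTC with the originating server's time zone before comparing them with W3C logs; the parsers above keep the two time bases distinct (aware versus naive datetimes) so that mistake is caught rather than silent.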
ISA Server creates new text log files as follows:
- For each log, ISA Server creates a new file every day.
- In addition, ISA Server limits text file logs to 2 GB. When a log exceeds this limit, ISA Server automatically creates a new file.
Moving MSDE or Text File Logs
Logs should always be stored in a safe location with tightly controlled access.
By default, MSDE logs and text file logs are stored in the %ProgramFiles%\Microsoft ISA Server\ISALogs folder. You can specify an alternative log file location, including an environment variable such as %logDirectory%. If you specify a relative directory, the log is saved in the ISALogs folder, under the ISA Server installation folder. If you specify an absolute path, the actual log folder may be different on every server. If the specified folder does not exist, ISA Server will warn you that the specified location is not valid and will try to create the folder.
For any alternative logging folder, the Network Service account must have read permissions from the root partition and any parent folder for the folder. On the logging folder itself, the following permissions are required:
- Network Service: Full Control
- System: Full Control
- Administrators: Full Control
If you change the log folder location and do not set the correct permissions, event ID 11002: Microsoft Firewall service failed to start, may be issued in Event Viewer.
If you need to copy MSDE log files from one location to another, or to move the files to another server, you must first detach the database from the current server. You should never detach a database that is currently in use. One way to determine whether a database is in use is to verify that the date included in the file name is a past date or that a database with a higher number exists for the current date. Another way is to enter the following lines at command prompts:
```
OSQL -S computer_name\MSFW -E
sp_who2
go
```
This will list all MSDE databases that currently have open connections, and show which application and user has them locked or is using them.
To detach a database from a server, enter the following lines at command prompts:
```
OSQL -S computer_name\MSFW -E
sp_detach_db database_name
go
quit
```
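Before detaching, the file-name rule given above (a past date in the name, or a higher-numbered database for the same day) can be applied to a directory listing to pick out the databases that are safe to detach. The following Python is an added example for this page, not an ISA Server tool: it parses the ISALOG_yyyymmdd_xxx_nnn naming scheme from the MSDE Logging section and applies that rule. The directory listing is constructed; a real run would take the names from the ISALogs folder, and the result should still be confirmed with sp_who2 before detaching.

```python
import re
from datetime import date
from typing import Dict, List, NamedTuple, Optional, Tuple

# ISALOG_yyyymmdd_xxx_nnn.mdf / .ldf, as described in the MSDE Logging section.
LOG_NAME = re.compile(
    r"^ISALOG_(?P<y>\d{4})(?P<m>\d{2})(?P<d>\d{2})_(?P<kind>FWS|WEB)_(?P<n>\d{3})\.(?P<ext>mdf|ldf)$",
    re.IGNORECASE,
)


class LogFile(NamedTuple):
    name: str
    day: date
    kind: str      # "FWS" (Firewall log) or "WEB" (Web Proxy log)
    counter: int   # nnn, distinguishes databases for the same day
    ext: str       # "mdf" or "ldf"


def parse_log_name(name: str) -> Optional[LogFile]:
    """Return the parts of an ISA Server MSDE log file name, or None if the name does not match."""
    m = LOG_NAME.match(name)
    if not m:
        return None
    day = date(int(m["y"]), int(m["m"]), int(m["d"]))
    return LogFile(name, day, m["kind"].upper(), int(m["n"]), m["ext"].lower())


def detachable_databases(names: List[str], today: date) -> List[str]:
    """Database names (file name without extension) that the rule above marks as not in use:
    the date in the name is a past date, or a higher-numbered database exists for the same
    day and log type. Today's highest-numbered database and the database ISA Server
    pre-creates for tomorrow are therefore left out."""
    files = [f for f in map(parse_log_name, names) if f is not None]
    highest: Dict[Tuple[date, str], int] = {}
    for f in files:
        key = (f.day, f.kind)
        highest[key] = max(highest.get(key, -1), f.counter)
    safe = set()
    for f in files:
        if f.day < today or f.counter < highest[(f.day, f.kind)]:
            safe.add(f.name.rsplit(".", 1)[0])   # .mdf and .ldf collapse to one database name
    return sorted(safe)


# Constructed directory listing (not taken from a real server).
SAMPLE_LISTING = [
    "ISALOG_20240130_FWS_000.mdf", "ISALOG_20240130_FWS_000.ldf",
    "ISALOG_20240131_FWS_000.mdf", "ISALOG_20240131_FWS_000.ldf",
    "ISALOG_20240131_FWS_001.mdf", "ISALOG_20240131_FWS_001.ldf",
    "ISALOG_20240131_WEB_000.mdf", "ISALOG_20240131_WEB_000.ldf",
    "ISALOG_20240201_FWS_000.mdf", "ISALOG_20240201_FWS_000.ldf",
    "readme.txt",
]

if __name__ == "__main__":
    for db in detachable_databases(SAMPLE_LISTING, date(2024, 1, 31)):
        print(f"sp_detach_db {db}")
```

Note that the rule is deliberately conservative: the current day's Web Proxy database and tomorrow's pre-created Firewall database are excluded even though only one of them is being written to.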
SQL Logging
You can save log information to an SQL database. This is useful for remote logging. Configuring SQL logging consists of configuring settings on the computer running SQL Server and in ISA Server, as follows:
- Create a separate database and tables for Web Proxy logging and Microsoft Firewall service logging on the computer running SQL Server. ISA Server contains two SQL scripts to create the tables. These scripts are located in the %Program Files%\Microsoft ISA Server folder. For the Microsoft Firewall service logs, open the Fwsrv.sql file. For Web Proxy logs, open the W3proxy.sql file. You modify the script to use an existing database or create a new one. Then configure application permissions so that SQL Server accepts the data connection from the ISA Server computer. If SQL Server and ISA Server are in the same domain, use Windows authentication. If they are in untrusted domains or a workgroup scenario, you must set up a SQL Server account.
- Configure ISA Server for Web Proxy logging and Firewall logging to the SQL database. You must specify the name of the computer running SQL Server to which the information will be logged, the port number to use (1433 by default), the name of the database, and the authentication method and credentials.
Note the following when configuring SQL logging:
- The system policy rule named "Allow remote logging using NetBIOS to trusted servers" must be enabled to log to an SQL database. In the System Policy Editor, verify that the enabled setting is selected for the Remote Logging (SQL) system policy configuration group to enable this rule. This rule allows SQL access from the Local Host network to all computers on the Internal network. We recommend that you modify the system policy so that this rule applies only to the specific computer running SQL Server.
- For ISA Server 2006 Standard Edition, note the following:
- In previous versions of ISA Server Standard Edition, SQL logging used ODBC. ISA Server 2006 uses direct access.
- By default, ISA Server uses a Secure Sockets Layer (SSL)-encrypted connection to the computer running SQL Server, to help secure the sensitive data in the log files. To enable this connection, you must install a root certification authority (CA) certificate on the ISA Server computer. For more information, see "How to enable SSL encryption for SQL Server 2000 if you have a valid Certificate Server" at Microsoft Help and Support.
- We recommend PCI network adapters with a transfer rate of at least 100 megabits per second for the link between the ISA Server computer and the computer running SQL Server.
- For ISA Server 2006 Enterprise Edition, note the following:
- When applicable, we recommend that you use Windows authentication. In a workgroup deployment, if you configure SQL logging for Windows authentication, you should specify a local user account. This account must exist on all array members and on the computer running SQL Server. The account should also have appropriate logon permissions specified in SQL Server Security.
- If you specify a non-default port for the computer running SQL Server, do the following: Create custom UDP and TCP protocol definitions for the specified port. Then create an access rule from the Local Host network to the network on which the computer running SQL Server is located, allowing the two protocols you created. Without this rule, the logging connection is blocked by the firewall policy and logging to SQL fails.
- You can configure data encryption on the properties of Firewall logging and Web Proxy logging when connecting to an SQL database. If you configure encryption when logging to an SQL database, you must install a certificate on the computer running SQL Server. Then, update the trusted root authority on each array member to trust the server certificate.
- By default, ISA Server uses an SSL-encrypted connection to the computer running SQL Server, to help secure the sensitive data in the log files. To enable this connection, you must install a root certification authority (CA) certificate on the array members.
Querying the Logs
You can use the ISA Server log viewer to monitor and analyze traffic, and troubleshoot network activity. By default, the log viewer displays all log records for the Web Proxy log and Firewall log in real time as they occur, with each event displayed in the log viewer as soon as it is logged. To display records with the default filter, click the Logging tab, and then on the Tasks tab, select Start Query.
You can modify the default filter conditions to display only data that meets specific criteria in the log viewer. A record is displayed only if it matches all the expressions included in the filter; the filter expressions are combined using the logical AND operator. For example, to see all log entries currently being logged for a specific IP address, you would edit the logging filter as follows:
- Set Client IP to the relevant IP address.
- Set Log Time to Live.
When you filter the log, you can select to view the Web Proxy log, the Firewall log, or both.
All log formats allow you to filter data by Log Time. For Text logs, you can only specify the Log Time with the Live value. This is known as online viewing, and displays real-time log data. MSDE logging and SQL logging allow you to specify the Log Time with other values. This allows you to display log data that was logged during a specific time period, and not just live data. This is known as offline viewing. When offline data is displayed, the log viewer actually queries the database.
When you create a filter, you specify a criterion, a condition, and a value. You select a field on which to filter the log, and then select a condition from one of the conditions available for the field. Then select a value. For some fields, predefined values may be available, or you can type a value. Some fields and conditions do not have values associated with them.
You cannot remove the entries in the default filter, but you can select the fields that appear in the default query and make changes to the values.
The following table summarizes the criteria on which you can filter logs.
Filter by | Condition | Values and description |
---|---|---|
Action (not applicable to Web Proxy log) | Equals, Not Equals | The action performed by the Firewall service for the current connection or session. Possible values: |
Authenticated Client (not applicable to Firewall log) | Equals, Not Equals | Indicates whether the client has been authenticated with ISA Server. Possible values: |
Authentication Server | Contains, Equals, Not Contains, Not Equals | Possible values: |
Bidirectional (not applicable to Web Proxy log) | Equals, Not Equals | Indicates whether the traffic is send/receive. Possible values: |
Bytes Received | Greater or Equal, Less or Equal | The number of bytes sent from the destination computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination computer or that no bytes were received from the destination computer. Possible values: |
Bytes Sent | Greater or Equal, Less or Equal | The number of bytes sent from the source client to the destination server during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination computer or that no bytes were sent to the destination computer. Possible values: |
Cache Information (not applicable to Firewall log) | Equals, Not Equals | A number reflecting the cache status of the object, which indicates why the object was or was not cached. Possible values: |
Client Agent | Contains, Equals, Not Contains, Not Equals | The client application type sent by the client in the HTTP header. For the Microsoft Firewall service, this field includes information about the client's operating system. Possible values: |
Client Host Name | Contains, Equals, Not Contains, Not Equals | The domain name of the local computer for the current connection. For the Web Proxy log, a hyphen (-) in this field may indicate that an object was retrieved from the cache and not from the destination. In the Firewall log, this field is reserved for future use. Possible values: |
Client IP | Equals, Greater or Equal, Less or Equal, Not Equal | The IP address of the requesting client. Possible values: |
Client Username | Contains, Equals, Not Contains, Not Equals | The account of the user making the request. If ISA Server access control is not being used, ISA Server logs anonymous. Possible values: |
Destination Host Name | Contains, Equals, Not Contains, Not Equals | The domain name of the remote computer that provides service to the current connection. For the Web Proxy log, a hyphen (-) in this field may indicate that an object was retrieved from the cache and not from the destination. Possible values: |
Destination IP | Equals, Greater or Equal, Less or Equal, Not Equal | The IP address of the remote computer that provides service to the current connection. For the Web Proxy log, a hyphen (-) in this field may indicate that an object was served from the cache and not from the destination. One exception is negative caching: in that case, this field indicates the destination IP address for which a negative-cached object was returned. Possible values: |
Destination Network | Contains, Equals, Not Contains, Not Equal | The network that provides service to the current connection. Possible values: |
Destination Port | Equals, Not Equal | The port number on the remote computer that provides service to the current connection, as used by the client application initiating the request. Possible values: |
Destination Proxy | Contains, Equals, Not Contains, Not Equal | The remote computer that provides service to the current connection. Possible values: |
Error Information (not applicable to Firewall log) | Equals, Not Equals | Error information. Possible values: |
Filter Information | Contains, Equals, Not Contains, Not Equal | Information that a Web filter can log. For example, when the HTTP filter denies a request, the reason for the denial is stored here. Possible values: |
GMT Log Time | On or After, On or Before | The log date and time in Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT). Possible values: |
HTTP Method | Contains, Equals, Not Contains, Not Equals | Specifies the application method used. Possible values that are common for the Web Proxy log: Possible values that are common for the Firewall log: |
HTTP Status Code | Equals, Not Equals | Specifies the HTTP status code. Possible values: |
Log Record Type | Equals | Specifies the log type to filter. Possible values: |
Log Time | Last hour, Last 24 hours, Last 7 days, Last 30 days, Live, On or After, On or Before | The time that the logged event occurred. Possible values: |
MIME Type (not applicable to Firewall log) | Contains, Equals, Not Contains, Not Equals | The MIME type for the current object. This field may also contain a hyphen (-) to indicate that the field is not used or that a valid MIME type was not defined or supported by the remote computer. Possible values: |
Network Interface (not applicable to Web Proxy log) | Contains, Equals, Not Contains, Not Equals | Primary IP address of the interface that received the traffic. Possible values: |
Object Source (not applicable to Firewall log) | Equals, Not Equals | Indicates the source that was used to retrieve the current object. Possible values: |
Original Client IP | Equals, Greater or Equal, Less or Equal, Not Equal | The IP address of the client making the request. Possible values: |
Processing Time (not applicable to Firewall log) | Greater or Equal, Less or Equal | The total time, in milliseconds, that ISA Server needed to process the current connection. It measures elapsed server time from when the server first received the request to when final processing occurred on the server, that is, when results were returned to the client and the connection was closed. For cache requests processed through Web Proxy, processing time measures the elapsed server time needed to fully process a client request and return an object from the server cache to the client. Possible values: |
Protocol | Contains, Equals, Not Contains, Not Equals | Specifies the application protocol used for the connection. Common values are HTTP, FTP, and HTTPS. For the Firewall service, the port number is also logged. Possible values: |
Raw IP Header (not applicable to Web Proxy log) | Contains, Equals, Not Contains, Not Equals | The raw IP header information. Possible values: |
Raw Payload (not applicable to Web Proxy log) | Contains, Equals, Not Contains, Not Equals | The raw data of the packet. Possible values: |
Referring Server | Contains, Equals, Not Contains, Not Equals | If ISA Server is used upstream in a chained configuration, this indicates the server name of the downstream server that sent the request. Possible values: |
Result Code | Equals, Not Equals | The result code numeric ID. Possible values: |
Rule | Contains, Equals, Not Contains, Not Equals | The rule that allowed or denied the request. Possible values: |
Server Name (not applicable to Firewall log) | Contains, Equals, Not Contains, Not Equals | The name of the computer running ISA Server. This is the computer name assigned in Microsoft Windows Server 2003 or Windows 2000 Server. Possible values: |
Service (not applicable to Firewall log) | Equals, Not Equals | The type of request being logged. Possible values: |
Source Network | Contains, Equals, Not Contains, Not Equals | The network from which the request originated. Possible values: |
Source Port (not applicable to Web Proxy log) | Equals, Not Equals | The port from which the requesting client makes the request. Possible values: |
Source Proxy (not applicable to Web Proxy log) | Contains, Equals, Not Contains, Not Equals | IP address representing the client computer. Possible values: |
Transport | Contains, Equals, Not Contains, Not Equals | Specifies the transport protocol used for the connection. Possible values: |
URL (not applicable to Firewall log) | Contains, Equals, Not Contains, Not Equals | The contents of the URL request. Possible values: |
Note the following when filtering log views:
- Up to 10,000 results are displayed in the log viewer.
- ISA Server logs each request in the authentication process for a Web Proxy client. The destination IP address and port number are not logged for denied requests.
- Some log information, including IP data, Raw IP header, and Interface, is displayed only for stateless traffic that is not allowed for reasons other than a policy rule or application filter. For example, if traffic is dropped because it is considered spoofed, it is displayed.
- If no rule specifically allows the outgoing or incoming request, the rule name is logged as "Default Rule." This indicates the following:
- That the connection was denied but the denial was not due to access policy. For example:
- No network relationship is defined between the source and destination networks.
- Intrusion detection dropped the traffic as spoofed.
- The request is from a client that exceeded the maximum connection limits.
- That the connection was allowed implicitly, without a specific system policy rule or access rule to allow it. This can happen in a number of scenarios. For example, an application filter running on ISA Server may update its files from the Web, and open a connection to a Web server without a specific policy rule that allows the connection. In this case, the rule name field in the log will be empty, and not populated with "Default Rule".
- After you define a filter and run a query with it, you can save it as an .xml file for future use. It is often useful to have a set of queries, with each query used to focus on a different session type. You can then import saved filter query definitions as required.
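The filter semantics described above (a set of field, condition, value expressions combined with logical AND, the relative Log Time windows, IP address comparison for the address fields, and the 10,000-result cap) are shown here as an added example in Python. This is not ISA Server code and it does not read ISA Server's log files; it runs the same kind of query over constructed records that use the log viewer's field names. The "Live" handling (records logged after the query started) and the sample Action and Rule values are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

MAX_RESULTS = 10_000                    # the log viewer shows at most 10,000 results per query

IP_FIELDS = {"Client IP", "Destination IP", "Original Client IP"}
TIME_FIELDS = {"Log Time", "GMT Log Time"}
RELATIVE_WINDOWS = {                    # Log Time conditions that take no value
    "Last hour": timedelta(hours=1),
    "Last 24 hours": timedelta(hours=24),
    "Last 7 days": timedelta(days=7),
    "Last 30 days": timedelta(days=30),
}


def _coerce(field, value):
    """Convert a filter or record value into a comparable type for the field."""
    if field in IP_FIELDS:
        return ipaddress.ip_address(value)          # so 10.0.0.9 < 10.0.0.10, unlike string order
    if field in TIME_FIELDS and not isinstance(value, datetime):
        return datetime.fromisoformat(value)
    return value


def match(record, field, condition, value, now):
    """Evaluate one (field, condition, value) filter expression against one record."""
    if field not in record:
        return False                                # a record without the field never matches
    condition = condition.replace("Equals", "Equal")   # the viewer lists both spellings
    actual = _coerce(field, record[field])
    if condition in RELATIVE_WINDOWS:
        return now - RELATIVE_WINDOWS[condition] <= actual <= now
    if condition == "Live":                         # assumption: entries logged after the query started
        return actual >= now
    expected = _coerce(field, value)
    if condition == "Equal":
        return actual == expected
    if condition == "Not Equal":
        return actual != expected
    if condition == "Contains":
        return str(expected) in str(actual)
    if condition == "Not Contains":
        return str(expected) not in str(actual)
    if condition in ("Greater or Equal", "On or After"):
        return actual >= expected
    if condition in ("Less or Equal", "On or Before"):
        return actual <= expected
    raise ValueError(f"unsupported condition: {condition}")


def run_query(records, filter_expressions, now=None):
    """Return records matching every expression (logical AND), capped at MAX_RESULTS."""
    now = now or datetime.now()
    hits = []
    for record in records:
        if all(match(record, f, c, v, now) for f, c, v in filter_expressions):
            hits.append(record)
            if len(hits) == MAX_RESULTS:
                break
    return hits


# Constructed sample Firewall-log records (not real ISA Server output).
def _rec(logged, client_ip, dest_ip, dest_port, protocol, action, rule, user="anonymous"):
    return {"Log Time": logged, "Client IP": client_ip, "Destination IP": dest_ip,
            "Destination Port": dest_port, "Protocol": protocol, "Action": action,
            "Rule": rule, "Client Username": user}


QUERY_TIME = datetime(2006, 12, 1, 12, 0)           # "now" for the relative Log Time conditions
SAMPLE_RECORDS = [
    _rec(datetime(2006, 12, 1, 8, 0), "10.0.0.5", "203.0.113.10", 80, "HTTP",
         "Initiated Connection", "Allow Web Access", "CONTOSO\\alice"),
    _rec(datetime(2006, 12, 1, 8, 5), "10.0.0.5", "198.51.100.20", 445, "Microsoft CIFS (TCP)",
         "Denied Connection", "Default Rule"),
    _rec(datetime(2006, 11, 29, 23, 0), "10.0.0.5", "203.0.113.10", 443, "HTTPS",
         "Initiated Connection", "Allow Web Access", "CONTOSO\\alice"),
    _rec(datetime(2006, 12, 1, 9, 30), "10.0.0.7", "198.51.100.20", 445, "Microsoft CIFS (TCP)",
         "Denied Connection", "Default Rule"),
    _rec(datetime(2006, 12, 1, 9, 31), "10.0.0.7", "192.0.2.9", 25, "SMTP",
         "Denied Connection", "Default Rule"),
]

if __name__ == "__main__":
    # The page's own example: everything logged in the last day for one client IP.
    for hit in run_query(SAMPLE_RECORDS,
                         [("Client IP", "Equals", "10.0.0.5"), ("Log Time", "Last 24 hours", None)],
                         now=QUERY_TIME):
        print(hit["Log Time"], hit["Action"], hit["Protocol"], hit["Destination IP"])
```

Converting the address fields with the ipaddress module is what makes "Greater or Equal" and "Less or Equal" on Destination IP behave as a range check rather than a string comparison; a pair of those two expressions is the way to scope a query to one subnet with this filter model.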
Log Maintenance
Because ISA Server is deployed to secure your network, it is critical that logging information is always available and accurate. You should carefully monitor alerts and verify that their activity is always being logged. Check for alerts that indicate failure to log for a variety of reasons, including disk space, SQL Server connectivity issues, and others.
ISA Server summarizes the previous day's logs, and reports are based on these log summaries. Properly maintained logs help ensure that reports are accurate. For MSDE logging and text file logging, you can specify the following log maintenance settings:
- Limit total log file size. Specifies how many total gigabytes (GB) of disk space log files can use. Each log file is limited to 1.5 GB. When a log file reaches 1.5 GB, a new file is automatically created.
- Maintain free disk space. Specifies the minimum amount of disk space that must be kept free.
- Delete files older than a specified number of days
When these limits are reached, logs are maintained according to one or more of the following methods:
- Delete older log files as necessary. Specifies that when limits are reached, older files are deleted as newer files are saved.
- Discard new log entries. Specifies that when limits are reached, new entries will not be saved until limits are changed, or old files are deleted. An alert is issued to notify of this event.
- Delete log files older than. Specify how long log files are kept before being automatically deleted. To delete old files from storage, decrease this number.
- Compress log files. Specify that log files should be compressed to reduce disk space. Only available on NTFS partitions.
ISA Server checks that logs do not exceed the specified limits every 30 seconds. This means that for up to a period of 30 seconds, logs might exceed the limits. ISA Server automatically deletes logs in accordance with these settings. For accurate reporting, ensure that you allocate sufficient disk space to accommodate logs for at least a day or two. If you only configure space for less than a day, reports will be based on that portion of the day only. Note that each log component (Firewall and Web proxy) is maintained separately in accordance with settings. So for example, if the total log size for each component is set to 8 GB, then the maximum size of the combined log will be 16 GB.
SQL logs are maintained on the computer running SQL Server by the SQL Server administrator.
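The interaction between the size limit, the free-disk limit, the age limit, the 1.5 GB file roll-over, and the two "limits reached" behaviours is easier to reason about in code. The following is an added example in Python that models those settings for one log component; it is not ISA Server's maintenance code, it manipulates no real files, and the free disk space is a modelled number rather than a measurement. File names and the alert text are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

GB = 1024 ** 3
MAX_FILE_BYTES = int(1.5 * GB)          # a log file is closed and a new one started at 1.5 GB
DAY0 = datetime(2006, 12, 1)


def day(n):
    """Sample timestamp helper: midnight n days after DAY0."""
    return DAY0 + timedelta(days=n)


@dataclass
class LogFile:
    name: str
    created: datetime
    size: int = 0


@dataclass
class LogComponent:
    """Maintenance state for one log component (Firewall or Web Proxy).

    Each component is maintained separately, so two components with an 8 GB
    limit can together occupy 16 GB, as the text notes."""
    prefix: str
    limit_total_bytes: int              # "Limit total log file size"
    keep_free_bytes: int                # "Maintain free disk space"
    delete_older_than_days: int         # "Delete files older than"
    on_limit: str                       # "delete_oldest" or "discard_new"
    disk_free: int                      # modelled free space on the log volume (assumption)
    files: list = field(default_factory=list)
    discarded_bytes: int = 0
    alerts: list = field(default_factory=list)
    _seq: int = 0
    _discarding: bool = False

    def total_size(self):
        return sum(f.size for f in self.files)

    def _delete(self, f):
        self.files.remove(f)
        self.disk_free += f.size

    def _over_limit(self, nbytes):
        return (self.total_size() + nbytes > self.limit_total_bytes
                or self.disk_free - nbytes < self.keep_free_bytes)

    def write(self, nbytes, now):
        """Store nbytes of new entries logged at 'now'; return True if they were kept."""
        for f in list(self.files):                 # age-based deletion always runs
            if now - f.created > timedelta(days=self.delete_older_than_days):
                self._delete(f)
        while self._over_limit(nbytes):
            if self.on_limit == "delete_oldest" and self.files:
                self._delete(min(self.files, key=lambda f: f.created))
            else:                                  # discard_new: keep history, drop new entries
                self.discarded_bytes += nbytes
                if not self._discarding:           # one alert per outage, not one per entry
                    self.alerts.append((now, f"{self.prefix}: log limits reached, new entries discarded"))
                    self._discarding = True
                return False
        self._discarding = False
        if not self.files or self.files[-1].size + nbytes > MAX_FILE_BYTES:
            self._seq += 1
            self.files.append(LogFile(f"{self.prefix}_{now:%Y%m%d}_{self._seq}.w3c", now))
        self.files[-1].size += nbytes
        self.disk_free -= nbytes
        return True


def simulate(component, daily_bytes, days):
    """Write daily_bytes once per day for the given day numbers; return the per-day results."""
    return [component.write(daily_bytes, day(n)) for n in days]


if __name__ == "__main__":
    fw = LogComponent("FWSLOG", 4 * GB, 1 * GB, 7, "delete_oldest", 100 * GB)
    print(simulate(fw, 1 * GB, range(6)), [f.name for f in fw.files], fw.total_size() // GB, "GB")
```

The "discard_new" branch is the one to watch: it preserves history at the cost of a gap in coverage, and the gap ends only when an older file ages out or an administrator frees space, which is why the text recommends allocating space for at least a day or two of logs.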
Attack Mitigation
When an attack occurs, many events will be logged. To continue logging despite the large number of events, follow these guidelines:
- By default, if ISA Server cannot log activity, the log failure alert is configured to stop the Microsoft Firewall service when it is generated. Consider reconfiguring this alert to send an e-mail message to an administrator's e-mail address, especially when you want to provide maximum serviceability. Also, use the ISA Server software development kit (SDK) to create a script that does not drop connections for which traffic is not logged. For example, you can use the script "Disable Firewall Service Lockdown due to Logging Failures", located at the Coding Corner. For more information about using COM properties, see ISA Server SDK Help.
- Review how you have configured logging for each rule, to create sufficient yet precise log data. Specifically, you might want to disable logging for the Default Rule. Then, create another deny rule. Enable logging for this rule, so that you track unwanted traffic. Similarly, you may want to disable logging for rules that apply to network basic input/output system (NetBIOS) and Dynamic Host Configuration Protocol (DHCP), depending on your organizational needs.
- Logging is itself an attack surface, because it consumes a large amount of I/O and CPU resources and an attacker can drive that cost with a flood of denied requests. ISA Server 2006 provides a network protection flood resiliency feature, which can specify that denied traffic will not be logged once a "denied requests per second" limit is reached. For more information, see "ISA Server Network Protection Concepts in ISA Server 2006" at the Microsoft TechNet Web site.
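The "denied requests per second" idea, as an added example in Python that is not ISA Server's implementation: allowed traffic is always logged, denied requests are logged until a per-second budget is spent, and the remainder are counted rather than written so that the size of the flood is still recorded without one disk write per dropped packet. The record layout and the burst traffic are constructed for the example.

```python
from datetime import datetime


class DeniedRequestLogLimiter:
    """Per-second budget for logging denied requests (a model of the flood
    resiliency setting; added example, not ISA Server's implementation)."""

    def __init__(self, denied_per_second):
        self.denied_per_second = denied_per_second
        self.current_second = None
        self.logged_this_second = 0
        self.suppressed = {}             # second -> denied entries that were not written

    def should_log(self, record, now):
        """Return True if this record should be written to the log."""
        if record.get("Action") != "Denied Connection":
            return True                  # allowed traffic is never rate limited
        second = now.replace(microsecond=0)
        if second != self.current_second:          # new second: reset the budget
            self.current_second = second
            self.logged_this_second = 0
        if self.logged_this_second < self.denied_per_second:
            self.logged_this_second += 1
            return True
        self.suppressed[second] = self.suppressed.get(second, 0) + 1
        return False

    def suppression_report(self):
        """One summary line per second in which denied entries were suppressed."""
        return [f"{sec:%Y-%m-%d %H:%M:%S} denied requests not logged: {n}"
                for sec, n in sorted(self.suppressed.items())]


def filter_burst(limiter, timed_records):
    """Pass (timestamp, record) pairs through the limiter; return the records to write."""
    return [rec for stamp, rec in timed_records if limiter.should_log(rec, stamp)]


BURST_START = datetime(2006, 12, 1, 10, 0, 0)


def sample_burst():
    """Constructed traffic: 500 denied connection attempts in one second from one
    source, 3 legitimate requests in the same second, then 20 denials in the next."""
    denied = {"Action": "Denied Connection", "Client IP": "198.51.100.7", "Destination Port": 445}
    allowed = {"Action": "Initiated Connection", "Client IP": "10.0.0.5", "Destination Port": 80}
    burst = [(BURST_START.replace(microsecond=i * 1000), dict(denied)) for i in range(500)]
    legit = [(BURST_START.replace(microsecond=999_000), dict(allowed)) for _ in range(3)]
    tail = [(BURST_START.replace(second=1, microsecond=i * 1000), dict(denied)) for i in range(20)]
    return burst + legit + tail


if __name__ == "__main__":
    limiter = DeniedRequestLogLimiter(denied_per_second=100)
    written = filter_burst(limiter, sample_burst())
    print(len(written), "records written instead of", len(sample_burst()))
    print("\n".join(limiter.suppression_report()))
```

The suppression counts are the part a detection engineer should insist on: a limiter that silently drops denied entries hides exactly the signal (volume per second, per source) that distinguishes a flood from background noise.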
Reports
With ISA Server reporting, you can create a permanent record of common usage patterns, and summarize and analyze log information. For example, you can determine:
- Who is accessing sites, and which sites are being accessed.
- Which protocols and applications are being used most often.
- General traffic patterns.
- Cache ratio.
- Security monitoring. For example, you can generate reports that track malicious attempts to access internal resources. Similarly, by tracking the number of connections to a published server, or the traffic to the server, you might identify an attempt at denial of service.
ISA Server reports are based on log summaries derived from the Web Proxy and Firewall logs. The Dailysum.exe program, installed with ISA Server, is responsible for summarizing the log data. By default, Dailysum.exe runs as follows:
- Daily. Dailysum.exe runs each day at 00:30 (12:30 A.M.).
- Monthly. At the beginning of each month, Dailysum.exe creates a monthly summary that summarizes all the past month's daily summaries. At least 35 daily summaries are saved, and at least 13 monthly summaries are saved.
Dailysum.exe runs even if no reports are configured to run. You can disable this default setting, or modify when Dailysum.exe runs. Two log summaries are saved: one with a daily summary and one with a monthly summary. Summaries are saved in database files (.ils files), by default in the ISASummaries folder, in the ISA Server installation folder. When a report is created, all relevant summary databases are combined into a single report database, and the report is created.
Generating Reports
You can customize content to include in a report. ISA Server provides the following predefined report types that you can use, or modify if required:
- Summary. A Summary content report includes summarized information about network traffic usage, sorted by application. These reports are most relevant to the network administrator or the person managing or planning a company's Internet connectivity.
- Web Usage. A Web Usage content report displays information about frequent Web users, common responses, and browsers. These reports are most relevant to the network administrator or the person managing or planning a company's Internet connectivity. It shows how the Web is being used in a company.
- Application Usage. An Application Usage content report illustrates Internet application usage information about top users, client applications, and destinations.
- Traffic and Utilization. A Traffic and Utilization content report shows total Internet usage by application, protocol, and direction. These reports also show average traffic and peak simultaneous connections, cache hit ratio, errors, and other statistics.
- Security. A Security content report lists attempts to breach network security.
You can customize the different report types, and specify a sort order, with the following types of criteria.
Report criteria | Details | Report types |
---|---|---|
Top protocols | Limit the report to a specific number of the most heavily used protocols during the report period. | Summary, Application Usage, Web Usage |
Top users | Limit the report to a specific number of the users who generated the most traffic. | Summary, Application Usage, Web Usage |
Top sites | Limit the report to a specific number of the top sites visited. | Summary, Web Usage |
Cache hit ratio | Include the ratio between the number of Web object requests and the number served from the cache. | Summary, Traffic and Utilization |
Object types | Limit the report to a specific number of the most frequently requested object types. | Web Usage |
Browsers | Limit the report to a specific number of the most frequently used client browsers. | Web Usage |
Operating systems | Limit the report to a specific number of the most frequently used client operating systems. | Web Usage, Application Usage |
Destinations | Limit the report to a specific number of the most frequently requested destinations in client requests. | Application Usage |
Client applications | Limit the report to a specific number of the client applications with the highest network traffic. | Application Usage |
Dropped packets | Limit the report to a specific number of the clients with the highest number of dropped packets. | Security |
Authorization failures | Limit the report to a specific number of the clients causing the highest number of authorization failures. | Security |
To generate a report, ISA Server runs the ISARepGen.exe application, installed with ISA Server. You can create the following reports from the log summaries:
- Generate a one-time report. You create a one-time report using the New Report Wizard. The report created will be run only once, when the wizard completes. To generate a one-time report, from the Monitoring node, click the Reports tab, and then on the Tasks tab, click Generate a New Report.
- Configure a recurring report. You can schedule automated reports on a daily, weekly, monthly, or yearly basis. You configure recurring reports using the New Report Job Wizard. You specify the period of activity that the report will cover, and when and how often the report is generated. To generate a recurring report job, from the Monitoring node, click the Reports tab, and then on the Tasks tab, click Create and Configure Report Jobs.
The following table summarizes the settings you specify when running the New Report Wizard to create a single one-time report, or when running the New Report Job Wizard to create a scheduled recurring report.
Property | Details | Report type |
---|---|---|
Report name | Specify a name for the report. | One-time report and recurring report |
Report Content | Select the content types. By default, all content types are selected. | One-time report and recurring report |
Report Period | Specify a start date and end date for the report. Reports are based on log summaries created daily, so the end date should be at least one day earlier than the current date. | One-time report only |
Report Job Schedule | Specify when a recurring report runs: | Recurring report only |
Report Publishing | Specify a directory to which the report should be published, and credentials if required. The account specified must have write permissions to the specified folder. | One-time report and recurring report |
Send E-mail Notification | Specify that an e-mail message should be sent to notify that a report has been generated. Configure the SMTP server, and the e-mail addresses of the sender and the recipients. You can specify that a link to the completed report should be included in the message. | One-time report and recurring report |
The following traffic is not included in reports generated by ISA Server:
- Traffic for which the Action field in the log equals Established or Allowed.
- Proxy authentication queries. This type of traffic is identified in the log as having the LogType field equal to Web Proxy and the destination either ms_proxy_intra_array_auth_query or ms_proxy_auth_query.
- Establishment and termination of virtual private network (VPN) sessions. This type of traffic is identified in the log as having the ClientAgent field equal VPN remote access or VPN remote site.
- (ISA Server 2006 Enterprise Edition only.) Traffic for which the Object source field in the log equals Member. When Cache Array Routing Protocol (CARP) is configured, each client Web request appears twice in the log. The first request is from the client to the first ISA Server computer. The second request is from the second ISA Server computer to the actual Web server.
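To make the exclusion list above and the daily-to-monthly summary flow concrete, here is an added example in Python. It is not Dailysum.exe and does not read .ils files; it applies the four exclusions to constructed records that use the field names the list refers to (LogType, ClientAgent, Object source), reduces them to counters of the kind the Top N report criteria need, and merges daily summaries into a monthly one. Which Object Source values count as cache hits, and the Bytes field, are assumptions.

```python
from collections import Counter

# Traffic the reporting engine leaves out (from the list above).
EXCLUDED_ACTIONS = {"Established", "Allowed"}
AUTH_QUERY_DESTINATIONS = {"ms_proxy_intra_array_auth_query", "ms_proxy_auth_query"}
VPN_CLIENT_AGENTS = {"VPN remote access", "VPN remote site"}
CACHE_SOURCES = {"Cache", "VCache"}     # assumption: Object Source values that count as cache hits


def included_in_report(record, enterprise_edition=False):
    """Apply the report exclusions to one log record."""
    if record.get("Action") in EXCLUDED_ACTIONS:
        return False
    if record.get("LogType") == "Web Proxy" and record.get("Destination") in AUTH_QUERY_DESTINATIONS:
        return False
    if record.get("ClientAgent") in VPN_CLIENT_AGENTS:
        return False
    if enterprise_edition and record.get("ObjectSource") == "Member":
        return False                    # CARP: drop the member-to-member hop so a request counts once
    return True


def daily_summary(records, enterprise_edition=False):
    """Reduce one day's records to counters; Counters add, so the monthly roll-up is a sum."""
    kept = [r for r in records if included_in_report(r, enterprise_edition)]
    web = [r for r in kept if r.get("LogType") == "Web Proxy"]
    return {
        "requests": len(kept),
        "bytes": sum(r.get("Bytes", 0) for r in kept),
        "web_requests": len(web),
        "cache_hits": sum(1 for r in web if r.get("ObjectSource") in CACHE_SOURCES),
        "protocols": Counter(r["Protocol"] for r in kept),
        "users": Counter(r["ClientUserName"] for r in kept),
        "sites": Counter(r["Destination"] for r in web),
    }


def merge_summaries(summaries):
    """Combine daily summaries into one, the way a monthly summary is built from daily ones."""
    total = {"requests": 0, "bytes": 0, "web_requests": 0, "cache_hits": 0,
             "protocols": Counter(), "users": Counter(), "sites": Counter()}
    for s in summaries:
        for key, value in s.items():
            total[key] += value         # ints add; Counters add per key
    return total


def cache_hit_ratio(summary):
    return summary["cache_hits"] / summary["web_requests"] if summary["web_requests"] else 0.0


def top(summary, key, n):
    """The 'Top N' view a report shows, computed from the merged counters at report time."""
    return summary[key].most_common(n)


# Constructed sample records (not real ISA Server log output).
def _wp(user, destination, protocol, nbytes, source):
    return {"LogType": "Web Proxy", "ClientUserName": user, "Destination": destination,
            "Protocol": protocol, "Bytes": nbytes, "ObjectSource": source, "Action": "-"}


def _fw(user, destination, protocol, nbytes, action, agent="-"):
    return {"LogType": "Firewall", "ClientUserName": user, "Destination": destination,
            "Protocol": protocol, "Bytes": nbytes, "Action": action, "ClientAgent": agent}


SAMPLE_LOG = [
    _wp("CONTOSO\\alice", "www.example.com", "HTTP", 2048, "Internet"),
    _wp("CONTOSO\\alice", "www.example.com", "HTTP", 2048, "Cache"),
    _wp("CONTOSO\\bob", "cdn.example.net", "HTTPS", 10240, "Internet"),
    _wp("anonymous", "ms_proxy_auth_query", "HTTP", 0, "Internet"),              # excluded: auth query
    _fw("CONTOSO\\carol", "192.0.2.9", "SMTP", 512, "Initiated Connection"),
    _fw("CONTOSO\\carol", "192.0.2.9", "SMTP", 0, "Established"),                # excluded: Established
    _fw("anonymous", "10.0.0.1", "PPTP", 0, "Initiated Connection", "VPN remote access"),  # excluded: VPN
    _wp("CONTOSO\\bob", "www.example.com", "HTTP", 4096, "Member"),              # excluded in EE only
]

if __name__ == "__main__":
    today = daily_summary(SAMPLE_LOG)
    month = merge_summaries([today, today])
    print(top(month, "protocols", 3), f"cache hit ratio {cache_hit_ratio(month):.0%}")
```

Keeping full counters in the daily summary, and taking the Top N only when the report is generated, is what allows a monthly report to be correct: a top-three list from each day cannot be merged into a top-three list for the month, but per-key counts can.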
Generating Reports in ISA Server 2006 Enterprise Edition
In Enterprise Edition, reports are generated by collating information from the log summaries on each array member. Note the following:
- In a workgroup deployment, you must enable Authenticate using this account on the Intra-array Credentials tab of the array properties page, and specify a user account that is defined on all array members.
- We recommend that you minimize the number of reports to be saved to a Configuration Storage server. Each report saved to a Configuration Storage server is replicated to all of the other Configuration Storage servers in the enterprise. If you do not limit the number of reports that are saved, you will increase bandwidth usage for replication, as well as the amount of storage used enterprise-wide for reports. Instead, publish reports on another computer on the network.
Viewing and Publishing Reports
You can view a report by double-clicking the report name in ISA Server Management. The report is displayed in Microsoft Internet Explorer®. The report can be viewed only on the computer running ISA Server Management. On any other computer, the report shows either empty data, or a page with empty frames and a message that the "Page cannot be displayed."
Note the following about data displayed in the report:
- Requests are calculated only when the connection is terminated.
- Bytes are counted for every line in the log.
To make reports more readily available, you can publish them to a shared folder. The published reports are stored in a folder named Report_Job_Name_(Start date—End date). For example, if you publish the report job named DailyReports, scheduled to run from December 1, 2006 through December 15, 2006, the published reports folder will be named DailyReports_(12.1.2006—12.15.2006).
To view the report, double-click the file named report.htm located in the published folder. This has links to all the report types generated. Everyone who needs access to the reports should have Read permissions to this folder. In this way, others can view the reports without accessing the ISA Server computer and ISA Server Management. When a report is published, several report files and the associated graphics are saved to the specified published folder.
When you publish any report, the ISARepGen.exe process must have Write permissions to the publishing folder. You can configure the credentials that ISARepGen.exe uses to create reports.
By default, the Local System account is used. Note, however, that if you publish reports to a different computer, the Local System account credentials are actually passed as the (ISA Server) computer account. The computer account must have permissions to write to the network shared folder.
If ISA Server is installed in workgroup mode, ISARepGen.exe uses the Unauthenticated account. In this case, we recommend that you specify user credentials when publishing reports to another computer.
Appendix A: Alert Definitions
The following table summarizes the ISA Server predefined alert definitions.
Alert definition | Description | Event | Additional conditions |
---|---|---|---|
Access to Configuration Storage server is blocked (Enterprise Edition only) |
As a result of changes made to the configuration, access to the Configuration Storage server is blocked. |
Access to Configuration Storage server is blocked |
Any connection failure |
Account name resolution failed (Enterprise Edition only) |
The Configuration Agent is unable to resolve the account specified for administration. |
Account name resolution failed |
None |
Alert action failure |
The action associated with this alert fails. |
Alert action failure |
None |
Application filter not registered |
The application filter is not registered on this server. |
Application filter not registered |
None |
Array member status verification failed (Enterprise Edition only) |
Array member status verification failed. Virtual private network (VPN) tunnels may not be established. |
Array member status verification failed |
None |
Array member status verification succeeded (Enterprise Edition only) |
ISA Server successfully verified the array member's status. VPN tunnels can be established. |
Array member status verification succeeded |
None |
Array-level policy rule was deleted (Enterprise Edition only) |
The enterprise policy does not permit some types of array-level policy rules. |
Array-level policy rule was deleted |
None |
Broken reference in cross-array configuration (Enterprise Edition only) |
The ISA Server Control service detected a reference to a rule element that does not exist in a Web publishing rule defined in an array. |
Broken reference in cross-array configuration |
None |
Cache container initialization error |
The cache container initialization fails, and the container is ignored. |
Cache container initialization error |
None |
Cache container recovery complete |
The recovery of a single container is complete. |
Cache container recovery complete |
Any |
Cache file resize failure |
The operation to reduce the size of the cache file fails. |
Cache file resize failure |
None |
Cache initialization failure |
The Web cache proxy is disabled because of global failure. |
Cache initialization failure |
None |
Cache permissions insufficient |
When you configure a drive for caching, a cache file, Dir1.cdat, is created in the drive:\urlcache folder. This alert definition indicates that the Network Services account does not have sufficient permissions for the root folder and the Urlcache folder on one or more cache drives. Verify that the Network Services account has at least List Folder and Read permissions for the root folder, and Read permission for the Urlcache folder on all cache drives. |
Cache permissions insufficient |
None |
Cache restoration completed |
The cache content restoration is complete. |
Cache restoration completed |
Any |
Cache write error |
There is a failure in writing content to the cache. |
Cache write error |
None |
Cached object discarded |
During cache recovery, an object with conflicting information is detected. The object is ignored. |
Cached object ignored |
None |
Certificate on ISA Server about to expire |
A certificate on ISA Server is nearing its expiration date. |
Certificate on ISA Server about to expire |
None |
Certificate on ISA Server invalid |
There is a validity problem with a certificate used by ISA Server to establish a Secure Sockets Layer (SSL) connection with a client. |
Certificate on ISA Server invalid |
None |
Code page invalid |
One or more code pages are invalid, or the applicable conversion tables are not installed. |
Code page invalid |
None |
Component load failure |
There is a failure to load an extension component. |
Component load failure |
Any component |
Compression by unsupported method |
A response compressed by an unsupported method (indicated in the HTTP Content-Encoding header) was received. ISA Server only supports GZIP compression. |
Compression by unsupported method |
None |
Compression failure |
ISA Server failed to compress the content of a response. |
Compression failure |
None |
Compression failure (allocated memory exhausted) |
The compression filter cannot handle a response because the memory allocated for compression is in use. |
Compression failure (allocated memory exhausted) |
None |
Compression failure (decompression failed) |
ISA Server was unable to decompress the content of a response. |
Compression failure (decompression failed) |
None |
Compression failure (filter misconfiguration) |
The compression filters are configured incorrectly. Both filters must be in the same state, either enabled or disabled. |
Compression failure (filter misconfiguration) |
None |
Concurrent TCP connection from one IP address limit exceeded |
The number of concurrent TCP connections allowed from an IP address is exceeded. |
Per-client network traffic limit |
Concurrent TCP connections from one IP address limit exceeded |
Configuration Agent removed overlapping ranges (Enterprise Edition only) |
The ISA Server Configuration Agent has removed ranges from the included enterprise network, because they overlap with another array network. |
Configuration Agent removes overlapping ranges |
None |
Configuration changes cannot be loaded by ISA Server services (Enterprise Edition only) |
ISA Server fails to load the new configuration. When a new configuration is saved, ISA Server will renew its attempt to apply the changes. |
Configuration changes cannot be loaded by ISA Server services |
None |
Configuration changes overload (Enterprise Edition only) |
Continuous or excessive changes to the configuration are detected. This may indicate an attack on the Configuration Storage server. |
Configuration changes overload |
None |
Configuration error |
An error occurs while reading configuration information. |
Configuration error |
None |
Connection limit exceeded |
A user or an IP address exceeds its connection limit. |
Connection limit exceeded |
None |
Connection limit for a rule was exceeded |
The number of connections per second allowed for a rule is exceeded. |
Connection limit for a rule was exceeded |
None |
Credentials delegation failure |
ISA Server attempts to delegate credentials but the published Web site rejects the credentials. |
Credentials delegation failure |
None |
Credentials delegation using Kerberos constrained delegation failure |
ISA Server fails to delegate credentials using Kerberos constrained delegation to a published Web site. |
Credentials delegation using Kerberos constrained delegation failure |
None |
Cross-array link translation configuration inconsistency (Enterprise Edition only) |
Cross-array link translation includes this array. However, link translation is disabled at the array level. Links to this array will not be translated and will be broken. |
Cross-array link translation configuration inconsistency |
None |
Denied connections per minute from one IP address limit exceeded |
The number of denied connections per minute allowed from one IP address is exceeded. |
Per-client network traffic limit |
Denied connections per minute from one IP address limit exceeded |
DHCP anti-poisoning intrusion detection disabled |
The Dynamic Host Configuration Protocol (DHCP) anti-poisoning intrusion detection mechanism is disabled. |
DHCP anti-poisoning intrusion detection disabled |
None |
Dial-on-demand failure |
There is a failure to create a dial-on-demand connection, because there is no answer or the line is busy. |
Dial-on-demand failure |
None |
DNS intrusion |
A host name overflow, length overflow, or zone transfer attack occurs. |
DNS intrusion |
All DNS intrusions |
DNS zone transfer intrusion |
A zone transfer attack occurs. |
DNS intrusion |
DNS zone transfer intrusions |
Event log failure |
There is a failure to log the event information to the system event log. This alert is disabled by default. |
Event log failure |
None |
Firewall communication failure |
There is a failure in communication between the Firewall client and the ISA Server service. |
Client/server communication failure |
None |
Free disk space limit exceeded |
The free disk space limit for log storage is exceeded. |
Log storage limits |
Free disk space limit exceeded |
FTP filter initialization warning |
The File Transfer Protocol (FTP) filter fails to parse the allowed FTP commands. Verify that the commands are stored in the correct format. Each command should be no more than four characters, and each command should be separated from the previous one with a space character. |
FTP filter initialization warning |
None |
Global denied packets rate limit |
The number of denied TCP and non-TCP packets per second exceeds the allowed limit. |
Global denied packets rate limit |
None |
Host ID assigned to this server is not valid (Enterprise Edition only) |
This server has the same host ID as another server. This is not a valid configuration. A valid host ID is unique to each server in the array, within the range 2–32. The Firewall service cannot start until the server is assigned a valid host ID. |
Host ID assigned to this server is not valid |
None |
HTTP requests from one IP address limit exceeded |
The number of HTTP requests per minute from one IP address exceeds the specified limit. |
Per-client network traffic limit |
HTTP requests from one IP address limit exceeded |
Intra-array configuration error (Enterprise Edition only) |
The ISA Server intra-array configuration is invalid. |
Intra-array configuration error |
None |
Intrusion detected |
An intrusion is attempted by an external user. |
Intrusion detected |
Any intrusion |
Invalid configuration settings |
Configuration settings cannot be applied. |
Invalid configuration settings |
Any failure |
Invalid CRL found |
A client certificate cannot be validated because the certificate revocation list (CRL) for its issuer is invalid or missing, so ISA Server rejects the certificate. The CRL may have expired, and ISA Server is unable to download a valid CRL. Verify that the CRL download system policy configuration group is enabled, and that there is connectivity to the CRL distribution points. |
Invalid CRL found |
None |
Invalid DHCP offer |
The DHCP offer IP address is not valid. |
Invalid DHCP offer |
None |
Invalid dial-on-demand credentials |
Invalid dial-on-demand credentials are detected. |
Invalid dial-on-demand credentials |
None |
Invalid network adapter configuration |
The network adapter is configured with several IP addresses that belong to several networks. This configuration is not supported. |
Invalid network adapter configuration |
None |
IP spoofing |
The IP packet source address is not valid. |
IP spoofing |
None |
ISA Server cannot connect to the Configuration Storage server (Enterprise Edition only) |
ISA Server cannot connect to the Configuration Storage server. The configuration, currently stored on the local computer, remains in effect. |
ISA Server cannot connect to the Configuration Storage server |
None |
ISA Server computer restart is required |
Changes made to the configuration only take effect after restarting the computer. |
ISA Server computer restart is required |
None |
ISA Server computer switched Configuration Storage servers (Enterprise Edition only) |
ISA Server switches from one Configuration Storage server to the other due to a change in the configuration, connectivity issues, or Configuration Storage server availability. |
ISA Server computer switched Configuration Storage servers |
Any reason for switching between servers |
ISA Server VPN tunnel redistribution is recommended (Enterprise Edition only) |
The VPN tunnels are not distributed evenly among the ISA Server computers in the array. |
ISA Server VPN tunnel redistribution is recommended |
None |
LDAP server recovered |
The connection to the LDAP server is restored. |
LDAP server recovered |
None |
LDAP server unavailable |
The LDAP server requested did not respond. |
LDAP server unavailable |
None |
Link translation configuration insecure |
The Web listener used in a Web publishing rule specifies an HTTP connection to clients, but the rule is configured with an HTTPS connection to the published server or Web farm. HTTPS links will be translated to HTTP links. |
Link translation configuration insecure |
None |
Link translation configuration invalid |
One or more link translation mappings are invalid. Link translation mappings must be between 4 and 2,057 bytes. Invalid mappings are ignored. |
Link translation configuration invalid |
None |
Link translation redirection unpublished site contains invalid character |
The URL of a site specified in the list of unpublished sites for link translation redirection contains one or more non-ANSI characters. |
Link translation redirection unpublished site contains invalid character |
None |
Link translation redirection unpublished site length invalid |
The length of the URL for a site specified in the list of unpublished sites for link translation redirection is invalid. |
Link translation redirection unpublished site length invalid |
None |
Local NLB configuration change |
The Microsoft Firewall service identifies changes to the local Network Load Balancing (NLB) configuration or state. Changes to the NLB configuration or state are supported only through the ISA Server administrator. Any local changes will be overridden. |
Local NLB configuration change |
None |
Log deletion failure |
Log deletion, according to configuration, fails. |
Log deletion failure |
None |
Log failure |
One of the service logs fails. |
Log failure |
Any ISA Server service |
Log storage limits |
One or more of the log storage limits is reached. |
Log storage limits |
Any |
Logging resumed |
One of the services resumes logging following a previous failure. |
Logging resumed |
Any ISA Server service |
Low non-paged pool |
The size of the free non-paged pool fell below the system-defined minimum. |
Low non-paged pool |
None |
Low non-paged pool recovered |
The size of the free non-paged pool exceeds the system-defined minimum. |
Low non-paged pool recovered |
None |
Misconfigured alert |
An alert definition contains an invalid property. |
Misconfigured alert |
None |
Network configuration changed |
A network configuration change that affects ISA Server is detected. |
Network configuration changed |
Any network configuration change; network interface card (NIC) enabled; NIC disabled; IP address added or removed; network connected; network disconnected; network addresses modified |
NLB configuration failure |
There is a failure to configure Network Load Balancing to work with ISA Server. |
NLB configuration failure |
None |
NLB inconsistent configuration detected (Enterprise Edition only) |
Network Load Balancing inconsistency is found on some networks. Traffic might not be routed properly. |
NLB inconsistent configuration detected (Enterprise Edition only) |
None |
NLB is draining and stopping (Enterprise Edition only) |
Network Load Balancing is draining and stopping due to a request by the administrator. |
NLB is draining and stopping (Enterprise Edition only) |
None |
NLB possible reduced load balancing performance (Enterprise Edition only) |
Network Load Balancing performance may be impaired due to a failure to resolve a Web server name. |
NLB possible reduced load balancing performance (Enterprise Edition only) |
None |
NLB shutdown - Firewall service not responding (Enterprise Edition only) |
Network Load Balancing on the local computer is stopped because the Firewall service has stopped responding. |
NLB shutdown - Firewall service not responding (Enterprise Edition only) |
None |
NLB shutdown - Firewall service stopped (Enterprise Edition only) |
Network Load Balancing on the local computer is stopped because the Firewall service is stopped. |
NLB shutdown - Firewall service stopped (Enterprise Edition only) |
None |
NLB started (Enterprise Edition only) |
Network Load Balancing on the local computer is started. |
NLB started (Enterprise Edition only) |
None |
NLB stopped - configuration failure (Enterprise Edition only) |
The Firewall service fails to apply Network Load Balancing configuration. NLB on the local computer will be disabled. |
NLB stopped - configuration failure (Enterprise Edition only) |
None |
NLB stopped - network adapter problem (Enterprise Edition only) |
There is no suitable network adapter for Network Load Balancing on some networks. NLB on the local computer will be stopped. |
NLB stopped - network adapter problem (Enterprise Edition only) |
None |
NLB stopped - NLB integration is unavailable (Enterprise Edition only) |
Network Load Balancing integration cannot be configured on this server. |
NLB stopped - NLB integration is unavailable (Enterprise Edition only) |
None |
NLB stopped - RRAS service not responding (Enterprise Edition only) |
Network Load Balancing on the local computer is stopped because Routing and Remote Access is not responding. |
NLB stopped - RRAS service not responding (Enterprise Edition only) |
None |
NLB stopped - VPN static address pool is empty (Enterprise Edition only) |
Network Load Balancing on the local computer is stopped because the VPN static address pool on this computer is empty. |
NLB stopped - VPN static address pool is empty (Enterprise Edition only) |
None |
NLB stopped manually (Enterprise Edition only) |
Network Load Balancing on the local computer is stopped manually by the administrator. |
NLB stopped manually (Enterprise Edition only) |
None |
No available ports |
Network sockets are not created because there are no available ports. |
No available ports |
None |
No connectivity |
ISA Server fails to establish a connection to the requested server. |
No connectivity |
None |
Non-TCP sessions from one IP address limit exceeded |
The number of non-TCP sessions allowed from one IP address is exceeded. |
Per-client network traffic limit |
Non-TCP sessions from one IP address limit exceeded |
OS component conflict |
There is a conflict with one of the operating system components: IP network address translation (NAT) editor, Internet Connection Sharing (ICS), or Routing and Remote Access. |
Operating system component conflict |
Any operating system component conflict |
Oversized UDP packet |
ISA Server drops a User Datagram Protocol (UDP) packet because it exceeds the maximum UDP packet size. For more information, see the ISA Server COM property: UdpBufferSize. |
Oversized UDP packet |
None |
Pending DNS requests resource usage limit exceeded |
The percentage of threads used for pending Domain Name System (DNS) requests out of the total number of available threads exceeds the system-defined maximum. |
Pending DNS requests resource usage limit exceeded |
None |
Pending DNS requests resource usage limit within limits |
The percentage of threads used for pending DNS requests out of the total number of available threads is now below the system-defined maximum, and connections that require DNS name resolution can be accepted. |
Pending DNS requests resource usage limit within limits |
None |
POP intrusion |
A Post Office Protocol (POP) buffer overflow is detected. |
POP intrusion |
None |
Propagate configuration change failed (Enterprise Edition only) |
A change to the configuration in the central storage cannot be propagated to the ISA Server computer. |
Propagate configuration change failed |
None |
Published server certificate expiration warning |
A certificate on a server published by ISA Server is nearing its expiration date. |
Published server certificate expiration warning |
None |
Published Web server name not resolvable |
ISA Server cannot resolve the name of a published Web server. All requests handled by the Web publishing rule will be denied. |
Published Web server name not resolvable |
None |
Quarantined VPN Clients network changes |
A user is removed from the Quarantined VPN Clients network. This alert is disabled by default. |
Quarantined VPN Clients network changes |
Quarantined user changed state |
RADIUS server recovered |
The connection to the RADIUS server was restored. |
RADIUS server recovered |
None |
RADIUS server unavailable |
The RADIUS server requested did not respond. |
RADIUS server unavailable |
None |
Report summary generation failure |
An error is received while generating a report summary from log files. |
Report summary generation failure |
None |
Resource allocation failure |
There is a resource allocation failure. For example, the system is out of memory. |
Resource allocation failure |
None |
Revert to last known configuration failed (Enterprise Edition only) |
The ISA Server Configuration Agent is unable to revert to the last known configuration. |
Revert to last known configuration failed (Enterprise Edition only) |
None |
Revert to last known configuration succeeded (Enterprise Edition only) |
The ISA Server Configuration Agent successfully reverts the configuration. |
Revert to last known configuration succeeded (Enterprise Edition only) |
None |
Routing (chaining) failure |
ISA Server fails to route the request to an upstream server. |
Routing (chaining) failure |
None |
Routing (chaining) recovery |
ISA Server resumes routing to an upstream server. |
Routing (chaining) recovery |
None |
RPC filter - bind failure |
A remote procedure call (RPC) filter cannot use the defined port because it is already in use. |
RPC filter - bind failure |
None |
RPC filter - connectivity changed |
The connectivity to the publishing RPC service <server name> changed. <additional key> |
RPC filter - connectivity changed |
Any |
Server publishing failure |
The server publishing rule is configured incorrectly. |
Server publishing failure |
Incorrect rule configuration |
Server publishing is not applicable |
The server publishing rule cannot be applied. |
Server publishing is not applicable |
Rule cannot be applied |
Server publishing recovery |
The server publishing rule can now be applied. |
Server publishing recovery |
None |
Service initialization failure |
There is a service initialization failure. |
Service initialization failure |
Any ISA Server service |
Service not responding |
An ISA Server service terminates or stops functioning unexpectedly. |
Service not responding |
Any ISA Server service |
Service shutdown |
A service stops properly. <%service name%> |
Service shutdown |
Any ISA Server service |
Service started |
A service starts properly. <%service name%> |
Service started |
Any ISA Server service |
Slow connectivity |
ISA Server encounters a slow connection to the requested server. |
Slow connectivity |
None |
SMTP filter encountered an invalid bare CR or LF |
Bare carriage return/line feed (CR/LF) may pose a security risk. The connection has been terminated. |
SMTP filter event |
Bare CR/LF terminator |
SMTP filter encountered an invalid DATA terminator |
Some character combinations in DATA may pose a security risk. The connection has been terminated. |
SMTP filter event |
Invalid DATA termination |
SMTP filter event |
A Simple Mail Transfer Protocol (SMTP) command rule is violated. |
SMTP filter event |
Any |
SOCKS configuration failure |
The port specified in SOCKS properties is in use by another protocol. |
SOCKS configuration failure |
None |
SSL connection failure with published server (name mismatch) |
ISA Server failed to establish an SSL connection with a published server. There is a name mismatch. |
SSL connection failure with published server |
None |
SSL connection failure with published server (no trust) |
ISA Server failed to establish an SSL connection with a published server because it does not trust the server's certificate chain: the certification authority that issued the server certificate is not trusted by the ISA Server computer. |
SSL connection failure with published server (no trust) |
None |
SSL connection failure with published server (server certificate not valid) |
ISA Server failed to establish an SSL connection with a published server. A server certificate is not valid. |
SSL connection failure with published server (server certificate not valid) |
None |
SSL connection failure with published server (unknown reason) |
ISA Server failed to establish an SSL connection with a published server. |
SSL connection failure with published server (unknown reason) |
None |
SYN attack |
ISA Server detects a SYN attack. |
SYN attack |
None |
TCP connections per minute from one IP address limit exceeded |
The number of TCP connections per minute allowed from one IP address is exceeded. |
Per-client network traffic limit |
TCP connections per minute from one IP address limit exceeded |
The Configuration Agent has restored its connection with the Configuration Storage server (Enterprise Edition only) |
The Configuration Agent restores its connection to the Configuration Storage server. Changes made during the disconnection are now applied to the service. |
The Configuration Agent has restored its connection with the Configuration Storage server |
None |
The configuration was reloaded (Enterprise Edition only) |
The configuration reloads. The Configuration Agent recovers from the error and successfully reloads the configuration information. |
The configuration was reloaded |
None |
The response was rejected because a compressed response was not requested |
The response was rejected because a compressed response was not requested. ISA Server blocks compressed HTTP responses when it does not request compression. |
The response was rejected because a compressed response was not requested |
None |
Total log size limit exceeded |
The log storage total size limit is exceeded. |
Log storage limits |
Total log size limit exceeded |
Undefined account for intra-array authentication (Enterprise Edition only) |
For intra-array authentication when array members are in a workgroup, the intra-array account must be defined and enabled. Some features, such as VPN, Cache Array Routing Protocol (CARP), and reporting, will not work unless the intra-array account is properly configured. |
Undefined account for intra-array authentication |
None |
Unregistered event |
An unregistered event is raised. |
Unregistered event |
None |
Unresolvable remote gateway address on a VPN network |
A remote gateway address specified for a VPN site-to-site network cannot be resolved. As a result, a VPN connection cannot be established to the remote network. In ISA Server 2006 Enterprise Edition, if the network used for the VPN connection from the remote server is enabled for NLB, VPN traffic may be picked up by the wrong array member, and not by the intended server. |
Unresolvable remote gateway address on a VPN network |
None |
Unresolvable server name |
A server name cannot be resolved to an IP address. |
Unresolvable server name |
None |
Upload new configuration to services failed (Enterprise Edition only) |
The ISA Server Configuration Agent is unable to upload the configuration to the ISA Server services. |
Upload new configuration to services failed (Enterprise Edition only) |
None |
Upstream chaining credentials |
The upstream chaining credentials are incorrect. |
Upstream chaining credentials |
None |
VPN connection failure |
VPN client connection attempt fails. |
VPN connection failure |
None |
Web farm servers unavailable |
A Web publishing rule stopped forwarding requests to a Web farm because there are currently no servers in the Web farm that can accept requests. |
Web farm servers unavailable |
None |
Web filter not registered |
The Web filter is not registered on this server. |
Web filter not registered |
None |
Windows NLB is not installed (Enterprise Edition only) |
Network Load Balancing is not installed on this computer. NLB configuration cannot be applied or monitored. |
Windows NLB is not installed (Enterprise Edition only) |
None |
Windows user-based policy in workgroup (Enterprise Edition only) |
The applied policy contains one or more policy rules specifying Windows-based user authentication. The ISA Server array is in a workgroup. Windows-based user authentication cannot be applied to an ISA Server array in a workgroup. |
Windows user authentication in workgroup |
None |
WMI service connection was lost (Enterprise Edition only) |
The connection to the Microsoft Windows® Management Instrumentation (WMI) service was lost. For NLB to function properly, a continuous connection to the WMI service is required. To ensure proper NLB functionality, do the following: Stop NLB by typing NLB stop at a command prompt. Then stop the Firewall service. Verify that the WMI service is running, and then restart the Firewall service. When the Firewall service is restarted, NLB will restart. |
WMI service connection was lost |
None |
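The two SMTP filter alerts in the table ("SMTP filter encountered an invalid bare CR or LF" and "SMTP filter encountered an invalid DATA terminator") name checks without showing them. The following is an added example, not ISA Server's code, that implements the same two checks as a small streaming filter over the bytes a client sends after the DATA command. It assumes the filter reads the client stream in chunks, so a CR that ends one chunk is held until the next byte arrives; the SMTP fragments it is fed are constructed for the example. A `<LF>.<LF>` terminator is already rejected as a bare LF, so the terminator rule only has to catch `<CRLF>.<LF>`, the form a lenient receiving MTA may honour as end of data while an inspecting device that waits for `<CRLF>.<CRLF>` does not, which is the gap that makes bare line endings a security risk rather than a formatting nit.

```python
"""Streaming check for the two ISA Server 2006 SMTP filter rules listed above:
bare CR / bare LF inside DATA, and a DATA section ended by anything other than
<CRLF>.<CRLF>.  Added example, not ISA Server code; all sample traffic below
is constructed."""

CR, LF = 0x0D, 0x0A
VALID_TERMINATOR = b"\r\n.\r\n"
# <CRLF>.<LF>: a dot line terminated by a bare LF.  <LF>.<LF> never reaches
# this check because its first LF is already rejected as a bare LF.
LENIENT_TERMINATOR = b"\r\n.\n"


class SmtpDataFilter:
    """Feed the bytes a client sends after the DATA command, chunk by chunk.

    feed() returns None while the stream is acceptable and a reason string at
    the first violation; the connection would be closed at that point.
    """

    def __init__(self) -> None:
        self.reason = None        # set at the first violation
        self.complete = False     # valid terminator seen
        self._prev_cr = False     # last byte was CR; the next one must be LF
        # Last five bytes seen, seeded with the CRLF that ended the DATA line
        # so an empty message terminated by ".<CRLF>" is handled like any other.
        self._window = b"\r\n"

    @property
    def terminated(self) -> bool:
        return self.reason is not None

    def feed(self, chunk: bytes):
        if self.terminated or self.complete:
            return self.reason
        for b in chunk:
            self._window = (self._window + bytes((b,)))[-5:]
            if self._window.endswith(LENIENT_TERMINATOR):
                return self._drop("invalid DATA terminator")
            if self._prev_cr and b != LF:
                return self._drop("bare CR")
            if b == LF and not self._prev_cr:
                return self._drop("bare LF")
            self._prev_cr = b == CR
            if self._window == VALID_TERMINATOR:
                self.complete = True
                return None
        return None

    def _drop(self, reason: str) -> str:
        self.reason = reason
        return reason


def scan(stream: bytes, chunk_size: int = 4):
    """Run one DATA stream through a fresh filter in fixed-size chunks.

    Returns (reason, complete).  (None, False) means the stream ended without
    a terminator, which a real filter would treat as an incomplete message.
    Small chunks deliberately split CRLF pairs across feed() calls.
    """
    f = SmtpDataFilter()
    for i in range(0, len(stream), chunk_size):
        f.feed(stream[i:i + chunk_size])
        if f.terminated or f.complete:
            break
    return f.reason, f.complete


# Constructed samples: what follows "DATA\r\n" from the client.
SAMPLES = {
    "clean":         b"Subject: hi\r\n\r\nbody\r\n.\r\n",
    "empty body":    b".\r\n",
    "bare CR":       b"line one\rline two\r\n.\r\n",
    "bare LF":       b"line one\nline two\r\n.\r\n",
    "lenient end":   b"body\r\n.\n",
    "no terminator": b"body\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:14s} -> {scan(data)}")
```

`scan()` exists only to drive the filter from a byte string; a real filter would call `feed()` from the socket read loop and close the client connection as soon as a reason comes back, which is the behaviour the alert text describes ("The connection has been terminated").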
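The five per-client limit alerts in the table (concurrent TCP connections, TCP connections per minute, denied connections per minute, HTTP requests per minute and non-TCP sessions, each from one IP address) are all raised by the "Per-client network traffic limit" event but count two different things: a concurrent limit tracks how many sessions are open right now, a per-minute limit tracks how many events fell inside the last minute. The following added example, not ISA Server code, models both kinds so the difference is visible and shows one alert being raised on crossing a limit and re-armed only after the counter drops back. The limit values, method names and the event stream are assumptions constructed for the example; ISA Server's real default thresholds and its exact counting windows are not reproduced here.

```python
"""Sliding-window model of the five per-client network traffic limits behind
the "... from one IP address limit exceeded" alerts.  Added example, not ISA
Server code: limits, method names and the event stream are constructed, and
ISA Server's actual defaults and counting windows are not reproduced."""

from collections import defaultdict, deque

CONCURRENT_TCP = "Concurrent TCP connections from one IP address"
TCP_PER_MINUTE = "TCP connections per minute from one IP address"
DENIED_PER_MINUTE = "Denied connections per minute from one IP address"
HTTP_PER_MINUTE = "HTTP requests from one IP address"
NON_TCP_SESSIONS = "Non-TCP sessions from one IP address"


class PerClientLimits:
    """'Per minute' counters keep a sliding 60 s window of event timestamps;
    'concurrent' counters go up on open and down on close.  An alert is
    returned once when a counter crosses its limit and is re-armed only after
    the counter falls back to the limit or below."""

    WINDOW = 60.0

    def __init__(self, limits: dict) -> None:
        self.limits = limits
        self._stamps = defaultdict(deque)   # (ip, limit name) -> timestamps in window
        self._open = defaultdict(int)       # (ip, limit name) -> open sessions
        self._over = set()                  # (ip, limit name) currently alerting

    def _check(self, ip, name, count):
        key = (ip, name)
        if count > self.limits[name]:
            if key in self._over:
                return []
            self._over.add(key)
            return [f"{name} limit exceeded"]   # alert name as listed in the table
        self._over.discard(key)
        return []

    def _rate(self, ip, name, t):
        q = self._stamps[(ip, name)]
        q.append(t)
        while t - q[0] >= self.WINDOW:      # age out events older than the window
            q.popleft()
        return self._check(ip, name, len(q))

    def _session(self, ip, name, delta):
        key = (ip, name)
        self._open[key] = max(0, self._open[key] + delta)   # tolerate unmatched closes
        return self._check(ip, name, self._open[key])

    # Event hooks; each returns the list of alerts raised by that event.
    def tcp_open(self, ip, t):
        return self._rate(ip, TCP_PER_MINUTE, t) + self._session(ip, CONCURRENT_TCP, +1)

    def tcp_close(self, ip, t):
        return self._session(ip, CONCURRENT_TCP, -1)

    def denied(self, ip, t):
        return self._rate(ip, DENIED_PER_MINUTE, t)

    def http_request(self, ip, t):
        return self._rate(ip, HTTP_PER_MINUTE, t)

    def non_tcp_open(self, ip, t):
        return self._session(ip, NON_TCP_SESSIONS, +1)

    def non_tcp_close(self, ip, t):
        return self._session(ip, NON_TCP_SESSIONS, -1)


def replay(events, limits):
    """Replay (time, ip, event) tuples and return [(time, ip, alert), ...]."""
    lim = PerClientLimits(limits)
    raised = []
    for t, ip, kind in events:
        for alert in getattr(lim, kind)(ip, t):
            raised.append((t, ip, alert))
    return raised


# Deliberately tiny limits so the sample stream trips each one.
SAMPLE_LIMITS = {CONCURRENT_TCP: 3, TCP_PER_MINUTE: 5, DENIED_PER_MINUTE: 2,
                 HTTP_PER_MINUTE: 4, NON_TCP_SESSIONS: 2}

# Constructed event stream (seconds, client IP, event).
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "tcp_open"), (0.5, "10.0.0.5", "tcp_open"),
    (1.0, "10.0.0.5", "tcp_open"), (1.5, "10.0.0.5", "tcp_open"),   # 4 open > 3
    (2.0, "10.0.0.5", "tcp_close"), (2.5, "10.0.0.5", "tcp_close"),
    (3.0, "10.0.0.5", "tcp_close"),
    (3.5, "10.0.0.5", "tcp_open"),                                   # 5th open this minute
    (4.0, "10.0.0.5", "tcp_open"),                                   # 6th open this minute > 5
    (5.0, "10.0.0.5", "denied"), (6.0, "10.0.0.5", "denied"),
    (7.0, "10.0.0.5", "denied"),                                     # 3 denied > 2
    (10.0, "10.0.0.9", "http_request"), (10.1, "10.0.0.9", "http_request"),
    (10.2, "10.0.0.9", "http_request"), (10.3, "10.0.0.9", "http_request"),
    (10.4, "10.0.0.9", "http_request"),                              # 5 requests > 4
    (20.0, "10.0.0.9", "non_tcp_open"), (20.5, "10.0.0.9", "non_tcp_open"),
    (21.0, "10.0.0.9", "non_tcp_open"),                              # 3 sessions > 2
    (30.0, "10.0.0.5", "tcp_close"),
    (70.0, "10.0.0.5", "tcp_open"),   # earlier opens have aged out: no alert
]

if __name__ == "__main__":
    for t, ip, alert in replay(SAMPLE_EVENTS, SAMPLE_LIMITS):
        print(f"t={t:5.1f}  {ip:9s}  {alert}")
```

Raising each alert once on the crossing, rather than on every excess event, is what keeps a flood from one client from also flooding the Alerts tab; the counter still has to fall back under the limit before the same client can raise it again.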