Module 10: Monitoring ISA Server 2004
Overview
Monitoring Overview
Configuring Alerts
Configuring Session Monitoring
Configuring Logging
Configuring Reports
Monitoring Connectivity
Monitoring Services and Performance
Lesson: Monitoring Overview
Why Implement Monitoring?
ISA Server Monitoring Components
Designing a Monitoring and Reporting Strategy
Using the ISA Server Dashboard for Monitoring
Why Implement Monitoring?
Use monitoring to:
- Monitor traffic between networks to ensure that only legitimate traffic passes between networks
- Troubleshoot network connectivity between ISA Server clients, servers, and networks
- Collect information about attacks and detect attacks as they occur
- Plan future modifications to the ISA Server or Internet access infrastructure
ISA Server Monitoring Components
Component: Explanation
- Alerts: Monitors ISA Server for configured events and then performs actions when the specified events occur
- Sessions: Provides information on the current client sessions
- Logging: Provides detailed archived information about the Web Proxy, Microsoft Firewall service, or SMTP Message Screener
- Reports: Summarizes information about the usage patterns on ISA Server
- Connectivity: Monitors connections from ISA Server to any other computer or URL on any network
- Performance: Monitors server performance in real time, creates a log file of server performance, or configures performance alerts
Designing a Monitoring and Reporting Strategy
When: Determine:
Monitoring real-time information:
- Which events should trigger an alert
- The event threshold before the alert is triggered
- The information that you need to monitor server performance
Collecting long-term information:
- The information you need to monitor server performance over time
- The information you need to monitor server usage
- The information you need to monitor security events
Developing a response strategy:
- How to respond to the critical events that occur on the ISA Server
Using the ISA Server Dashboard for Monitoring
- Monitor connections
- Monitor alerts
- Monitor sessions
- Monitor traffic
Lesson: Configuring Alerts
What Is an Alert?
How to Configure Alert Definitions
How to Configure Alert Events and Conditions
How to Configure Alert Actions
Alert Management Tasks
What Is an Alert?
An alert is:
- A notification of an event or action that has occurred on ISA Server
- Triggered according to the conditions and trigger thresholds specified for the event associated with the alert
When a server event takes place and records an alert:
- The ISA Server Management console displays the alert in the Alerts view
- An entry appears in the Alerts view that lists column headings such as type of alert, the date and time, status, and category
How to Configure Alert Definitions
How to Configure Alert Events and Conditions
- Define the trigger thresholds
- Define subsequent alerts
- Define the event that will trigger the alert
- Define specific conditions for the event
How to Configure Alert Actions

- Configure e-mail action
- Define a program to run
- Define other alert actions
Alert Management Tasks
Alerts are managed by performing the following tasks:
- Reset registered alerts
- Acknowledge registered alerts
When you configure an alert to stop the ISA Server Firewall Service, ISA Server goes into a lockdown mode. While in lockdown mode, ISA Server blocks most network traffic.
Practice: Configuring and Managing Alerts
Creating a New Alert Definition
Modifying an Existing Alert Definition

[Diagram: Internet, Den-ISA-01, Den-DC-01, Den-Clt-01, Gen-Web-01]
Lesson: Configuring Session Monitoring
What Is Session Monitoring?
About Managing Sessions
How to Configure Session Filtering
What Is Session Monitoring?
Session monitoring:
- Provides real-time information about client sessions hosted through ISA Server
- Includes information on:
  - When the session was established
  - The session type
  - The source network
  - The client user name and computer name
- Provides the ability to immediately stop any unwanted sessions
About Managing Sessions
- Use these options to manage sessions
- Right-click a session to disconnect
How to Configure Session Filtering
- Add multiple filters
- Configure filters to view specific sessions
Practice: Configuring Session Monitoring
Monitoring Sessions
Applying a Session Filter
[Diagram: Internet, Den-ISA-01, Den-DC-01, Den-Clt-01, Gen-Web-01]
Lesson: Configuring Logging
What Is Logging?
Log Storage Options
How to Configure Logging
How to View ISA Server Logs
How to Configure Log Filter Definitions
What Is Logging?
The logging feature:
- Provides extended log storage to generate reports, analyze trends, or investigate security issues
- Can be configured to provide Firewall logging, Web proxy logging, and SMTP message screener logging
- Provides a log viewer to assist in monitoring and analyzing server activity for MSDE-based logs
Log Storage Options
Log storage option: Explanation
- MSDE:
  - Logs can be viewed in the log viewer
  - Default format for Web proxy and Firewall Service logs
- SQL database:
  - Logs can be stored on a separate server
  - Logs can be analyzed by using database tools
- File:
  - Logs can be stored in W3C or ISA Server format
  - Only available format for SMTP message screener logs
The MSDE and log files are stored by default in the ISALogs folder, which is located in the ISA Server installation folder.
How to Configure Logging
- Configure log storage format
- Configure the information captured in the logs
How to View ISA Server Logs
How to Configure Log Filter Definitions
- Configure filters to view specific log entries
- Add multiple filters
