Contents
Overview 1
Planning a Monitoring and
Reporting Strategy 2
Monitoring Intrusion Detection 3
Monitoring ISA Server Activity 14
Analyzing ISA Server Activity by
Using Reports 19
Monitoring Real-Time Activity 27
Testing the ISA Server Configuration 32
Lab A: Monitoring and Reporting 34
Review 41

Module 8: Monitoring
and Reporting

Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any

license to these patents, trademarks, copyrights, or other intellectual property.

 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting,
Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and
Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the
U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective
owners.

Instructional Designer: Victoria Fodale (Azwrite LLC)
Technical Lead: Joern Wettern (Independent Contractor)
Program Manager: Robert Deupree Jr.
Product Manager: Greg Bulette
Lead Product Manager, Web Infrastructure Training Team: Paul Howard
Technical Contributors: Ronald Beekelaar, Adina Hagege, Eran Harel, John Lamb, Lucian Lui,
Ron Mondri, Thomas W. Shinder, Bill Stiles (Applied Technology Services), Kent Tegels,
Oren Trutner
Graphic Artist: Andrea Heuston (Artitudes Layout & Design)
Editing Manager: Lynette Skinner
Editor: Stephanie Edmundson
Copy Editor: Kristin Elko (S&T Consulting)
Production Manager: Miracle Davis
Production Coordinator: Jenny Boe
Production Tools Specialist: Julie Challenger
Production Support: Lori Walker ( S&T Consulting)
Test Manager: Peter Hendry
Courseware Testing: Greg Stemp (S&T OnSite)

Creative Director, Media/Sim Services: David Mahlmann
CD Build Specialist: Julie Challenger
Manufacturing Support: Laura King; Kathy Hershey
Operations Coordinator: John Williams
Lead Product Manager, Release Management: Bo Galford
Group Manager, Business Operations: David Bramble
Group Manager, Technical Services: Teresa Canady
Group Product Manager, Content Development: Dean Murray
General Manager: Robert Stewart



Module 8: Monitoring and Reporting iii

Instructor Notes
This module provides students with the knowledge and skills to monitor
Microsoft
®
Internet Security and Acceleration (ISA) Server 2000 activities by
using alerts, logging, reporting, and real-time monitoring.
After completing this module, students will be able to:

Plan a strategy for monitoring and reporting ISA Server activities.

Configure alerts to monitor intrusion detection.

Configure logging to monitor ISA Server activity.

Use reports to analyze ISA Server activity.


Monitor ISA Server computer activity.

Test the ISA Server configuration.

Materials and Preparation
This section provides the materials and preparation tasks that you need to teach
this module.
Required Materials
To teach this module, you need the following materials:

Microsoft PowerPoint
®
file 2159A_08.ppt.

The file C:\MOC\2159a\Labfiles\Lab09\portscan.cmd.

Preparation Tasks
To prepare for this module, you should:

Read all of the materials for this module.

Complete the lab.

Study the review questions and prepare alternative answers to discuss.

Anticipate questions that students may ask. Write out the questions and
provide the answers.

Read “Configure Monitoring and Reporting,” “Monitoring and Reporting,”
“Event Messages,” and “Performance Counters” in ISA Server Help.


Read Module 8, "Monitoring and Optimizing Performance in
Windows 2000," in Course 2152B, Implementing Microsoft Windows
®
2000
Professional and Server.

Review the \sdk\bin\isasdk.chm file on the ISA Server compact disc.

Presentation:
45 Minutes

Lab:
30 Minutes
iv Module 8: Monitoring and Reporting

Instructor Setup for Lab
Lab A: Monitoring and Reporting

To prepare for the lab:
1. Open a command prompt window.
2. At the command prompt, type cd C:\MOC\2159a\Labfiles\Lab8
3. When a student asks you during the lab to perform a simulated port scan
attack, type portscan ip_address (where ip_address is the IP address of the
student’s ISA Server computer on the classroom network), and then press
ENTER.

Module 8: Monitoring and Reporting v

Module Strategy

Use the following strategy to present this module:

Planning a Monitoring and Reporting Strategy
Begin the module by describing the guidelines to consider when planning a
monitoring and reporting strategy.

Monitoring Intrusion Detection
When describing the different types of network intrusion, do not explain
each attack in detail, but use one or two of them as examples. Emphasize
that although ISA Server generates events when an intrusion attack occurs,
ISA Server generates alerts only if you specifically configure ISA Server to
do so. Do not cover all of the ISA Server events in detail. Instead, refer
students to ISA Server Help for more information about specific events.

Monitoring ISA Server Activity
Explain that logging to a database can centralize ISA Server logs and secure
the log data. Emphasize that logging both allowed packets and blocked
packets can cause a considerable load on the server and that you should
enable logging for allowed packets for diagnostic purposes only.

Analyzing ISA Server Activity by Using Reports
Explain that ISA Server reports require summaries of saved logs and that
you can create an ISA Server report only after ISA Server has created at
least one daily summary. Emphasize that if a server belongs to a multi-
server array, the administrator generating the reports must have the
appropriate permissions on each ISA Server computer in the array. Briefly
display an example of each report format to illustrate the contents of the
reports.

Monitoring Real-Time Activity

Explain that the ISA Server real-time monitoring feature enables you to
centrally monitor ISA Server computer activity, including the current
sessions. Point out the ISA Server Performance Monitor on the Microsoft
ISA Server menu.

Testing the ISA Server Configuration
Explain that after configuring ISA Server, it is recommended that you test
your configuration to ensure that ISA Server correctly enforces the security
settings. Explain that you can use a third-party intrusion detection system or
the applications that are included with Windows 2000 to test the ISA Server
configuration.

vi Module 8: Monitoring and Reporting

Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.

The lab in this module is also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Classroom Setup Guide for Course 2159A, Deploying and Managing
Microsoft Internet Security and Acceleration Server 2000.

Lab Setup
The following list describes the setup requirements for the lab in this module.
Setup Requirement 1
The lab in this module requires that ISA Server be installed on all ISA Server
computers. To prepare student computers to meet this requirement, perform one

of the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

Perform a full installation of ISA Server manually.

Setup Requirement 2
The lab in this module requires that the ISA Server administration tools be
installed on all ISA Server client computers. To prepare student computers to
meet this requirement, perform one of the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

Install the ISA Server administration tools manually.

Setup Requirement 3
The lab in this module requires that the Firewall Client be installed on all
ISA Server client computers. To prepare student computers to meet this
requirement, perform one of the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

Install the Firewall Client manually.


Important
Module 8: Monitoring and Reporting vii

Setup Requirement 4
The lab in this module requires that the all ISA Server client computers be
configured to use the ISA Server computer’s IP address on the private network
as their default gateway. To prepare student computers to meet this
requirement, perform one of the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

Configure the default gateway manually.

Setup Requirement 5
The lab in this module requires that Microsoft Internet Explorer be configured
on all student computers to use the ISA Server computer as a Web Proxy
server. To prepare student computers to meet this requirement, perform one of
the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

Configure Internet Explorer manually.

Setup Requirement 6
The lab in this module requires that Internet Information Services (IIS) be
configured on all ISA Server computers to use Transmission Control Protocol

(TCP) port 8008 for the default Web site. To prepare student computers to meet
this requirement, perform one of the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

Configure IIS manually.

Setup Requirement 7
The lab in this module requires a protocol rule on the ISA Server computer that
allows all members of the Domain Admins group to gain access to the Internet
by using any protocol. To prepare student computers to meet this requirement,
perform one of the following actions:

Complete Module 3, “Enabling Secure Internet Access,” in Course 2159A,
Deploying and Managing Microsoft Internet Security and Acceleration
Server 2000.

Create the rule manually.

Setup Requirement 8
The lab in this module requires that packet filtering be enabled on the
ISA Server computer. To prepare student computers to meet this requirement,
perform one of the following actions:

Complete Module 6, “Configuring the Firewall,” in Course 2159A,
Deploying and Managing Microsoft Internet Security and Acceleration
Server 2000.


Enable packet filtering manually.

viii Module 8: Monitoring and Reporting

Lab Results
Performing the lab in this module introduces the following configuration
changes:

Intrusion detection is enabled.

Alerts are configured for port scanning.

Reports are created.

The ISA Server computer is published as a Network News Transfer Protocol
(NNTP) server.

The ISA Server client computer is published as a Simple Mail Transfer
Protocol (SMTP) and Internet Message Access Protocol (IMAP) server.


Module 8: Monitoring and Reporting 1

Overview

Planning a Monitoring and Reporting Strategy

Monitoring Intrusion Detection

Monitoring ISA Server Activity


Analyzing ISA Server Activity by Using Reports

Monitoring Real-Time Activity

Testing the ISA Server Configuration

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
Without a monitoring and reporting strategy in place for a Microsoft
®
Internet
Security and Acceleration (ISA) Server 2000 computer, network administrators
may be unaware of important events or trends, be confronted with a profusion
of false alerts, or configure logs and reports that do not monitor the appropriate
activities. By using alerts, logs, reports, and real-time monitoring effectively,
network administrators can better manage the activities that can compromise
the security or the performance of an ISA Server computer. In addition,
network administrators can use specialized assessment tools to monitor network
security.
After completing this module, you will be able to:

Plan a strategy for monitoring and reporting ISA Server activities.

Configure alerts to monitor intrusion detection.

Configure logging to monitor ISA Server activity.


Use reports to analyze ISA Server activity.

Monitor ISA Server computer activity.

Test the ISA Server configuration.

Topic Objective
To provide an overview of
the module topics and
objectives.
Lead-in
In this module, you will learn
about monitoring ISA Server
activities by using alerts,
logging, reporting, and real-
time monitoring.
2 Module 8: Monitoring and Reporting

Planning a Monitoring and Reporting Strategy
Categorize the information that you need to collect
Categorize the information that you need to collect
Determine what information is most critical
Determine what information is most critical
Document your strategy
Document your strategy
Create a schedule for regular review of logs
Create a schedule for regular review of logs
Design a plan for archiving logs
Design a plan for archiving logs

Create a strategy for how to respond to critical events
Create a strategy for how to respond to critical events

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
Consider the following guidelines when you plan a monitoring and reporting
strategy:

Categorize the information that you need to collect, including the following
items:
• Real-time alerts
• Trends of performance
• Trends of security-related events

Determine the information that is the most critical, and then:
• Configure real-time alerting for only the most critical issues.
• Review the logs frequently for events that may signal serious issues and
that may require prompt, but not immediate, attention.
• Review all of the logs for important trends. Ensure that your summary
reports capture the information that is the most important to you.

Document your strategy.

Create a strategy for how to respond to critical events, such as:
• Network security breaches.
• Denial of services attacks.
• Unusual usage patterns.


Create a schedule for regular review of the logs.

Design a plan for archiving the logs.
• You can use archived logs to discover trends, to investigate the source of
future alerts, or for legal purposes.

Topic Objective
To describe guidelines to
consider when planning a
monitoring and reporting
strategy.
Lead-in
Consider the following
guidelines when you plan a
monitoring and reporting
strategy.
Module 8: Monitoring and Reporting 3





Monitoring Intrusion Detection

IP Packet–Level Attacks

Application–Level Attacks

Configuring Intrusion Detection


ISA Server Events

Configuring Alerts

Configuring Advanced Alert Properties

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
ISA Server includes an integrated intrusion detection system. You can set an
alert to trigger when the intrusion system detects an attack or a specific system
event. ISA Server can implement intrusion detection at both the Internet
Protocol (IP) packet level and the application level.
You can also configure actions for the system to perform when the intrusion
system detects an attack on a computer in your network. These actions can
include sending an e-mail message or a page to the administrator, stopping the
Microsoft Firewall service, writing to the system event log, or running a
program or script.

Although alerts are an important tool for monitoring intrusion
attempts, you can also use the alerting capabilities of ISA Server as part of a
more comprehensive monitoring strategy. For example, you can configure
alerts so that ISA Server notifies you when an ISA Server service shuts down
unexpectedly.

Topic Objective
To identify the topics related

to monitoring intrusion
detection.
Lead-in
ISA Server includes an
integrated intrusion
detection system.
Delivery Tip
Remind students that
although this course
presents alerting in the
context of intrusion
detection, students can also
use alerting for other
purposes.
Important
4 Module 8: Monitoring and Reporting

IP Packet–Level Attacks

All Ports Scan Attack

IP Half Scan Attack

Land Attack

Ping of Death Attack

UDP Bomb Attack

Windows Out-of-Band Attack


*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
At the IP packet level, ISA Server can detect the following attacks:

All ports scan attack. Occurs when an intruder attempts to gain access to
more than the preconfigured number of ports. The administrator specifies a
threshold for ports, which then determines the number of ports that are
available for access. Intruders use port scanning to find open ports on a
computer. Open ports represent entry points into a computer and an attacker
may subsequently attempt attacks through one or more of these ports.

IP half scan attack. Occurs when an intruder makes repeated attempts to
connect to a destination computer and the TCP packets contain certain flags.
This action can indicate that an attacker is probing for open ports, while
evading logging by the system.

Land attack. Occurs when an intruder establishes a Transmission Control
Protocol (TCP) connection with a spoofed source IP address and port
number that matches a destination IP address and port number. Spoofing
refers to tricking a computer to provide information to allow unauthorized
access by using a false IP address. A land attack can cause computers that
are running certain TCP implementations to stop responding, which denies
service to legitimate users.

Ping of death attack. Occurs when an intruder adds a large amount of data
to an Internet Control Message Protocol (ICMP) echo request packet. This

attack can cause computers that are running certain TCP implementations to
stop responding, which denies service to legitimate users.
Topic Objective
To describe the types of
attacks that ISA Server can
detect at the IP packet level.
Lead-in
At the IP packet level,
ISA Server can detect the
following attacks.
Delivery Tip
Point out that all attacks at
the IP packet level attempt
intrusion by using a single
IP packet or a connection
sequence.
Do not explain each attack
in detail, but use one or two
of them as examples.
Module 8: Monitoring and Reporting 5


UDP bomb attack. Occurs when an intruder attempts to send an illegal User
Datagram Protocol (UDP) packet. A UDP packet that is constructed with
illegal values in certain fields will cause computers that are running some
older operating systems to crash when the packet is received.

Windows out-of-band attack. Occurs when an intruder attempts an out-of-
band, denial-of-service attack against a computer that is protected by
ISA Server. A denial-of-service attack is an attempt to disable a computer or

network. This attack can cause the computer to stop responding or to lose
network connectivity.

6 Module 8: Monitoring and Reporting

Application–Level Attacks

DNS Hostname Overflow

DNS Length Overflow

DNS Zone Transfer from Privileged Ports (1–1024)

DNS Zone Transfer from High Ports (Above 1024)

POP Buffer Overflow

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
At the application level, ISA Server can detect the following attacks:


DNS hostname overflow. Occurs when a Domain Name System (DNS)
response for a host name exceeds a certain fixed length. This attack can
cause improperly written applications that do not check the length of the
host names to overflow the internal buffers when copying the host name.
This attack can allow a remote attacker to execute arbitrary commands on a

targeted computer.

DNS length overflow. Occurs when an IP address contains a length field
with a value larger than 4 bytes. This attack can cause improperly written
applications that perform DNS lookups to overflow the internal buffers.
This attack can allow a remote attacker to execute arbitrary commands on a
targeted computer.

DNS zone transfer from privileged ports (1–1024). Occurs when a computer
uses a DNS client application to transfer zones from an internal DNS server.
DNS zone information should not usually be transferred to external
computers, because it may contain sensitive information about your
network. The ports between 1 and 1024 are privileged ports, which are
reserved for server applications. Typically, a zone transfer request from a
port number between 1 and 1024 indicates that the request originates from a
server application, although there is no guarantee that it originates from a
server application.

DNS zone transfer from high ports (above 1024). Is similar to a DNS zone
transfer from a privileged port. Typically, a zone transfer request from a
port number over 1024 indicates that the request originates from a client
application, although there is no guarantee that it originates from a client
application.

POP buffer overflow. Occurs when an intruder attempts to gain privileged
access to computers that are running certain versions of a Post Office
Protocol (POP) server by overflowing an internal buffer on the server.

Topic Objective
To describe the types of

attacks that ISA Server can
detect at the application
level.
Lead-in
At the application level,
ISA Server can detect the
following attacks.
Delivery Tip
Point out that all attacks at
the application level attempt
intrusion by using the
vulnerability of a specific
application, such as a DNS
service or a POP server
service.

Do not explain each attack
in detail, but use one or two
of them as examples.
Module 8: Monitoring and Reporting 7

Configuring Intrusion Detection
IP Packet Filters Properties
General
OK Cancel
Enable detection of the selected attacks:
Packet Filters PPTP
Windows out-of-band (WinNuke)
Land
Ping of death

IP half scan
UDP bomb
Port scan
Intrusion Detection
Detect after attacks on 10 well-known ports
Detect after attacks on 20 ports
To receive alerts about intrusion attacks, see the properties for
specific alerts in the Alerts folder.
Intrusion detection functionality based on technology from Internet
Security Systems, Inc., Atlanta, GA, USA, www.iss.net
Apply
DNS intrusion detection filter Properties
General
OK Cancel
Filter incoming traffic for the following:
Attacks
DNS host name overflow
DNS length overflow
DNS zone transfer from privileged ports (1-1024)
DNS zone transfer from high ports (above 1024)
Apply
Apply
Apply
Select Attacks
Select the options that are
required to implement your
monitoring strategy.

*****************************
ILLEGAL FOR NON

-
TRAINER USE
******************************
When you configure intrusion detection, ISA Server identifies when an attack is
attempted against your network and then performs a set of preconfigured
actions. To detect unwanted intruders, ISA Server compares network traffic and
log entries to well-known attack methods. Possible actions that you can
configure include connection termination, service termination, e-mail alerts, and
logging.

Although ISA Server generates events whenever a selected intrusion
attack occurs, ISA Server generates alerts only if you specifically configure
ISA Server to do so.

Configuring IP Intrusion Detection
To configure IP intrusion detection:
1. In ISA Management, in the console tree, expand your server or array,
expand Access Policy, right-click IP Packet Filters, and then click
Properties.
2. In the IP Packet Filters Properties dialog box, on the General tab, select
the Enable packet filtering and the Enable Intrusion detection check
boxes.
3. On the Intrusion Detection tab, select the IP packet–level intrusion options
that are required to implement your monitoring strategy, and then click OK.
Topic Objective
To describe the procedures
that you use to configure
intrusion detection.
Lead-in
When you configure

intrusion detection,
ISA Server identifies when
an attack is attempted
against your network and
then performs a set of
preconfigured actions.
Key Point
Although ISA Server
generates events whenever
a selected intrusion attack
occurs, ISA Server
generates alerts only if you
specifically configure
ISA Server to do so.
Important
8 Module 8: Monitoring and Reporting

4. If you select the Port scan check box, perform the following actions, and
then click OK:
• In the Detect after attacks on … well-known ports box, type the
maximum number of well-known ports that can be scanned before
generating an event. Well-known ports are UDP and TCP ports in the
range 0–2048. Intruders frequently scan well-known ports because most
services listen for connections on these ports. An intruder is most likely
to find vulnerable ports by scanning well-known ports.
• In the Detect after attacks on … ports box, type the total number of
ports that can be scanned before generating an alert.

Configuring the DNS Intrusion Detection Filter
The DNS intrusion detection filter intercepts and analyzes DNS traffic destined

for the internal network.
To configure the DNS intrusion detection filter:
1. In ISA Management, in the console tree, expand your server or array,
expand Extensions, and then click Application Filters.
2. In the details pane, right-click DNS intrusion detection filter, and then
click Properties.
3. On the Attacks tab, select the options that are required to implement your
monitoring strategy, and then click OK.

Configuring the POP Intrusion Detection Filter
The POP intrusion detection filter detects attempts to perform POP buffer
overflow attacks.
To configure the POP intrusion detection filter:
1. In ISA Management, in the console tree, expand your server or array,
expand Extensions, and then click Application Filters.
2. In the details pane, right-click POP intrusion detection filter, and then
click Properties.
3. On the General tab, select the Enable this filter check box, and then click
OK.

Module 8: Monitoring and Reporting 9

ISA Server Events
ISA Management
Action View
Tree
Name Description Server Event
Internet Security and Acceleration Server
Servers and Arrays
LONDON

Monitoring
Computer
Access Policy
Site and Content Rules
Protocol Rules
IP Packet Filters
Publishing
Bandwidth Rules
Policy Elements
Cache Configuration
Monitoring Configuration
Alerts
Logs
Report Jobs
Extensions
Application Filters
Web Filters
Network Configuration
Client Configuration
H.323 Gatekeepers
Alert action failure The action associated with this alert fa… PHOENIX Alert action failure
Cache container initialization error The cache container initialization faile… PHOENIX Cache container initialization
Cache container recovery complete Recovery of a single cache container… PHOENIX Cache container recovery…
Cache file resize failure The operation to reduce the size of the… PHOENIX Cache file resize failure
Cache initialization failure The Web cache proxy was disabled to… PHOENIX Cache initialization failure
Cache restoration completed The cache content restoration was co… PHOENIX Cache restoration completed
Cache write error There was a failure in writing content… PHOENIX Cache write error
Cached object discarded During cache recovery, an object with… PHOENIX Cache object discarded
Component load failure Failed to load an extension component… PHOENIX Component load failure
Configuration error An error occurred while reading config… PHOENIX Configuration error

Dial-on-demand failure Failed to create a dial-on-demand con… PHOENIX Dial-on-demand failure
DNS intrusion A host name overflow, length overflow… PHOENIX DNS intrusion
Event log failure An attempt to log the event informaito… PHOENIX Event log failure
Firewall communication failure There is a failure in communication bet… PHOENIX Client/server communica..
Intrusion detecte d An intrusion was a ttempted by an exte… PHOENIX Intru sion detected
Invalid dial-on-demand credentials Dial-on-demand credentials are invalid PHOENIX Invalid dial-on-demand cr..
Invalid ODBC log credentials The specified user name or password… PHOENIX Invalid ODBC log credent…
IP packet dropped IP packet was dropped according to s… PHOENIX IP packet dropped
IP Protocol violation A packet with invalid IP options was d… PHOENIX IP Protocol violation
IP spooling The IP packet source address is not v… PHOENIX IP spo oling
Log failure One of the service logs failed PHOENIX Log failure
Missing installation component A component that was configured for t… PHOENIX Missing installation comp…
Network configuration changed A network configuration change that a… PHOENIX Network configuration ch…
No available ports Failed to create a network socket bec… PHOENIX No available ports
OS component conflict There is a conflict with one of the oper… PHOENIX Operating system comp…
Oversized UDP packet ISA Server dropped a UDP packet be… PHOENIX Oversize UDP packet
POP intrusion POP buffer overflow detected PHOENIX POP i ntrusion
Report Summary Generation Failure An error occurred while generating a r… PHOENIX Report Summary Ganer…
Intrusion detected Properties
General
OK Cancel
Events
Name:
Intrusion detected
Apply
Apply
Apply
Actions
Description An external user attempted an intrusion atta
(optional):

Enable

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
Events are conditions that ISA Server can detect during its operation, such as an
intrusion attempt, a problem with a service running on an ISA Server computer,
or a communication failure. You use events when you configure an alert. An
alert defines the actions that ISA Server performs when it detects an event.
When you create an alert, you must specify an event that triggers the alert.
The following table lists some of the events that ISA Server can detect.
Event Description

DNS intrusion Indicates that a host name overflow, length
overflow, zone high port, or zone transfer attack
has occurred.
Intrusion detected Indicates that an external user attempted an
intrusion attack.
IP packet dropped

Indicates that an IP packet that is not allowed by
an access policy was dropped.
IP protocol violation Indicates that ISA Server detected and dropped a
packet with invalid IP options.
IP spoofing Indicates an IP packet source address is not
valid.
POP intrusion Detects a POP buffer overflow attack.
SOCKS request was refused Indicates that ISA Server refused a SOCKS

request due to a policy violation.
Windows Media Technology
(WMT) live stream splitting failure
Indicates that the streaming application filter
encountered an error during the WMT live
stream splitting.


For a full list of the events that are recognized by ISA Server, see
“ISA Server events” in ISA Server Help.

Topic Objective
To describe some of the
events that you use to
configure alerts.
Lead-in
When you create an alert,
you must specify the event
that triggers the alert.
Delivery Tip
Do not cover all of the
ISA Server events in detail.
Instead, point students to
the reference in the Note at
the bottom of the page.
Note
10 Module 8: Monitoring and Reporting

Configuring Alerts
Intrusion detected Properties

General
OK Cancel
Events
Send e-mail
Browse…
Browse…
Browse…
Actions
Program
SMTP server: europe.london.msft
To:
Cc:
From:
Browse…
Test
Set Account…
Set Account…
Set Account…
Select…
Select…
Select…
Select…
Select…
Select…
Apply
Run this program:
Use this account:
Report to Windows 2000 event log
Stop selected services
Start selected services

Intrusion detected Properties
General
OK Cancel
Events
Actions
Actions will be executed when the selected conditions occur:
Event: Intrusion detected
Description An intrusion was attempted by an external
Additional condition: Any intrusion
Apply
Number of occurrences before the alert is issued: 1
Number of events per second before the alert is issued: 0
Recurring actions are performed:
Immediately
After manual reset of alert
If time since last execution is more than minutes
ISA Administrator
ISA Administrator

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
The alert service of ISA Server monitors events and then performs an action if a
specific event occurs. You can configure an alert to send an e-mail notification,
run a program, or start and stop a service. For example, you can configure
ISA Server to send you an e-mail message when a specified number of
intrusion attempts have occurred.


In addition, you can use scripts to configure advanced actions for
ISA Server. For example, you can create a program that scans the logs for the
IP address of an intruder and then creates a protocol filter that blocks
connections from the intruder’s IP address. You can then run the program
whenever ISA Server generates an alert that is based on an intrusion attempt.

Creating Alerts
To create an alert:
1. In ISA Management, in the console tree, expand your server or array,
expand Monitoring Configuration, right-click Alerts, point to New, and
then click Alert.
2. In the New Alert Wizard, type the name of the alert, and then click Next.
3. On the Events and Conditions page, select the event that will trigger the
alert. If the event allows you to specify additional conditions, select those
conditions, and then click Next.
Topic Objective
To describe the procedure
that you use to configure
alerts.
Lead-in
The alert service of
ISA Server monitors events
and then performs an action
if a specific event occurs.
Note
Module 8: Monitoring and Reporting 11

4. On the Actions page, select from the following actions, click Next, and then
click Finish:
If you select Then


Send an e-mail message Provide the name or the IP address of the Simple
Mail Transfer Protocol (SMTP) server, a recipient,
a return address, and any recipients to include on
the Cc: list. Ensure that no packet filters prevent
the ISA Server computer from communicating
with the SMTP server by using TCP port 25.
Run a program Provide the full path of the program that
ISA Server will run. If you run the program in the
security context of a user account other than the
local system account, provide the user name and
password for that account.
Report the event to a
Microsoft Windows
®
2000
event log
No further action is required.
Stop selected ISA Server
services
Select the service or services to stop. Valid choices
are the Firewall service, the Microsoft Web Proxy
service, and the Microsoft Scheduled Cache
Content Download service.
Start selected ISA Server
services
Select the service or services to start.

Viewing and Resetting Alerts
When an alert occurs, ISA Server performs the alert action and then records the

alert in the Event log. You can view all of the alerts that ISA Server issued and
the time that ISA Server issued the alert. After you view the alert, you can reset
it. Resetting an alert removes it from the list of recent events. If you configured
the alert to perform an action only after a manual reset of the alert, you must
reset the alert before ISA Server will issue the same alert again.
To view and reset an alert:
1. In ISA Management, in the console tree, under Monitoring, click Alerts.
2. In the details pane, view the alerts that have occurred.
3. To reset an alert, right-click the alert, and then click Reset.

12 Module 8: Monitoring and Reporting

Configuring Advanced Alert Properties
Intrusion detected Properties
General
Cancel
Events
Actions
Actions will be executed when the selected conditions occur:
Event: Intrusion detected
Description An intrusion was attempted by an external
Additional condition: Any intrusion
Number of occurrences before the alert is issued: 1
Number of events per second before the alert is issued: 0
Recurring actions are performed:
Immediately
After manual reset of alert
If time since last execution is more than minutes
Choose options to
customize alert

action for the
event.
Apply
OK

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
After you create an alert, you can configure the alert properties. For example,
you can configure ISA Server to alert you by using e-mail messages only when
there are a specified number of intrusion attempts.

A large number of alert actions may cause you to overlook
important events, such as an important event log entry that appears among
many duplicate entries that are less important.

To configure advanced alert properties:
1. In ISA Management, in the console tree, expand Monitoring
Configuration, and then click Alerts.
2. In the details pane, right-click the alert, and then click Properties.
3. On the Events tab, choose one or more of the following options to
customize the alert action for an event, and then click OK:
To Do this

Specify the number of
occurrences before an alert is
issued
Select the Number of occurrences before the

alert is issued check box, and then type the
number of occurrences.
Specify the number of events
per second to occur before an
alert is issued
Select the Number of events per second before
the alert is issued check box, and type the number
of events per second.
Reissue an alert immediately
if an event recurs
Click Immediately. Selecting this option can result
in a large number of alert actions because
ISA Server performs the alert action each time that
it detects a specific event.
Topic Objective
To describe the procedure
that you use to configure
advanced alert properties.
Lead-in
After you create an alert,
you can configure the alert
properties.
Important