CHAPTER 10

                             TROUBLESHOOTING ISA SERVER

 

 

 

Lesson 1:  Troubleshooting Tools in ISA Server

 

These troubleshooting tools include features specific to ISA Server as well as common

TCP/IP commands and Microsoft Windows 2000 utilities.

 

 

Troubleshooting Tools

 

When unexpected problems arise in your ISA Server installation, you can take advantage

of a range of troubleshooting tools to determine the cause.

 

• ISA Server Reports
• Event Viewer
• Performance Monitor
• Netstat
• Telnet
• Network Monitor
• The Routing Table

 

 

Check the following:

 

• Obvious, cables and connections
• On user or several having the same problem
• New policy implemented or new software
• Check hardware
• DHCP online?
• Any new policies applied.

 

NOTE:  Pool performance resulting from a low cache hit ratio can be remedied by configuring

more frequent or extensive download jobs after hours, or by lengthening the TTL parameters

in the Cache Configuration Properties dialog box.

 

 

 

=====================================================================

 

winisa10.html                                                   PAGE 2                                                   2002/06/02

 

 

 

 

 

Event Viewer

 

When you are troubleshooting an error related to the function of an ISA Server service,

you should look in Event viewer.

 

 

Performance Monitor

 

Troubleshooting successfully with ISA Server Performance Monitor requires you to establish

baselines of counters before problems occur. You will need something to compare to.

 

 

Netstat

 

Netstat is a command-line tool that is useful for troubleshooting security and connectivity problems.  

By typing Netstat at the command line, you can check your ISA server computer’s port

configuration and see every connection being made to and from your computer.

 

 

-a:   Output of all listening ports in addition to all active connections.

-n:  Addresses and port numbers are not converted to names.

-p:  TCP command will print an output of all active TCP connections and listening ports.

 

 

Finally, Netstat can be used to diagnose attacks on your system.

 

 

Telnet

 

By specifying the port number, telnet 10.10.10.104 9999.  A command-line tool also.

 

 

Network Monitor  (packet based)

 

This means that for most network traffic, Network Monitor displays virtually all information

associated with network sessions, including source and destination ports and addresses,

server responses, and traffic payloads. 

 

 

 

=====================================================================

 

winisa10.html                                                   PAGE 3                                                   2002/06/02

 

 

 

 

Only use locally NOT remotely.

 

If L2TP is unavailable on the remote VPN server, your users will experience a delay while

attempting to connect through both protocols Network Monitor thus allows you to find

out when the L2TP connection is not working.

 

 

 

Routing Table

 

Type routeprint.   *** Try and learn how to add to a routing table, using the route add command ***

 

Or you can add to the routing table Start/Programs/Administrative tools/Routing and Remote Access.

 

 

 

Lesson Summary:

 

•   Event Viewer is useful in that it displays all event messages generated by the ISA

Server services.

•   The ISA Server Performance Monitor can help resolve problems related to network

usage, hardware and configuration.

•   Network Monitor is used to capture and display the contents of frames that a Windows

2000 server receives from the LAN.

 

 

 

Lesson 2:  Troubleshooting Strategies in ISA Server

 

When you experience unexpected behavior in ISA Server, you can begin troubleshooting by

determining whether the error is user-based or packet-based.

 

 

Tools such as ping and tracert may function properly even in these conditions.

 

Authentication

 

Similarly, Integrated Windows authentication is incompatible with Netscape browsers because

Netscape cannot pass user credentials in NTLM format.

 

SecureNAT client (no authentication, anyone can be a SecureNAT UNIX, etc.  No additional

software to use.

 

The alternative authentication methods available to ISA Server include:  Basic, Digest and

Client Certificate.  Client uses SSL. 

 

 

• Basic:  Compatible, quick, name and password clear text.
• Digest:  Windows 2000 only, encryption and passwords.
• Client Certificate:  More secure than other methods, SSL, Mutual authentication.

 

 

 

=====================================================================

 

winisa10.html                                                   PAGE 4                                                   2002/06/02

 

 

 

 

There are three types:

 

• SecureNAT
• Web Proxy
• Firewall

 

 

 

Troubleshooting Packet-based Access Problems

 

If ping and tracert fail use the following:

 

•   With packet filtering enabled.
•   Create a protocol rule to allow all IP traffic for any request, and ensure that you

have a site and content rule allowing access to all sites and content groups.

•   Return all application filters and routing rules to default settings.
•   Verify that you have defined the local address table LAT
•   Enable IP routing in the IP Packet Filters properties.

 

 

On the ISA Server computer, make sure that no default gateway is defined for the internal

interface.

 

If you still cannot gain access, reboot the ISA Server computer.  If this does not fix the problem,

the network problems may not be related to your ISA Server configuration.

 

For applications that are not able to use a proxy se5rver, you must configure the client for

SecureNAT or run on the Firewall Client software.  After reconfiguring the client, not any

changes in behavior.  If you use the Firewall Client software and access fails when you enable

automatic discovery, you can assume that automatic discovery is improperly configured.

 

 

VPN Network Considerations

 

Next, make sure that you have configured the client as a secure network address

translation SecureNAT client and not a firewall client.

 

 

ISA needs:

 

• Lots of RAM
• Lots of CPU
• Licensing/ Processor and per user.

 

 

 

=====================================================================

 

winisa10.html                                                   PAGE 5                                                   2002/06/02

 

 

 

 

Lesson Summary:

 

•   A good way to begin troubleshooting an access problem in ISA Server is to

determine whether the problem is user-based or packet-based.

•   In addition, if you want access policy rules configured for specific users and

groups to apply to Web sessions, you should verify that your array properties

have been configured to require authentication for outgoing Web requests.

•   Additional troubleshooting consideration for VPN connections include verifying

that VPN clients are configured as SecureNAT clients, that routing and Remote

Access is started, that the proper demand-dial interfaces are created for the VPN,

and that two IP packet filters are enabled for each authentication protocol selected

for the VPN.