CHAPTER 9

                      MONITORING AND OPTIMIZING ISA SERVER

                                                          PERFORMANCE

 

 

 

Microsoft Internet Security and Acceleration Server 2000 (ISA Server) includes many tools

for monitoring, optimizing, and tuning performance.  Alerts, logs, and reports can all be

configured through the Monitoring Configuration node in ISA Management. 

 

 

Lesson 1:  Configuring Alerts

 

The ISA Server alert service is responsible for capturing events, checking whether certain

conditions are met, and taking appropriate action.  You can use ISA Management to view

the full list of events supplied with ISA Server and to configure which actions should be

triggered when

 any of these events occur.

 

Preconfigured Alerts

 

By default, ISA Server includes 45 alerts, 39 of which are enabled.  You can view this list of alerts

in ISA Management by selecting the Alerts folder in the Monitoring Configuration node.  View at

home but do not memorize them!!!

 

NOTE:  You can also view ISA Server events in the Alert folder of the Monitoring node in ISA

Management.  However, ISA Management only shows the first occurrence of an event since the

previous shutdown.

 

Alert Conditions:  New alerts are based on existing alerts, but they normally include an additional,

more specific condition that must be met.  For example, the Domain Name System (DNS)

Intrusion alert normally has the Any DNS Intrusion condition specified as the additional

condition.

 

Event Location:  You can also configure a new alert that includes the same event and additional

condition as one of the pre-existing alerts, but that limits the detection of the event to a particular

server in the array.

 

 

Event Thresholds

 

Once an alert is configured, you can modify the alert by specifying the following threshold, which

determines when the alert action should be performed:

 

 

 

=====================================================================

 

winisa9.html                                                     PAGE 2                                                   2002/05/31

 

 

 

•   How many times per second the event should occur before issuing an alert (also called the

event frequency threshold)

•   How many events should occur before the alert is issued
•   How long to wait before issuing the alert again.

 

 

Alert Action

 

You can set one or more of the following actions to be performed when an alert condition

is met:

 

•   Send an e-mail message
•   Run a specific program
•   Log the event in the Windows 2000 Event Log
•   Stop or start any ISA Server service:  Firewall service, Web Proxy service, or

Scheduled

•  Content Download service

 

NOTE:  If you configure an e-mail action to use an external SMTP server, you must create

a static packet filter that allows the SMTP protocol.

 

 

 

Lesson Summary:

 

•   By default, ISA Server includes 45 alerts, 39 of which are enabled.  Each alert specifies an

event and four properties, including the alert condition, the event location, and alert threshold,

and the alert actions.

•   By default, all alerts only report the specified event to the Windows 2000 Event Log. 
•   However, you can also configure an alert to send an e-mail, to run a program, and to start

or stop ISA Server services.

•   By default, alerts specify the condition only needs to occur once for an alert action to take

place, and that the alert action should take place immediately.

 

 

 

Lesson 2:  Logging ISA Server Activity

 

•   ISA Server features detailed security and access logs that can be generated in standard data

formats like World Wide Web Consortium (W3C) and Open Database Connectivity (ODBC). 

•   The three logs built into ISA Server monitor activity of the Firewall service, the Web Proxy service,

and packet filtering.  New logs can be created daily, weekly, monthly or yearly.

 

 

 

 

=====================================================================

 

winisa9.html                                                     PAGE 3                                                   2002/05/31

 

 

 

 

Managing ISA Server Logs

 

ISA Server logs packet filtering activity, Firewall service activity, and Web Proxy service activity. 

By default, one new log file is generated for each service per day.

 

You can modify many of the default settings for these three service logs.  For example, you can

modify the logging format.  By default, ISA Server logs to a file in W3C format, but you can also

choose to log to a file in ISA format.

 

 

Logging to a File

 

You can save ISA Server logs to a file in either of the following formats:

 

• W3C format (universal)
• ISA Format

 

You can specify the location of a log file in the Options dialog box.

 

The default location for the log file is the ISALogs folder.  When you leave this option selected, the

log file is saved to the same location within the ISA Server installation folder on every ISA Server

computer in the array.  If you specify another folder, however, the path you specify for the log file

must exist on every server in the array.

 

IMPORTANT  It is recommended that you log to Windows NT file system (NTFS) partitions so

that the log files benefit from advanced file system features like NTFS security and data compression. 

C:\wwroot\drop

 

 

Log File Names

 

The first three letters of the service log file name indicate the service being logged.  FWS indicates

the Firewall service, WEB indicates the Web Proxy service, and IPP indicates IP packet filters.

(A file in ISA Server file format is designated by the absence of the letters EXT).

 

A monthly Firewall service log file in ISA format created on the same date would be named

FWSM20020521.log.

 

 

=====================================================================

 

winisa9.html                                                     PAGE 4                                                   2002/05/31

 

 

 

 

 

Logging to a Database

 

You can store ISA Server logs to an ODBC database instead of a file.  You configure this

option by selecting the Database radio button on the Log tab of a service log’s Properties

dialog box.

 

The root folder of the ISA Server CD-ROM includes the following sample scripts that create

tables and indexes to support database logging:

 

•   Pf.sql defines the packet filter log table called PacketFilterLog and indexes to

support table queries.

 

•   W3PROXY.sql defines the Web Proxy service log table WebProxyLog and indexes to

 support table queries.

 

•   FWSRV.sql defines the Firewall service log table called FirewallLog and indexes

to support table queries.

 

 

For example, to create a SQL Server 2000 log databased named ISALogs that can grow

to a maximum size of 100MB and a transaction log file that can grow to a maximum size of

50MB, perform the following steps:

 

 

NOTE:  Logs will truncate information, if tables not created properly, and they are not much

help if the error message is missing information.

 

 

Logging Packets

 

All packets that pass through ISA Server can be logged to the packet filter log.  You can

configure exactly which packets are logged by following these guidelines:

 

 

•   By Default, when you install ISA Server, all dropped packets are logged to the

packet filter log.

•   You can configure ISA Server to disable logging for packets that are dropped due

to any specific block-mode IP packet filter.

•   You can configure ISA Server to log all packets, allowed and dropped that are

communicated by way of ISA Server.  When you enable logging of allowed packets,

all packets that pass through ISA Server are logged in the packet filter log.

 

NOTE:  You can only log allowed packets if packet filtering is enabled.

 

 

Firewall and Web Proxy Log Fields

 

By default, the packet filters log reports nine of a possible twelve fields.  Also by default,

the Firewall service and Web Proxy Service logs report 18 of a possible 27 fields.

 

 

 

 

=====================================================================

 

winisa9.html                                                     PAGE 5                                                   2002/05/31

 

 

 

 

Packet Filter Log Fields

 

You can use the ISA server log to monitor and analyze the status of the packet filters.

 

 *** See page 370-371 ***

 

 

Lesson Summary:

 

•   Three logs are built into ISA Server that monitor the activity of ISA Server packet

filters, the firewall service, and the Web Proxy Service. 

•   By default, one new log file is generated for each service per day.
•   By default, each new log file is stored in the ISALogs folder below the ISA

Server installation folder.

•   You can save ISA Server logs either to a file or to an ODBC database.
•   ISA Server allows you to specify which fields to report to the service logs.

 

 

Lesson 3:  Creating ISA Server Reports

ISA Server can automatically generate graphical reports from information stored in the logs.

 

 

Configuring Reports

 

You can use the reporting feature of ISA Server to create reports about the Internet usage

patterns of your client users and computers.

 

 

Viewing Reports

 

Each report job actually creates a set of five reports, each of which can be viewed in a

separate folder in the Monitoring node of ISA Management page 375.  The five folders,

named Summary, Web Usage, Application Usage, Traffic & Utilization, and Security,

contain reports corresponding to each folder name.

 

 

Summary Reports

 

These Reports are most relevant to the network administrators or the person managing or

planning a company’s Internet connectivity.

 

 

 

 

=====================================================================

 

winisa9.html                                                     PAGE 6                                                   2002/05/31

 

 

 

 

Application Usage Reports

 

Application Usage reports illustrate Internet application usage in a company, including

incoming and outgoing traffic, top users, client applications, and destinations.

 

 

Traffic & Utilization Reports

 

Traffic & Utilization reports illustrate total Internet usage by application, protocol, and

direction; average traffic and peak simultaneous connections; cache hit ratio; errors and

other statistics.

 

 

NOTE:  The report will be sorted the next time you view it.

 

 

 

Configuring Report Jobs

 

You can schedule reports to be generated on a recurring basis:  daily, on specified days of the

week, or monthly.  For each report job you create, you can specify a period of time over

which the information in the logs will be collected, and the schedule by which a report based

on that period will be generated.

 

 

Report Job Credentials

 

For each report job you must configure, whether locally or remotely, a user name and password

with appropriate credentials to generate the reports on every server in the array.    In addition,

users that meet the following criteria can generate reports:

 

The user must have local administrator privileges on every ISA Server computer in the array.

The user must be able to access and launch DCOM objects on every ISA Server in the array.

 

 

Configuring Report Log Summaries

 

Reports are generated from a database that includes data collected form the ISA Server logs.

 

Scheduled reports may be created even if daily and monthly summaries are disabled.

 

NOTE:  You may specify between 35 and 999 daily summaries and between 13 and 999 monthly

summaries to save.  These minimums ensure that enough summaries will be saved to generate

monthly and yearly reports.

 

 

=====================================================================

 

winisa9.html                                                     PAGE 7                                                   2002/05/31

 

 

 

 

Report Database

 

By default, that location is the ISAReports folder of the ISA installation folder.  A typical path

is %ProgramFiles\Microsoft ISA Server\ISAReports.

 

The reports can then be viewed on the ISA Server computer on which the report database is

located.  You cannot view the reports if you run ISA Management from another ISA Server

computer in the same array.

 

 

Lesson Summary:

 

• The ISA Server reporting mechanism enable you to create graphical summaries of Internet usage.
• Every report job generates a set of five reports, each of which appears as a Web page.
• Reports are generated from a database of log summaries, which include data collected from the
• ISA Server logs.  The ISA Server reporting mechanism combines the summary logs from all the
• ISA Server computers in a given array into a database on each ISA Server.

 

 

Lesson 4:  Controlling Bandwidth

 

As communication within your network and with the Internet becomes more congested,

network performance may deteriorate.

 

Bandwidth priorities are policy elements that designate priority values between 1 and 200 for

incoming and outgoing bandwidth.  These bandwidth priorities can then be applied to specific

connections through the use of bandwidth rules.

 

 

Determining Effective Bandwidth

 

Before you create bandwidth rules, you need to specify the effective bandwidth of your

Internet connection in ISA Management so that ISA Server can properly enforce bandwidth

priorities.

 

 

 

 

=====================================================================

 

winisa9.html                                                     PAGE 8                                                   2002/05/31

 

 

 

 

Effective Bandwidth for Dial-up Connections

 

For a modem, the bandwidth depends on the modem speed, compression, and other factors. 

You can specify the effective bandwidth for a dial-up connection by modifying the dial-up

entry associated with that connection in ISA Management, as shown on page 387.

 

 

 

Effective Bandwidth for Dedicated Network Connections

 

For frame relay networks (E1/T1 or E3/T3), the maximum effective bandwidth is determined

by your wide area network (WAN) provider.  You can configure effective bandwidth for a

dedicated network connection by modifying bandwidth rules properties in ISA Management.

 

If a device used for internal communication has 100KB effective bandwidth and the external

device has 56KB, you should configure the effective bandwidth at 56KB.

 

 

Configuring Bandwidth Priorities

 

Bandwidth priorities are policy elements that define the priority level applied to connections

passing through the ISA Server computer.  These policy elements are then assigned to

bandwidth rules to prioritize specific connections or traffic types.

 

Bandwidth priorities are specified according to the following directions:

 

Outbound bandwidth.  This is the bandwidth priority allocated for requests from internal

clients for objects on the Internet.

 

Inbound bandwidth.  This is the bandwidth priority allocated for requests from external

clients for objects on the local network.

 

 

Configuring Bandwidth Rules

 

Bandwidth rules apply predefined bandwidth priorities to traffic passing through ISA Server. 

When you create a bandwidth rule, you can specify a traffic type by any combination of the

following parameters:

 

• Protocol definition
• Requesting user or source IP address
• Request destination
• Schedule
• Content rule

 

 

 

=====================================================================

 

winisa9.html                                                     PAGE 9                                                   2002/05/31

 

 

 

 

As a result, all traffic passing through ISA Server is assigned a priority of 100 unless

otherwise specified.

 

NOTE:  Before you use the New Bandwidth Rule wizard, be sure to create policy elements

for the new rule.  Depending on how you configure the rule, you may require the following

policy elements:  protocol definitions, schedules, client address sets, destination sets, content

groups, and bandwidth priorities.

 

 

Rule Order

 

For each bandwidth rule, ISA Server compares the parameters defined in the rule to the

details of the connection.  The rule numbered 1 is processed first.

 

 

Lesson Summary:

 

•   ISA Server allows you to allocate more bandwidth to specific types of network traffic

through bandwidth priorities and bandwidth rules.

•   Bandwidth priorities are policy elements that are assigned a value between 1 and 200

for incoming and outgoing bandwidth, with higher values representing high priorities.

•   ISA Server includes a default bandwidth priority element named Default Bandwidth
•   Priority, which assigns a value of 100 to both incoming and outgoing bandwidth.
•   Bandwidth rules are ordered like routing rules, with the default rule (which assigns the

default bandwidth priority to all network traffic) always processed last.

 

 

Lesson 5:  Additional Tuning and Monitoring Tools

 

You can fine tune performance in ISA Server by adjusting the server’s configuration to the

number of expected daily connections, and you can tune performance of the cache by

adjusting the amount of physical RAM used for storing Web content.

 

*** See charts 404-420 ****

 

 

 

 

=====================================================================

 

winisa9.html                                                     PAGE 10                                                 2002/05/31

 

 

 

Lesson Summary:

 

 

•   By adjusting the settings on the Performance tab of an array’s properties, you can

 tune the array’s performance to adjust to the number of daily connections you

anticipate for your site.

•   In addition to the alerting, logging and reporting features, ISA Server includes

seven performance objects, each containing multiple counters that you can use

to gather information related to ISA Server performance.

•   ISA server Performance from other Windows 2000 functions, and it has 21

counters preloaded into the System Monitor snap-in, the real-time monitoring tool.