Microsoft Corporation
Published: May, 2007
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the companies, organizations, products, domain
names, e-mail addresses, logos, people, places, and events depicted in examples herein are
fictitious, and no association with any real company, organization, product, domain name, e-mail
address, logo, person, place, or event is intended or should be inferred. Complying with all
applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2007 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, FrontPage, Visual Studio, Windows, and Windows Server are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
Contents
ISA Server Operations Guide
Operations
Daily
Resource availability
Internet access
Availability of published servers
Availability of authentication servers
Cache
Services
Event Viewer
Daily backups
Dashboard
Alerts
Weekly
Disk space
Reports
Create and delete ISA Server rules
Monthly
Backup and restore testing
Performance Logs and Alerts
Reports
Security updates
Quarterly
Rules and configuration analysis
Certificate review
Reports
ISA Server Operations Guide
Microsoft® Internet Security and Acceleration (ISA) Server 2006 is the security gateway that
helps protect your mission critical applications from Internet-based threats. ISA Server enables
your business to do more, with secure access to Microsoft applications and data. Secure your
Microsoft application infrastructure by protecting your corporate applications, services, and data
across all network layers with stateful packet inspection, application-layer filtering, and
comprehensive publishing tools. Streamline your network with simplified administrator and user
experiences through a unified firewall and virtual private network (VPN) architecture. Safeguard
your information technology environment to reduce security risks and costs, and help eliminate
the effects that malicious software and attackers have on your business.
This document discusses some of the different ISA Server operations activities, and when these
activities should be performed. This document assumes that ISA Server has already been
installed, configured, and is properly running in your environment. This document does not cover
installing, configuring, or troubleshooting ISA Server. It covers what an ISA Server administrator
should check on a daily, weekly, monthly, and quarterly basis to assist in keeping ISA Server
running as expected. The information in this document can also help the ISA Server administrator
plan for future growth.
For more information about installing, configuring, and troubleshooting ISA Server 2006, see the
Microsoft ISA Server TechCenter at the Microsoft TechNet Web site.
Operations
Your ISA Server operations activities occur at different frequencies:
• Daily
• Weekly
• Monthly
• Quarterly
Daily
On a daily basis, you should check the items in the following sections to make sure that your
users are able to access the resources they require through ISA Server. The items should be
checked at least on a daily basis, to ensure that ISA Server computers and the surrounding
environment are functioning properly.
Note:
There are many methods or techniques that can be used to achieve these tasks. This
document describes several methods. If you have another method that works for you,
continue to use it. If you have suggestions for additional methods, send an e-mail
message to ISA Server Documentation Feedback.
Resource availability
Because ISA Server enables you to provide secure access to the Internet and secure access to
internal resources, you should check that these resources are available on a daily basis. For
example, if you are publishing an internal Web site so users can access the site remotely and the
Web server is accidentally turned off, users will be unable to access this resource. When things
do not work properly, it might not be an ISA Server issue. In addition to checking that internal
resources are working, verify that the servers and services that ISA Server relies on to provide
that access are also functioning.
Internet access
If you have configured ISA Server to protect users when they are surfing the Internet through ISA
Server, you want to make sure the Internet is accessible by using one of the following methods:
• Manually test Internet connectivity from an internal workstation:
a. From your workstation, open Microsoft Internet Explorer® and browse to a public
Web site, such as http://www.microsoft.com.
b. If access to a site fails, try another site because the first site might be unavailable.
c. If access to multiple sites fails, test Internet access to these sites from ISA Server.
For more information about troubleshooting Internet access, see "Troubleshooting Web
Access for Internal Clients" at the Microsoft TechNet Web site.
• Configure ISA Server connectivity verifiers to test Internet connectivity. Manually testing
Internet connectivity can be time-consuming. You can configure ISA Server to check
connectivity to specific URLs, and if connectivity fails, ISA Server generates an ISA Server
alert. To configure connectivity verifiers:
a. Configure a connectivity verifier in the ISA Server Management console to check
access to public Web sites. We recommend creating multiple connectivity verifiers to test
connectivity to multiple sites because one site might be unavailable temporarily.
b. On a daily basis, check the Dashboard in ISA Server Management to see the status
of configured connectivity verifiers. If the status of all configured Internet connectivity
verifiers is failed, you should check the connection to the Internet.
For more information about troubleshooting Internet access, see "Troubleshooting Web
Access for Internal Clients" at the Microsoft TechNet Web site.
The following is a list of benefits of using ISA Server connectivity verifiers:
• In addition to automating checking Internet connectivity, an ISA Server alert is generated
each time a connectivity verifier fails, providing you with the time of day and frequency that a
connectivity verifier has failed.
• ISA Server alerts can be configured to send an e-mail message, run a program, report to
an event log, stop selected services, and start selected services after a specific number of
failures. This can provide you with advanced warning that you are experiencing Internet
connectivity issues. Instead of users informing you of an issue, you can inform users that a
known issue is being handled.
• When a server responds to the connectivity verifier but not within the specified time-out
period, ISA Server will generate a Slow Connectivity alert. The default threshold for a new
connectivity verifier is 5,000 milliseconds or 5 seconds. If the default is not long enough, you
can either lengthen the time-out period or configure the connectivity verifier not to generate
an alert when the server response is not within the specified time-out.
Note:
For more information about configuring connectivity verifiers, see the ISA Server product
Help.
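The manual test and the verifier behavior described above can be scripted for a quick check from a workstation or from the ISA Server computer. The following PowerShell is an added example, not part of the original guide or of ISA Server; the function names, the 30-second hard time-out, and the example.com/example.net URLs are assumptions, while the 5,000 millisecond threshold is the default stated above.

```powershell
# Added example (not from the guide): manual stand-in for Internet connectivity verifiers.
# Function names, the 30-second hard time-out and the example.* URLs are assumptions.

function Get-VerifierStatus {
    param([bool]$Responded, [int]$ElapsedMs, [int]$ThresholdMs = 5000)
    if (-not $Responded)             { return 'Failed' }   # no answer at all
    if ($ElapsedMs -gt $ThresholdMs) { return 'Slow' }     # answered, but past the threshold
    return 'OK'
}

function Test-WebConnectivity {
    param([string]$Url, [int]$ThresholdMs = 5000, [int]$HardTimeoutMs = 30000)
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    $responded = $false
    try {
        $request = [System.Net.WebRequest]::Create($Url)
        $request.Timeout = $HardTimeoutMs
        $response = $request.GetResponse()
        $response.Close()
        $responded = $true
    }
    catch {
        # An HTTP error status (4xx/5xx) still proves that the server answered.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) { $responded = $true; $ex.Response.Close() }
    }
    $timer.Stop()
    $elapsed = [int]$timer.ElapsedMilliseconds
    New-Object PSObject -Property @{
        Url       = $Url
        ElapsedMs = $elapsed
        Status    = Get-VerifierStatus -Responded $responded -ElapsedMs $elapsed -ThresholdMs $ThresholdMs
    }
}

function Get-InternetVerdict {
    param([object[]]$Results)
    if (-not $Results) { return 'No sites tested' }
    $failed = @($Results | Where-Object { $_.Status -eq 'Failed' })
    $slow   = @($Results | Where-Object { $_.Status -eq 'Slow' })
    # One failed site might just be unavailable; every site failing points at the connection.
    if ($failed.Count -eq $Results.Count) { return 'All sites failed: check the connection to the Internet' }
    if ($failed.Count -gt 0)              { return 'Some sites failed: those sites might be unavailable' }
    if ($slow.Count -gt 0)                { return 'Connected, but slow responses: review the time-out threshold' }
    return 'Internet access OK'
}

# Constructed sample timings (no network needed) covering the three states.
$sample = @(
    @{ Url = 'http://www.microsoft.com'; Responded = $true;  ElapsedMs = 180 },
    @{ Url = 'http://www.example.com';   Responded = $true;  ElapsedMs = 6200 },
    @{ Url = 'http://site.example.net';  Responded = $false; ElapsedMs = 30000 }
) | ForEach-Object {
    New-Object PSObject -Property @{
        Url = $_.Url; ElapsedMs = $_.ElapsedMs
        Status = Get-VerifierStatus -Responded $_.Responded -ElapsedMs $_.ElapsedMs
    }
}
$sample | Format-Table Url, ElapsedMs, Status -AutoSize
Get-InternetVerdict -Results $sample

# Live run from an internal workstation or from the ISA Server computer:
# $live = 'http://www.microsoft.com', 'http://www.example.com' |
#     ForEach-Object { Test-WebConnectivity -Url $_ }
# Get-InternetVerdict -Results $live
```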
b. If you have published non-Web server protocols, use the associated client application
to connect to the server. For example, if you published a Domain Name System (DNS)
server, open the DNS Microsoft Management Console (MMC) snap-in and connect to the
DNS server's IP address.
• Configure ISA Server connectivity verifiers to test connectivity to internal resources.
Manually testing connectivity to internal resources can be time-consuming. You can configure
ISA Server to check connectivity to the specified internal URLs or servers, and if connectivity
fails, ISA Server generates an ISA Server alert. To configure connectivity verifiers:
a. Configure a connectivity verifier in ISA Server Management to check access to
internal resources.
b. On a daily basis, check the Dashboard in ISA Server Management to see the status
of configured connectivity verifiers. If the status indicates connectivity problems, select
the Alerts tab to see which connectivity verifier has failed.
Availability of authentication servers
One of the fundamental capabilities of ISA Server is the ability to apply a firewall policy to specific
users. By default, ISA Server can authenticate users against local accounts on the ISA Server
computer. ISA Server can communicate with Active Directory® directory service servers (for
Microsoft Windows® authentication), with RSA authentication managers (for RSA SecurID
authentication), with Remote Authentication Dial-In User Service (RADIUS) servers, and with
Lightweight Directory Access Protocol (LDAP) (for Web publishing only).
When the selected authentication method is not available, users are not granted access to the
requested resource. For more information about the different authentication methods supported
by ISA Server, see "Authentication in ISA Server 2006" at the Microsoft TechNet Web site.
On a daily basis, you should check that the authentication methods that ISA Server requires are
available using one of the following methods:
• Manually test connectivity to the authentication servers:
• If Active Directory has been selected as the authentication method, in most cases,
when you log on to your computer, you have tested if Active Directory is available and
running.
• For RSA SecurID and RADIUS authentication, see the vendor's product
documentation about how to test that the authentication services are available.
• For LDAP authentication, you can use the LDP.exe tool to test the connectivity to the
LDAP server. By default, LDP.exe is located in %PROGRAMFILES%\Support Tools.
• Configure ISA Server connectivity verifiers to test connectivity to the required
authentication servers. Manually testing connectivity to the authentication servers can be
time-consuming. You can configure ISA Server to check connectivity to the specified
authentication servers, and if connectivity fails, ISA Server generates an ISA Server alert. To
configure connectivity verifiers:
a. Configure a connectivity verifier in ISA Server Management to check connectivity to
authentication servers.
b. On a daily basis, check the Dashboard in ISA Server Management to see the status
of configured connectivity verifiers. If the status indicates connectivity problems, select
the Alerts tab to see which server has failed.
• If MOM 2005 or System Center Operations Manager 2007 is installed in your
environment, configure MOM 2005 or System Center Operations Manager 2007 to monitor
Active Directory, RSA, and RADIUS servers. MOM and System Center Operations Manager
use management packs to enhance the intelligent operations management for a variety of
server applications.
For more information about MOM 2005, see the Microsoft Operations Manager Web site.
For more information about System Center Operations Manager 2007, see the Microsoft
System Center Operations Manager Web site.
For a list of benefits of using connectivity verifiers, see the list of benefits in Internet access earlier
in this document.
Cache
The following are the main benefits to enabling cache:
• Faster Internet user access. Web requests are served from the cache instead of
requiring a connection to a remote Internet server. In Web publishing scenarios, reverse
caching speeds up access for Internet users requesting Web content from corporate Web
servers published by ISA Server.
• Reduced traffic on the Internet connection. Because frequently requested objects are
served from the cache, bandwidth is saved on the Internet connection. In Web publishing
scenarios, reverse caching reduces the load on the published Web server.
For more information about ISA Server cache, see "Caching and CARP in ISA Server 2006" at
the Microsoft TechNet Web site.
Note:
Caching is not enabled by default. If you want to take advantage of ISA Server caching,
you must enable this feature.
When caching is enabled on your ISA Server computers, you should check on a daily basis that
Web requests are being served by the cache directly instead of making a request to the Internet.
To make sure Web requests are being delivered by cache content directly, check ISA Server
logging:
1. In ISA Server Management, select the Logging page on the Monitoring node.
2. Edit the existing filter to show HTTP traffic only.
3. Add the following columns to the log results pane: Object Source and Cache
Information. The Object Source column indicates the source that was used to retrieve the
current object, and the Cache Information column indicates the reason why an object was or
was not cached.
4. When a Web request is delivered by cache content, the Object Source for the request
will be Cache. How caching is configured determines how many Web requests are delivered
from cache instead of from the Internet.
Note:
For information about how to modify the default filter conditions to display data that meets
specific criteria in the log viewer, see the "Querying the Logs" section in "Monitoring,
Logging, and Reporting Features in ISA Server 2006" at the Microsoft TechNet Web site.
As shown in the preceding screen shot, not every Web request is cached. HTTP defines several
ways for a Web server to specify how long a document can be cached before it expires, or not to
cache the page. To determine why an object was not delivered from cache, record the value in
the Cache Information column and look up the value in the "Web Proxy: Cache Information Log
Values" section in "ISA Server Logging Fields and Values" at the Microsoft TechNet Web site.
Services
You should check the status of services on your ISA Server computer to confirm that the required
services show Started, especially the services that are configured to start automatically when the
computer is started. Use one of the following methods:
• Open the Services MMC snap-in to view the status of all services running on the ISA
Server computer. From a command prompt, run services.msc to open the Services snap-in.
• You can also check the status, and start and stop the following ISA Server services from
the Services tab on the Monitoring node in ISA Server Management:
• Microsoft Firewall
• Microsoft ISA Server Job Scheduler
• Routing and Remote Access
• Network Load Balancing (ISA Server Enterprise Edition)
• Microsoft Data Engine
Event Viewer
On a daily basis, you should check the event logs for all of your ISA Server computers for any
unusual Warning and Error events. ISA Server events are logged to the Application log in Event
Viewer.
From a command prompt, run eventvwr.msc to open the Event Viewer MMC snap-in.
You can filter event logs to show only the event types you select. For example, to only view
Warning and Error event types, you can create a filter that only shows Warning and Error event
types.
For more information about Event Viewer, see Microsoft Windows Server® 2003 product Help.
For additional information about specific events and error messages, see the Events and
Message Center at the Microsoft TechNet Web site.
Daily backups
If you are running daily backups of your servers, confirm that the backup finished successfully. To
determine the status of each backup job, refer to your vendor's product documentation.
For more information about backing up your ISA Server computer, see "How to Back Up and
Restore an ISA Server Enterprise Configuration" at the Microsoft TechNet Web site.
Dashboard
On a daily basis, you should check the Dashboard tab on the Monitoring node. If a warning or
error status icon appears, your attention is needed. For additional information, open the required
tab on the Monitoring node.
Alerts
Confirm the status of ISA Server alerts from the Dashboard tab on the Monitoring node. An OK
status icon indicates that there are no alerts that have not been acknowledged or reset. An error
status icon indicates that there are alerts that need your attention. Go to the Alerts tab to view
more information and to acknowledge or reset the alerts.
Weekly
On a weekly basis, check the items described in the following sections.
Disk space
Check the amount of free disk space on all drives on the ISA Server computers in your
environment. If a computer runs out of disk space or logging fails, ISA Server goes into lockdown
mode. If free disk space is low, you should back up files that are not needed and then delete
these files.
When in lockdown mode, the following functionality applies:
• The Firewall Packet Filter Engine (fweng) applies the firewall policy.
• Outgoing traffic from the Local Host network to all networks is allowed. If an outgoing
connection is established, that connection can be used to respond to incoming traffic. For
example, a DNS query can receive a DNS response, on the same connection.
• No incoming traffic is allowed, unless a system policy rule that specifically allows the
traffic is enabled. The one exception is Dynamic Host Configuration Protocol (DHCP) traffic,
which is always allowed. DHCP requests on User Datagram Protocol (UDP) port 67 are
allowed from the Local Host network to all networks, and DHCP replies on UDP port 68 are
allowed back in.
• The following system policy rules are still applicable:
• Allow Internet Control Message Protocol (ICMP) from trusted servers to the local
host.
• Allow remote management of the firewall using MMC (RPC through port 3847).
• Allow remote management of the firewall using Remote Desktop Protocol (RDP).
• VPN remote access clients cannot access ISA Server. Similarly, access is denied to
remote site networks in site-to-site VPN scenarios.
• Any changes to the network configuration while in lockdown mode are applied only after
the Firewall service restarts and ISA Server exits lockdown mode. For example, if you
physically move a network segment and reconfigure ISA Server to match the physical
changes, the new topology is in effect only after ISA Server exits lockdown mode.
• ISA Server does not trigger any alerts.
When the Firewall service restarts, ISA Server exits lockdown mode and continues functioning, as
previously. Any changes made to the ISA Server configuration are applied after ISA Server exits
lockdown mode.
To configure a low disk space alert, see "How To: Configure a Low Disk Space Alert by Using the
Performance Logs and Alerts Feature in Windows Server 2003" at the Microsoft Support Web
site.
If MOM 2005 or System Center Operations Manager 2007 is installed in your environment, you
can configure low disk space alerts for the ISA Server computer.
For more information about MOM 2005, see the Microsoft Operations Manager Web site.
For more information about System Center Operations Manager 2007, see the Microsoft System
Center Operations Manager Web site.
Reports
With ISA Server reporting, you can create a permanent record of common usage patterns, and
summarize and analyze log information. Reports can be scheduled to be generated on a daily,
weekly, or monthly basis, or on specific dates. Reports can be copied to another server, such as a
Web server or file server, making the reports available to users who do not have access rights to
ISA Server Management.
Schedule reports to run on a weekly basis and review these reports to analyze application and
traffic patterns. Reporting provides you with historical information that is helpful when evaluating
performance issues. For example, if users are stating that the Internet is slow, you can look at
current and historical Traffic and Utilization reports, and see if a large increase in HTTP traffic has
occurred. With the reports, you have the information and can explain the reason for the slow
response.
Monthly
On a monthly basis, check the items described in the following sections.
Reports
With ISA Server reporting, you can create a permanent record of common usage patterns, and
summarize and analyze log information. Reports can be scheduled to be generated on a daily,
weekly, or monthly basis, or on specific dates. Reports can be copied to another server, such as a
Web server or file server, making the reports available to users who do not have access rights to
ISA Server Management.
Configure ISA Server to generate built-in reports automatically on a monthly basis. ISA Server
has the following built-in reports:
• Summary
• Web Usage
• Application Usage
• Traffic and Utilization
• Security
Review these reports to analyze application usage patterns, traffic patterns, and security incident
patterns for month-to-month usage, such as from June to July of the same year and from June of
this year to June of last year.
For more information about ISA Server reports, see "Monitoring, Logging, and Reporting Features
in ISA Server 2006" at the Microsoft TechNet Web site.
Security updates
Microsoft typically releases security hotfixes on the first Tuesday of every month. Review
released hotfixes and determine if the hotfix is required for ISA Server computers.
Quarterly
On a quarterly basis, check the items described in the following sections.
Certificate review
Certificates are important in ISA Server publishing scenarios and ISA Server deployments in a
workgroup environment. If these certificates expire, a warning message is displayed when users
attempt to connect to the ISA Server computer, or the ISA Server computer cannot connect to the
published server or to the Configuration Storage server (in ISA Server Enterprise Edition) to
retrieve and apply policy updates.
Check the expiration date on all certificates on the ISA Server computer and the published Web
servers on a quarterly basis. This will provide you with enough time to renew the certificate before
it expires.
To check the expiration date on the installed certificates, do one of the following:
• Use the Microsoft ISA Server Best Practices Analyzer Tool:
a. Download and run the ISA Server Best Practices Analyzer Tool on your ISA Server
computers. To download the ISA Server Best Practices Analyzer, see "Microsoft Internet
Security and Acceleration (ISA) Server Best Practices Analyzer Tool" at the Microsoft
Download Center Web site. The ISA Server Best Practices Analyzer checks the
expiration date of the certificates on the ISA Server computer and the published Web
servers. The ISA Server Best Practices Analyzer shows a warning message when a
certificate is expiring within the next two weeks and an error message when a certificate
has expired.
b. Renew certificates that have expired or are going to expire according to the
instructions of the issuing certification authority.
• Use the Certificates MMC snap-in:
a. Open the Certificates MMC snap-in for the Computer account on the ISA Server
computer and internal Web server.
b. Expand the Personal folder and select the Certificates folder.
c. Double-click the Expiration Date column to sort the certificates based upon
expiration dates.
d. Renew certificates that have expired or are expiring according to the instructions of
the issuing certification authority.
When you are running ISA Server Enterprise Edition in a mixed workgroup/domain environment,
check the certificate installed on the Configuration Storage server. This certificate is stored in the
Certificates folder of the ISASTGCTRL service.
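The Certificates snap-in check above can also be run from PowerShell, which sorts and classifies the certificates in one pass. This is an added example, not part of the original guide or of the Best Practices Analyzer; the function name, the status labels, the 90-day review window, and the sample certificates are assumptions, and the 14-day window mirrors the two-week warning described above.

```powershell
# Added example (not from the guide): classify certificates by time left before expiry.
# Function name, status labels and the 90-day review window are assumptions.

function Get-CertificateExpiryStatus {
    param(
        [Parameter(ValueFromPipeline = $true)] $Certificate,
        [int]$WarningDays = 14,        # the Best Practices Analyzer warns two weeks ahead
        [int]$ReviewDays  = 90,        # assumed gap until the next quarterly review
        [datetime]$Now    = (Get-Date)
    )
    process {
        # Whole days until NotAfter; negative once the certificate has expired.
        $daysLeft = [int][math]::Floor(($Certificate.NotAfter - $Now).TotalDays)
        if     ($daysLeft -lt 0)            { $status = 'Expired' }
        elseif ($daysLeft -lt $WarningDays) { $status = 'ExpiresWithinWarningWindow' }
        elseif ($daysLeft -lt $ReviewDays)  { $status = 'RenewBeforeNextReview' }
        else                                { $status = 'OK' }
        New-Object PSObject -Property @{
            Subject  = $Certificate.Subject
            NotAfter = $Certificate.NotAfter
            DaysLeft = $daysLeft
            Status   = $status
        }
    }
}

# Constructed sample certificates (fictitious subjects) and a fixed review date,
# so the classification can be checked without touching a certificate store.
$reviewDate = [datetime]'2007-06-01'
$sample = @(
    @{ Subject = 'CN=www.contoso.example';      NotAfter = [datetime]'2007-05-20' },  # Expired
    @{ Subject = 'CN=mail.contoso.example';     NotAfter = [datetime]'2007-06-10' },  # 9 days left
    @{ Subject = 'CN=isa01.contoso.example';    NotAfter = [datetime]'2007-08-15' },  # 75 days left
    @{ Subject = 'CN=intranet.contoso.example'; NotAfter = [datetime]'2008-06-01' }   # OK
) | ForEach-Object { New-Object PSObject -Property $_ }

$sample |
    Get-CertificateExpiryStatus -Now $reviewDate |
    Sort-Object NotAfter |
    Format-Table Subject, NotAfter, DaysLeft, Status -AutoSize

# Live check of the Computer account's Personal store on the ISA Server computer
# or on a published Web server:
# Get-ChildItem Cert:\LocalMachine\My |
#     Get-CertificateExpiryStatus |
#     Sort-Object NotAfter |
#     Format-Table Subject, NotAfter, DaysLeft, Status -AutoSize
```

The live command reads only the Computer account's Personal store; the certificate in the ISASTGCTRL service store is not covered by it.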
Reports
With ISA Server reporting, you can create a permanent record of common usage patterns, and
summarize and analyze log information. Reports can be scheduled to be generated on a daily,
weekly, or monthly basis, or on specific dates. Reports can be copied to another server, such as a
Web server or file server, making the reports available to users who do not have access rights to
ISA Server Management.
Configure ISA Server to generate built-in reports automatically on a quarterly basis. ISA Server
has the following built-in reports:
• Summary
• Web Usage
• Application Usage
• Traffic and Utilization
• Security
Review these reports to analyze application usage patterns, traffic patterns, and security incident
patterns for quarter-to-quarter usage, such as from the first quarter to the second quarter and
from the second quarter of this year to last year's second quarter.
For more information about ISA Server reports, see "Monitoring, Logging, and Reporting Features
in ISA Server 2006" at the Microsoft TechNet Web site.