Monitoring ISA Server 2004 Connectivity, Sessions, and Services - Dr. Tom Shinderamp;#039;s Configuring ISA Server 1002004 [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Dr. Tom Shinderamp;#039;s Configuring ISA Server 1002004 [Electronic resources] - نسخه متنی

Thomas W. Shinder; Debra Littlejohn Shinder

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Back Cover Dr. Tom Shinder's Configuring ISA Server 2004 Introduction Acknowledgments About the Authors Technical Editor A Note From the Publisher From Deb and Tom Shinder, Authors Chapter 1: Evolution of a Firewall: From Proxy 1.0 to ISA 2004 The Book: What it Covers and Who It's For It's in the Book: What We Cover This Book's For You: Our Target Audience Security: The New Star of the Show Security: What's Microsoft Got to Do with It? Security: A Policy-Based Approach Security: A Multilayered Approach Firewalls: The Guardians at the Gateway Firewalls: History and Philosophy Firewalls: Understanding the Architecture Firewalls: Features and Functionality Firewalls: Role and Placement on the Network ISA: From Proxy Server to Full-Featured Firewall ISA: A Glint in MS Proxy Server's Eye ISA: A Personal Philosophy Summary Chapter 2: Examining the ISA Server 2004 Feature Set The New GUI: More Than Just a Pretty Interface Examining the Graphical Interface Examining The Management Nodes Teaching Old Features New Tricks Enhanced and Improved Remote Management Enhanced and Improved Firewall Features Enhanced and Improved Virtual Private Networking and Remote Access Enhanced and Improved Web Cache and Web Proxy Enhanced and Improved Monitoring and Reporting Multi-Networking Support New Application Layer Filtering (ALF) Features VPN Quarantine Control Missing in Action: Gone but Not Forgotten Live Media Stream Splitting H.323 Gateway Bandwidth Control Active Caching Summary Solutions Fast Track New GUI: More Than Just a Pretty Face Teaching Old Features New Tricks New Features on the Block Missing in Action: Gone But Not Forgotten Frequently Asked Questions Chapter 3: Stalking the Competition: How ISA 2004 Stacks Up Firewall Comparative Issues The Cost of Firewall Operations Specifications and Features Comparing ISA 2004 to Other Firewall Products ISA Server 2004 Comparative Points Comparing ISA 2004 to Check Point Comparing ISA 2004 to Cisco PIX Comparing ISA 2004 to NetScreen Comparing ISA 2004 to SonicWall Comparing ISA 2004 to WatchGuard Comparing ISA 2004 to Symantec Enterprise Firewall Comparing ISA 2004 to Blue Coat SG Comparing ISA 2004 to Open Source Firewalls Summary Comparing Architecture Comparing Functionality Comparing Cost Solutions Fast Track Firewall Comparative Issues Comparing ISA 2004 to Other Firewall Products Frequently Asked Questions Chapter 4: ISA 2004 Network Concepts and Preparing the Network Infrastructure Our Approach to ISA Firewall Network Design and Defense Tactics Defense in Depth ISA Firewall Fallacies Software Firewalls are Inherently Weak You Can't Trust Any Service Running on the Windows Operating System to be Secure ISA Firewalls Make Good Proxy Servers, but I Need a 'Real Firewall' to Protect My Network ISA Firewalls Run on an Intel Hardware Platform, and Firewalls Should Have 'No Moving Parts' 'I Have a Firewall and an ISA Server' Why ISA Belongs in Front of Critical Assets A Better Network and Firewall Topology Tom and Deb Shinder's Configuring ISA 2004 Network Layout Creating the ISALOCAL Virtual Machine How ISA Firewall’s Define Networks and Network Relationships ISA 2004 Multinetworking The ISA Firewall’s Default Networks Creating New Networks Controlling Routing Behavior with Network Rules The ISA 2004 Network Objects ISA Firewall Network Templates Dynamic Address Assignment on the ISA Firewall’s External Interface Dial-up Connection Support for ISA firewalls, Including VPN Connections to the ISP “Network Behind a Network” Scenarios (Advanced ISA Firewall Configuration) Web Proxy Chaining as a Form of Network Routing Firewall Chaining as a Form of Network Routing Configuring the ISA Firewall as a DHCP Server Summary Solutions Fast Track Our Approach to the ISA Firewall Network Design and Defense Tactics Tom and Deb Shinder's Configuring ISA 2004 Network Layout How ISA Firewalls Define Networks and Network Relationships Frequently Asked Questions Chapter 5: ISA 2004 Client Types and Automating Client Provisioning Understanding ISA 2004 Client Types Understanding theISA 2004 SecureNAT Client Name Resolution for SecureNAT Clients Name Resolution and 'Looping Back' Through the ISA 2004 Firewall Understanding the ISA 2004 Firewall Client ISA 2004 Web Proxy Client ISA 2004 Multiple Client Type Configuration Deciding on an ISA 2004 Client Type Automating ISA 2004 Client Provisioning Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery Configuring DNS Servers to Support Web Proxy and Firewall Client Autodiscovery Special Considerations for VPN Clients Automating Installation of the Firewall Client Configuring Firewall Client and Web Proxy Client Configuration in the ISA Management Console Group Policy Software Installation Silent Installation Script Systems Management Server (SMS) Summary Solutions Fast Track Understanding the ISA 2004 SecureNAT Client Understanding the ISA 2004 Web Proxy Client Understanding the ISA 2004 Firewall Client Frequently Asked Questions Chapter 6: Installing and Configuring the ISA Firewall Software Pre-installation Tasks and Considerations System Requirements Configuring the Routing Table DNS Server Placement Configuring the ISA Firewall's Network Interfaces Unattended Installation Installation via a Terminal Services Administration Mode Session Performing a Clean Installation on a Multihomed Machine Default Post-installation ISA Firewall Configuration The Post-installation System Policy Performing an Upgrade Installation Performing a Single NIC Installation (Unihomed ISA Firewall) Quick Start Configuration for ISA Firewalls Configuring the ISA Firewall's Network Interfaces Installing and Configuring a DNS Server on the ISA Server Firewall Installing and Configuring a DHCP Server on the ISA Server Firewall Installing and Configuring the ISA Server 2004 Software Configuring the Internal Network Computers Hardening the Base ISA Firewall Configuration and Operating System ISA Firewall Service Dependencies Service Requirements for Common Tasks Performed on the ISA Firewall Client Roles for the ISA Firewall Lockdown Mode Connection Limits DHCP Spoof Attack Prevention Summary Solutions Fast Track Pre-installation considerations Performing a clean installation Default Post-install System Policy and Firewall Configuration Frequently Asked Questions Chapter 7: Creating and Using ISA 2004 Firewall Access Policy Introduction ISA Firewall Access Rule Elements Protocols User Sets Content Types Schedules Network Objects The Rule Action Page The Protocols Page The Access Rule Sources Page The Access Rule Destinations Page The User Sets Page Access Rule Properties The Access Rule Context Menu Options Configuring RPC Policy Configuring FTP Policy Configuring HTTP Policy Ordering and Organizing Access Rules How to Block Logging for Selected Protocols Disabling Automatic Web Proxy Connections for SecureNAT Clients Using Scripts to Populate Domain Name Sets Using the Import Scripts Extending the SSL Tunnel Port Range for Web Access to Alternate SSL Ports Avoiding Looping Back through the ISA Firewall for Internal Resources Anonymous Requests Appear in Log File Even When Authentication is Enforced For Web (HTTP Connections) Blocking MSN Messenger using an Access Rule Allowing Outbound Access to MSN Messenger via Web Proxy Changes to ISA Firewall Policy Only Affects New Connections Configure the Routing Table on the Upstream Router Configure the Network Adaptors Install the ISA Server 2004 Firewall Software Install and Configure the IIS WWW and SMTP Services on the DMZ Server Create the DMZ Network Create the Network Rules Between the DMZ and External Network and for the DMZ and Internal Network Create Server Publishing Rule Allowing DNS from DMZ to Internal Create an Access Rule Allowing DNS from Internal to External Create an Access Rule Allowing DNS from Internal to External Create an Access Rule Allow HTTP from External to DMZ Create an Access Rule Allowing SMTP from External to DMZ Test the Access Rules from External to DMZ Test the DNS Rule from the DMZ to the Internal Network Change the Access Rule Allowing External to DMZ by Disabling the Web Proxy Filter Allowing Intradomain Communications through the ISA Firewall Solutions Fast Track Configuring Access Rules for Outbound Access through the ISA Firewall Using Scripts to Populate Domain Name Sets Creating and Configuring a Public Address Trihomed DMZ Network Frequently Asked Questions Chapter 8: Publishing Network Services with ISA 2004 Firewalls Overview of Web Publishing and Server Publishing Web Publishing Rules Server Publishing Rules The Select Rule Action Page The Define Website to Publish Page The Public Name Details Page The Select Web Listener Page and Creating an HTTP Web Listener The User Sets Page The Web Publishing Rule Properties Dialog Box Creating and Configuring SSL Web Publishing Rules SSL Bridging Importing Web Site Certificates into The ISA Firewall's Machine Certificate Store Requesting a User Certificate for the ISA Firewall to Present to SSL Web Sites Creating an SSL Web Publishing Rule Creating Server Publishing Rules The Server Publishing Rule Properties Dialog Box Server Publishing HTTP Sites Creating Mail Server Publishing Rules The Web Client Access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync Option The Client Access: RPC, IMAP, POP3, SMTP Option Summary Solutions Fast Track Overview of Web Publishing and Server Publishing Creating and Configuring Non-SSL Web Publishing Rules Creating and Configuring SSL Web Publishing Rules Frequently Asked Questions Chapter 9: Creating Remote Access and Site-to-Site VPNs with ISA Firewalls Overview of ISA Firewall VPN Networking Firewall Policy Applied to VPN Client Connections Firewall Policy Applied to VPN Site-to-Site Connections VPN Quarantine User Mapping of VPN Clients SecureNAT Client Support for VPN Connections Site-to-Site VPN Using Tunnel Mode IPSec Publishing PPTP VPN Servers Pre-shared Key Support for IPSec VPN Connections Advanced Name Server Assignment for VPN Clients Monitoring of VPN Client Connections Creating a Remote Access PPTP VPN Server Enable the VPN Server Create an Access Rule Allowing VPN Clients Access to Allowed Resources Enable Dial-in Access Test the PPTP VPN Connection Issue Certificates to the ISA Firewall and VPN Clients Test the L2TP/IPSec VPN Connection Monitor VPN Clients Using a Pre-shared Key for VPN Client Remote Access Connections Creating a PPTP Site-to-Site VPN Create the Remote Site Network at the Main Office Create the Network Rule at the Main Office Create the Access Rules at the Main Office Create the VPN Gateway Dial-in Account at the Main Office Create the Remote Site Network at the Branch Office Create the Network Rule at the Branch Office Create the Access Rules at the Branch Office Create the VPN Gateway Dial-in Account at the Branch Office Activate the Site-to-Site Links Enable the System Policy Rule on the Main Office Firewall to Access the Enterprise CA Request and install a Web Site Certificate for the Main Office Firewall Configure the Main Office ISA Firewall to Use L2TP/IPSec for the Site-to-Site Link Enable the System Policy Rule on the Branch Office Firewall to Access the Enterprise CA Request and Install a Web Site Certificate for the Branch Office Firewall Configure the Main Office ISA Firewall to Use L2TP/IPSec for the Site-to-Site Link Activate the L2TP/IPSec Site-to-Site VPN Connection Configuring Pre-shared Keys for Site-to-Site L2TP/IPSec VPN Links IPSec Tunnel Mode Site-to-Site VPNs with Downlevel VPN Gateways Using RADIUS for VPN Authentication and Remote Access Policy Configure the Internet Authentication Services (RADIUS) Server Create a VPN Clients Remote Access Policy Remote Access Permissions and Domain Functional Level Changing the User Account Dial-in Permissions Changing the Domain Functional Level Controlling Remote Access Permission via Remote Access Policy Enable the VPN Server on the ISA Firewall and Configure RADIUS Support Create an Access Rule Allowing VPN Clients Access to Approved Resources Make the Connection from a PPTP VPN Client Using EAP User Certificate Authentication for Remote Access VPNs Configuring the ISA Firewall Software to Support EAP Authentication Enabling User Mapping for EAP Authenticated Users Issuing a User Certificate to the Remote Access VPN Client Machine Supporting Outbound VPN Connections through the ISA Firewall Installing and Configuring the DHCP Server and DHCP Relay Agent on the ISA Firewall Creating a Site-to-Site VPN Between an ISA Server 2000 and ISA Firewall Run the Local VPN Wizard on the ISA Server 2000 firewall Change the Password for the Remote VPN User Account Change the Credentials the ISA Server 2000 Firewall uses for the Demand-dial Connection to the Main Office Change the ISA Server 2000 VPN Gateway's Demand-dial Interface Idle Properties Create a Static Address Pool for VPN Clients and Gateways Run the Remote Site Wizard on the Main Office ISA firewall Create a Network Rule that Defines the Route Relationship Between the Main and Branch Office Create Access Rules Allowing Traffic from the Main Office to the Branch Office Create the User Account for the Remote VPN Router Test the connection A Note on VPN Quarantine Summary Solutions Fast Track Overview of ISA Firewall VPN Networking Creating a Remote Access PPTP VPN Server Creating a Remote Access L2TP/IPSec Server Frequently Asked Questions Chapter 10: ISA 2004 Stateful Inspection and Application Layer Filtering Introduction Application Filters The SMTP Filter and Message Screener The DNS Filter The POP Intrusion Detection Filter The SOCKS V4 Filter The FTP Access Filter The H.323 Filter The MMS Filter The PNM Filter The PPTP Filter The RPC Filter The RTSP Filter Web Filters The HTTP Security Filter (HTTP Filter) The ISA Server Link Translator The Web Proxy Filter The SecurID Filter The OWA Forms-based Authentication Filter The RADIUS Authentication Filter IP Filtering and Intrusion Detection/Intrusion Prevention Common Attacks Detection and Prevention DNS Attacks Detection and Prevention IP Options and IP Fragment Filtering Summary Solutions Fast Track Application Layer Filters Web Filters Intrusion Detection and Prevention Frequently Asked Questions Chapter 11: Accelerating Web Performance with ISA 2004 Caching Capabilities Understanding Caching Concepts Web Caching Types Web Caching Architectures Web Caching Protocols Understanding ISA Server 2004's Web Caching Capabilities Using the Caching Feature Understanding Cache Rules Understanding the Content Download Feature Configuring ISA Server 2004 as a Caching Server Enabling and Configuring Caching How to Configure Caching Properties Creating Cache Rules Configuring Content Downloads Summary Fast Track Frequently Asked Questions Chapter 12: Using ISA Server 2004's Monitoring, Logging, and Reporting Tools Introduction Exploring the ISA Server 2004 Dashboard Dashboard Sections Configuring and Customizing the Dashboard Creating and Configuring ISA Server 2004 Alerts Alert-triggering Events Viewing the Predefined Alerts Creating a New Alert Modifying Alerts Viewing Triggered Alerts Monitoring ISA Server 2004 Connectivity, Sessions, and Services Configuring and Monitoring Connectivity Monitoring Sessions Monitoring Services Working with ISA Server 2004 Logs and Reports Understanding ISA Server 2004 Logs Generating, Viewing, and Publishing Reports with ISA Server 2004 Using ISA Server 2004's Performance Monitor Solutions Fast Track Exploring the ISA Server 2004 Dashboard Creating and Configuring ISA Server 2004 Alerts Monitoring ISA Server 2004 Sessions and Services Working with ISA Server 2004 Logs and Reports 1Using ISA Server 2004's Performance Monitor Frequently Asked Questions Appendix: Network Security Basics Introduction Security Overview Defining Basic Security Concepts Knowledge is Power Think Like a Thief Security Terminology Addressing Security Objectives Controlling Physical Access Preventing Accidental Compromise of Data Preventing Intentional Internal Security Breaches Preventing Unauthorized External Intrusions Recognizing Network Security Threats Understanding Intruder Motivations Classifying Specific Types of Attacks Designing a Comprehensive Security Plan Evaluating Security Needs Understanding Security Ratings Legal Considerations Designating Responsibility for Network Security Designing the Corporate Security Policy Educating Network Users on Security Issues Incorporating ISA Server in your Security Plan ISA Server Intrusion Detection Implementing a System Hardening Plan with ISA Summary Index Numbers Index A Index B Index C Index D Index E Index F Index G Index H Index I Index J Index K Index L Index M Index N Index O Index P Index Q Index R Index S Index T Index U Index V Index W Index Z List of Figures List of Tables List of Sidebars

توضیحات
افزودن یادداشت جدید









Monitoring ISA Server 2004 Connectivity, Sessions, and Services

You can monitor connectivity between the ISA Server and other computers from the Connectivity tab. You can monitor current sessions for Firewall, Web Proxy, and SecureNAT clients from the Sessions tab. You can monitor the status of ISA Server services from the Services tab. In the following sections, we will look at each of these individually.

Configuring and Monitoring Connectivity


You can monitor the connections between the ISA Server and specific servers on any network (by server name or IP address) or between the ISA Server and a specific Web server (by URL). You can use one of three methods to verify the connectivity:



Ping: The ISA server will send a ping (ICMP ECHO_REQUEST message) to the server. When the server sends back an ECHO_REPLY message, this confirms that it is reachable by the ISA server.



TCP Connect: The ISA server will attempt to make a TCP connection to a specified port on the server. This can be used to ensure that a particular service is running on the server.



HTTP Request: The ISA server will send an HTTP GET command to the specified Web server. A response indicates that the Web server is up and running and reachable by the ISA server.



To monitor connectivity to a server by any of these methods, you need to create a connectivity verifier and place it into one of the predefined groups. The groups include:



Active Directory



DHCP



DNS



Published servers



Web (Internet)



Others



The status of each group is shown in the Dashboard view. This will allow you to quickly determine if one of the servers in the group has a problem. Then you can click the Connectivity tab for details about which server(s) in the group has the connectivity problem.

In the following sections, we'll show you how to create connectivity verifiers, how to assign them to groups, and how to monitor connectivity with the verifiers you have created.


Creating Connectivity Verifiers


The first step in monitoring connections between the ISA server and other computers is to create a connectivity verifier. To do so, click the Connectivity tab in the Monitoring node, and then click Create New Connectivity Verifier in the right task pane. This invokes the New Connectivity Verifier Wizard. On the first page of the wizard, you need to give the verifier a name (for example, if you are going to monitor the connection to a Web site, you might give it the name of the site's URL).

Next, you'll be asked to provide connectivity verification details. First, enter a server name, IP address, or URL in the Connection details field (you can also browse to a location to monitor by clicking the Browse button).

Select the group type in the drop-down box, as shown in Figure 12.24.


Figure 12.24: Entering Connectivity Verification Details

You can also select the verification method. If you are monitoring connectivity to a Web server (URL), you should select Web (Internet) as the group type and Send HTTP 'GET' request as the verification method. If you want to verify that a specific program or service is running on the server connection you will be monitoring, select Establish a TCP connection to port: and select from the available applications in the drop-down box. The port number will be entered for you, or you can choose Custom and enter the port number.

Applications from which you can choose in the drop-down box include:

AOL Instant Messenger

Chargen (TCP)

Daytime (TCP)

Discard (TCP)

DNS

Echo (TCP)

Finger

FTP

Gopher

H.323 Protocol

HTTP

HTTPS

ICA

ICQ 2000

Ident

IMAP4

IMAP5

IRC

Kerberos-Adm (TCP)

Kerberos-Adm (TCP) LDAP

LDAP GC (Global Catalog)

LDAPS

LDAPS GC (Global Catalog)

Microsoft CIFS (TCP)

Microsoft Operations Manager Agent

Microsoft SQL (TCP)

Microsoft Operations Manager Agent

Microsoft SQL (TCP)

MMS (Microsoft Media Server)

MS Firewall Control

MSN

MSN Messenger

Net2Phone Registration NetBios Session

News

NNTP

NNTPS

PNM (Progressive Networks Media)

POP2

POP3

POP3S

PPTP

Quote (TCP)

RDP (Terminal Services)

Rlogin

RPC (all interfaces)

TRSP (Real Time Streaming Protocol

SMTPS

SSH

Telnet

Time

WhoIs

The last page of the wizard summarizes your choices. Use the Back button if you want to change anything. Otherwise, click Finish.

If you have selected to verify an HTTP connection, you will see a dialog box informing you that a rule allowing HTTP or HTTPS to the specified destination must be configured in order to do this, and asking if you want to enable the system policy rule to 'allow HTTP/HTTPS requests from ISA Server to the selected servers for connectivity verifiers.' This is shown in Figure 12.25. Click Yes to enable the rule.


Figure 12.25: Enabling a Rule to allow HTTP/HTTPS Requests






Note

If you delete or disable all of the verifiers that use the HTTP method, the system policy rule to allow HTTP/HTTPS requests for connectivity verifiers will be automatically disabled as a security measure. You'll have to enable it again if you later create or enable a verifier that is configured to use HTTP.


The new connectivity verifier will be shown in the middle pane when the Connectivity tab is selected, as shown in Figure 12.26.


Figure 12.26: The New Connectivity Verifier


After you select to enable the rule, you must click Apply at the top of the console. This saves your changes and updates the configuration. You'll see a progress bar as the changes are applied, then the dialog box will advise that the changes to the configuration were successfully applied. Click OK to close the dialog box.

Now 'Verifying' will disappear from the Result column and a result time (in milliseconds) will replace it.

You can delete or disable a verifier by right clicking it and selecting Delete or Disable from the context menu. You can also export or import verifiers from this menu. Another way to perform these tasks is to highlight the selected verifier and click the appropriate task in the right task pane (Delete Selected Verifiers, Disable Selected Verifiers, Export Connectivity Verifiers or Import Connectivity Verifiers).

If you want to change any of the properties of your connectivity verifier, right-click it and select Properties from the context menu, or highlight it and click Edit Selected Verifier in the right task pane.

On the General tab of the properties box, you can change the name, enable or disable the verifier, and type an optional description. On the Properties tab, you can change the URL, server name or IP address of the connection being monitored, change the group type, or change the verification method. You can also specify a timeout response threshold (by default, 5000 msec). Finally, you can select whether to trigger an alert if the server response is not within the specified timeout period (by default, an alert is triggered), as shown in Figure 12.27.


Figure 12.27: Modifying Properties of a Connectivity Verifier


Monitoring Connectivity


Once you've configured your verifiers, you can tell at a glance whether there are any problems with the servers in a particular group by viewing the Connectivity section of the Dashboard. As you can see in Figure 12.28, the group types that have verifiers configured show a status of 'Good' as long as the connections in that group type are verified.


Figure 12.28: Monitoring Connectivity from the Dashboard

If there is a problem with one of the servers in a group, the group status will show the problem (even though other servers in the group may be connected without any problem). For example, if one of the servers in the Others group is experiencing a slow connection, this will be indicated in the Status column on the Dashboard, as shown in Figure 12.29.


Figure 12.29: Connectivity Problems Displayed on Dashboard

To determine which server has the problem, you'll need to go to the Connectivity tab. Then you'll be able to see exactly which verifier reports a problem, as shown in Figure 12.30.


Figure 12.30: The Connectivity Tab Shows Which Server Has a Problem

'Unresolved Name' is one of several status indicators that can occur for verifiers using the HTTP method. It occurs when the server's name cannot be resolved to an IP address. Other results, depending on the response from the Web server, include:



OK: This result is reported when a 401 message (Web server authentication required) is returned from the server.



Error (Windows Server 2003): This result is reported when a 407 message (proxy authentication required) is returned, because ISA Server could not verify connectivity to the actual Web server.



Authentication required (Windows 2000 Server): This result is reported when a 407 message is returned if the server is running Windows 2000.



Error: This result is reported if any 4xx message is returned (except 401 or 407) or if any 5xx message is returned.



Time-out: This result is reported if the request times out before the server responds.



Unable to verify: This result is reported if the ISA Server is down or the Firewall service is otherwise unavailable.










Tools and Traps...Why Monitor Connectivity?

When should you create connectivity verifiers, and to which servers should you monitor connectivity? If you have mission critical servers on the network (for example, your Exchange e-mail server) that have been published to make them available to external clients, you might want to create a connectivity verifier so you can easily keep tabs on whether it's working properly.

You might also want to create connectivity verifiers to some popular external Web sites that are considered reliable in terms of up-time, so you can tell at a glance if the ISA Server has connectivity to those external sites.











Monitoring Sessions


A handy feature in ISA Server 2004 is the ability to monitor real-time sessions, that is, the activity of a particular client computer (IP address) by a particular user (account name). You can monitor sessions from all three types of clients: Firewall, Web Proxy, and SecureNAT.






Note

Because ISA Server sees a session as a unique combination of a user plus an IP address, you might show more current users in the Firewall service performance counters than the number of sessions shown in the Sessions window. That's because if a new connection is made from the same IP address and the same user, it is considered part of the same session. The System Monitor denotes every connection as a current user.



Viewing, Stopping and Pausing Monitoring of Sessions


To view current sessions being conducted through the ISA Server, click the Sessions tab and you will see a list of sessions as shown in Figure 12.31.


Figure 12.31: Viewing Current Sessions

As you can see, the display shows you the following information about each session:



Date and time the session was activated



Session type (Firewall, Web Proxy, SecureNAT client, VPN client, or Remote VPN site)



Client IP address



Source network



Client user name (if authentication is required)



Client host name (for Firewall Client sessions)



Application name (for Firewall Client sessions)



Server name (name of the ISA Server)



The Server name and Application name columns are not displayed by default in Standard Edition. To display them, right-click on one of the column headers and check Server name or Application name in the context menu.






Note

Even if you have blocked anonymous connections, you may see anonymous sessions because, for performance reasons, the Web Proxy client sends the first message anonymously; the server then returns a 407 message requiring authentication, and subsequent communications include client credentials.


If you want to stop monitoring sessions, just select Stop Monitoring Sessions in the right task pane. All the sessions information will then disappear from the Sessions tab. To start monitoring again, click Start Monitoring Sessions (which only appears when you have stopped monitoring).






Warning

If you stop monitoring sessions, all the information that ISA Server had collected about sessions up to that time will be lost.


You can also stop ISA Server from adding new sessions to the display by selecting Pause Monitoring Sessions. When you do so, that selection will be replaced by Resume Monitoring Sessions. When you are paused, the sessions that were already in the display will stay there.


Monitoring Specific Sessions Using Filter Definitions


If you have many sessions going through the ISA server, it can be difficult to find the ones in which you're interested. You can use ISA Server 2004's filtering mechanism to sort the sessions data and display only sessions that meet specified criteria. If you specify multiple criteria, only the sessions that meet all of your specifications will be displayed.

To define a filter, do the following:



In the right task pane, click Edit Filter, or right-click in the middle pane and select Edit Filter from the context menu.



In the Edit Filter dialog box, select filter criteria for the Filter by field from the drop-down box, as shown in Figure 12.32.


Figure 12.32: Setting Filter Criteria



You can select to filter by any of the following:



Activation



Application name



Client host name



Client IP address



Client user name



Server name



Session type



Source network





Next, you'll need to select a condition (in this case, 'equals' or 'not equal').



In the Value field, your choices depend on which criteria you are filtering by. In our example, we chose to filter by session type, so our value choices are Firewall Client, SecureNAT, VPN Client, VPN Remote Site, or Web Proxy. We want to view all Web Proxy sessions.



Click Add to list to add your filter criteria to the list

If you want to further narrow the scope of sessions listed, you can add more criteria by going through the same process again. In our example, as shown in Figure 12.33, we want to view only the Web Proxy sessions for client IP address 192.168.1.121 (the local host).


Figure 12.33: Specifying Multiple Filtering Criteria



When you have added all the criteria that you want, click Start Query and the filtering process will begin. The session(s) that meet all of the specified criteria will be displayed as shown in Figure 12.34.


Figure 12.34: Result of Filtering



You can save a filter definition so you can use it again by exporting it to an .xml file. See Exporting and Importing Filter Definitions later in this section.








ISA Server Mysteries...The Missing Task Pane Functions

In the ISA Server 2004 Help files, you'll see instructions for saving filter definitions and 'loading' filter definitions that tell you to select Save Filter Definitions or Load Filter Definitions on the Tasks tab. The problem is that no such selections exist (they did in some beta versions). In the final release of the product, you use the Export and Import functions for this purpose.






Tip

Before you edit the default filter, export (save) the filter definition. If you want to return to the default Sessions view, you can easily import the filter definition, and then stop and restart monitoring. ISA Server does not provide a reset button to return you to the default view (all sessions); this is a feature we would like to see in a future version of ISA Server.













Disconnecting Sessions


You can disconnect a session quickly and easily by right-clicking it in the Sessions window and selecting Disconnect Session in the context menu. You will be asked if you're sure you want to disconnect the session. Click Yes to do so. Alternatively, you can highlight the session, and then click Disconnect Session in the right task pane.


Exporting and Importing Filter Definitions


You can save filters by exporting them to .xml files, and then load them by importing them. If you do a lot of filtering, you will probably want to make a number of predefined filters so you can quickly view, for example, all Web Proxy sessions with one filter, all Firewall sessions with another filter, all sessions for a particular application with another, all sessions for a particular client user name with another, and so forth.

Once you have defined a filter you want to save and conducted a query with it, click Export Filter Definitions in the right task pane. Select a location in which to save it (we suggest creating a folder for all your filters) and give it a descriptive name (for example, FirewallSessionFilter). Click the Save button.

When you're ready to use that filter again, just click Import Filter Definitions in the right task pane, navigate to the location of the saved filter and select it, and click the Load button. You may need to click the Refresh button in the top toolbar to view the new filter results after loading the filter.

Monitoring Services


You can view the ISA Server services that are running on the firewall by using the Services tab in the Monitoring node. By default, the Services window in the middle pane will show the names of services, the status of each (running or stopped), and in some cases, the service uptime (how long the service has been running in days, hours, minutes, and seconds.






Note

The Service Uptime column does not update in real time. You will need to click the Refresh button on the toolbar or click Refresh Now in the right task pane to update the times.


You can stop and start services from this interface. Just right-click a running service and select Stop, or highlight a service and click Stop Selected Service in the right task pane. The service's status will change to 'Stopped' as shown in Figure 12.35. You can then restart the service by right-clicking and selecting Start, or highlighting and selecting Start Selected Service in the task pane.


Figure 12.35: Stopping and Starting Services

/ 145