Working with ISA Server 2004 Logs and Reports - Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources]
Thomas W. Shinder; Debra Littlejohn Shinder

Working with ISA Server 2004 Logs and Reports

ISA Server 2004's logging and reporting features take monitoring a step further and provide you with permanent documentation of the activities related to your ISA server. In the following sections, we take a look at how ISA Server logs data, how to configure the logs, and how to generate reports based on the logged information.

Understanding ISA Server 2004 Logs


ISA Server 2004 enables logging for all of its logging components by default. The logs are the following:



Web Proxy



Firewall Service



SMTP Message Screener




Log Types


The default log type is a Microsoft Data Engine (MSDE) database. The MSDE service is installed along with ISA Server 2004. If you have a SQL server on the network, you can configure the logs to be saved to the SQL database, or you can save the information to a file (World Wide Web Consortium or W3C format, or ISA Server format). There are advantages and disadvantages to each.
Note

The SMTP Message Screener log cannot be saved to an MSDE or SQL database. It must be saved to a file.



Logging to an MSDE Database

You can use ISA Server 2004's log viewer to display information saved in an MSDE database. You can query the database to find specific information. This is one of the reasons we like the MSDE format. The logs themselves are limited to 2GB each, but the log viewer will display all the information in separate log files as if it came from the same file. If a log reaches the 2GB limit, ISA Server 2004 will automatically start a new one.

You can also export the information from the log viewer to a text file, which is handy if you use analysis tools that require text files.

By default, MSDE log information is saved to the ISALogs folder within the ISA Server installation folder.


Logging to a SQL Server

Logging to a SQL server allows you to use standard SQL tools to query the database, and keeping the logs off the firewall itself gives you some fault tolerance: the log data is not lost if the ISA Server computer's disk fails. However, if connectivity with the SQL server is lost, the Firewall service shuts down.

There are also a number of security issues involved in logging to a remote SQL server. If you choose to do so, Microsoft recommends using Windows authentication rather than SQL authentication, and you should also consider encrypting the log information and implementing IPSec for the data transmitted from the ISA server to the SQL server. In order to log to a SQL database, you will need to ensure that the system policy rule that allows remote logging using NetBIOS transport to trusted servers is enabled on the ISA server.
Tip

The Microsoft Log Parser is a free command-line tool that ships with the IIS 6.0 Resource Kit Tools and can also be downloaded separately from the Microsoft Web site. It can be used to mine information from ISA firewall logs: you can use it to search, analyze, cross-reference, and export log files. For more information about Log Parser and how to use it with ISA logs, see the Microsoft Log Parser Toolkit, by Gabriele Giuseppini and Mark Burnett (published by Syngress Publishing).



Logging to a File

If you select to use the W3C file format, the data is stored along with information about the version, log date, and logged fields. The W3C format creates a tab-delimited file.

If you select to use the ISA Server file format, only the data itself is saved, and all fields are logged, whether selected or not, but unselected fields are shown as empty (marked by a dash). This format creates a comma-delimited file.

Another difference between the two formats is that W3C files denote the date and time in Coordinated Universal Time (UTC), whereas the ISA Server format uses the local time configured on the computer. Keep this in mind when you correlate ISA logs with other sources, such as the Windows event logs, which record local time; otherwise events that happened at the same moment can appear hours apart.

The files are stored by default in the ISALogs folder. You can change this location if you want. If the partition on which the logs are stored is formatted in NTFS (which we recommend), you can compress the log files to save space, although this may cause a reduction in performance (access time).

W3C and ISA Server log files, like MSDE files, are limited to 2GB, but a new file is started automatically when the limit is reached. ISA Server monitors log file size at ten minute intervals.
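The differences between the two file formats are exactly the ones that bite when you feed the files to your own tools. The following Python parser is added here as an illustration; it is not code from the book or from ISA Server. It reads a W3C extended log using its #Fields directive and an ISA Server format file using a caller-supplied field order, normalizes the UTC and local timestamps to one time zone, and treats a lone dash as "not logged". The field names, the sample rows, and the UTC-8 local zone are constructed for the example.

```python
"""Parsers for the two ISA Server 2004 file log formats.

Added example, not code from the book or from ISA Server. W3C files are
tab-delimited, self-describing (#Fields) and timestamped in UTC; ISA
Server format files are comma-delimited, header-less and timestamped in
local time. All field names and sample rows are constructed; a real W3C
log declares its own field list, which is what parse_w3c_log() uses.
"""
import csv
from datetime import datetime, timedelta, timezone
from io import StringIO

# Assumed local time zone of the ISA Server computer (UTC-8 on the sample
# date). Used only so the two formats can be compared on equal terms.
LOCAL_TZ = timezone(timedelta(hours=-8))

# Constructed W3C extended log sample with assumed field names.
SAMPLE_W3C = "\n".join([
    "#Software: (constructed sample)",
    "#Version: 1.0",
    "#Date: 2004-11-05 00:00:05",
    "#Fields: date time c-ip cs-username s-port cs-protocol s-action rule",
    "2004-11-05\t00:00:05\t10.0.0.15\tCORP\\alice\t80\tHTTP\tAllowed\tWeb access",
    "2004-11-05\t00:00:07\t10.0.0.23\t-\t445\tMicrosoft CIFS (TCP)\tDenied\t-",
    "2004-11-05\t00:00:09\t10.0.0.15\tCORP\\alice\t443\tHTTPS\tAllowed\tWeb access",
])

# The same three events as an ISA Server format file: no header, commas,
# local time (16:00 the previous day in this zone). The field order is not
# stored in the file, so the caller must know it (assumed here).
SAMPLE_ISA_FIELDS = ["date", "time", "c-ip", "cs-username", "s-port",
                     "cs-protocol", "s-action", "rule"]
SAMPLE_ISA = "\n".join([
    "2004-11-04,16:00:05,10.0.0.15,CORP\\alice,80,HTTP,Allowed,Web access",
    "2004-11-04,16:00:07,10.0.0.23,-,445,Microsoft CIFS (TCP),Denied,-",
    "2004-11-04,16:00:09,10.0.0.15,CORP\\alice,443,HTTPS,Allowed,Web access",
])


def _stamp(date_s, time_s, tz):
    """Combine the date and time columns into one tz-aware datetime."""
    naive = datetime.strptime(date_s + " " + time_s, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=tz)


def _row_to_record(fields, values):
    """Map column names to values; a lone '-' means the field was not logged."""
    if len(values) != len(fields):
        raise ValueError("expected %d fields, got %d: %r"
                         % (len(fields), len(values), values))
    return {f: (None if v == "-" else v) for f, v in zip(fields, values)}


def parse_w3c_log(text, local_tz=LOCAL_TZ):
    """Parse a W3C extended log. Directive lines (#...) are skipped except
    #Fields, which names the columns. date/time are UTC in this format, so
    the combined 'timestamp' is built as UTC and converted to local_tz."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data row before #Fields directive")
        rec = _row_to_record(fields, line.split("\t"))
        if rec.get("date") and rec.get("time"):
            rec["timestamp"] = _stamp(rec["date"], rec["time"],
                                      timezone.utc).astimezone(local_tz)
        records.append(rec)
    return records


def parse_isa_format_log(text, fields, local_tz=LOCAL_TZ):
    """Parse an ISA Server format log: comma-delimited, no directives,
    every field present ('-' for unselected ones), times already local."""
    records = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        rec = _row_to_record(fields, row)
        if rec.get("date") and rec.get("time"):
            rec["timestamp"] = _stamp(rec["date"], rec["time"], local_tz)
        records.append(rec)
    return records


def same_events(w3c_records, isa_records):
    """True if both parses describe the same events at the same instants;
    run this before mixing the two formats in one analysis."""
    if len(w3c_records) != len(isa_records):
        return False
    return all(a["timestamp"] == b["timestamp"] and a["c-ip"] == b["c-ip"]
               for a, b in zip(w3c_records, isa_records))
```

With the samples above, the W3C row stamped 2004-11-05 00:00:05 UTC and the ISA-format row stamped 2004-11-04 16:00:05 local resolve to the same instant once both are expressed in LOCAL_TZ, which is the check same_events() performs.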
Note

Regardless of the logging method you choose, logs should always be stored in a secure location. Access to logs should be tightly controlled to prevent accidental or deliberate modification.



How to Configure Logging


You can configure logging separately for each of the three services (Firewall, Web Proxy, and SMTP Message Screener). Click the Logging tab in the Monitoring node, and select Configure Firewall Logging, Configure Web Proxy Logging, or Configure SMTP Message Screener Logging in the right task pane, as shown in Figure 12.36.


Figure 12.36: Configuring Logging Separately

Configuration is basically the same for each service, with a few differences. In our example, we will configure logging for the Firewall service. The first step is to ensure that the Enable logging for this service box at the bottom of the Log tab is checked (it is enabled by default). Next, you need to configure the log storage format, as shown in Figure 12.37.


Figure 12.37: Configuring Log Storage Format


Configuring MSDE Database Logging

By default, the MSDE database format is selected. To configure it, click Options, which will display the Options dialog box shown in Figure 12.38.


Figure 12.38: Configuring MSDE Database Logging


Here you can select whether to store the MSDE database files in the default location in the ISALogs folder, or in a different folder. To do the latter, type in the folder path or click the Browse button to browse to the folder where you want to store the logs.

Next, you can set a limit on the total size of all log files, in gigabytes. The default is 8 GB. You can also set an amount of free disk space that is to be maintained, in megabytes. The default is 2048MB (2 GB).

You can also determine what ISA Server will do when the log limits are reached: either delete the oldest files to make room for new ones, or discard the new log entries. Finally, you can select to automatically delete files that are older than a specified number of days (by default, this option is selected and the default time period is 7 days).
Note

The Compress log files option is grayed out because you can't compress MSDE files. You can only compress when logging to a W3C or ISA Server format file.


On the Fields tab, you can check the fields that you want logged or uncheck those you don't want logged. If you want to log all fields, you can click the Select All button or you can clear all fields with the Clear All button. By default, all fields are logged except the following:



Bidirectional



Source proxy



Destination proxy



Client host name



Destination host name



Network Interface



Raw IP Header



Raw Payload



Clicking the Restore Defaults button returns the selection to this default set of fields.


Configuring Logging to a File

If you choose to log to a file, you will need to select the file format from the drop-down box: either ISA Server file format or W3C extended log file format. When you click Options, you will see the same options you were given for MSDE logging (location to store the log file, storage limits, actions for maintaining storage limits), but you will also see that the Compress log files checkbox is now available.


Configuring Logging to a SQL Database

If you choose to log to a SQL database, you will first need to set up a SQL server for ISA Server logging. This involves configuring the SQL server to accept the Open Database Connectivity (ODBC) connection from the ISA Server. If the SQL Server and the ISA Server are in the same Windows domain (or in domains with an appropriate trust relationship), you can use Windows authentication; if they are not, you will have to create a SQL Server login for ISA Server and use SQL authentication.
Tools and Traps...Setting Up the SQL Server for ISA Logging


To set up logging to a SQL server, you will first have to prepare the SQL database and tables. Fortunately, the ISA Server installation CD contains two SQL scripts, fwsrv.sql and w3proxy.sql, that will create the tables used to record the Web Proxy and Firewall service data. You will have to modify these scripts by adding SQL statements to use an existing database or create a new one to store the tables. You can use the SQL Query Analyzer tool that comes with SQL Server to run these scripts to create the tables. After setting up the SQL tables, you will have to configure appropriate permission for the Windows or SQL account used by ISA Server to be able to query and insert data.
Once you have the SQL server set up, on the Log tab of the Firewall Logging Properties dialog box, you'll need to enter the name of the ODBC data source and a table name. Then you may need to set a user account. To do so, click Set Account, and enter the user name and password (twice) in the Set Account dialog box. You can browse for a user by clicking the Browse button.

You'll need to enable the necessary Remote Logging configuration groups in the System Policy Editor.
Note

There are many complex issues related to configuring SQL server authentication and creating SQL databases that are beyond the scope of this chapter. Consult the SQL Server 2000 documentation or download the SQL Server 2000 Books Online (updated in 2004) from the Microsoft Web site at www.microsoft.com/sql/techinfo/productdoc/2000/books.asp.


To configure Web Proxy or SMTP Message Screener logging, the procedure is the same as for Firewall logging. The primary difference is in the available fields to be logged. In addition, you'll find that all log storage formats except File are grayed out in the SMTP Message Screener Logging properties dialog box.


How to Use the Log Viewer


The log viewer will show you entries being logged in real time as they happen. Each event is displayed in the log viewer as soon as it is logged. Click the Logging tab to use the log viewer. The default filter displays all log records for the Firewall or Web Proxy logs. To display these records, click Start Query in the task pane. Entries will continue to be added to the display in real time until you click Stop Query.

Because the log viewer contains many columns, you might want to close the console tree pane and/or the task pane to provide more room. Even if you do, you will probably still have to scroll to see all the default columns. The log viewer is shown in Figure 12.39.


Figure 12.39: The Log Viewer with Default Filter

By default, the following columns are shown:



Log time



Destination IP



Destination port



Protocol



Action



Rule



Client IP



Client user name



Source network



Destination network



HTTP method



URL



You can add additional columns, such as MIME type, source or destination proxy, referring server, and many others. To do so, or just to view a list of available column headers, right-click any column header and select Add/Remove Columns.


How to Filter the Log Information


You can filter the information in log viewer similarly to the way you filtered the sessions information. As with the sessions filters, only those entries that meet all of your specified criteria will be displayed.

If you have logged to an MSDE database, you can also filter by log time. This allows you to display log data entered during a specific time period (rather than live data). You can only set the log time to something other than live for MSDE databases. This is referred to as offline viewing.

To configure a filter, click Edit Filter in the task pane. The Edit Filter dialog box is shown in Figure 12.40.


Figure 12.40: Editing a Log Filter

In the Filter by field, select the desired criteria.
ISA Server Mysteries...Can't Remove The Default Criteria


Note that you cannot remove the default entries. When you click either the Log Record Type or Log Time entry, the Remove button is grayed out. If you try to create a new entry for Log Record Type or Log time, when you click Add to List, you will get a message that only one Log Record Type (or Log Time) expression is allowed in a query.

So how do you change these parameters? Here's the secret: Click the one you want to change to highlight it, make the change in the Value field, and then click Update.

You can choose from the following criteria by which to filter:

Action

Authenticated client

Bidirectional

Bytes received

Bytes sent

Cache information

Client agent

Client host name

Client IP

Client user name

Destination host name

Destination IP

Destination network

Destination port

Destination proxy

Error information

Filter information

HTTP method

HTTP status code

Log Record type

Log time

MIME type

Network interface

Object source

Original client IP

Processing time

Protocol

Raw IP header

Raw payload

Referring server

Result code

Rule

Server name

Service

Source network

Source port

Source proxy

Transport

URL

Some of these criteria apply only to one or the other log type (Firewall or Web Proxy).

When you configure the log record type, you can select to display entries from both the Firewall and Web Proxy logs, from the Firewall log only, or from the Web Proxy log only. Note that you cannot display entries from the SMTP Message Screener log in the log viewer.
Tip

There will be no SMTP Message Screener log until you configure the Message Screener on the ISA Server computer.


When you configure the log time, in the Condition field the default is Live (and that is the only option if you are not logging to an MSDE database). If you're logging to MSDE, you can select any of the following:



Last 24 hours



Last 30 days



Last 7 days



Last hour



Live



On or after



On or before



If you choose one of the last two, you'll need to select a date and time in the Value field.

After you have specified all the desired criteria for filtering, click Start Query to display the entries filtered by your criteria.
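The filter rules described above (one fixed Log Record Type expression and one fixed Log Time expression that can be updated but not added a second time, Live versus offline time windows, and AND semantics across all criteria) are modelled by the following Python, added here as an illustration and not taken from the book or from ISA Server. The records, the column names used as keys, and the per-field conditions Equals, Not equal and Contains are assumptions for the example; the Log Time conditions are the ones listed above.

```python
"""Offline model of the ISA Server 2004 log viewer's filter semantics.

Added example, not code from the book or from ISA Server. Records are
constructed; their keys follow the log viewer's column names, the Log Time
conditions are the ones the viewer offers, and the per-field conditions
(Equals, Not equal, Contains) are assumed. Timestamps are naive local times.
"""
from datetime import datetime, timedelta

NOW = datetime(2004, 11, 5, 12, 0, 0)          # when Start Query is clicked
SAMPLE_CUTOFF = datetime(2004, 11, 5, 11, 45)  # a Value for On or after


def _rec(rid, rtype, stamp, client_ip, port, action):
    return {"id": rid, "Log Record Type": rtype, "Log time": stamp,
            "Client IP": client_ip, "Destination port": port, "Action": action}


SAMPLE_RECORDS = [
    _rec(1, "Firewall", datetime(2004, 11, 5, 11, 30), "10.0.0.23", "445", "Denied"),
    _rec(2, "Web Proxy", datetime(2004, 11, 5, 11, 31), "10.0.0.15", "80", "Allowed"),
    _rec(3, "Firewall", datetime(2004, 11, 4, 9, 0), "10.0.0.23", "445", "Denied"),
    _rec(4, "Firewall", datetime(2004, 11, 5, 11, 45), "10.0.0.40", "135", "Denied"),
    _rec(5, "Firewall", datetime(2004, 11, 5, 11, 50), "10.0.0.23", "445", "Denied"),
]

RELATIVE_WINDOWS = {
    "Last hour": timedelta(hours=1),
    "Last 24 hours": timedelta(hours=24),
    "Last 7 days": timedelta(days=7),
    "Last 30 days": timedelta(days=30),
}
ABSOLUTE_CONDITIONS = ("On or after", "On or before")
RECORD_TYPES = {
    "Firewall or Web Proxy": ("Firewall", "Web Proxy"),
    "Firewall": ("Firewall",),
    "Web Proxy": ("Web Proxy",),
}


class LogFilter:
    """One query: exactly one Log Record Type expression, exactly one Log
    Time expression, plus any number of other criteria, all ANDed."""

    def __init__(self):
        self.record_type = "Firewall or Web Proxy"  # the viewer's default
        self.log_time = ("Live", None)              # the viewer's default
        self.criteria = []

    def add_to_list(self, field, condition, value=None):
        # The viewer refuses a second Log Record Type or Log Time expression.
        if field in ("Log Record Type", "Log Time"):
            raise ValueError("Only one %s expression is allowed in a query" % field)
        self.criteria.append((field, condition, value))
        return self

    def update(self, field, condition, value=None):
        """Edit one of the two fixed expressions in place (the Update button)."""
        if field == "Log Record Type":
            if condition not in RECORD_TYPES:
                raise ValueError("unknown record type %r" % condition)
            self.record_type = condition
        elif field == "Log Time":
            if condition in ABSOLUTE_CONDITIONS:
                if not isinstance(value, datetime):
                    raise ValueError("%s needs a date and time in the Value field" % condition)
            elif condition != "Live" and condition not in RELATIVE_WINDOWS:
                raise ValueError("unknown Log Time condition %r" % condition)
            self.log_time = (condition, value)
        else:
            raise ValueError("use add_to_list() for other fields")
        return self

    def _time_ok(self, stamp, now):
        cond, value = self.log_time
        if cond == "Live":                    # only entries logged from now on
            return stamp >= now
        if cond in RELATIVE_WINDOWS:          # offline viewing (MSDE logs only)
            return now - RELATIVE_WINDOWS[cond] <= stamp <= now
        if cond == "On or after":
            return stamp >= value
        return stamp <= value                 # On or before

    @staticmethod
    def _field_ok(rec, field, condition, value):
        actual = rec.get(field)
        if condition == "Equals":
            return actual == value
        if condition == "Not equal":
            return actual != value
        if condition == "Contains":
            return actual is not None and value.lower() in actual.lower()
        raise ValueError("unknown condition %r" % condition)

    def matches(self, rec, now):
        """Every expression must hold for an entry to be displayed."""
        if rec["Log Record Type"] not in RECORD_TYPES[self.record_type]:
            return False
        if not self._time_ok(rec["Log time"], now):
            return False
        return all(self._field_ok(rec, f, c, v) for f, c, v in self.criteria)


def start_query(flt, records, now=NOW):
    """Return the ids of the entries the viewer would display."""
    return [r["id"] for r in records if flt.matches(r, now)]
```

A query built as LogFilter().update("Log Time", "Last 24 hours").add_to_list("Action", "Equals", "Denied").add_to_list("Destination port", "Equals", "445") returns ids 1 and 5 from the sample: record 3 is the same kind of event but falls outside the window, and record 4 was denied on a different port. The default filter (Live) returns nothing from stored records, which is the behaviour you see when you are not logging to MSDE and cannot view offline.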
Note

If the Firewall service is stopped, either manually or automatically, the log viewer stops updating, and the ISA server goes into lockdown mode. The Firewall service might shut down automatically because of an alert (event trigger) that is configured to stop the service when a particular event, such as an intrusion attempt, occurs; as noted earlier, it also shuts down if a remote SQL logging server becomes unreachable. In lockdown mode, no incoming traffic other than DHCP traffic is allowed except for traffic specifically allowed by a system policy rule. To bring the ISA Server out of lockdown mode, restart the Firewall service.



Saving Log Viewer Data to a File


You can save the data displayed in the log viewer to a file by copying all results, or only selected results, to the Windows clipboard. To copy selected results, highlight the entries you want to copy (you can select multiple entries by holding down the CTRL or SHIFT keys). Click Copy Selected Results to the Clipboard. To copy all results, click Copy All Results to the Clipboard.

Then you can paste the copied results into a text editor, such as Notepad, as shown in Figure 12.41.


Figure 12.41: Saving Log Viewer Data by Copying to the Clipboard

Once you have the data in a text editor, you can save it as a text file. However, note that you can only display up to ten thousand results in the log viewer, so even if you copy all results, you may not get all entries in the log.


Exporting and Importing Filter Definitions


You can save your filter definitions in the same way you did with sessions filters, by selecting Export Filter Definitions in the task pane and selecting a location and file name. The filters are saved as .xml files. You can then load them by selecting the Import Filter Definitions in the task pane.

Because there are so many different filtering criteria available for filtering log information, it is handy to be able to save a number of different filters and import them when they are needed.

Generating, Viewing, and Publishing Reports with ISA Server 2004


The reporting function is where it all comes together; this is where you create reports that summarize or detail the information in the log files in such a way that allows you to easily analyze the data and spot patterns, trends, and anomalies.

You can track usage for bandwidth allocation purposes, or you can track access for security purposes. With the reporting feature, you can generate reports manually or schedule report jobs to be run on a regular basis. The reporting component creates a database in the ISASummaries folder (by default) on the ISA Server computer. Reports are based on summaries of the Firewall and Web Proxy logs.


How to Generate a One-time Report


To create a report, click the Reports tab in the Monitoring node. This will show you a listing of all reports that have been generated, or are in the process of generating, as shown in Figure 12.42.


Figure 12.42: The Reports Display

To create a new report, click Generate a New Report in the task pane. This invokes the New Report Wizard, which creates a single, one-time report as soon as you finish it. On the first page, you'll be asked to give your report a name.

On the next page of the wizard, you can select the type of content to include in this report. You can choose any or all of the following:



Summary



Web Usage



Application Usage



Traffic and Utilization



Security



In our example, shown in Figure 12.43, we've selected to include only Web usage data.


Figure 12.43: Configuring Report Content

Click Next, and you'll be asked to specify a reporting period (start date and end date). Because the reports are based on daily log summaries, you cannot include the present date as the end date.

On the next page, you will have the option to publish the report to a directory. You can type in a path or browse to the folder where you want to save the report. If you click Browse, you can use the Make New Folder button to create a new folder in which to save the reports. It will be named New Folder by default, but you can right-click it and rename it from within the Browse for Folder dialog box.

You may need to enter an account name and password of an account that has permission to write to the specified directory. If so, check the Publish using this account checkbox, as shown in Figure 12.44, and click Set Account to enter the account name and credentials.


Figure 12.44: Configuring Report Publishing

The report is automatically saved in HTML format.

On the next page, you can choose to have an e-mail notification sent when the report is completed. You'll need to enter the following information:



SMTP server name or IP address



Address from which the notification is to be sent



Address to which the notification is to be sent



CC: addresses of additional recipients, if any



Message for the body of the e-mail.



You can also check a checkbox to include a link to the completed published report within the e-mail message.

The last page of the wizard summarizes your choices. Use the Back button to make any changes, then click Finish to begin generating the report. The report will immediately appear in the Reports list, with the status shown as 'Generating,' as shown in Figure 12.45.


Figure 12.45: Generating the Report Upon Completion of the Wizard

Because it is a one-time report, the Period column will indicate 'Custom.'


How to Configure an Automated Report Job


You can configure a report job to generate reports on a daily, weekly, or monthly basis. This is handy for comparative purposes. For example, you might want to create a daily summary report, or a weekly Web usage report.
Note

The ISA Server Job Scheduler Service must be running in order to generate reports from report jobs.


To create a report job, click Create and Configure Report Jobs in the right task pane. This will bring up the Report Jobs Properties dialog box, shown in Figure 12.46.


Figure 12.46: Creating Report Jobs

Here you will see a list of all scheduled report jobs. To add a new report job, click the Add button. This invokes the New Report Job Wizard. On the first page of the wizard, you'll be asked to give your report job a name (for example, Weekly Web Usage Report).

On the next page, you can configure the report content in the same way you did for a one-time report.

On the third page, as shown in Figure 12.47, you can select the time interval to run the report job: daily, weekly, or monthly.


Figure 12.47: Scheduling the Report Job

If you choose to run the job weekly, you can select on which day of the week to run the job. If you choose to run the job monthly, you will be asked to specify a day of the month on which to run the job. You should not use days that some months don't have (29, 30 or 31) if you want the job to run every month. If you want a report that covers the entire preceding month, you should set this value to 1.

On the next page, you can configure the job to publish the reports to a directory in the same way you did with the one-time report. The following page allows you to configure an e-mail message to be sent when the report completes, also in the same way as was done for the one-time report.

Finally, the last page of the wizard summarizes your choices. When you click Finish, the job will be scheduled to run on the day(s) you specified. By default, the report will start generating at 1:00 a.m. on the specified day. You can change this by selecting the report job in the Report Job Properties dialog box and clicking Edit. Click the Schedule tab, and you can change the generation hour, as shown in Figure 12.48.


Figure 12.48: Editing the Report Job Properties


Other Report Tasks


There are a number of other report-related tasks you can perform from the task pane. You can configure the log summary by clicking Configure Log Summary. This brings up the Log Summary Properties dialog box, from which you can enable or disable daily and monthly summaries by checking a checkbox, as shown in Figure 12.49.


Figure 12.49: Configuring the Log Summary

You can also change the default report generation time here, and specify where the summaries are to be saved (by default, they are saved in the ISASummaries folder). You can also configure the number of daily and monthly summaries to save (from a minimum of 35 to a maximum of 999 for daily summaries, and from a minimum of 13 to a maximum of 999 for monthly summaries).
Note

Remember, the log summaries are the basis for reports. If you disable the log summary database, ISA Server will create the missing summaries if you generate a report. However, if you delete summaries that were previously created, ISA Server will not re-create them.


You can also customize each of the report content types, using the following task pane selections:



Customize Summary Content: You can specify the number of protocols to include, specify the number of top users to report on, specify the sort order for determining top usage, specify the number of top Web sites and the sort order for determining top sites, and specify the sort order for the cache hit ratio, either by requests or by bytes.



Customize Web Usage Content: You can specify the number of top protocols to include and specify the sort order for determining top protocols (requests, users, bytes in, bytes out, or total bytes), specify the number of top Web sites and the sort order, specify the number of top users and the sort order, specify the number of object types and the sort order, specify the number of Web browsers and the sort order, and specify the number of operating systems and the sort order.



Customize Application Usage Content: You can specify the number of top protocols and the sort order, number of top users and sort order, number of client applications and sort order, number of destinations and sort order, and number of operating systems and sort order.



Customize Traffic and Utilization Content: You can specify the number of top protocols and the sort order for cache hit ratio.



Customize Security Content: You can specify the number of clients who generate the most dropped packets and the number of users who cause the most authorization failures.
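The relationship between daily log summaries and report content is easier to see in code. The following Python is added here as an illustration and is not part of the book or of ISA Server. It builds per-day summaries from constructed log records and produces the two Security content items above for a reporting period, refusing to include the present date because reports are based on daily summaries. How ISA classifies a dropped packet or an authorization failure is not described on this page; the example counts denied Firewall entries and Web Proxy result codes 401 and 407 respectively, which is an assumption.

```python
"""Daily log summaries feeding the Security report content.

Added example, not code from the book or from ISA Server. Records are
constructed tuples. Counting a denied Firewall entry as a dropped packet
and a Web Proxy result code of 401 or 407 as an authorization failure is
an assumption about how ISA classifies them.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta

TODAY = date(2004, 11, 5)         # the present date on the ISA Server
PERIOD_START = date(2004, 11, 3)
PERIOD_END = date(2004, 11, 4)    # the latest day a report may cover

# (log date, record type, client IP, user name, action, HTTP result code)
SAMPLE_RECORDS = [
    (date(2004, 11, 3), "Firewall", "10.0.0.23", None, "Denied", None),
    (date(2004, 11, 3), "Firewall", "10.0.0.23", None, "Denied", None),
    (date(2004, 11, 3), "Firewall", "10.0.0.40", None, "Denied", None),
    (date(2004, 11, 3), "Web Proxy", "10.0.0.15", "CORP\\alice", "Allowed", 200),
    (date(2004, 11, 3), "Web Proxy", "10.0.0.15", "CORP\\bob", "Denied", 407),
    (date(2004, 11, 4), "Firewall", "10.0.0.40", None, "Denied", None),
    (date(2004, 11, 4), "Firewall", "10.0.0.40", None, "Denied", None),
    (date(2004, 11, 4), "Firewall", "10.0.0.40", None, "Denied", None),
    (date(2004, 11, 4), "Web Proxy", "10.0.0.15", "CORP\\bob", "Denied", 407),
    (date(2004, 11, 4), "Web Proxy", "10.0.0.16", "CORP\\carol", "Denied", 401),
    (date(2004, 11, 5), "Firewall", "10.0.0.99", None, "Denied", None),  # today
]


def build_daily_summaries(records):
    """One summary per log date, holding only the counters the Security
    content needs rather than the full log entries."""
    summaries = defaultdict(lambda: {"dropped": Counter(), "auth_failures": Counter()})
    for day, rtype, client_ip, user, action, code in records:
        s = summaries[day]
        if rtype == "Firewall" and action == "Denied":
            s["dropped"][client_ip] += 1
        elif rtype == "Web Proxy" and code in (401, 407):
            s["auth_failures"][user] += 1
    return dict(summaries)


def _top(counter, n):
    """Highest counts first; ties broken by name so the output is stable."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def security_report(summaries, start, end, today=TODAY, top_clients=5, top_users=5):
    """Combine the daily summaries for [start, end] into the Security
    content. The present date is refused because its daily summary is
    not complete until the day ends."""
    if start > end:
        raise ValueError("start date is after end date")
    if end >= today:
        raise ValueError("end date must be earlier than the present date")
    dropped, auth = Counter(), Counter()
    day = start
    while day <= end:
        s = summaries.get(day)        # a day with no summary adds nothing
        if s is not None:
            dropped.update(s["dropped"])
            auth.update(s["auth_failures"])
        day += timedelta(days=1)
    return {
        "period": (start, end),
        "top_dropped_clients": _top(dropped, top_clients),
        "top_auth_failure_users": _top(auth, top_users),
    }
```

For the sample, a report over 3-4 November lists 10.0.0.40 (4 dropped packets) ahead of 10.0.0.23 (2), and CORP\bob (2 authorization failures) ahead of CORP\carol (1); the denied entry dated 5 November is summarised but never reported, because that date cannot be the end of a reporting period.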




How to View Reports


Once a report has been generated, you can view it from the Reports tab in the Monitoring node of the ISA Server Management console. Double-click the report name, and it will open in your Web browser, as shown in Figure 12.50.


Figure 12.50: Viewing Reports

As you can see, the reports use graphs and tables to make the information easy to access and analyze. You can quickly move to different sections of the report by clicking the hyperlinks on the left side of the page.


Publishing Reports


If you didn't select to automatically publish the report to a directory when you configured the report job, you can publish it after it has been generated. Just highlight the report you want to publish and click Publish Selected Report in the task pane.

You will be asked to select a destination location for the report files folder. Click OK, and the report will be published to the folder. A new subfolder will be created within the selected folder (the folder name will be the report name plus the date). All the HTML and graphics files for the report will be stored there. To open the report itself from the folder, double-click the file named Report.

Reports need to be published if you want to view them on computers other than the ISA Server computer.
