Understanding ISA 2004 Monitoring (Part 1) – The Dashboard and Beyond

If you would like to read the second part of this series please read Understanding ISA 2004 Monitoring (Part 2)

In order to mature the IT life cycle, it is fundamental to report on the resources periodically to management so that decisions can be made in a timely fashion and so that service is not disrupted. The higher the risk of the asset being exploited and abused, the higher the safeguard and in most cases monitoring of such a safeguard is a good way of keeping the solution performing as it was intended. This approach will lead to a dynamic resolution of problems before they arise and in turn results in less down time and increased productivity.

Microsoft ISA 2004 monitoring has been drastically improved. In this article the focus is specifically about understanding ISA 2004’s new monitoring capabilities as well as focusing on the interpretation of the monitoring process. This approach will enable the IT professional to decipher what is being let through to other servers and hosts from each interface. Learning how to use ISA 2004 monitoring features helps the IT professional to achieve more in less time. 

To ensure that your customers, users or employees have access to internet resources at all times, in mission critical environments, you may need to guarantee that your ISA server is available 24 X 7 X 365 days a year. If you cluster your ISA servers you can possibly come close to achieving this goal. If the organization has budgetary restraints and is unable to license an additional ISA server the obvious choice would be close monitoring of the internet resources using ISA.

Monitoring is an important management skill to learn and will differentiate the IT professional from typical IT personnel. Monitoring introduces a level of measurement which ultimately assists the IT professional to manage the ISA server and the network accordingly. This is especially true when the data is collected and reported on to senior management.

Dashboard

Dashboard is a feature that was asked for by many ISA 2000 professionals. This enables the ISA administrator to quickly and effectively summarize the state of his/her ISA server. In ISA 2004 the dashboard is a great place to quickly see if all is well, it is also a good starting point when troubleshooting. Traditional monitoring practices introduce laborious patterns of looking through complicated logs distributed throughout the system in various places in many forms. This is not the case in ISA 2004 as a consolidated view has been designed, through the incorporation of input from various professionals in the field, resulting in a one glance machine room type approach. This has been produced to achieve easier administration of the ISA 2004 server by the IT professional.  

Operating the dashboard

The dashboard is a consolidated tab in, under the monitoring object in the ISA 2004 console. It represents the happenings of objects within the ISA 2004 server which require close monitoring. It provides the professional with an overview of how the ISA server is performing, how many users and devices are currently connected to the ISA 2004 server, the services running and state of the services critical to ISA 2004. Alerts are displayed by default and different options can be set up for utilization of each alert. However, the dashboard component depicts the current alerts that need to be revised by the ISA 2004 administrator.

The green check marks beside the description of each object changes colour as the state of each object changes, thus if a service fails the IT professional will no longer see a green check mark but rather a red cross indicating a problem with the services component.  These objects cannot be edited from this screen, if you need to edit them click on the object and the corresponding Tab should open.

Figure 1: The above Diagram shows the objects within the dashboard

The dashboard tool helps the trained eye identify problems quickly by using the snapshot presented. The status of the ISA 2004 server can be observed in one window view.

Alternative monitoring solutions

There are many alternative products that can monitor your ISA server and also inform the professional on the status of the ISA services and identify if they are up or down. In most organizations the Firewall, web proxy and the mail server are of paramount importance and users (the people that pay the IT staff’s salaries) do not tolerate much down time. Ultimately one should aim to proactively assess the ISA servers, knowing if it will fall over due to hardware restraints.

My feeling when explaining this concept to management and IT professionals is as follows. Once the ISA server is installed it is important to monitor the server closely and keep tabs on the resources it is using and to baseline the system, so that when the ISA sever is stressed, the professional is able to identify the occurrence.

In the field when auditing and visiting clients, I find that often the most overlooked aspect of the ISA implementation is the monitoring of the server and the rule base. Rules that used to apply no longer apply and are left open. The bandwidth requirements have also changed and due to this the organization could either save money by toning down the bandwidth requirements or may need to purchase more bandwidth depending on the present situation. Monitoring the ISA server is a good way of spotting such indicators.

The alert tab

The alert tab in ISA 2004 lets the professional configure an alert definition enabling specific actions to be performed based on the frequency of the occurrence. Programs or script files can be created to stop and start servers or services and enable e-mails to be sent when thresholds have been reached. This is particularly useful if you want to monitor the ISA server when you are away from the office, as an alert can be created that sends the email to an SMS gateway describing the violation or occurrence. The Security professional can then react accordingly with the appropriate response for the event. This is applicable in the case when an application has not already been pre-configured to react to a specific occurring event. This type of flexibility can alert the professional to many events. Below are some that are useful.

• Connection limit exceeded: This alert is useful when the Professional wants to be alerted that the clients have exceeded the connection limitations of the ISA server. This setting can be changed. However if a client reaches the connection limitation this may be an indication of DDOS or that there is something on the client machine that is using up more connections than the default amount.
• Dial on demand failure: The IT professional sets the ISA server up to dial on demand to an alternate ISP when the link goes down, or to backup the primary connection. It is important to know if this feature has failed as a denial of service has resulted and this alert is then generated and sent off to the ISA administrator informing them of the problem and the appropriate action can then be initiated.
• DNS intrusion: This intrusion can lead to a severe problem especially in organizations where the identity is needed by the business. Financial, governmental, health, commercial, legal, military and other trusted institutions should all have this option reported on, so that if an occurrence is identified the appropriate action is taken.
• Intrusion detected: This intrusion can lead to a severe problem especially in organizations where the identity is needed by the business. Financial, governmental, health, commercial, legal, military and other trusted institutions should all have this option reported on so that if an occurrence is identified the appropriate measure is taken.
• Event log failure: Hackers and intruders may aim at the event logs as a way of covering their tracks. Typically they create noise or excessive logging so that their intrusive attacks are lost amongst the hundreds of other events that are logged, thus do not overlook this alert.
• ISA Server computer restart required: If the ISA administrator has not initiated a computer restart then the respective people should be notified when this critical resource is taken down.
• No connectivity: This alert will make the professional aware that connectivity to a published server or an internet server has been interrupted. Note: if you are sending an email to an external SMS gateway and the internet connectivity goes down you are likely not to receive the notification. For this reason it is a good idea to have an internal gateway that is setup on the local network that functions wirelessly on cell phone type technology. These systems are cheap and easy to setup and often only require an SMTP gateway with GSM type software to be installed on a low spec computer.
• Log failure: Hackers and intruders may aim at the event logs as a way of covering their tracks. Typically they create noise or excessive logging so that their intrusive attacks are lost amongst the hundreds of other events that are logged, so do not overlook this alert.
• Service shutdown:  Hackers and intruders may aim at the services as a way of taking over the host computer. ISA has a failsafe security feature that locks down the server if the ISA services are shutdown, however the intruder may attempt to tamper with other services and this activity should be monitored.
• Service started: The only people starting up ISA services on an ISA server should be authorized ISA administrators. If ISA services are started they would have been stopped so it is a good idea to monitor the startup of these services.
• Service not responding: A service not responding could potentially result in a denial of service to the users and for this reason it is important to be alerted when this event occurs and the appropriate response should be followed.
• Service initialization failure: A service not initializing could potentially result in a denial of service to the users and for this reason it is important to be alerted when this event occurs and the appropriate response should be followed.
• Slow connectivity: Slow connectivity can result when the bandwidth is being over utilized because of business related activities and because of abuse, it could also indicate that the network segment being monitored needs to be upgraded due to high demands.
• Syn Attack: This old attack still makes its way into environments everywhere. For this reason you may want to monitor this, to issue out warnings to potential intruders or to identify intruders that could be a potential threat. Eventually these intruders, if left unmonitored, may start using more sophisticated attacks and this may be an early indication of identification of the intruders.

Summary

In this article the monitoring of ISA 2004 and its sub components were described and discussed, the IT professional was able to find specific information on Alerting, viewing and operation of the dashboard. This powerful component of ISA 2004 is often overlooked as a troubleshooting tool; when in fact it can help in identifying typical issues that occur with ISA 2004. The dashboard is a one stop component that will quickly identify and display any problems and performance related situations on the ISA 2004 server.

If you would like to read the second part of this series please read Understanding ISA 2004 Monitoring (Part 2)