Let’s look at the log configuration first and make sure that we’re set up to record the packets that we’ll need to view. Open ISA 2004 Management and click on Monitoring. Select the Logging tab. On the Task pad click Configure Firewall Logging. Select the Fields tab and make sure that all fields are selected. When troubleshooting, more information is better than less.
Select the Log tab. The default logging type is file. This is fine and it will record everything but you won’t be able to use the GUI to search through the logs. To enable searching capabilities you’ve got to switch to MSDE. Select MSDE and press the Options button. Here you can control where the MSDE database will be stored, how large it can grow, how much guaranteed drive space you want left and how you want ISA to trim the log files when they reach the limits you’ve set.
Here’s an example of how to set up your MSDE log settings. You may choose any options that make sense for your environment. When you are finished configuring these options click OK to save them.
Configure Web Proxy Logging in the same manner by clicking on Configure Web Proxy logging in the task pad.
Now that your logging is configured let’s take a look at what you can do with it.
At the top of the Logging tab are the elements of your log query. The default elements are Log Record type = Firewall or Web Proxy client, Log time = Live, and Action does not = Connection Status. Leaving the defaults, click on Start Query in the task pad. After a moment the query results will start to appear. This is a live look at the incoming and outgoing packets on your network. Let this query run until you have a full screen and then click Stop Query on the task pad.
Now that we have some packets to work with, right click on the column heading and select Add/Remove Columns. Here you are able to change which columns in the log you are viewing. It’s often advantageous to know what the transport is, so let’s go ahead and add a column for transport. Click on Move Up until it’s the first column in the list.
Something happens right away to your view. You can now see the transport for each of the packets that you previously captured. You can add/remove columns at will. Doing so doesn’t change what ISA is recording, only what you are seeing in this pane.
Now choose a group of similar packets. Using the mouse, click at the top of a group of packets, then shift-click the bottom of the group to highlight them. Or ctrl-click to select a few individual packets. Once you have them highlighted click Copy Selected Results to the Clipboard from the task pad.
Launch Excel, right click and paste in your packet log information. Right away you’ll see that there’s a lot more information. When you copy and paste you get all columns of information. Trim it down by deleting the columns with no data or those that you aren’t interested in. Sometimes you want to be able to create a report or save a specific group of logged packet information for later. Excel is a great tool for this.
After you’ve captured log data into an MSDE database you’ll be able to pull up historical data onto the Logging tab. On the task pad click on Edit Query. Here you can narrow down your query results and also take a look into the past.
For example, if you want to look for packets that were denied in the last week, you’d select the Log Time filter. At the bottom of the page, change the condition to Last 7 Days and press the Update button. If you also want to only look at data from a specific client on the network then under Filter by, choose Original Client IP, under Condition choose Equals and enter the IP address of the workstation that you’re interested in viewing in the Value box. Click Add To List. Then click Start Query to see the packets.
Now that you know how the very cool logging features of ISA 2004 work you can use them when troubleshooting.
A user has come to you and complained that she can’t get to a particular website, or more likely she is unable to perform a particular function on a website. You’ve got two options for figuring out how to adjust your firewall policy so she can do what she needs to do.
- Option 1: Fire up live logging, then have the user show you what she can’t do. Go back over to the server, stop live logging, locate the Action tab, find the denied packets and look at the destination port, rule and the error code. (If these columns aren’t in your view, add them.) The combination of error code and rule will provide you with the reason why the packet was denied. The destination port will tell you which port was denied.
- Option 2: Edit the Query and change the log time to either 7 days or 30 days, depending on when the problem last occurred, and proceed from there as under Option 1 without the user’s assistance. Remember, if you want to save your results for easy viewing later, or you want to print them, copy them into Excel.
Now you have lots of information: you know which port was denied, for whom, the error and which rule is blocking the traffic.
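The same narrowing the Edit Query steps and Option 2 describe (denied packets only, within the last N days, optionally for one Original Client IP), reduced to the port / rule / error code / client facts the troubleshooting steps ask for. This is an added example, not part of the original article or any ISA Server tooling; it assumes the copied log rows are tab-separated with a header row, and the sample rows, result codes and rule names are constructed placeholders.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: a few rows in the shape you might get after
# "Copy Selected Results to the Clipboard" (tab-separated is an assumption).
# "code-A" is a placeholder, not a real ISA result code.
SAMPLE_LOG = """\
Log Time\tOriginal Client IP\tDestination Port\tAction\tResult Code\tRule\tTransport
2004-06-01 09:15:02\t10.0.0.25\t8443\tDenied Connection\tcode-A\tDefault rule\tTCP
2004-06-01 09:15:03\t10.0.0.25\t8443\tDenied Connection\tcode-A\tDefault rule\tTCP
2004-06-01 09:16:10\t10.0.0.25\t80\tAllowed Connection\t0\tAllow Web\tTCP
2004-05-20 11:00:00\t10.0.0.25\t8443\tDenied Connection\tcode-A\tDefault rule\tTCP
2004-06-01 09:17:45\t10.0.0.31\t5190\tDenied Connection\tcode-A\tDefault rule\tTCP
"""


def parse_log(text):
    """Parse tab-separated log rows (with header) into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def denied_summary(rows, now, days=7, client_ip=None):
    """Apply the GUI query in code: Action = denied, Log Time within the last
    `days`, and optionally Original Client IP = client_ip.  Returns a Counter
    keyed by (client IP, destination port, rule, result code), which is exactly
    the information needed to decide how to adjust the firewall policy."""
    cutoff = now - timedelta(days=days)
    summary = Counter()
    for r in rows:
        if not r["Action"].startswith("Denied"):
            continue  # same as the "Action = Denied" filter
        logged = datetime.strptime(r["Log Time"], "%Y-%m-%d %H:%M:%S")
        if logged < cutoff:
            continue  # same as "Log Time = Last N Days"
        if client_ip and r["Original Client IP"] != client_ip:
            continue  # same as "Original Client IP Equals <value>"
        key = (r["Original Client IP"], int(r["Destination Port"]),
               r["Rule"], r["Result Code"])
        summary[key] += 1
    return summary


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    # Fixed "now" so the constructed sample evaluates the same way every run.
    for key, count in denied_summary(rows, datetime(2004, 6, 1, 12, 0, 0)).items():
        print(count, "denied:", key)
```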
What do you do with this information? It depends on the error. Here are a few possibilities:
- Create a rule to allow traffic on the denied port. Keeping in mind that ISA processes rules from the top down, put this new rule just above the rule that blocked the traffic.
- If the error code indicates that it’s an authentication issue, then you’ll have to configure that application to use the ISA as its proxy to the Internet or allow that destination URL or IP direct access to the Internet. Java apps are notorious for this.
- If the error code indicates that there was a protocol problem you should install the Firewall Client on the workstation. Firewall Clients are trusted PCs and do not require that a protocol be defined on ISA 2004 for that workstation to use that protocol.
- A combination of the above. Generally this isn’t necessary but sometimes applications use multiple ports, protocols and even methods of authentication.
Now that you know how to use ISA 2004’s logging features you’ll be able to diagnose whether or not ISA is actually blocking the user from performing an Internet task, and if so, why.