Get your copy of the German language “Microsoft ISA Server 2004 – Das Handbuch”
Let’s begin
The ISA Server Best Practices Analyzer is a diagnostic tool like the well known EXBPA (Exchange Best Practice Analyzer Tool) that automatically performs specific tests on configuration data collected on the local ISA Server 2004 computer from the ISA Server hierarchy of administration COM objects, Windows Management Instrumentation (WMI) classes, the system registry, files on disk, and the Domain Name System (DNS) settings. You can use ISABPA for both ISA Server 2004 Standard and ISA Server 2004 Enterprise.
The resulting report details critical configuration issues, potential problems, and information about the ISA Server 2004.
First we need to download the ISA Server 2004 Best Practice Analyzer (ISABPA). After downloading you can install the ISABPA tool following the instructions of the wizard.
Please note:
ISABPA requires and installs .NET Framework 1.1.
Installation
Follow the installation instructions of the Microsoft ISA Server Best Practice Analyzer Tool Setup.
Figure 1: Installation of ISABPA
The installation process takes only some minutes.
Figure 2: Installation process
After installation ISABPA starts automatically unless you clear the checkbox.
Figure 3: Launch ISABPA after installation
Updating ISABPA
After installing ISABPA you can start a new Best Practice scan. If you haven’t used the ISA Best Practice Analyzer for a long period of time, it is recommended to look for an update of ISABPAs configuration. To update ISABPA click Update the ISA Server Best Practice Analyzer under See also.
Figure 4: Update ISABPA
ISABPA looks for online updates on the Microsoft website. If the update process finds new updates, ISABPA will be updated and the tool will be restarted.
After updating ISABPA you can start a new Best Practice scan by clicking the Start a new Best Practices scan button.
Figure 5: Start a new Best Practice scan
You can choose between three scantypes:
- Health Check + ISAInfo
- Health Check
- Run ISAInfo
The ISABPA health check executes an ISA Server 2004 diagnose based on the configuration file downloaded from the Microsoft website.
Isainfo is the well known tool to collect information about the ISA Server configuration and to display the configuration settings. You can download ISAInfo as a separate installation from here. ISAInfo is included in the ISA Server Best Practice Analyzer tool.
Figure 6: Start a scan
An ISABPA scan requires only a few minutes to execute. After collecting data, you can view the report of this Best Practices Scan.
Click View the report of this Best Practice scan.
Figure 7: View a best practice scan
In this example I have used an ISA Server 2004 without SP1 running on Microsoft Virtual Server 2005 R2. ISABPA reports that ISA Server 2004 is running on Microsoft Virtual OC which is not correct.
Figure 8: Analyze collected information
If you are using ISABPA for the first time or if you are an ISA beginner, you should spend some time reading the ISABPA help file which contains a lot of information about ISA Server, the analyzing process of ISABPA and best Practice recommendations.
Figure 9: ISABPA help file
After executing ISABPAs Health Check you can execute ISAINFO within ISABPA – theoretically. I had tried opening ISAINFO with ISABPA Version 2.5.3439.50 and the configuration file 4.0.3440.277 but I did not succeed. ISAInfo will NOT display information created by ISABPA. I also tried the ISAINFO option from ISABPA with different ISA Server 2004 Enterprise servers and ISA Server 2004 Standard servers in german and English language but with no success.
Figure 10: ISABPA – Run ISAInfo
ISABPA executes the ISAINFO tool correctly. ISAINFO creates an ISAINFO XML-file but this information will not be displayed in ISABPA. I assume that this is a bug in ISABPA.
To overcome this limitation you can start ISAINFO manually and open the XML file created by ISABPA. You can find the ISAINFO XML file in the ISABPA installation directory.
Figure 11: Manually executing ISAINFO
It is possible to automate the execution of ISABPA scans. To enable scheduled scanning click Schedule a scan and enable scan scheduling and the start time and run frequency.
Figure 12: Scheduling ISABPA scans
Bugs
- ISABPA reports ISA installed on Virtual Server 2005 R2 as Virtual PC.
- It is not possible to automatically create an ISAInfo Report. ISAInfo will be installed with ISABPA but you must manually execute ISAInfo with the XML file created by ISABPA.
- One guy in the German ISA Server newsgroup posted that ISABPA doesn’t listed any installed certificate although it was installed.
- The Link to the ISA Server 2004 Security Hardening Guide is wrong. The correct link is: http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx
I spoke with a member of the ISA Server Product team and they said that the first bug (wrong report of Virtual PC) and the wrong link will be corrected in a next ISABPA update/version.
ISABPA listed missing certificates only when there was no corresponding private key for this certificate.
For running ISAINFO on ISABPA you have to install the ISAINFO XML Parser which is not included in ISABPA.
Conclusion
In this article I have shown you how to use the ISABPA – ISA Server 2004 Best Practice Analyzer to analyze your existing ISA Server environment to find security holes, performance bottlenecks and configuration mismatches.
Related Links
ISABPA Download
http://www.microsoft.com/downloads/details.aspx?FamilyID=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en