As part of monitoring, it is vital that you get alerted when there is an intrusion or an attack taking place on your network. ISA has methods of identifying when an attack is attempted or taking place on your network. ISA Server compares network traffic and log entries to well-known attack methods that are used by hackers. ISA also has the capability of taking actions when these attacks are taking place.
ISA Server can be used to prevent the spread of the Code Red worm and its current (as of August 24, 2001) variants (such as Code Red and Code Red II). This has not been tested against the new Code Red.d variant.
ISA Server supports both distributed and hierarchical caching. In distributed caching, the ISA Server cache is distributed among array members. In hierarchical caching, different ISA Servers or arrays can connect to other ISA Servers or arrays for cached data access, or eventual access to the Internet. The array closest to the Internet is considered the "upstream" array while the array that is most far from the Internet is considered the "downstream" array. Aside from caching, a chained configuration can provide authentication functions as well.
All ISA Server clients can use the Web Proxy service. SecureNAT, Firewall and Web Proxy clients can have access to it. However, the way these different ISA Server clients access the Web Proxy service differs. These differences are important because they impact how you approach securing and monitoring of web content.
I've noticed a lot of people are having problems with setting up ISA Server to take inbound VPN calls. ISA Server supports VPN connections from external clients on the Internet. Virtually any computer that is able to act as a PPTP or L2TP/IPSec client can connect to your network through the ISA Server. However, everything has to be set up right in order to make this work.
Some help is often better than none (especially when its free) so lets give some attention to the built-in set of Intrusion Detection mechanisms. When enabled, ISA will identify when an attack is attempted against your network and performs a set of manually configured alerts in case of an attack. To detect unwanted intruders, ISA Server compares network traffic and log entries to well-known attack methods. Suspicious activities trigger alerts. Actions include connection termination, service termination, e-mail alerts, logging, and others.
How to create an Alert for Intrusion Detection.
How to create a packet filter for dropping ICMP Packets (Ping Requests).