Understanding ISA 2004 Monitoring (Part 2)

If you missed the first part of this series please read Understanding ISA 2004 Monitoring (Part 1).

The ISA 2004 developers have conveniently nested the entire monitoring suite of tools in one location for ease of use when monitoring ISA server 2004. Let’s go through the next few tabs following from article one in the monitoring series.

The Session Tab

In this tab under monitoring, the ISA administrator can view active connections. This mode makes it possible to end a connection after applying a rule. The client will then have to re-establish a connection to the ISA server and if the rule allows the connection, the connection will go forth. To make life easier the developers of ISA 2004 have also added a very useful filter option that helps to identify all of the session types, client types, source networks, client usernames (this field represents the client that the ISA server has authenticated if authentication is required) and application name. This monitoring feature is very useful, from a connection perspective, and for trouble shooting purposes you can quickly identify if a user is in fact reaching the ISA server from the remote location or if there is something preventing the client from connecting to the ISA server.

Over the years there has been discussion of what type of client to use in order to connect to the ISA server. I have written an article describing the types of clients that ISA support but a common question is what the final connection results in, if I use both a firewall client and an X type of connection. On this tab it is easy to create a filter for a specific client IP and then identify the type of connection and client type.

The Services Tab

Under this tab the ISA administrator can start, stop and view the ISA services running on the ISA host. The ISA service uptime is also reflected for the Firewall and Job scheduling service.




Microsoft Firewall service

Microsoft Firewall service (fwsrv)
Stopping this service will affect SecureNAT clients, Firewall clients, Caching, Web browsing and publishing.
To stop this service from a command line net stop wspsrv.exe


ISA Server Control Service

The ISA Server Control service (mspadmin) is used to restart the group of ISA Server services, generating alerts and deleting log files.
To stop this service from a command line net stop isactrl
all other ISA Server services will also be stopped.


Microsoft ISA Server Job Scheduler

Microsoft ISA Server Job Scheduler service (w3prefch) This service downloads defined cache content from Web servers.
To stop this service from a command line Net stop w3prefch

Cache related

The Report Tab

Under the report tab there are features that help to identify patterns that occur when clients use the ISA server. The ISA administrator can also use this tab to identify security breaches and attacks that may have occurred. Various reports can be modified and customized so that the business requirements are met. If more detail is needed and the internal reports are not sufficient, logs can be directed to a SQL database server and customized reports can be written so that information that is pertinent to the organization can be gathered and analyzed.

Reports that have been created previously appear under this tab and reports that are in the process of being compiled also appear here with a clock icon to relect this. Once the report is complete, the clock disappears and a green check mark is displayed. The ISA administrator can then at any time right click the report and view, publish or delete the report. ISA administrators are also able to generate default reports that come standard with ISA 2004. These reports typically summarize activities and highlight the top users and resources being used.

The Connectivity Tab

In ISA 2004 connectivity verifiers were introduced. These objects can be used to monitor connections to computers using their names, IP address and URL. The feature can be used to check if a site is up and accepting requests. This is achieved by sending a HTTP GET request to the web server to verify if the server is still servicing the URL. If the request times out (this timeout option can be set by the ISA administrator) then the ISA server will raise an alert and this in turn can send an email to the SMS gateway and notify the ISA administrator on his/her cell phone wherever they may be. This feature is very useful and can be used instead of purchasing extra monitoring software for your web/hosting environment and can be used in micromanagement of an ISP line.

A good example of this would be the likely scenario of an organization wanting to know if a leased line to an ISP was interrupted. A periodic ping request can be sent to a defined server on the internet and as long as the response is returned, no alert will be raised.

Note: the time out needs to be set and if the remote host has a firewall protecting ICMP may be blocked (because the ISP is most likely to be the way out of a network the alerting mechanism should be likened to a system that does not rely on the ISP for external communication, an example of this is a cell phone gateway).

This verification feature can monitor DNS, DHCP, active directory devices and web servers. By looking at this tab the servers that are up are represented as computers that have a green check mark reflected. Servers that are inaccessible have a red X mark reflected. This is a powerful tool and should be used to monitor uptime and availability.

The Logging Tab

As part of the maturation of IT processes and operations management, the logging and auditing side of the environment needs to be addressed and reported on periodically to management. The monitoring should also be done on a regularly scheduled basis and logs should be consolidated and stored remotely in a central environment within Microsoft MOM or in a log aggregation system like GFI S.E.L.M. This ensures that if an intruder was able to break through the many layers of defense on the network, and was able to manipulate the logs in any way, the records would be available. Many attackers use a flooding method to obfuscate matters. A classic example would be when an intruder connects to a host and sends lots of traffic and creates a flurry of events after the intrusion so that the log file fills up and does not log the intrusion due to space limitations.

Now that I have highlighted the background to logging, let’s get down to the logging portion of ISA 2004. Live logs are an improvement over the ISA 2000 server software in ISA 2004. An administrator is able to view traffic in its live connection state. If the network consists of over ten hosts this can be overwhelming and filtering is an option that makes sense. This is why ISA 2004 allows the administrator to filter by IP, hostname, protocol and many other interesting and useful filtering options are available to narrow down the complexity. This is a very powerful component that ISA 2004 has employed and should be used regularly when troubleshooting and identifying ISA problems that occur due to mis-configuration.

It is important to look at the logging first before establishing a rule, as specific ports can be identified when looking at the logs to and from a pre specified location. In the logging section an administrator can easily isolate problems and rules that are being denied for a specific reason. This section can be considered one of the most powerful features of ISA 2004 and certainly one of the major improvements over ISA 2000.

Adding more columns to get full logging capabilities

Figure A: The above figure depicts adding extra columns to the ISA 2004 server (this is done by right clicking on the existing columns).

For a full feature logging I like to add all of the columns.

Figure B: This figure depicts all the columns that can be added

The above described logging mechanisms are very useful when troubleshooting; using these new methods the ISA pro will be armed with more tools and should be able to easily troubleshoot previous illusive problems.


In this article the monitoring of ISA 2004 and its sub components were described and discussed, the IT professional was able to find specific information on logging connectivity and reporting. This powerful component of ISA 2004 is often overlooked as a troubleshooting tool when in-fact it can help in identifying typical issues that occur with ISA 2004.

If you missed the first part of this series please read Understanding ISA 2004 Monitoring (Part 1).

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top