SolutionBase: Monitoring, logging, and reporting with ISA Server 2004

You've put ISA Server 2004 in charge of protecting your network. How do you know if it's doing a good job? Start by using these monitoring and logging techniques.

An often overlooked but important feature of any business-class firewall product is its ability to monitor, log, and report security events. In today's business environment, it's not enough to detect and prevent intrusions; we also need to document attempted and successful attacks for a number of reasons.

Documentation helps us to discern patterns and trends that lead to better security practices, and it may help IT administrators justify their budget expenditures (and proposed expenditures) to management. We also need a way to monitor outgoing traffic in order to keep track of what internal users are doing, to protect the company from liability, and to discourage lost productivity due to too much personal use of the Internet.

One of many improvements made to ISA Server 2004 is an enhanced monitoring, logging, and reporting mechanism. In this two-part series, we'll take a look at how to use these features to our best advantage. Part one addresses the monitoring node in the ISA Server Management Console and explains how to use the Dashboard, how to view and configure alerts, and how to monitor sessions and services. In part two, we'll look at monitoring server connectivity, configuring and querying the logs, and generating reports.

Author's note

This article is based on ISA Server 2004 Standard Edition (SE). There are some differences (notably, an extra tab) in the monitoring interface for Enterprise Edition (EE), which was still in private beta testing at the time of this writing.

The Monitoring node

As with all other ISA Server tasks, with the exception of performance monitoring, firewall monitoring is done from the ISA Server Management Console. To open the console, click Start | All Programs | Microsoft ISA Server | ISA Server Management, or run msisa.msc from the Microsoft ISA Server program folder.

In the left pane of the ISA MMC, expand the name of your ISA server and click the Monitoring node, as shown in Figure A.

Figure A

Open the Monitoring node on the ISA 2004 Management Console.

You'll see these seven tabs across the top of the middle details pane (in Standard Edition): Dashboard, Alerts, Sessions, Services, Reports, Connectivity, and Logging.

You'll also see the Tasks pane on the right, which contains a Tasks tab and Help tab. The contents of the Tasks and Help tabs change, depending on which middle details tab you've selected.

Let's take a look at each of the tabs and how you can use their interfaces to perform ISA Server monitoring, logging, and reporting tasks.

The Dashboard

The first tab presents an interface concept that's entirely new to ISA Server: the Dashboard. This is a summary page designed to give administrators a quick, at-a-glance overview of the subsequent tabs. The information is provided in real time, and it's a useful starting place for troubleshooting or checking the status of your ISA Server firewall.

By clicking the up arrow in the top-right corner of each window, you can "roll up" some of the windows if you want the Dashboard to show only specific windows. To display a window again, just click the down arrow to roll it back down. Figure B shows the Dashboard with all windows rolled up except the Services and Alerts windows.

Figure B

You can roll up some of the Dashboard windows if you don't want them displayed.

When you're viewing the Dashboard, the Tasks tab contains two selections. You can click Refresh Now to update the Dashboard data, or you can click Automatic Refresh Rate to set the rate at which the data will automatically refresh. The refresh rate for each is as follows:

  • None: The data doesn't automatically refresh. You can manually refresh it by clicking the Refresh Now option.
  • Low: The data refreshes at 120-second intervals.
  • Medium: The data refreshes at 60-second intervals (the default).
  • High: The data refreshes at 30-second intervals.

Drilling down on the monitoring tabs

Note that the Dashboard view gives only a summary of the information that's available on the other tabs. Let's look at each of those in detail.

Viewing and configuring alerts

Alerts occur when predefined events occur. You can set the alert feature to notify you via e-mail when a specific alert event occurs. You use the Alerts tab to view alerts that have been triggered and to configure alert events. For example, in Figure C, you can see that the Service Started alert was triggered by the starting of the firewall service.

Figure C

Use the Alerts tab to configure and view alerts.

Alerts that have been triggered appear in the middle details pane, with one alert to each line. If there are multiple alerts of the same type, a plus sign will appear by the alert name, and you can expand it to see all instances of the alert.

You can reset an alert (or multiple alerts) by selecting it in the middle pane and then clicking the Reset Selected Alerts option in the Tasks pane. Or, you can right-click the alert and select Reset. When you reset an alert, it will disappear from the details pane, and monitoring for the triggering event will start over.

You can also acknowledge alerts. This prevents them from showing up in the Dashboard view, but doesn't remove them from the Alerts tab view. In the Alerts view, the status will be shown as acknowledged; you can use this to indicate to other administrators (or as a reminder to yourself) that you've already noted the alert and you're handling it.

To see the alert definitions that are preset, or to configure new ones, click Configure Alert Definitions in the Tasks pane. You'll see the Alert Definitions shown in Figure D.

Figure D

You can view the alerts that are currently set or add new ones through the Alert Definitions.

Check the box to enable an alert event, or uncheck the box to disable it. To add a new alert definition, click the Add button to invoke the New Alert Wizard. You'll be asked to select events and additional conditions from a drop-down box. For example, you can configure an alert to trigger if a particular log fails, such as the ISA Server Firewall service, as shown in Figure E.

Figure E

You can configure new alert definitions with the New Alert Wizard.

When you create a new alert with the wizard, you can specify an action to be performed when the alert is triggered. Your choices include:

  • ISA Server will send you an e-mail notification of the alert.
  • ISA Server will run the program you specify.
  • ISA Server will report the event to the Windows event log.
  • ISA Server will stop selected ISA Server services (the firewall service and/or the Job Scheduler).
  • ISA Server will start selected ISA Server services (again, the firewall service and/or the Job Scheduler).

Note that you can select more than one of these options. If you select to have an e-mail message sent, you'll be asked to enter an SMTP server name or IP address, along with sender and recipient information, as shown in Figure F.


When you choose to have an e-mail notification sent, you must first ensure that the ISA firewall has an access rule or system policy rule in place that allows the firewall to send the SMTP message to the destination SMTP server.

Figure F

You can configure ISA Server to send an e-mail message when an alert is triggered.

If you select to run a program when an alert is triggered, you'll be asked to enter the path or browse to the location of the program's executable file. You can choose to run the program under the local system account or specify a username and password for another account under which it should run.

The last page of the wizard will summarize your selections and give you the chance to go back and change anything that's incorrect. If all is well, just click Finish and the new alert definition will be created.

You can make changes to an alert by highlighting it in the Alert Definitions box and clicking the Edit button. For example, you might want to edit one of the preset definitions to cause ISA Server to send you an e-mail message when it's triggered.

The properties box for an alert has three tabs: General, Events, and Actions, as shown in Figure G.

Figure G

You can make changes to an alert by editing its properties sheets.

The General tab contains fields for the alert's name; an optional description; a category (Security, Cache, Routing, Firewall Service, or Other); a severity rating (whether the alert condition indicates an error, a warning, or information only when recorded in the Event log); and a check box for quickly enabling or disabling the alert.

The Events tab, shown in Figure H, contains a field for the event that triggers the alert (which may be the same as the name); a description; and additional conditions that may limit the scope of the alert. For example, if the event is a DNS intrusion, you can select to trigger the alert for all DNS intrusions or for only a specific type (DNS hostname overflow, DNS length overflow, or DNS zone transfer).

Figure H


On this tab, you can further specify that the event has to occur a specific number of times, or a specific number of times per second, in order to trigger the event. You might do this, for example, so you won't be notified of every isolated intrusion attempt. But if a large number is occurring within a short time period, you'll be notified. Finally, you'll be able to specify what behavior you want each subsequent time the event conditions are met. You can choose to trigger the alert immediately, only if the alert was manually reset (this is the default), or if the time since the last execution of the alert has been more than a set number of minutes.

The last tab is Actions, where you can configure ISA to send e-mail, run a program, write to the event log, or stop/start selected services for preset alert definitions. Using this tab, you can also select actions if you didn't do so when you created the alert definition.

Monitoring sessions

The Sessions tab lets you monitor the actions of a specific user on a specific computer, regardless of whether the computer is going through ISA as a firewall client, Web proxy client, or SecureNAT client.

To view the current sessions through the ISA firewall, click the Sessions tab. Because there are a large number of columns in this view, you might want to hide the left console tree pane (by clicking the Hide Console Tree button in the toolbar) and the right Tasks pane (by clicking the right arrow in the space between the middle and right panes). You'll then have a wider view, as shown in Figure I.

Figure I

You can view the sessions that are taking place through the ISA firewall from the Sessions tab.

As you can see, the ISA Server console displays the time each session was activated; the client type (firewall, Web proxy, or SecureNAT); the IP address of the client computer; the source network (where the client is located); the username; the client computer's host name or IP address; and the application being used.


Because SecureNAT clients are not authenticated, you won't see usernames associated with those sessions. You'll see the IP address of the SecureNAT client computer instead of the computer name, and you won't see the application name.

Note that you can configure which columns are displayed by right-clicking a column header and checking the names of the columns you want displayed.

You can use Stop Monitoring Sessions and Start Monitoring Sessions in the Tasks pane (if you haven't hidden it), or you can right-click one of the sessions and select Stop Monitoring Sessions from the context menu. When you stop monitoring, the sessions are all cleared from the middle pane. If you just want ISA Server to stop adding new sessions to the display, select Pause Monitoring Sessions. This will not clear the sessions that are already displayed.

You can disconnect a session by right-clicking it and clicking Disconnect, or by highlighting it and clicking Disconnect Session in the Tasks pane.

You can use filtering to display specific sessions. This is handy for helping you find the sessions you want. Click Edit Filter in the Tasks pane to create a filter definition. You can filter by activation time, session type, client host name, IP address, username, source network, application name, or server name.

You can save filter definitions once you've created them, in case you want to filter by the same criteria in the future. You can also export and import filter definitions to use them on another ISA server.

Monitoring services

ISA Server installs several services: the firewall service, the ISA Server Control service, the Job Scheduler, and the Microsoft Data Engine (MSDE). You can use the Services tab to keep track of the ISA Server services that are running on the machine, rather than having to get out of the ISA Server Management Console and go to the Computer Management Console, or access the services through the Administrative Tools menu.

You can't start or stop the ISA Server Control service from the Sessions tab. You must stop this service from the command line. As Figure J shows, the details pane will display the service name and its status (whether it's running or stopped), as well as the amount of time the service has been up and running.

Figure J

You can view which ISA Server services are running on the ISA computer.

You can stop or start a service by right-clicking it and selecting Stop or Start from the context menu, or by highlighting it and making the appropriate choice from the Tasks pane.


ISA Server 2004 makes it easy for you to monitor firewall activities and ensure that you're alerted when they occur. You can also monitor, in real time, the sessions that are connected through the ISA Server and the services that are running on it.

In part two of this article, we'll look at monitoring server connectivity, configuring and querying logs, and generating reports.