In the following sections I’ll provide some basic insight into each of these
post-installation configuration options. However, because some of these topics are somewhat
complex, I’ll limit my discussion to a basic overview with some occasional hard-coded
recommendations. For other topics, you’ll need to get our ISA 2006 book (coming up
later this year), or read the Help file before making a final decision on some of these
configuration options.
1. In the ISA firewall console, right click the top node and click Export (Back Up).
Figure 1
Figure 2
4. On the Export File Location page, enter a name for the backup file in the text
box, then click Next.
Figure 3
To assign Enterprise roles, right click the Enterprise node in the left pane of the ISA
firewall console and click Properties. In the Enterprise Properties dialog box, click the
Assign Roles tab. You’ll see what appears in the figure below.
Figure 4
By default, the local administrator of the machine is set as an ISA Server Enterprise
Administrator. You can add other users as Enterprise administrators, but keep in mind
that since the ISA firewall is not a domain member, those user accounts must exist on the
ISA firewall itself. The other Enterprise role is ISA Server Enterprise Auditor. This
role enables the user assigned to it to view the configuration of the entire enterprise,
as well as perform all monitoring tasks, including configuring the ISA firewall’s log files,
configuring Alert Definitions, and monitoring all aspects of the enterprise and arrays in
that enterprise.
Figure 5
On the Configuration Storage tab you can set the polling interval. The default value is
15 seconds. You can change the value to 10 minutes, 60 minutes or a Custom (seconds)
interval where you set the number of seconds manually. Keep in mind that the longer the
interval, the longer it will take for the changes you make to distribute themselves from
the CSS to the active firewall policy.
Assign Array Roles
Array roles are different from enterprise roles. Users assigned enterprise roles are able to
exercise the privileges of their roles across all arrays in the enterprise. In contrast, roles
assigned at the array level apply only to the specific array to which those users are
assigned the specific role. The array role options are slightly different from what you see
at the enterprise level. Click the Assign Roles tab in the array’s Properties dialog box to
assign array roles.
Figure 6
Note that there are no default users assigned any type of role at the array level. There are
three array roles: ISA Server Array Administrator, which is similar to the role of
enterprise administrator, ISA Server Array Auditor, which allows the user to view the
ISA Server traffic logs for their array, and ISA Server Array Monitoring Auditor,
which gives the user viewing privileges over the entirety of their array, including
enterprise and firewall policy rules.
Configure Alert Definitions
The ISA firewall includes dozens of pre-built alerts. An alert is triggered when the
ISA firewall detects that the alert's trigger conditions are met. The behavior of the alerts can be
customized to meet your specific requirements.
To configure the Alert Definitions, click the Monitoring node in the left pane of the ISA
firewall console and then click the Alerts tab in the middle pane of the console. Click the
Tasks tab in the Task Pane and then click the Configure Alert Definitions link. You’ll
see what appears in the figure below.
Figure 7
The Alerts properties dialog box includes a list of all the available alerts on the ISA
firewall. Each of these alerts has a default configuration that you can use right out of the
box, or you can customize the default configuration. You can also create new alerts
which are based on the built-in alerts, but trigger on different event parameters or have
different actions.
Double click on one of the alerts and you’ll see something like what appears in the figure
below. On the General tab of the alert’s Properties dialog box, you’ll see a description
for the alert, the category to which the alert belongs, and the default severity of that alert.
The Enable checkbox determines whether the alert is enabled or not.
Figure 8
Click the Events tab and you’ll see the default parameters that must be met in order to
trigger the alert. You can change the trigger parameters here. You can also specify if you
want the alert triggered only if a specific server in the array is affected.
Figure 9
Click the Actions tab. Here you can configure the alert to send an email message, run a
program, or stop or start Windows services if the alert is triggered based on the settings
configured on the Events tab.
Figure 10
Detailed coverage of all the ISA firewall alerts and details of how to configure them and
create new alerts are beyond the scope of this article. I may do a future article on this
subject, and detailed coverage will definitely be included in our ISA Server 2006 book,
due out later this year.
Click the Sessions tab and then click the Add/Remove Columns entry.
Figure 11
In the Add/Remove Columns dialog box, click the Application Name entry in the
Available columns list and click Add. This column provides valuable information about
what application the user is using to access a resource through the ISA firewall. You can
view this information to check for suspicious applications used to connect to Internet
resources. You can then disconnect that session in real time. Note that this option is
available only if you have correctly deployed the Firewall client in your organization (an
ISA firewall best practice, but not an option in a unihomed Web proxy only ISA firewall
configuration).
Use the Move Up and Move Down buttons to arrange the columns so that they appear
as in the figure below. Click OK after making the changes.
Figure 12
Click on the Reports tab in the middle pane of the console. Click the Tasks tab in the
Task Pane and you’ll see a number of options available for creating and configuring
reports. Perform the following steps to create a recurring report job:
1. In the Tasks tab of the Task Pane, click the Create and Configure Report Jobs
link. This link allows you to create a recurring report job. The Generate a New
Report link enables you to create an Ad Hoc report.
Figure 13
2. On the Welcome to the New Report Job Wizard page, enter a name for the
report in the Report Job name text box. In this example we’ll create a report that
runs once a week, so we’ll name the report Weekly Report. Click Next.
Figure 14
3. On the Report Content page, select the content you want to include in the report.
More is better when it comes to reporting, so select all of the options (the default
setting). Click Next.
Figure 15
4. On the Report Job Schedule page, you select the frequency for this report. You
can select from Daily, Weekly, on specified days and Monthly, on this date
every month options. Note that by default, report jobs are run at 1:00AM
(0100h). In this example we want to run a weekly report job, so we’ll select the
Weekly, on specified days option. You can also select the day of the week you
want the report to run. In this example, we’ll select Saturday. Click Next.
Figure 16
5. On the Report Publishing page, you have the option to publish the report to a
local directory or a network share. The reports are saved as HTML files that can
be read in any Web browser. Enter the location where you want the reports
published, and the user credentials required to access the network share. Avoid
publishing reports on the ISA firewall itself, as you want to avoid allowing
connections to the ISA firewall. Click Next.
Figure 17
6. On the Send E-mail Notification page, you have the option to send an e-mail
message when the report is created. Enter the address of the SMTP server, the
From and To e-mail addresses, and a short message. You can also include a link
to the published report. Click the Test button to confirm connectivity with your
e-mail server.
Figure 18
7. Click Finish on the Completing the New Report Job Wizard page.
8. The Report Jobs Properties dialog box shows the report you created.
Figure 19
Customize Reports
The ISA firewall’s reports can be customized to a certain extent. While you still can
create reports that drill down on a specific user’s activity, you can customize the type of
information included in the reports.
Click the Customize Web Usage Content link and you’ll see what appears in the figure
below. Each of the report customization options allows you a different set of
customization features. In the figure below, the Top Users tab is selected. Here you can
configure how many users appear in the reports, and the sort order. Similar customization
options are available for the other reports. Go through each of the report customizations
closely and select those that meet your requirements.
Figure 21
Figure 22
In the Log Summary and Report Properties dialog box, click the Log Summary tab.
You’ll see what appears in the figure below. By default, log summaries are created daily
at 12:30AM local time. Information used to create the reports is stored in the log
summaries, so you can’t have a report based on a specific date unless the log summary
for that date is available. Note that these log summaries are based on the information in
the ISA firewall’s log files. However, once the log summary is created from the log files,
the actual log files are no longer required to create a report for that date.
The default location for the log summaries is in the ISA Server 2004 folder tree, in the
ISASummaries folder. You can change the location by selecting the This folder option,
but you cannot use a network drive or shared folder for this. You can also configure the
number of log summaries you want to keep. The default values are 35 Daily summaries
and 13 Monthly summaries. I am in the camp of more is better, so I typically keep 365
daily and 48 monthly.
Figure 23
Click the Report Storage tab. This is a new feature in ISA Server 2006. Here you can set
the number of reports of each period type that are saved to the local hard drive. The
default is 30. I usually change this to something like 365, since I don’t want to have to
rerun reports, but you set this based on your available disk space.
Figure 24