How To Protect Your Network: Monitoring ISA Server with Monitis

In this article we discuss monitoring Microsoft Internet Security and Acceleration (ISA) Server with Monitis, using a custom monitor that you can add to the Monitis dashboard. Microsoft provides the ISA Server Performance Monitor tool to analyze ISA Server performance. The ISA Server Performance Monitor is installed when you install ISA Server, but if you are already monitoring a number of servers in your environment, the Monitis dashboard offers an integrated solution to monitor ISA Server together with your other monitored systems.

Custom ISA Server Monitor

The Monitis monitor for ISA Server integrates the recommended performance metrics that we discussed in the article “ISA Server Best Practices” into the dashboard.

If you run this monitor from a remote system (recommended) and not on the ISA server itself, you must make sure to follow these guidelines:

· Enable remote management on the ISA server.
· Allow RPC protocols from the remote system and the ISA server to pass through.
· Remove the remote computer from the Remote Management Computers group on ISA.

More details on configuring the RPC filter can be found on the TechNet ISA Server blog: http://blogs.technet.com/b/isablog/archive/2007/05/16/rpc-filter-and-enable-strict-rpc-compliance.aspx

The ISA monitor discussed in this article tracks the Microsoft-recommended metrics, and we also add some subsystem performance counters for memory, disk, and network performance. The table below shows the metrics in this monitor:

| Performance Counter | Description |
| --- | --- |
| ISA Server Control Service Status | Checks the status of the service. Possible results are: “Stopped”, “Start Pending”, “Stop Pending”, “Running”, “Continue Pending”, “Pause Pending”, “Paused”, “Unknown” |
| ISA Firewall Service Status | Checks the status of the service. Possible results are: “Stopped”, “Start Pending”, “Stop Pending”, “Running”, “Continue Pending”, “Pause Pending”, “Paused”, “Unknown” |
| ISA Server Storage Service Status | Checks the status of the service. Possible results are: “Stopped”, “Start Pending”, “Stop Pending”, “Running”, “Continue Pending”, “Pause Pending”, “Paused”, “Unknown” |
| ISA Server Job Scheduler Service Status | Checks the status of the service. Possible results are: “Stopped”, “Start Pending”, “Stop Pending”, “Running”, “Continue Pending”, “Pause Pending”, “Paused”, “Unknown” |
| Processor Utilization | % Processor Utilization |
| Memory Available | Total available memory |
| Disk Utilization | Total bytes/sec transferred to and from disk |
| Network Connection(*) Bytes Sent/Sec | Total bytes transmitted per second |
| Network Connection(*) Bytes Received/Sec | Total bytes received per second |
| Network Connection(*) Packets Sent/Sec | Total packets sent per second |
| Network Connection(*) Packets Received/Sec | Total packets received per second |
| ISA Server Firewall Engine | Active Connections |
| ISA Server Firewall Service | Active Sessions |
| ISA Server Web Proxy | Requests/sec |
| ISA Server Firewall Engine | Bytes/sec |
| ISA Server Firewall Engine | Dropped packets/sec |
| ISA Server Firewall Engine | Packets/sec |
| ISA Server Firewall Engine | Connections/sec |
| ISA Server Web Proxy | Average Milliseconds/request |

(*) For the purpose of tracking network utilization for each adapter installed in the ISA server, there is a separate monitor for each active network connection. Whether a network adapter is “active” is determined by looking at the IP address. If an adapter is configured with an IP address, it is assumed the adapter is in use.

Installing and running the Monitis monitor for ISA Server

The scripts for this monitor are available for download on GitHub at: https://github.com/monitisexchange/Windows-Monitoring-Scripts/tree/master/vbscript/ISAServer. Download both the AddCustomISAMonitor and PushISADataMonitor scripts and save them somewhere on your local computer.

To start monitoring your ISA Server you must first run the script AddCustomISAMonitor.vbs. Open a command window and change directory to the folder where you saved the scripts that you downloaded earlier. Now simply enter the command ‘cscript AddCustomISAMonitor.vbs’. This will create a new page on your dashboard named “ISA Server”. Once the script has finished running, log on to your dashboard (or refresh the web page if you’re already logged on) and you’ll see the new tab.

Now you should execute the second script, PushDataISAMonitor.vbs. This script actively monitors your ISA Server and records the metrics on your dashboard page. Note that this script remains running and will upload performance data every 30 seconds to the Monitis dashboard.

Adding alert notifications

There are many useful alert notifications that you can add. One basic notification you can create is an alert when the Firewall Service is stopped.

Edit ISA monitor notifications

To set up an alert notification, click on the icon resembling a pencil and click on the Notifications button.

Edit ISA notification rule

On the next screen, select ‘Firewall’ from the Event Parameter drop-down list. You can set the ‘Failures required to trigger an alert’ value to 3. This way, if the service is restarted, you will not get an unnecessary alert. Set the Event Action to ‘not equal’ and enter the Event Value: ‘Running’. This will alert you any time the service is in any state other than ‘Running’.

Useful ISA monitoring notifications

There are a number of notifications that can be useful to determine if the ISA server hardware needs upgrading or when the system is under a possible attack. We’ll list the most common things to look out for below. For each item, you can create a notification rule similar to the way we described earlier.

\Network Interface(*)\Bytes Total/sec

If its value is more than 75 percent of the maximum bandwidth of any network interface, consider increasing the bandwidth of the network infrastructure.

\Disk Transfers/sec

ISA Server uses disk storage for firewall logging and web caching. This metric is used to monitor the disk access rate per second. The typical limit is between 100 and 200 accesses per second. If this limit is reached for a sustained period of time, you will notice an increase in the system’s response time, and adding more disks to the server is the way to resolve the issue.

\Processor\%Processor Time

Another good metric to get notified on is the Percent Processor Time. If this number exceeds 80% for an extended period of time (several minutes) and the number correlates with the \ISA Server Firewall Engine\Packets/sec counter, it may indicate maximal capacity or a DoS attack. Before jumping to conclusions, verify that there are no other processes running on the ISA server that take up processing time.

\Network Interface(*)\Packets/sec

If the metric ‘Bytes Total/sec’ divided by ‘Packets/sec’ is less than 100 bytes, it might indicate a possible attack. The thing to do is to trace network activity and look for irregular traffic patterns. If it is not an attack, check the network for possible misconfiguration.

\ISA Server Web Proxy\Average Milliseconds/Request

This counter measures the average response time of ISA server’s web proxy. A number of milliseconds higher than 30,000 points to an issue.

\ISA Server Web Proxy\Requests/sec

This measures the request rate. The ‘Clients Bytes Sent/sec’ divided by the ‘Requests/sec’ should not exceed 20KB.

\ISA Server Firewall Packet Engine\Active Connections

For application filtering scenarios, expect up to 30,000 connections. For stateful filtering with IP routing enabled, expect up to 100,000. This metric can be used to detect a network misconfiguration or a possible DoS attack.
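
The thresholds above can also be checked offline against exported counter samples. The following is an added example, not part of the Monitis scripts: it evaluates several of the rules (bandwidth, packet size, disk, CPU correlated with firewall packets, proxy latency, active connections) over one sample per 30-second push interval. The field names, the 1 Gbit/s adapter speed, the six-sample "sustained" window, the 0.8 correlation cut-off and the sample data are all assumptions.

```python
from math import sqrt

NIC_MAX_BYTES = 125_000_000  # assumption: 1 Gbit/s adapter, in bytes/sec
SUSTAIN = 6                  # assumption: 6 pushes x 30 s = 3 minutes

def sustained(flags, n=SUSTAIN):
    """True if flags contains a run of at least n consecutive True values."""
    run = 0
    for f in flags:
        run = run + 1 if f else 0
        if run >= n:
            return True
    return False

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy) if vx and vy else 0.0

def evaluate(samples):
    """samples: list of dicts, one per 30-second interval. Returns alert names."""
    col = lambda k: [s[k] for s in samples]
    alerts = []
    if any(b > 0.75 * NIC_MAX_BYTES for b in col("nic_bytes")):
        alerts.append("bandwidth>75%")
    # Bytes Total/sec divided by Packets/sec below 100 bytes, held for SUSTAIN samples
    if sustained(p > 0 and b / p < 100 for b, p in zip(col("nic_bytes"), col("nic_packets"))):
        alerts.append("small-packets")
    if sustained(d >= 100 for d in col("disk_xfers")):
        alerts.append("disk-limit")
    # CPU above 80% for several minutes AND tracking firewall Packets/sec
    if sustained(c > 80 for c in col("cpu_pct")) and pearson(col("cpu_pct"), col("fw_packets")) > 0.8:
        alerts.append("cpu-tracks-packets")
    if any(ms > 30_000 for ms in col("proxy_ms")):
        alerts.append("proxy-latency")
    if any(c > 30_000 for c in col("active_conns")):  # application filtering limit
        alerts.append("connections")
    return alerts

def sample(cpu, nic_b, nic_p, fw_p, disk=40, ms=120, conns=2_000):
    return dict(cpu_pct=cpu, nic_bytes=nic_b, nic_packets=nic_p, fw_packets=fw_p,
                disk_xfers=disk, proxy_ms=ms, active_conns=conns)

# Constructed data: 4 quiet intervals, then 6 intervals of small-packet load.
QUIET = [sample(20 + i, 6_000_000, 8_000, 8_000) for i in range(4)]
FLOOD = [sample(85 + i, 9_000_000, 150_000, 150_000 + 1_000 * i, conns=45_000)
         for i in range(6)]
```

Because the CPU rule requires both the sustained window and the correlation, a CPU spike caused by an unrelated process on the ISA server does not raise the firewall-related alert.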

Advanced ISA monitoring

ISA Server offers many more performance counters that can be queried to get more detailed information about the Firewall Engine, Web Proxy, and ISA cache. We’ll discuss those in the next article in this series, Advanced ISA Monitoring.
