Internet Security & Acceleration (ISA) Server’s Monitoring Whitepaper

This whitepaper on Microsoft ISA Server discusses best practices specific to ISA Server, Health Monitoring in general, and how to monitor your ISA Server with Monitis. Included is a VBScript that creates a custom monitor in Monitis.

The Microsoft website offers links to documentation on the different versions of ISA Server. A good starting point is the Microsoft Technet website. Note that Microsoft ISA Server is now called Forefront. The Microsoft website contains links to all versions of ISA Server.

We’ll start with a general overview of the specific functionality ISA Server offers and then we’ll go into best practices.


Microsoft Internet Security and Acceleration (ISA) Server offers a complete Internet connectivity solution that contains an enterprise firewall and a Web cache solution. You can use either or both of these functions when you install ISA Server in your network.

ISA Server secures your network and allows you to implement your business security policy by configuring a broad set of rules that specify which sites, protocols, and content can be passed through the ISA Server computer. ISA Server monitors requests and responses between the Internet and internal client computers, controlling who can access which computers on the corporate network. ISA Server also controls which computers on the Internet can be accessed by internal clients.

Firewall and Security Overview

ISA Server can be deployed as a dedicated firewall that acts as the secure gateway to the Internet for internal clients. In this scenario ISA Server protects communication between your internal computers and the Internet. Also in this simple firewall scenario, your ISA Server has two network interface cards, one connected to the local network and one connected to the Internet.

You can use Microsoft Internet Security and Acceleration (ISA) Server to configure the firewall, configuring policies and creating rules to implement your business guidelines. By setting the security access policies, you prevent unauthorized access and malicious content from entering the network. You can also restrict what traffic is allowed for each user and group, application, destination, content type, and schedule.

ISA Firewall Server offers the following security features:

  • Outgoing access policy
  • Intrusion detection
  • Application filters
  • Authentication

Publishing Overview

With ISA Server you can publish internal servers to the Internet without affecting the security of your internal network. You can configure Web publishing and server publishing rules that determine which requests should be sent to a server on your local network, providing an increased layer of security for your internal servers.

For example, you can place your Microsoft Exchange server behind the ISA Server computer and create server publishing rules that allow the e-mail server to be published to the Internet. Incoming e-mail to the Exchange server is intercepted by the ISA Server computer, which gives the appearance of an e-mail server to clients. ISA Server can filter the traffic and forward it on to the Exchange server. Your Exchange server is never exposed directly to external users and sits in its secure environment, maintaining access to other internal network services.

When a client on the Internet requests an object from a Web server, the request is actually sent to an IP address on the ISA Server computer. Web publishing rules that are configured on the ISA Server computer then forward the request, as applicable, to the internal Web server.

Cache Overview

ISA Server caches frequently-requested objects to improve network performance. You can configure the cache to ensure that it contains the data that is most frequently used by the organization or accessed by your Internet clients.

In the case of internal clients accessing the Internet, ISA Server can be configured as a forward caching server. When external clients access internal publishing servers, ISA Server implements reverse caching. Either scenario will benefit from ISA Server’s ability to cache information, making it more quickly available to users.

ISA Server caching features include distributed caching (using an array of ISA Server computers), hierarchical caching (enhancing on distributed caching), scheduled caching (specifying when ISA Server should fetch content from the Internet and have it available), and reverse caching (caching internal content available for external clients).

Forward caching

When ISA Server is deployed as a forward caching server it maintains a centralized cache of frequently requested Internet objects that can be accessed by any web browser client. Objects served from the disk cache require significantly less processing than objects served from the Internet, improving client browser performance and reducing bandwidth consumption on your Internet connection.

The steps involved in forward caching (reverse caching follows the same process) are:

  1. The first user (Client 1) requests a Web object.
  2. ISA Server checks if the object is in the cache. Since the object is not in the ISA Server cache, ISA Server requests the object from the server on the Internet.
  3. The server on the Internet returns the object to the ISA Server.
  4. The ISA Server retains a copy of the object in its cache, and returns the object to Client 1.
  5. Client 2 requests the same object.
  6. The ISA Server returns the object from its cache, rather than obtaining it from the Internet.

Reverse caching

ISA Server can be deployed in front of an organization’s Web server that is hosting a commercial Web business or providing access to business partners. With incoming Web requests, ISA Server can impersonate a Web server to the outside world, fulfilling client requests for Web content from its cache. ISA Server forwards requests to the Web server only when the requests cannot be served from its cache.

Enterprise management overview

ISA Server computers can be set up as stand-alone servers or they can be grouped into arrays, sharing the same configuration. ISA Server offers centralized management for arrays, giving you one single management point to maintain the entire array.

When you set up the enterprise, you specify the enterprise policy management. You can select a centralized enterprise policy that applies to all arrays in the enterprise or a more flexible policy where each array administrator can define a local policy.

You can create array-level access policies and enterprise-level policies. The enterprise policy can be applied to any array and can be augmented by the array’s own policy. This enables administrators at branch and departmental levels to adopt governing enterprise policies.

Architecture overview

ISA Server operates at different communication layers to protect your network. At the packet layer, ISA Server implements packet filtering. When packet filtering is enabled, ISA Server controls data on the external interface, evaluating inbound traffic before it has the chance to reach any resource. If the data is allowed to pass, it is passed to the Firewall and Web Proxy services where ISA Server rules are processed to determine if the request should be serviced.

ISA Server protects three types of clients: Firewall clients, SecureNAT clients, and Web Proxy clients.

Firewall clients are computers that have Firewall Client software installed and enabled. Requests from firewall clients are directed to the Firewall service on the ISA Server computer to determine if access is allowed. They might be filtered by application filters and other add-ins, if applicable. If the Firewall client requests an HTTP object, then the HTTP redirector redirects the request to the Web Proxy service. The Web Proxy service may also cache the requested object or serve the object from the ISA Server cache.

Secure network address translation (SecureNAT) clients are computers that do not have Firewall Client installed. Requests from SecureNAT clients are directed first to the network address translation driver, which substitutes a global IP address that is valid on the Internet for the internal IP address of the SecureNAT client. The client request is then directed to the Firewall service to determine if access is allowed. Finally, the request may be filtered by application filters and other extensions. If the SecureNAT client requests an HTTP object, then the HTTP redirector redirects the request to the Web Proxy service. The Web Proxy service may also cache the requested object or deliver the object from the ISA Server cache.

Web Proxy clients are any CERN-compatible Web application. Requests from Web Proxy clients are directed to the Web Proxy service on the ISA Server computer to determine if access is allowed. The Web Proxy service may also cache the requested object or serve the object from the ISA Server cache.

Both Firewall client computers and SecureNAT client computers might also be Web Proxy clients. If the Web application on the computer is configured explicitly to use the ISA Server, then all Web requests are sent directly to the Web Proxy service, including HTTP, File Transfer Protocol (FTP), Secure HTTP (HTTPS), and Gopher. All other requests are handled first by the Firewall service.

Best Practices

This section describes a number of best practices for the ISA Firewall. The tips we give here will help to optimize security, reliability, and performance of your ISA server. We’ll focus on the most important items that you should pay attention to. The overview is not in any particular order so items higher in the list are not necessarily more important.

1. ISA Server comes with a Firewall and Web Proxy client. You should deploy these clients to get superior performance over what a hardware firewall provides. The combination of ISA server and its clients provide an intelligent security solution, more so than an appliance without clients can offer.

2. The ISA firewall should have only one DNS server configured on its interfaces, and that DNS server address must be configured on its internal interface (or whatever interface is closest to an internal DNS server that can resolve Internet host names). Never put an external DNS server on any of the ISA firewall’s interfaces, and never enter a DNS server address on more than one ISA firewall interface.

3. When investigating a possible attack, do a Whois search on the IP address. This should be the first thing you do when you detect unusual activity in your firewall logs.

4. Use DMZ networks connected to the ISA firewall to limit access to different security zones within your organization. Put ISA firewalls between different security zones to make sure you are protected against attacks sourcing from different security zones.

5. Do not consolidate other server functions (file server, web server, etc.) with the ISA server. The ISA firewall is just that: a firewall.

6. Harden the server using the ISA firewall hardening guides located at

7. Typically there is no reason to enable NetBT on the external interface of the ISA firewall. If you don’t need it, disable it.

8. There typically isn’t a reason to enable the Server service on the external interface of the ISA firewall, as it is used to enable access to shared resources on the ISA firewall. In general, the Server service should be disabled on all interfaces of the ISA firewall, but there can be side effects, such as being unable to access the Firewall client share on the ISA firewall if you installed it there. It is best to place the client installation files on a network share hosted by a file server. You shouldn’t run into any issues if the Server service is unbound only from the external interface.

9. On Windows 2000, the Alerter and Messenger services should be disabled on the ISA firewall. Windows Server 2003 turns off these services by default, or they are turned off as part of running the Security Configuration Wizard on a Windows Server 2003 Service Pack 1 ISA firewall.

10. Install Network Monitor for troubleshooting issues. Microsoft Network Monitor comes with Windows, and you can install it either before or after the ISA firewall software is installed.

11. The ISA firewall shouldn’t be used as a workstation; it is a network firewall representing an important component of your network security infrastructure. Don’t use client applications, such as Internet Explorer, on the ISA firewall and don’t disable the enhanced IE security configuration that is part of Windows Server 2003 Internet Explorer.

12. If users complain about decreased performance of the Web, configure the clients as Web Proxy clients and configure the web browsers to use HTTP 1.1.

13. Make sure to patch the base operating system before installing ISA. Install the base operating system on a protected network, so that you can safely install the operating system and then update the operating system before installing the ISA firewall software. Connect the ISA firewall device to the Internet only after the operating system is patched and the ISA firewall software is installed.

14. You can rename the network interfaces installed on the ISA firewall from Local Area Connection 1 and Local Area Connection 2 to something more meaningful, such as WAN, LAN, and DMZ. This is helpful when you have a lot of interfaces installed on the ISA firewall device.

15. The ISA firewall can mitigate worm and other automated attacks by enforcing connection limits. You can configure connection limits by going to the General node in the ISA firewall console and Define Connection Limits.

The above items represent only some of the recommendations for configuring your ISA Firewall and certainly don’t cover all of the aspects. If you want to analyze your implementation of ISA Server it is a good idea to download the Microsoft Best Practice Analyzer Tool from the Microsoft website and run this against your ISA Server. The tool is compatible with ISA Server 2004, 2006, and Forefront TMG:
The Microsoft TechNet website is a great resource that offers a lot of information about how to configure your ISA server for your environment, performance best practices, and troubleshooting performance issues.


ISA Server Health & Performance Monitoring

To maintain and manage the health of ISA Server, it is necessary to monitor its performance and watch for any possible anomalies. The following sections list resource counters and ISA Server counters that help troubleshoot ISA Server performance problems. It is recommended that these counters be sampled on a regular basis at a rate of several samples per minute.

The performance counters that should be tracked can be grouped in the following categories:

Base subsystem metrics:

  • Processor Subsystem
  • Network Subsystem
  • Disk Subsystem

ISA Server specific metrics:

  • ISA Server Firewall Engine
  • ISA Server Firewall Service
  • ISA Server Web Proxy
  • ISA Server Cache

Between the Processor, Disk, and Network subsystems, as well as the ISA specific metrics, there are many counters that can be measured, but for the purpose of providing a general, yet effective monitor, we’ll focus on the most recommended performance counters only. For those interested, a complete overview of the subsystem metrics and all the ISA supported performance counters can be found in the article Advanced ISA Monitoring.
Microsoft recommends that, to monitor the general performance of your ISA server, the following metrics should be monitored:

Load Monitoring

Category | Performance Counter Name
ISA Server Firewall Engine | Active Connections
ISA Server Firewall Service | Active Sessions
ISA Server Web Proxy | Requests/sec
ISA Server Firewall Engine | Bytes/sec

Security Monitoring

Category | Performance Counter Name
ISA Server Firewall Engine | Dropped packets/sec
ISA Server Firewall Engine | Packets/sec
ISA Server Firewall Engine | Connections/sec
ISA Server Web Proxy | Average Milliseconds/request

These metrics offer a generic insight into your ISA server’s performance. As previously mentioned, ISA server offers a lot more performance counters that can be queried to get more detailed information about the Firewall Engine, Web Proxy, and ISA cache. The basic performance metrics that we mentioned in this article are included in the Custom Monitis ISA Monitor that is discussed in the next section.

Custom Monitis ISA Server Monitor

In this section we discuss monitoring ISA server with Monitis using a custom monitor that you can add to the Monitis dashboard. Microsoft provides the ISA Server Performance Monitor tool to analyze ISA Server performance. The ISA Server Performance Monitor is installed when you install ISA Server, but if you are already monitoring a number of servers in your environment the Monitis dashboard offers an integrated solution to monitor ISA server together with your other monitored systems.

The Monitis monitor for ISA Server integrates the recommended performance metrics that we discussed in the previous section of this whitepaper.
If you run this monitor from a remote system (recommended) and not on the ISA server itself, you must make sure to follow these guidelines:

  • Enable remote management on the ISA server.
  • Allow RPC protocols from the remote system and the ISA server to pass through.
  • Remove the remote computer from the Remote Management Computers group on ISA.

More details on configuring the RPC filter can be found on the Technet ISA Server blog:


The ISA monitor discussed in this article tracks the Microsoft recommended metrics and we also add some subsystem performance counters for memory, disk, and network performance. The table below shows the metrics in this monitor:

Performance Counter | Description
ISA Server Control Service Status | Checks the status of the service. Possible results are: “Start Pending”, “Stop Pending”, “Continue Pending”, “Pause Pending”
ISA Firewall Service Status | Checks the status of the service. Possible results are: “Start Pending”, “Stop Pending”, “Continue Pending”, “Pause Pending”
ISA Server Storage Service Status | Checks the status of the service. Possible results are: “Start Pending”, “Stop Pending”, “Continue Pending”, “Pause Pending”
ISA Server Job Scheduler Service Status | Checks the status of the service. Possible results are: “Start Pending”, “Stop Pending”, “Continue Pending”, “Pause Pending”
Processor Utilization | % Processor Utilization
Memory Available | Total available memory
Disk Utilization | Total bytes/sec transferred to and from disk
Network Connection(*) Bytes Sent/Sec | Total bytes transmitted per second
Network Connection(*) Bytes Received/Sec | Total bytes received per second
Network Connection(*) Packets Sent/Sec | Total packets sent per second
Network Connection(*) Packets Received/Sec | Total packets received per second
ISA Server Firewall Engine Active Connections | Recommended load metric (see previous section)
ISA Server Firewall Service Active Sessions | Recommended load metric (see previous section)
ISA Server Web Proxy Requests/sec | Recommended load metric (see previous section)
ISA Server Firewall Engine Bytes/sec | Recommended load metric (see previous section)
ISA Server Firewall Engine Dropped packets/sec | Recommended security metric (see previous section)
ISA Server Firewall Engine Packets/sec | Recommended security metric (see previous section)
ISA Server Firewall Engine Connections/sec | Recommended security metric (see previous section)
ISA Server Web Proxy Average Milliseconds/request | Recommended security metric (see previous section)

(*) For the purpose of tracking network utilization for each adapter installed in the ISA server, there is a separate monitor for each active network connection. Whether a network adapter is “active” is determined by looking at the IP address. If an adapter is configured with an IP address, it is assumed the adapter is in use.

Installing and running the Monitis monitor for ISA Server

The scripts for this monitor are available for download on GitHub here. Download both the AddCustomISAMonitor.vbs and PushISADataMonitor.vbs scripts and save them on your local computer somewhere.

To start monitoring your ISA Server you must first run the script AddCustomISAMonitor.vbs. Open a command window and change directory to the folder where you have saved the scripts that you downloaded earlier. Now simply enter the command ‘cscript AddCustomISAMonitor.vbs’. This will create a new page in your dashboard named “ISA Server”. Once the script has finished running, log on to your dashboard (or refresh the web page if you’re already logged on) and you’ll see the new tab.

Now you should execute the second script, PushDataISAMonitor.vbs. This script actively monitors your ISA Server and records the metrics on your dashboard page. Note that this script remains running and will upload performance data every 30 seconds to the Monitis dashboard.

Adding alert notifications

There are many useful alerts that you can add. One basic notification you can create is to be alerted when the Firewall Service is stopped.

Edit monitor notifications

To set up an alert notification, click on the icon resembling a pencil and click on the Notifications button.

Edit notification rule

On the next screen, select ‘Firewall’ from the Event Parameter drop-down list. You can set the Failures required to trigger an alert value to 3. This way if the service is restarted, you will not get an unnecessary alert. Set the Event Action to ‘not equal’ and enter the Event Value: ‘Running’. This will alert you anytime the service is in any other state than ‘Running’.

Useful notifications

There are a number of notifications that can be useful to determine if the ISA server hardware needs upgrading or when the system is under a possible attack. We’ll list the most common things to look out for below. For each item, you can create a notification rule similar to the way we described earlier.

\Network Interface(*)\Bytes Total/sec – If its value is more than 75 percent of the maximum bandwidth of any network interface, consider increasing the bandwidth of the network infrastructure.

\Disk Transfers/sec – ISA server uses disk storage for firewall logging and web caching. This metric is used to monitor the disk access rate per second. The typical limit is between 100 and 200 accesses per second. If this limit is reached for a sustained period of time, you will notice an increase in the system’s response time, and adding more disks to the server is the way to resolve the issue.

\Processor\%Processor Time – Another good metric to get notified on is the Percent Processor Time. If this number exceeds 80% for an extended period of time (several minutes) and the number correlates with \ISA Server Firewall Engine\Packets/sec, it may indicate maximal capacity or a DoS attack. Before jumping to conclusions, verify that there are no other processes running on the ISA server that take up processing time.

\Network Interface(*)\Packets/sec – If the metric ‘Bytes Total/sec’ divided by ‘Packets/sec’ is less than 100 bytes, it might indicate a possible attack. The thing to do is to trace network activity and look for irregular traffic patterns. If it is not an attack, check the network for possible misconfiguration.

\ISA Server Web Proxy\Average Milliseconds/Request – This counter measures the average response time of ISA server’s web proxy. A number of milliseconds higher than 30,000 points to an issue.

\ISA Server Web Proxy\Requests/sec – This measures the request rate. ‘Clients Bytes Sent/sec’ divided by ‘Requests/sec’ should not exceed 20KB.

\ISA Server Firewall Packet Engine\Active Connections – For application filtering scenarios, expect up to 30,000 connections. For stateful filtering with IP routing enabled, expect up to 100,000. This metric can be used to detect a network misconfiguration or a possible DoS attack.
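The notification rules listed above, together with the “Failures required to trigger an alert” setting from the Firewall service notification, can be evaluated offline against sampled counter values. The following is an added example, not part of this whitepaper or of the Monitis scripts: it uses the counter names given above, a constructed series of samples (a few healthy intervals followed by a flood of tiny packets), and an assumed 100 Mbit/s interface capacity. Each rule only alerts after it has failed on three consecutive samples, and the processor rule additionally checks whether processor time tracks the firewall packet rate, which is the correlation the whitepaper says distinguishes a capacity or DoS problem from an unrelated busy process.

```python
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List

# Assumed interface capacity (100 Mbit/s) in bytes per second; adjust per adapter.
LINK_CAPACITY_BYTES_PER_SEC = 100_000_000 / 8


@dataclass
class Sample:
    """One sampling interval of the counters the notification rules reference."""
    bytes_total_per_sec: float              # \Network Interface(*)\Bytes Total/sec
    packets_per_sec: float                  # \Network Interface(*)\Packets/sec
    disk_transfers_per_sec: float           # \Disk Transfers/sec
    processor_time_pct: float               # \Processor\% Processor Time
    fw_packets_per_sec: float               # \ISA Server Firewall Engine\Packets/sec
    proxy_avg_ms_per_request: float         # \ISA Server Web Proxy\Average Milliseconds/Request
    proxy_requests_per_sec: float           # \ISA Server Web Proxy\Requests/sec
    proxy_client_bytes_sent_per_sec: float  # \ISA Server Web Proxy\Clients Bytes Sent/sec
    fw_active_connections: int              # \ISA Server Firewall Packet Engine\Active Connections


def check_sample(s: Sample, link_capacity: float = LINK_CAPACITY_BYTES_PER_SEC,
                 application_filtering: bool = True) -> List[str]:
    """Names of the rules that a single sample violates."""
    hits = []
    if s.bytes_total_per_sec > 0.75 * link_capacity:
        hits.append("bandwidth")            # link above 75% of its capacity
    if s.disk_transfers_per_sec > 200:
        hits.append("disk")                 # above the typical 100-200 accesses/sec
    if s.processor_time_pct > 80:
        hits.append("cpu")                  # "sustained" is enforced by the streak below
    if s.packets_per_sec > 0 and s.bytes_total_per_sec / s.packets_per_sec < 100:
        hits.append("small-packets")        # average packet under 100 bytes
    if s.proxy_avg_ms_per_request > 30_000:
        hits.append("proxy-latency")
    if s.proxy_requests_per_sec > 0 and \
            s.proxy_client_bytes_sent_per_sec / s.proxy_requests_per_sec > 20 * 1024:
        hits.append("proxy-bytes-per-request")
    limit = 30_000 if application_filtering else 100_000   # stateful filtering with IP routing
    if s.fw_active_connections > limit:
        hits.append("active-connections")
    return hits


def pearson(xs: List[float], ys: List[float]) -> float:
    """Plain Pearson correlation; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sqrt(sum((x - mx) ** 2 for x in xs))
    vy = sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (vx * vy) if vx and vy else 0.0


def evaluate_window(samples: List[Sample], failures_required: int = 3, **kw) -> Dict[str, object]:
    """Rules that fired over a window of consecutive samples.

    A rule fires only once it has failed on `failures_required` consecutive
    samples, mirroring the dashboard's "Failures required to trigger an alert"
    setting. `cpu_tracks_packets` is True when the cpu rule fired and processor
    time rose and fell with the firewall packet rate.
    """
    streak: Dict[str, int] = {}
    fired = set()
    for s in samples:
        hits = set(check_sample(s, **kw))
        for rule in list(streak):          # a clean sample resets a rule's streak
            if rule not in hits:
                streak[rule] = 0
        for rule in hits:
            streak[rule] = streak.get(rule, 0) + 1
            if streak[rule] >= failures_required:
                fired.add(rule)
    cpu_corr = pearson([s.processor_time_pct for s in samples],
                       [s.fw_packets_per_sec for s in samples])
    return {"alerts": sorted(fired), "cpu_tracks_packets": "cpu" in fired and cpu_corr > 0.8}


# Constructed samples: three healthy intervals, then four intervals in which a
# flood of roughly 50-byte packets drives processor time up with the packet rate.
HEALTHY = Sample(2_000_000, 4_000, 120, 35, 4_000, 800, 50, 500_000, 8_000)
FLOOD = [Sample(3_000_000, 60_000 + i * 10_000, 150, 85 + i * 3, 60_000 + i * 10_000,
                900, 50, 500_000, 9_000) for i in range(4)]
SAMPLES = [HEALTHY] * 3 + FLOOD

if __name__ == "__main__":
    print(evaluate_window(SAMPLES))
```

Feed it samples collected at the rate recommended earlier (several per minute) and the `failures_required` value used on the dashboard, so that a service restart or a single noisy interval does not page anyone, while a sustained flood of small packets that pushes processor time up with the packet rate is reported as the two correlated findings the whitepaper describes.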