In this article we discuss monitoring ISA server with Monitis using a custom monitor that you can add to the Monitis dashboard. Microsoft provides the ISA Server Performance Monitor tool to analyze ISA Server performance. The ISA Server Performance Monitor is installed when you install ISA Server, but if you are already monitoring a number of servers in your environment the Monitis dashboards offers an integrated solution to monitor ISA server together with your other monitored systems.
Custom ISA Server Monitor
The Monitis monitor for ISA Server integrates the recommended performance metrics that we discussed on the article “ISA Server Best Practices” into the dashboard.
If you run this monitor from a remote system (recommended) and not on the ISA server itself, you must make sure to follow these guidelines:
· Enable remote management on the ISA server.
· Allow RPC protocols from the remote system and the ISA server to pass through.
· Remove the remote computer from the Remote Management Computers group on ISA.
More details on configuring the RPC filter can be found on the Technet ISA Server blog: http://blogs.technet.com/b/isablog/archive/2007/05/16/rpc-filter-and-enable-strict-rpc-compliance.aspx
The ISA monitor discussed in this article tracks the Microsoft recommended metrics and we also add some subsystem performance counters for memory, disk, and network performance..The table below shows the metrics in this monitor:
Performance Counter | Description |
ISA Server Control Service Status | Checks the status of the service. Possible results are:”Stopped” “Start Pending” “Stop Pending” “Running” “Continue Pending” “Pause Pending” “Paused” “Unknown” |
ISA Firewall Service Status | Checks the status of the service. Possible results are:”Stopped” “Start Pending” “Stop Pending” “Running” “Continue Pending” “Pause Pending” “Paused” “Unknown” |
ISA Server Storage Service Status | Checks the status of the service. Possible results are:”Stopped” “Start Pending” “Stop Pending” “Running” “Continue Pending” “Pause Pending” “Paused” “Unknown” |
ISA Server Job Scheduler Service Status | Checks the status of the service. Possible results are:”Stopped” “Start Pending” “Stop Pending” “Running” “Continue Pending” “Pause Pending” “Paused” “Unknown” |
Processor Utilization | % Processor Utilization |
Memory Available | Total available memory |
Disk Utilization | Total bytes/sec transferred to and from disk |
Network Connection(*) Bytes Sent/Sec | Total bytes transmitted per second |
Network Connection(*) Bytes Received/Sec | Total bytes received per second |
Network Connection(*) Packets Sent/Sec | Total packets sent per second |
Network Connection(*) Bytes Received/Sec | Total packets received per second |
ISA Server Firewall Engine | Active Connections |
ISA Server Firewall Service | Active Sessions |
ISA Server Web Proxy | Requests/sec |
ISA Server Firewall Engine | Bytes/sec |
ISA Server Firewall Engine |
Dropped packets/sec |
ISA Server Firewall Engine |
Packets/sec |
ISA Server Firewall Engine |
Connections/sec |
ISA Server Web Proxy |
Average Milliseconds/request |
(*) For purpose of tracking network utilization for each adapter installed in the ISA server, there is a separate monitor for each active network connection. Whether a network adapter is “active” is determined by looking at the IP address. If an adapter is configured with an IP address, it is assumed the adapter is in use.
Installing and running the Monitis monitor for ISA Server
The scripts for this monitor are available for download on GitHub at :https://github.com/monitisexchange/Windows-Monitoring-Scripts/tree/master/vbscript/ISAServer. Download both the AddCustomISAMonitor and PushISADataMonitor scripts and save them on your local computer somewhere.
To start monitoring your ISA Server you must first run the script AddCustomISAMonitor.vbs. Open a command window and change directory to the folder where you have saved the scripts that you downloaded earlier. Now simply enter the command ‘cscript AddCustomISAMonitor.vbs’ . This will create a new page to your dashboard named “ISA Server” .Once the script has finished running, log on to your dashboard (or refresh the web page if you’re already logged on) and you’ll see the new tab.
Now you should execute the second script; PushDataISAMonitor.vbs. This script actively monitors your ISA Server and records the metrics on your dashboard page.Note that this script remains running and will upload performance data every 30 seconds to the Monitis dashboard.
Adding alert notifications
There are many useful alerts that you can add to be alerted. One basic notification you can create is to be alerted when the Firewall Service is stopped.
Edit ISA monitor notifications
To set up an alert notification, click on the icon resembling a pencil and click on the Notifications button.
Edit ISA notification rule
On the next screen, select ‘Firewall’ from the Event Parameter drop-down list. You can set the Failures required to trigger an alert value to 3. This way if the service is restarted, you will not get an unnecessary alert. Set the Event Action to ‘not equal’ and enter the Event Value: ‘Running’. This will alert you anytime the service is in any other state than ‘Running’.
Useful ISA monitoring notifications
There are a number of notifications that can be useful to determine if the ISA server hardware needs upgrading or when the system is under a possible attack. We’ll list the most common things to look out for below. For each item, you can create a notification rule similar to the way we described earlier.
\Network Interface(*)\Bytes Total/sec
If its value is more than 75 percent of the maximum bandwidth of any network interface, consider increasing the bandwidth of the network infrastructure.
\Disk Transfers/sec
ISA server uses disk storage firewall logging and web caching. This metric is used to monitor disk access rate per second. The typical limit is between 100 to 200 accesses per second. If this limit is reached for a sustained period of time, you will notice an increase in the systems’ response time and adding more disks tot the server is the way to resolve the issue.
\Processor\%Processor Time
Another good metric to get notified on is the Percent Processor Time. If this number 80% for an extended period of time (several minutes) and the number correlates with the \ISA Server Firewall Engine\Packets/sec, it may indicate maximal capacity or a DoS attack.Before jumping to conclusions, verify that there are no other processes running on the ISA server that take up processing time.
\Network Interface(*)\Packets/sec
If the metric ‘Bytes Total/sec’ divided by the ‘Packet/sec’ is less than a 100 bytes, it might indicate a possible attack. The thing to do is to trace network activity and look for irregular traffic patterns. If not an attack, check network for possible misconfiguration.
\ISA Server Web Proxy\Average Milliseconds/Request
This counter measures the average response time of ISA server’s web proxy. A number of milliseconds higher than 30,000 points to an issue.
\ISA Server Web Proxy\Requests/sec
This measures the request rate. The ‘Clients Bytes Sent/sec’ divided by the the’ Requests/sec’ should not exceed 20KB.
\ISA Server Firewall Packet Engine\Active Connections
For application filtering scenarios, expect up to 30,000 connections. For stateful filtering with IP routing enabled, expect up to 100,000. This metric can be used to detect a network misconfiguration or a possible DoS attack.
Advanced ISA monitoring
ISA server offers a lot more performance counters that can be queried to get more detailed information about the Firewall Engine, Web Proxy, and ISA cache. We’ll discussed those in our next article in this series; Advanced ISA Monitoring.
More links: