Microsoft® Internet Security and Acceleration (ISA) Server 2004 with Service Pack 3 (SP3) provides improvements on the diagnostic level, which makes troubleshooting much easier. For a summary about the components of this update, see "ISA Server 2004 Service Pack 3" at the Microsoft TechNet Web site.
This article explains some of the advantages of using this service pack while troubleshooting an issue on ISA Server 2004. The scenario is that ISA Server 2004 SP3 is publishing a corporate Web site, and when users try to access one specific page, they receive the following error.
Figure 1—Page error when users are trying to access the corporate page through the Internet
According to users, they can access this page without a problem when they are on the Internal network.
2. Details about logging
To gather more information about this error, you can use the monitoring and logging features available in ISA Server 2004 and extended with SP3. Now, logging is divided into two panes, the regular real-time logging and the details for each log selection. For this scenario, we created a filter to log all HTTP traffic, and we used this to reproduce the issue. The following figure shows the result.
Figure 2—New Logging tab with the details pane.
By default, the color for a denied connection is red and the allowed connection is green. Those colors can be customized using the option Define Log Text Colors on the Tasks tab.
In the detailed explanation, you can see the main aspects of the connection and the reason why it was denied. For this scenario, the following are emphasized:
· Status—Summarizes the reason of the rejection.
· Rule—Shows the rule that was matched for this connection.
· Request—Shows the method that was used to access the page.
· Filter information—Shows the request ID (Req ID) and the information about the ISA Server filter that was used for this access.
Based on that brief explanation, we can create some hypotheses and take actions based on those hypotheses. However, with ISA Server 2004 SP3, it is possible to see even more details about the connection and better understand how it was processed.
3. Diagnostic logging
Diagnostic logging is a new feature introduced with SP3. This feature provides over 200 new events about the status of your ISA Server computer, as well as information about configuration and policy issues. It is possible to follow the actions that are taken when ISA Server 2004 is analyzing and processing a request.
To enable this option, go to the new Troubleshooting node and click Configure Diagnostic Logging.
Figure 3—Diagnostic Logging dialog box
It is important to emphasize that when this option is enabled, ISA Server 2004 performance can decrease. We recommend disabling this logging after you find the information that you are looking for.
In this scenario, we enabled this option and reproduced the issue. After reproducing this issue, we can either open this window again and click View Log Data or open Event Viewer and click the ISA Server Diagnostics node.
For this specific scenario, the following sequence (along with other ones) were logged:
1. ISA Server 2004 receives the connection request:
Event Type: Information
Event Source: ISA Server Diagnostics
Event Category: None
Event ID: 30091
Time: 9:18:52 PM
Date and time: 08/06/2007-21:18:51.654
Packet context: 06a0dd31
Log source: Web Proxy
Web Proxy properties:
Client IP address: 192.168.0.50
Client port: 3597
Local IP address: 192.168.0.8
Local port: 80
SecureNAT client: false
Web proxy client: false
Inbound traffic: true
2. The method used to retrieve this page is analyzed:
Event ID: 30093
Packet context: 06a0dd31 06a0dd32
HTTP method: GET
3. The target URL is analyzed:
Event ID: 30105
Target URL: /corp/Commun.eml
4. After analysis of the rules, ISA Server 2004 finds the rule that matches with traffic:
Event ID: 30008
Log source: Firewall service
The rule Corp Site matches the packet. The packet is allowed.
5. Now ISA Server 2004 looks for rules that match with the protocol itself for filtering purposes:
Event ID: 30019
ISA Server is looking for a rule that is associated with the protocol HTTP.
6. After processing the HTTP filter, ISA Server 2004 shows the following result:
Event ID: 30136
ISA Server rejected the request with the HTTP status code 0 and will return the following error message to the Web client. \"The request was rejected by the HTTP filter.
As you can see, this tool is powerful and can help greatly during the troubleshooting of complex scenarios.
4. Parsing the log
Following action-by-action using Event Viewer is difficult for situations where the server is busy. To resolve this problem, you can use the ISA Server Diagnostic Logging Viewer, which can be downloaded from the Microsoft Download Center. With this tool, you can view the log in HTML format and better track the request ID that appears on the Logging tab. To use this tool, you need to first install Log Parser 2.2 on the system, which is available from the Microsoft Download Center.
For this scenario, the sequence that follows creates an HTML page in the table grid format (-ogrid) in the folder Debug:
C:\Program Files\Log Parser 2.2>dlviewer.cmd -ogrid -odir Debug
Generating query results. Please wait...
Elements processed: 731
Elements output: 731
Execution time: 0.08 seconds
Generating contexts information results. Please wait...
Execution time: 0.19 seconds
Done. Open Debug\index.html to view the results.
When you open the HTML file, a page with the same format as the one that follows appears.
Figure 4—Improved way to view the logging generated by ISA Server 2004
Although fictitious, this scenario shows some of the new features introduced by ISA Server 2004 SP3. For this particular scenario, the issue was an HTTP filter that was blocking files with an .eml extension. To fix this, the rule was opened and the filter was removed as shown in the following figure.
Figure 5—File extension filter removed
These improvements will be available for ISA Server 2006 later this year. For more information, keep watching the ISA Server Web site.
Special thanks to Ian Parramore and Jonny Sharp for presenting these features at TechReady.
Support Engineer – Latin America Team – Platforms
<p>Thanks alot for this nice info</p>
<p>I have question here , why this Improvement in MS ISA 2004 SP3 and not on MS ISA 2006</p>
<p>Since the SP3 for ISA 2004 was already ready to be ship, it was decided to include those features on it. But, those improvements will be soon available on ISA 2006. </p>
<p>Thanks for your visit.</p>
<p>Security Microsoft and Novell Open Interoperability Lab <a rel="nofollow" target="_new" href="http://www.microsoft.com/presspass/press/2007/sep07/09-11MSNovellLabsPR.mspx">http://www.microsoft.com/presspass/press/2007/sep07/09-11MSNovellLabsPR.mspx</a></p>
<p>ISA Server 2006 Service Pack 1 Features Introduction Microsoft ® Internet Security and Acceleration (ISA)</p>
<p>Glad to see your interesting post! its very useful and yet true for sure.. </p>
<p>Nice post on ISA servers, the latest addition of 2011 is out right. Not sure, will look into it.</p>
<p>Very nice! Thanks for the elaborated steps! They are very easy to understand and replicate! </p>