Diagnostic Improvements in ISA Server 2004 Service Pack 3


1. Introduction

 

Microsoft® Internet Security and Acceleration (ISA) Server 2004 with Service Pack 3 (SP3) provides diagnostic improvements that make troubleshooting much easier. For a summary of the components of this update, see "ISA Server 2004 Service Pack 3" at the Microsoft TechNet Web site.

 

This article explains some of the advantages of using this service pack while troubleshooting an issue on ISA Server 2004. The scenario is that ISA Server 2004 SP3 is publishing a corporate Web site, and when users try to access one specific page, they receive the following error.

 

 

Figure 1—Page error when users are trying to access the corporate page through the Internet

 

According to users, they can access this page without a problem when they are on the Internal network.  

 

2. Details about logging

 

To gather more information about this error, you can use the monitoring and logging features available in ISA Server 2004 and extended with SP3. The Logging tab is now divided into two panes: the regular real-time log and a details pane for the selected log entry. For this scenario, we created a filter to log all HTTP traffic and used it while reproducing the issue. The following figure shows the result.

 

 

Figure 2—New Logging tab with the details pane.

 

By default, denied connections are shown in red and allowed connections in green. These colors can be customized with the Define Log Text Colors option on the Tasks tab.

 

In the detailed explanation, you can see the main aspects of the connection and the reason why it was denied. For this scenario, the following are emphasized:

• Status—Summarizes the reason for the rejection.

• Rule—Shows the rule that was matched for this connection.

• Request—Shows the method that was used to access the page.

• Filter information—Shows the request ID (Req ID) and information about the ISA Server filter that handled this access.

 

From that brief summary we can form some hypotheses and act on them. However, with ISA Server 2004 SP3 it is possible to see even more details about the connection and better understand how it was processed.

 

3. Diagnostic logging

 

Diagnostic logging is a new feature introduced with SP3. This feature provides over 200 new events about the status of your ISA Server computer, as well as information about configuration and policy issues. It is possible to follow the actions that are taken when ISA Server 2004 is analyzing and processing a request.

 

To enable this option, go to the new Troubleshooting node and click Configure Diagnostic Logging.

 

 

Figure 3—Diagnostic Logging dialog box

 

It is important to emphasize that when this option is enabled, ISA Server 2004 performance can decrease. We recommend disabling this logging after you find the information that you are looking for.

 

In this scenario, we enabled this option and reproduced the issue. After reproducing this issue, we can either open this window again and click View Log Data or open Event Viewer and click the ISA Server Diagnostics node.

 

For this specific scenario, the following sequence of events (among others) was logged:

 

1. ISA Server 2004 receives the connection request:

 

Event Type:   Information

Event Source: ISA Server Diagnostics

Event Category:       None

Event ID:       30091

Date:            8/6/2007

Time:            9:18:52 PM

User:            N/A

Computer:     SRVISA

Description:

Date and time: 08/06/2007-21:18:51.654

Packet context: 06a0dd31

Log source: Web Proxy

 

Web Proxy properties:

    Client IP address: 192.168.0.50

    Client port: 3597

    Local IP address: 192.168.0.8

    Local port: 80

    SecureNAT client: false

    Web proxy client: false

    Inbound traffic: true

 

2. The method used to retrieve this page is analyzed:

 

Event Type:   Information

Event Source: ISA Server Diagnostics

Event Category:       None

Event ID:       30093

Date:            8/6/2007

Time:            9:18:52 PM

User:            N/A

Computer:     SRVISA

Description:

Date and time: 08/06/2007-21:18:51.654

Packet context: 06a0dd31 06a0dd32

Log source: Web Proxy

 

HTTP method: GET

 

3. The target URL is analyzed:

 

Event Type:   Information

Event Source: ISA Server Diagnostics

Event Category:       None

Event ID:       30105

Date:            8/6/2007

Time:            9:18:52 PM

User:            N/A

Computer:     SRVISA

Description:

Date and time: 08/06/2007-21:18:51.654

Packet context: 06a0dd31 06a0dd32

Log source: Web Proxy

 

Target URL: /corp/Commun.eml

 

4. After evaluating the rules, ISA Server 2004 finds the rule that matches the traffic:

 

Event Type:   Information

Event Source: ISA Server Diagnostics

Event Category:       None

Event ID:       30008

Date:            8/6/2007

Time:            9:18:52 PM

User:            N/A

Computer:     SRVISA

Description:

Date and time: 08/06/2007-21:18:51.654

Packet context: 06a0dd31 06a0dd32

Log source: Firewall service

 

The rule Corp Site matches the packet. The packet is allowed.

 

5. Now ISA Server 2004 looks for a rule associated with the protocol itself, so that the protocol's application filter can be applied:

 

Event Type:   Information

Event Source: ISA Server Diagnostics

Event Category:       None

Event ID:       30019

Date:            8/6/2007

Time:            9:18:52 PM

User:            N/A

Computer:     SRVISA

Description:

Date and time: 08/06/2007-21:18:51.654

Packet context: 06a0dd31 06a0dd32

Log source: Firewall service

 

ISA Server is looking for a rule that is associated with the protocol HTTP.

 

6. After the HTTP filter has processed the request, ISA Server 2004 shows the following result:

 

Event Type:   Information

Event Source: ISA Server Diagnostics

Event Category:       None

Event ID:       30136

Date:            8/6/2007

Time:            9:18:52 PM

User:            N/A

Computer:     SRVISA

Description:

Date and time: 08/06/2007-21:18:51.654

Packet context: 06a0dd31 06a0dd32

Log source: Web Proxy

 

ISA Server rejected the request with the HTTP status code 0 and will return the following error message to the Web client. "The request was rejected by the HTTP filter."

 

As you can see, this tool is powerful and can help greatly during the troubleshooting of complex scenarios.

 

4. Parsing the log

 

Following the events action by action in Event Viewer is difficult when the server is busy. To resolve this problem, you can use the ISA Server Diagnostic Logging Viewer, which can be downloaded from the Microsoft Download Center. With this tool, you can view the log in HTML format and better track the request ID that appears on the Logging tab. To use this tool, you first need to install Log Parser 2.2 on the system, which is also available from the Microsoft Download Center.

 

For this scenario, the sequence that follows creates an HTML page in the table grid format (-ogrid) in the folder Debug:

 

C:\Program Files\Log Parser 2.2>dlviewer.cmd -ogrid -odir Debug

 

Generating query results. Please wait...

 

Statistics:

-----------

Elements processed: 731

Elements output:    731

Execution time:     0.08 seconds

 

Generating contexts information results. Please wait...

 

Statistics:

-----------

Elements processed: 731

Elements output:    731

Execution time:     0.19 seconds

 

Done. Open Debug\index.html to view the results.

 

When you open the HTML file, a page in the format shown in the following figure appears.

 

 

Figure 4—Improved way to view the logging generated by ISA Server 2004
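As an added example (not code from this article or from the dlviewer.cmd tool), the following Python script does in miniature what the Diagnostic Logging Viewer does for the event sequence in section 3: it parses the Description fields, follows one request by its packet context and reduces the chain to the method, URL, matched rule and final verdict, which makes the "rule allowed, HTTP filter rejected" outcome visible at a glance. The sample records are constructed from the events quoted above; the field names are the ones those records use.

```python
import re

# Constructed sample (not dlviewer output): Description fields of four section 3 events.
SAMPLE_LOG = """Event ID: 30093
Packet context: 06a0dd31 06a0dd32
HTTP method: GET

Event ID: 30105
Packet context: 06a0dd31 06a0dd32
Target URL: /corp/Commun.eml

Event ID: 30008
Packet context: 06a0dd31 06a0dd32
The rule Corp Site matches the packet. The packet is allowed.

Event ID: 30136
Packet context: 06a0dd31 06a0dd32
ISA Server rejected the request with the HTTP status code 0 and will return the following error message to the Web client. "The request was rejected by the HTTP filter."
"""


def parse_events(text):
    """One dict per blank-line-separated event: 'Key: value' lines become fields,
    free text is collected in 'message', 'context' is the first packet context."""
    events = []
    for block in text.strip().split("\n\n"):
        ev = {"message": ""}
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z ]+): (.*)$", line)
            if m:
                ev[m.group(1)] = m.group(2)
            else:
                ev["message"] += line
        ev["context"] = (ev.get("Packet context", "").split() or ["?"])[0]
        events.append(ev)
    return events


def summarize(events, context):
    """Follow one request (by packet context) and reduce its chain to the facts the
    Logging tab shows; the verdict is the last decision seen, so 30136 overrides 30008."""
    s = {"method": None, "url": None, "rule": None, "verdict": "no decision"}
    for ev in (e for e in events if e["context"] == context):
        s["method"] = ev.get("HTTP method", s["method"])
        s["url"] = ev.get("Target URL", s["url"])
        if ev["Event ID"] == "30008":
            s["rule"] = re.search(r"The rule (.+?) matches", ev["message"]).group(1)
            s["verdict"] = "allowed by access rule"
        elif ev["Event ID"] == "30136":
            s["verdict"] = "rejected: " + re.search(r'"(.*)"', ev["message"]).group(1)
    return s
```

On a busy server the same grouping by packet context is what lets you isolate one request's chain from the hundreds of interleaved events that the raw Event Viewer list shows.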

 

5. Conclusion

 

Although fictitious, this scenario shows some of the new features introduced by ISA Server 2004 SP3. For this particular scenario, the issue was an HTTP filter that was blocking files with an .eml extension. To fix this, the rule was opened and the filter was removed as shown in the following figure.

 

 

Figure 5—File extension filter removed

 

These improvements will be available for ISA Server 2006 later this year. For more information, keep watching the ISA Server Web site.

 

 

Special thanks to Ian Parramore and Jonny Sharp for presenting these features at TechReady.

 

 

Yuri Diogenes

Support Engineer – Latin America Team – Platforms

Microsoft

 

 

 

 

Comments
  • Hi

    Thanks a lot for this nice info.

    I have a question here: why is this improvement in MS ISA 2004 SP3 and not in MS ISA 2006?

  • Since SP3 for ISA 2004 was already ready to be shipped, it was decided to include those features in it. But those improvements will soon be available on ISA 2006.

    Thanks for your visit.

  • Security Microsoft and Novell Open Interoperability Lab http://www.microsoft.com/presspass/press/2007/sep07/09-11MSNovellLabsPR.mspx

  • ISA Server 2006 Service Pack 1 Features Introduction Microsoft ® Internet Security and Acceleration (ISA)


  • Glad to see your interesting post! It's very useful and yet true, for sure.

  • Nice post on ISA servers. The latest addition of 2011 is out, right? Not sure, will look into it.

  • Very nice! Thanks for the elaborated steps! They are very easy to understand and replicate!
