ISA Server 2006 Service Pack 1 Features


Introduction

Microsoft® Internet Security and Acceleration (ISA) Server 2006 Service Pack (SP) 1 will be available for your installation pleasure this summer!

This Service Pack introduces new features and improved functionality for ISA Server 2006 Enterprise and Standard Editions. The new features focus primarily on enhanced troubleshooting mechanisms designed to help you identify and resolve ISA Server configuration issues.   Also included in this package are the updates we’ve promised for so long, such as SAN certificate support.

 

 

Service Pack 1 new and improved features

ISA Server 2006 SP1 includes the following new features:

·                     Configuration Change Tracking — logs all configuration changes applied to ISA Server configuration to help you backtrack through your change history.

·                     Web Publishing Rule Test Button — helps you verify that the rule configuration agrees with what is set at the published web server and provides specific suggestions when they disagree.

·                     Traffic Simulator — simulates network traffic as it would be seen by the ISA rules engine and gives you specific information about traffic processing along the way.

·                     Diagnostic Logging Query — an extension to the Diagnostic Logging feature provided in the Supportability Pack, this feature makes it much easier to see only the data that is relevant to the current troubleshooting effort.

 

ISA Server 2006 SP1 also includes such feature improvements as:

·                     Support for Network Load Balancing (NLB) multicast and multicast with IGMP operations (KB 938550)

·                     Support for certificates with multiple Subject Alternative Name (SAN) entries in published web servers

·                     Kerberos Constrained Delegation (KCD) authentication supports trusted-domain user accounts (KB 942637 )

 

For additional feature improvements, see "Improvements to existing features" later in this document.

 

 

Configuration change tracking

When enabled, configuration change tracking logs all configuration changes that are made in ISA Server Management or programmatically using scripts. You can use configuration change tracking as a support tool to determine the cause of an issue that results from a configuration change. Change tracking is disabled by default.

Configuration change tracking output can be viewed in the Change Tracking tab of the Monitoring node in the ISA Server Management console. In ISA Server 2006 Enterprise Edition, you can configure configuration change tracking at the enterprise level. Enabling configuration change tracking on the enterprise enables tracking on all arrays in the enterprise. Enterprise settings override array level settings.

When applying changes at the array and enterprise level together, Change Tracking creates two entries in the output: One entry shows the configuration change at the enterprise level and another entry shows the change at the array level.

 

 

Viewing configuration change tracking output

Each configuration change tracking output entry represents a single configuration change. Entries are sorted by date and time, most recent first.

The following details are provided in the Change Tracking tab:

·                     Time — Displays the date and time of the configuration change.

·                     User — Displays the user name of the person who made the configuration change.

·                     Change Summary — Displays a system-generated description of the configuration change in ISA Server.

·                     Description — Displays the change description that the user entered for the configuration change.

·                     Array — Displays the name of the array where the configuration change was made, or the name of the enterprise if the change was made at the enterprise level (Enterprise Edition only).

·                     Details — Displays an extensive description of the configuration change.

A sample output is shown in figure 1.

 

 Figure 1


 

 

Configuring change tracking

You can configure the following settings for configuration change tracking:

·                     Enable and configure change tracking - you can enable change tracking, specify a maximum number of entries in the change tracking log, and allow users making configuration changes in ISA Server Management to specify a description that will appear in the configuration tracking output.

·                     Filter and search configuration change tracking output.

 

To enable and configure change tracking

1.            In the ISA Server Management console, click the Monitoring node, and then click the Change Tracking tab.

2.            On the Tasks tab, click Configure Change Tracking.

3.            To turn on change tracking, click Enable change tracking.

Note To configure configuration change tracking at the enterprise level, right-click the enterprise node, click Properties, and then click the Change Tracking tab from the Enterprise Properties property sheet.

4.            To allow users to add a change description when making changes, click Prompt for a change description when applying configuration changes.

5.            To specify a maximum number of entries for the change tracking log, enter the number in the Limit number of entries to box. We recommend that you do not configure a limit of more than 10,000. A larger limit may affect performance.

Note When the maximum number of entries is reached, the earliest entries are overwritten.

6.            Click Apply in order to view the entry in the configuration change tracking output.

 

Figure 2 


 

Figure 3 


 

 

Entering a change description

If configuration change tracking is enabled, users making configuration changes in ISA Server Management can enter a description for that change. This description will appear in the configuration change tracking output.

 

To enter a change description

1.            After you make the configuration changes in ISA Server Management, when you click Apply, the Configuration Change Description prompt appears. Type the description of the change.

2.            To create a backup of the pre-change configuration, click Export to open the Export Wizard. For Enterprise Edition, export backs up the entire enterprise.

3.            Click Apply. When you click Apply, the required configuration change is saved, and the description is applied to the change.

4.            When the Saving Configuration Changes status dialog box shows that the operation has completed, click OK. Configuration changes are recorded to the change tracking output.

 

 

Figure 4 



 

Filtering and searching configuration changes

Filter options are accessible at the top of the Change Tracking tab. You can filter the entries by user name and by content. You can also use the shortcut key CTRL+F to search for entries.

 

To search for an entry

1.            In the User name contains box, enter the name of the user who performed the configuration change.

2.            In the Entry contains box, enter a keyword for the search.

Note   You can filter by one or both options.

3.            Click the Apply Filter button. The system executes a search, and then the results are displayed on the Change Tracking tab of the Monitoring node.

 

 

 

Figure 5

 

 

Web Publishing Rule Test

The test rule feature verifies that the configuration settings of the Web publishing rule correspond with the settings on the Web server. In addition, you can use the test rule for troubleshooting when a rule is not working as expected. The test results description can help you to resolve an issue that is detected by the test.

The test rule can be activated from the following wizards and types of rules:

·                     Exchange Web Client Access Publishing Wizard

·                     SharePoint® Site Publishing Rule Wizard

·                     Web Site Publishing Wizard

·                     A rule that publishes a single Web server, Web site, or server farm over HTTP.

·                     A rule that publishes a single Web server, Web site, or server farm over SSL.

Note Even if the published rule is disabled, you can still run the test rule.

 

 

 Figure 6


 Figure 7


 

When you click the Test Rule button, ISA Server first attempts to perform name resolution. After the name is resolved to an IP address, ISA Server tries to establish a TCP/IP connection with the published server. For a publishing rule over Secure Sockets Layer (SSL), the test rule attempts to establish an SSL connection to the published server and also tests the certificate for validity according to the rule configuration. ISA Server then sends an HTTP GET request to the published server and waits for a response. If a response is received, ISA Server compares the server's authentication requirements and methods with the configuration settings in the rule.

Be aware of the following limitations:

·                     When running the test on a publishing rule that applies to all requests (no public name is specified) and Forward the original host header instead of the actual one (specified in the internal site name field) is checked, the test uses the fully qualified domain name (FQDN) of the ISA Server computer as the host header. The test might fail because the published Web server rejects the host header of the ISA Server computer, while actual client traffic may still be allowed, because the host header sent by the client is accepted by the published Web server. The opposite situation can also happen: The test passes because the published Web server accepts the ISA Server computer's host header, while actual client traffic is denied, because the host header sent by the client is rejected by the published Web server.

·                     The test rule button does not check the authentication type on specific files within the folder unless a specific file is published by the rule, using the path.

·                     If authentication is not required on the published server, the test rule checks that the path specified in the publishing rule exists.

·                     If authentication delegation is configured, the test button cannot validate folder existence since the test does not pass credentials to the published server. In this case the test rule is successful if the authentication method configured for the rule matches one of the authentication methods required by the folder specified in the rule. Success does not indicate that the folder exists.

 

 

Running the test

 

To run the test

1.            From the selected publishing wizard, or from the Properties page of the rule, click the Test Rule button.

2.            To view status details on each of the items in the tree, click the item. The corresponding status description can be viewed in the description frame.

3.            Click Close to close the Web publishing rule test results dialog box.

Note You cannot close the dialog box while the test is in progress. You can close the dialog box only after the test process has completed or if you first click Stop.  If you want to stop the test process at any time, click Stop.

 

 Figure 8


 

Test rule error messages

Each of the error messages that appear in the description frame of the test button results dialog box is categorized into one of the following four types of error buckets:

·                     Published server certificate — errors are triggered when validation of the published server certificate fails

·                     Name resolution — errors are triggered when the name of the published server cannot be resolved to its IP address

·                     Connectivity — errors are triggered when ISA Server fails to establish a session with the published server

·                     General — errors are triggered for all other types of issues

The following tables show the list of the most common error codes that may appear when running the Test Rule button and an explanation of each of the errors.

Published server certificate errors:

 

| Error code | Error description | Explanation |
|---|---|---|
| 0x80090308 | The token supplied to the function is invalid. | This happens when the published port is not used for listening to SSL. |
| 0x80090322 | The target principal name is incorrect. | Usually this happens when accessing HTTPS sites and the certificate name on the server doesn’t match the URL with which it’s being accessed. Recommendation: Check the certificate of the published Web site, and then update the name of the published site in the To tab. |
| 0x80090325 | The certificate chain was issued by an authority that is not trusted. | ISA Server doesn’t have the certificate from the root or intermediate certification authority (CA) installed. Recommendation: Import the CA certificate. |
| 0x80090328 | The received certificate has expired. | The certificate on the published server has expired. Recommendation: Replace or renew the certificate on the published server. |

Name resolution errors:

 

| Error code | Error description | Explanation |
|---|---|---|
| 11004 | The requested name is valid, but no data of the requested type was found. | This occurs when the name resolution to the published server (that is published by its NetBIOS name) fails. Recommendation: Check whether the name on the To tab of the published rule is resolvable. |
| 11001 | Host not found. | This occurs when the name resolution to the published server (that is published by its FQDN name) fails. Recommendation: Check whether the name on the To tab of the published rule is resolvable. |

Connectivity errors:

 

| Error code | Error description | Explanation |
|---|---|---|
| 10060 | No connection could be made because the target machine did not respond. | This may be because the server name specified in the rule resolved to an IP address used by an unresponsive host, or a firewall may be blocking that traffic. |
| 10061 | No connection could be made because the target machine actively refused it. | This may be because the incorrect port was specified in the web publishing rule or because the service on the published server is not started. |
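
The staged sequence that the Test Rule button follows (name resolution, TCP connection, SSL handshake with certificate validation, HTTP GET, authentication comparison) and the four error buckets above, written in Python as an added example; this is not ISA Server's own code. The function name `probe_published_server`, its parameters and the single-scheme `rule_auth` comparison are assumptions made for illustration.

```python
import http.client
import socket
import ssl
import sys
from typing import NamedTuple, Optional

# The four error buckets named on this page.
NAME_RESOLUTION = "Name resolution"
CONNECTIVITY = "Connectivity"
CERTIFICATE = "Published server certificate"
GENERAL = "General"


class ProbeResult(NamedTuple):
    ok: bool
    bucket: Optional[str]  # None when the probe succeeds
    detail: str


def offered_auth_schemes(headers):
    """Return the lower-cased scheme of each WWW-Authenticate header.

    Assumes one challenge per header line (for example "Negotiate", "NTLM").
    """
    return {value.split()[0].lower() for name, value in headers
            if name.lower() == "www-authenticate" and value.strip()}


def probe_published_server(host, port, path="/", use_ssl=False,
                           rule_auth=None, timeout=5.0, ssl_context=None):
    """Hypothetical helper: run the staged checks and stop at the first failure.

    rule_auth is the authentication scheme the rule is assumed to delegate
    (for example "NTLM"), or None when the rule delegates nothing.
    """
    # Stage 1: name resolution.
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ProbeResult(False, NAME_RESOLUTION, str(exc))

    # Stage 2: TCP connection to the first resolved address.
    try:
        sock = socket.create_connection(infos[0][4][:2], timeout=timeout)
    except OSError as exc:  # refused, timed out, unreachable
        return ProbeResult(False, CONNECTIVITY, str(exc))

    # Stage 3: SSL/TLS handshake and certificate validation (SSL rules only).
    if use_ssl:
        context = ssl_context or ssl.create_default_context()
        try:
            sock = context.wrap_socket(sock, server_hostname=host)
        except ssl.SSLCertVerificationError as exc:
            sock.close()
            return ProbeResult(False, CERTIFICATE, exc.verify_message)
        except (ssl.SSLError, OSError) as exc:  # e.g. port is not an SSL listener
            sock.close()
            return ProbeResult(False, CERTIFICATE, "handshake failed: %s" % exc)

    # Stage 4: HTTP GET over the socket that passed the earlier stages.
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.sock = sock
    try:
        conn.request("GET", path)
        response = conn.getresponse()
        response.read()
        status, headers = response.status, response.getheaders()
    except (OSError, http.client.HTTPException) as exc:
        return ProbeResult(False, GENERAL, "no HTTP response: %s" % exc)
    finally:
        conn.close()

    # Stage 5: compare what the server demands with what the rule delegates.
    if status == 401:
        schemes = offered_auth_schemes(headers)
        if rule_auth and rule_auth.lower() in schemes:
            # No credentials were sent, so this does not prove the path exists.
            return ProbeResult(True, None,
                               "authentication method matches; path existence not verified")
        return ProbeResult(False, GENERAL,
                           "server offers %s, rule delegates %s" % (sorted(schemes), rule_auth))
    if status < 400:
        return ProbeResult(True, None, "path exists (HTTP %d)" % status)
    return ProbeResult(False, GENERAL, "HTTP %d for %s" % (status, path))


if __name__ == "__main__":
    # Usage: python probe.py HOST PORT [PATH]
    target_path = sys.argv[3] if len(sys.argv) > 3 else "/"
    print(probe_published_server(sys.argv[1], int(sys.argv[2]), target_path))
```

As with the Test Rule button, a match on the authentication method is reported as success even though the path itself was never fetched with credentials.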

 

For more details on error codes, see:

-      ISA Error Codes

-      System Error Codes

-      WinInet Error Codes

-      Winsock Error Codes

 

 

Traffic Simulator

Traffic simulator simulates network traffic in accordance with specified request parameters and provides information about firewall policy rules that are evaluated for the request. This feature can help you to troubleshoot communication issues that users may have with the destination server. For example, a user from the internal corporate network tries to access an external Web server but is denied access. Traffic simulator scans through all of the published rules correlating with the scenario. The administrator can then check the results to determine how to resolve the issue. In addition, this feature can verify the functionality of a new policy rule by testing traffic that would be handled by the new rule.

Traffic simulator can be run from a remote management machine and operates on a per-array basis. You select a specific array server on which you want to run the traffic simulator.

Important Traffic simulator checks rules only on the basis of what is allowed or denied by the firewall engine. If traffic is blocked or allowed based on application filter settings, or HTTP filter, this is not known to Traffic simulator. This means that even if simulated traffic is allowed, real traffic may be blocked by a filter.

 

 

Configuring traffic simulator

Following is a list of the different firewall policy scenarios that can be simulated:

·                     Web access — Simulates traffic handled by an access rule allowing or denying Web access to a Web proxy client.

·                     Non-Web access — Simulates traffic between an internal client making non-HTTP requests for resources in another network.

·                     Web publishing — Simulates traffic from external clients making requests to internal Web servers (requests that are handled by ISA Server Web publishing rules).

·                     Server publishing — Simulates traffic between an external client and a non-HTTP published server.

The results of the simulation for the configuration properties of the policy rules are displayed at the bottom of the screen. You can check any of the setting details in the following list to evaluate the cause of any network issues.

| Setting | Description |
|---|---|
| Rule Name | Displays the name of the policy rule used by the request. |
| Rule Order | Displays the order number of the rule from the Firewall policy rules. |
| From | Displays the source network from which the traffic is initiated. |
| To | Displays the destination network where the traffic is being sent. |
| Network Rule name | Specifies the name of the network rule used. |
| Network Relationship | Specifies the network relationship in the policy rule as either network address translation (NAT) or Route. |
| Protocol | Specifies the protocol used to establish the connection (for example, HTTP). |
| Rule Application Filters | Used by the application filter types defined in the published rule. |

 

Simulating traffic scenarios

To run the traffic simulation, first configure the traffic scenario settings, as follows:

 

To simulate traffic for Web proxy access to the Internet

1.            In the ISA Server Management console, in the Troubleshooting node, click the Traffic Simulator tab.

2.            From the Simulation Scenarios options, click Web access.

3.            In Source Parameters, configure the source request settings.

4.            Select whether traffic is to be sent from an anonymous user or from the user of the source computer.

5.            In Destination Parameters, in the URL box, type the URL address of the target site.

6.            In Server, select the server from which you are running the traffic simulator.

7.            Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.

8.            Click Start.

9.            If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario in the Diagnostic Logging tab.

 

 

 

Figure 9 


 

To simulate traffic for non-HTTP access connection

1.            In the ISA Server Management console, in the Troubleshooting node, click the Traffic Simulator tab.

2.            In Simulation Scenarios, click Non-Web access.

3.            In the IP address box, enter the network IP address of the source server.

4.            In Destination/Source Parameters, configure the request settings.

5.            In Server, select the server from which you are running the traffic simulator.

6.            Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.

7.            Click Start.

8.            If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario in the Diagnostic Logging tab.

 

Figure 10 


 

To simulate traffic to a published Web server

1.            In the ISA Server Management console, in the Troubleshooting node, click the Traffic Simulator tab.

2.            In Simulation Scenarios, click Web publishing.

3.            In Source Parameters, configure the source request settings.

4.            In Destination Parameters, in the URL box, type the URL address of the target site.

Note The URL is the one published by ISA Server. The URL is specified in the Public Name tab. ISA Server must be able to resolve it to its external IP, otherwise the simulation fails.

5.            In Server, select the server from which you are running the traffic simulator.

6.            Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.

7.            Click Start.

8.            If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario in the Diagnostic Logging tab.

 

 

Figure 11 


 

To simulate traffic to a non-HTTP published server

1.            In the ISA Server Management console, in the Troubleshooting node, click the Traffic Simulator tab.

2.            In Simulation Scenarios, click Server Publishing.

3.            In the Destination/Source Parameters box, configure the request settings.

4.            In Server, select the server from which you are running the traffic simulator.

5.            Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.

6.            Click Start.

7.            If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario in the Diagnostic Logging tab.

 

Figure 12 


Diagnostic Logging Query

Diagnostic logging tracks the behavior of ISA Server policy components. It enhances traditional log information by tracing the flow of a specific packet through the ISA rules engine. It reports on packet progress and provides information about traffic handling and rule matching. Diagnostic logging can be configured and viewed on the Diagnostic Logging tab of the Troubleshooting node in ISA Server Management. When diagnostic logging is enabled, it automatically logs events for firewall policy access and authentication issues.

For more information about diagnostic logging, see Using diagnostic logging on Microsoft TechNet.

 

 

Configuring diagnostic logging

You can use diagnostic logging as follows:

·                     Enable diagnostic logging to capture information about all traffic packets processed. Information is captured until diagnostic logging is turned off or size limits are reached. You can configure log limit and timeout values, and delete events in the log.

·                     To run diagnostic logging remotely, you must add the remote computer to the array-level system policy rule “Allow remote management from selected computers using MMC”.  Errors may appear if this is not done.

To enable and disable diagnostic logging

1.            In the ISA Server Management console in the Troubleshooting node, click the Diagnostic Logging tab.

2.            On the Tasks tab, click Enable Diagnostic Logging to turn logging on.

3.            After you click Enable Diagnostic Logging, click Disable Diagnostic Logging to turn logging off. 

Note Disable diagnostic logging when not required. If enabled for an extended period, ISA Server performance might be affected.

The following limits are imposed in diagnostic logging:

·                     The maximum number of entries that can be handled by the query is 10000.

·                     There is a timeout of 30 seconds if the query did not complete. If the query times out, a pop up containing an error is displayed. Before you rerun the query, modify the filter.

Limits can be modified using the registry as follows:

To configure diagnostic logging limits

1.            Click Start. In the Run dialog box, type Regedit.

2.            Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.

3.            Right-click Microsoft, create the following key if it does not exist: RAT\Stingray\Debug\UI.

4.            Right-click UI, click New, and then click DWORD (32-bit). Create the value DIALOG_QUERY_MAX_RECORDS, and specify a maximum value for the number of entries that can be handled by the query. Then create another value, DIAGLOG_DLVIEWER_TIMEOUT, and specify the query timeout value.

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:  256986 (http://support.microsoft.com/kb/256986/) Description of the Microsoft Windows registry.

 

Delete events from the diagnostic logging output pane as follows:

To delete diagnostic logging events

1.            In the ISA Server Management console, in the Troubleshooting node, click the Diagnostic Logging tab.

2.            On the Tasks tab, click Delete Diagnostic Logging Events. The events from the diagnostic logging tab are deleted.

 

To run diagnostic logging remotely, add the remote management computer to the required ISA Server system policy rule as follows:

To add a remote management computer to the remote management system policy rule

1.            In the ISA Server Management console, in the Firewall Policy node, double-click the system policy rule Allow remote management from selected computers using MMC.

2.            Select Remote Management Computers from the From tab and click Edit.

3.            Verify that the name of the remote management computer is included in the computer set. If not included, add the remote management computer.

4.            Click OK.

 

Filtering the diagnostic log

Diagnostic logging events can be filtered and searched for specific information. You can filter for a specific request and query the results of traffic simulator output.

To distinguish the current view of the diagnostic logging events, the top section of the logging results pane displays a status line which includes the following details:

·         Server

·         Context ID

·         Message Contains

A context ID is a random 8-digit hex number which represents an ISA Server operation such as a TCP or UDP connection, an HTTP session or request, or a VPN client connection. When you run traffic simulator, the context ID is displayed automatically in the diagnostic logging results pane. If you need to identify a context ID manually, do the following:

To identify a context ID

1.            In ISA Server Management console, click the Monitoring node.

2.            Click Start Query to start logging without filtering on specific criteria.

3.            Click Edit Filter to specify that the query should run with specific parameters such as Rule or Destination IP. Then click Start Query to start logging based on filter criteria.

4.            The unique ID of a request is not displayed by default in the ISA Server Management console. To display it, right-click one of the column headings for the log entries, and then click Add/Remove Columns.

5.            From the Available Columns list, select Filter Information, and then click Add.

6.            When Filter Information appears in the Displayed Columns list, click OK to close the Add/Remove Columns dialog box.

7.            In the Filter Information properties displayed for the rule, make a note of the Req ID property for the required rule.

 

 

 

To filter for diagnostic logging events

1.            In the ISA Server Management console in the Troubleshooting node, click the Diagnostic Logging tab.

2.            To filter by message string, in Message contains, enter the message string that is contained in the message of the event log.

Note The query run on the message string is on the whole phrase, even if there are spaces between words. For example if the string in Message contains is Hello World, the query searches for the whole string and not Hello and World. 

3.            To filter by context, in Context contains, enter the context ID of the event log you are searching. The context IDs that are generated from the traffic simulator have the prefix FFF.

4.            Select the server from which the events you would like to view originated.

 

Figure 13 


Improvements to Existing Features

Several ISA Server 2006 features have been modified in SP1. The changes in these features are described in this section.

 

 Multicast support for integrated NLB

Previous versions of ISA Server supported integrated Network Load Balancing (NLB) in unicast mode only. This compromised the use of bidirectional affinity (BDA).  In unicast mode, computers in an NLB cluster are all designated a single virtual IP address by ISA Server. The NLB driver assigns a new unicast MAC to all computers to be used by the virtual IP. When traffic arrives, the switch that controls which computer to send packets cannot differentiate between ports; therefore because all computers in the cluster share the same virtual address, traffic is sent to all ports in the switch. This behavior causes switch flooding. In multicast mode, NLB designates a multicast MAC address to all computers in the cluster. Multicast combined with Internet Group Management Protocol (IGMP) prevents all ports being flooded.

SP1 adds support for unicast, multicast, and multicast with IGMP modes.

For configuration steps and more details, see Microsoft article 938550: An update enables multicast operations for ISA Server integrated NLB. http://support.microsoft.com/kb/938550/.

KCD authentication for cross domain user accounts

Credentials from users located in a trusted domain can now be delegated to an internal published Web site when using KCD.

For more details, see Knowledge Base article 942637, http://support.microsoft.com/kb/942637/.

 

Secondary client certificate validation without mapping to Active Directory

Client certificates used as the secondary authentication method to Forms-Based authentication in ISA Server do not need to be validated against an Active Directory® user account. Previously in this scenario, ISA was required to be a domain member. The administrator would have to ensure that each client certificate mapped to a user account in Active Directory. Such authentication was available only for ISA Server in the domain and when FBA with Active Directory was configured as the primary authentication method. With the new option, ISA Server in the workgroup can accept client certificates issued from any CA for which a certificate is included in the local machine Trusted Root store. If you limit the trusted roots only to your enterprise CA, then ISA Server will accept only users who were granted a client certificate by your organization.

Note Client certificate mapping to Active Directory user account is still possible and functions as it did prior to SP1. With SP1, you also have the option to authenticate client certificates without mapping.

Note This new feature is limited to scenarios where client certificate authentication is used as a secondary authentication method with Forms-Based authentication (FBA). If client certificates are used as the primary authentication method, ISA must still be a domain member to satisfy this authentication method.

 

Support for use of server certificates containing multiple Subject Alternative Name (SAN) entries

Certificates with multiple SAN entries are now supported at the web-published servers.

Previously, ISA Server was able to use only either the subject name (common name) of a server certificate, or the first entry in the SAN list. For more information about this limitation, see this ISABlog.
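
The effect of this change on name checking, as an added Python example that is not ISA Server's code: `SAMPLE_CERT` is a constructed certificate, the pre-SP1 branch considers only the common name and the first SAN entry as described above, and the SP1 branch is assumed to consider the common name and every SAN entry. Wildcard matching goes beyond what this page states and follows the usual left-most-label rule.

```python
# Constructed certificate, in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.test"),),),
    "subjectAltName": (
        ("DNS", "mail.example.test"),
        ("DNS", "autodiscover.example.test"),
        ("DNS", "*.farm.example.test"),
    ),
}


def common_name(cert):
    """Return the subject common name, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def san_dns_names(cert):
    """Return the DNS entries of the SAN list, in certificate order."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def names_checked(cert, sp1):
    """Names the published-server name is compared against.

    sp1=False: common name plus only the first SAN entry (behaviour described above).
    sp1=True:  common name plus every SAN entry (assumed SP1 behaviour).
    """
    names = []
    cn = common_name(cert)
    if cn:
        names.append(cn)
    sans = san_dns_names(cert)
    names.extend(sans if sp1 else sans[:1])
    return names


def hostname_matches(host, pattern):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    host = host.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if "*" not in pattern:
        return host == pattern
    head, _, tail = pattern.partition(".")
    if head != "*" or "*" in tail or "." not in host:
        return False
    # The wildcard stands for exactly one label.
    return host.partition(".")[2] == tail


def name_check(host, cert, sp1):
    """True when the name configured for the published server matches the certificate."""
    return any(hostname_matches(host, name) for name in names_checked(cert, sp1))


if __name__ == "__main__":
    for published in ("mail.example.test", "autodiscover.example.test",
                      "web1.farm.example.test"):
        print(published,
              "pre-SP1:", name_check(published, SAMPLE_CERT, sp1=False),
              "SP1:", name_check(published, SAMPLE_CERT, sp1=True))
```

A name that appears only as the second or later SAN entry fails the pre-SP1 check, which is the mismatch reported as error 0x80090322 in the Test Rule error table.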

 

RSA SecurID supports public timeout

For RSA SecurID authentication, a new form has been introduced that gives the user the option to select between a public or private session timeout.

 

Improved Web Publishing Load Balancing (WPLB) cookie handling

ISA Server now saves the domain of the server to which the user is connected. Even if there are two separate rules for the same server farm, the user is not redirected to another server within the farm. ISA Server saves the domain to a cookie. A fix for this issue was previously included in a private hotfix. See Microsoft Knowledgebase article 945224.

 

Filtering RPC Access rule traffic by UUID

You can now filter remote procedure call (RPC) traffic by universally unique identifier (UUID) within an access rule. Previously, an access rule controlling RPC traffic could not be restricted by RPC interface UUID.

The RPC-filtered protocol can be added to the protocols list by selecting New RPC protocol in the Protocols option in Toolbox. You can now add the UUIDs for restricting clients. A fix for this issue was previously included in a private hotfix. See Microsoft Knowledgebase article 943212.
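What "filtering by interface UUID" inspects on the wire: the added example below (not ISA Server's RPC filter) extracts the interface UUIDs from a connection-oriented DCE/RPC bind PDU and checks them against an allow list, failing closed on malformed input. It handles only the bind PDU in little-endian data representation; the interface UUIDs and the PDU are constructed.

```python
import struct
import uuid

BIND = 11  # PDU type of a connection-oriented DCE/RPC bind request
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax

def bind_interfaces(pdu):
    """Return the interface UUIDs a client asks for in a bind PDU."""
    if len(pdu) < 28:
        raise ValueError("truncated bind PDU")
    version, ptype, drep = pdu[0], pdu[2], pdu[4]
    if version != 5 or ptype != BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    if drep >> 4 != 1:
        raise ValueError("only little-endian data representation is handled")
    frag_len = struct.unpack_from("<H", pdu, 8)[0]
    if frag_len > len(pdu):
        raise ValueError("fragment longer than captured data")
    offset, found = 28, []           # 16-byte header + 12 bytes before the list
    for _ in range(pdu[24]):         # n_context_elem
        if offset + 24 > frag_len:
            raise ValueError("context list runs past the fragment")
        n_transfer = pdu[offset + 2]
        found.append(uuid.UUID(bytes_le=bytes(pdu[offset + 4:offset + 20])))
        offset += 24 + 20 * n_transfer   # skip this element's transfer syntaxes
    return found

def rule_allows(pdu, allowed):
    """Fail closed: every requested interface must be on the allow list."""
    try:
        requested = bind_interfaces(pdu)
    except ValueError:
        return False
    return bool(requested) and all(u in allowed for u in requested)

def build_bind(interfaces):
    """Build a constructed bind PDU so the example runs without a capture."""
    body = struct.pack("<HHIBBH", 4280, 4280, 0, len(interfaces), 0, 0)
    for ctx_id, iface in enumerate(interfaces):
        body += struct.pack("<HBB", ctx_id, 1, 0) + iface.bytes_le
        body += struct.pack("<HH", 1, 0) + NDR.bytes_le + struct.pack("<I", 2)
    header = struct.pack("<BBBB4sHHI", 5, 0, BIND, 3, b"\x10\x00\x00\x00",
                         16 + len(body), 0, 1)
    return header + body

# Constructed interface UUIDs, not real services.
PERMITTED = uuid.UUID("11111111-2222-3333-4444-555555555555")
OTHER = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
ALLOW_LIST = {PERMITTED}
```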

 

Alert Improvements

Alert improvements include the following:

New alert indicator

When a new error type alert is generated, the upper section of the details pane is now highlighted in red.

New alert for logging failure

A new alert, Long Write Time Excessive, indicates when ISA Server logging fails. By default, if the logging process takes longer than 15 seconds, this alert is generated.  This will help the ISA administrator identify logging problems before they cause the server to go into lockdown for log failures.

New alert for exceeding virtual memory threshold of WSPSRV service

A new alert has been created that monitors the amount of virtual memory consumed by the WSPSRV process (the Microsoft firewall service). By default, the monitoring is off. To enable it, configure the threshold of virtual memory through the registry. When the virtual memory used by the WSPSRV process exceeds the specified threshold, an alert is activated. You can configure the alert to stop and then start the service on the Actions tab of the Alert Actions dialog box.

For more details, see the Knowledge Base article 941296.

 

New performance counter

A performance counter has been added to measure the kilobytes per second for an HTTP/HTTPS request/response. This feature serves as an indicator to help administrators determine how to improve performance of an HTTP/HTTPS request/response process. The counter filters out noise such as weak Web servers that respond too slowly or extremely long responses such as large files or RPC over HTTP.

The following script shows how the performance counter is configured. 

 

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE
' ENTIRE RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE
' REMAINS WITH THE USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR
' WITHOUT MODIFICATION, IS HEREBY PERMITTED.
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"

SetValue "RequestProcessingTimeLowBoundary", 5 ' milliseconds
SetValue "RequestProcessingTimeHighBoundary", 200 ' milliseconds
SetValue "RequestSizeLowBoundary", 0 ' bytes
SetValue "RequestSizeHighBoundary", 5000 ' bytes

Sub SetValue(paramName, newValue)

    ' Create the root object.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim isaArray    ' An FPCArray object
    Dim vendorSets  ' An FPCVendorParametersSets collection
    Dim vendorSet   ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and the vendor parameters set of the array object.
    Set isaArray = root.GetContainingArray()
    Set vendorSets = isaArray.VendorParametersSets

    ' From here on, errors are checked explicitly through Err.Number.
    On Error Resume Next
    Set vendorSet = vendorSets.Item(SE_VPS_GUID)
    If Err.Number <> 0 Then
        Err.Clear

        ' Add the vendor parameters set.
        Set vendorSet = vendorSets.Add(SE_VPS_GUID)
        CheckError
        WScript.Echo "The vendor parameters set " & vendorSet.Name _
            & " was added."
    Else
        WScript.Echo "The value " & paramName & " = " _
            & vendorSet.Value(paramName) & " was found."
    End If

    ' Write and save the parameter only if it differs from the new value.
    If vendorSet.Value(paramName) <> newValue Then
        Err.Clear
        vendorSet.Value(paramName) = newValue
        If Err.Number <> 0 Then
            CheckError
        Else
            vendorSets.Save False, True
            CheckError
            If Err.Number = 0 Then
                WScript.Echo "The new value for " & paramName _
                    & " was saved."
            End If
        End If
    Else
        WScript.Echo "No change is needed for " & paramName & "."
    End If
End Sub

Sub CheckError()

    ' Report the pending error, if any, and clear it.
    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " _
            & Err.Description
        Err.Clear
    End If
End Sub

 

 

Jim Harrison
Forefront Edge; ISA Sustained Engineering

If We Can't Fix It - It Ain't Broke!

Comments
  • Hello friends: ISA Server 2006 SP1 comes with new monitoring and diagnostic tools. Also

  • Finally there is news about ISA Server 2006 again: the first Service Pack is due in this

  • It isn't here yet but with the amount of information coming out of Microsoft about it lately, I suspect it will be out soon. I've put the entries important to me in bold. SP1 - New and improved features: Configuration Change Tracking — logs all con

  • There is a new post about the new features of ISA Server 2006 SP1 in the ISA Server Team blog. One of

  • It is well known that I love ISA Server, but the arrival of SP1 marks a new milestone for ISA. The

  • This is because I finished teaching the ISA course and said that there is no SP for ISA 2006 (apart from

  • Microsoft's Push for Exchange Online Fast Guide: How to improve Outlook Web Access security Why Exchange

  • ISA Server 2006 SP1 will be available this summer and will bring its share of new features (some of which

  • It is nice to see how the growing use of blogs is enabling at Microsoft a different timing in the release

  • Great news from the ISA Server team. Service Pack 1 for ISA Server is expected to be released in the summer

  • Hi Folks,

    Looks like we need to clarify a feature.

    The certificate authentication change is only for client certificates when used as a secondary auth method to Forms-Based Authentication (FBA).

    When client certs are the primary auth method, ISA must still be a member of an Active Directory domain.

    The reason we haven't loosened this requirement for primary authentication is that ISA intentionally limits KCD to accounts which have been previously authenticated.  If the client certificate is "only trusted" instead of authenticated, then KCD will not be used.

  • Too bad..still no possibility to search through the ruleset (for example to see where a certain source or protocol is used)

    That would be a really strong feature in my opinion.

    For the rest, nice!

    Enrico Klein

  • Is SP1 going to support 64 bit systems?

  • SP1 includes new features, which are: Change Tracking: a tool that tracks all changes

  • News Microsoft Internet Security and Acceleration Server Forefront Threat Management Gateway, the Next
