Planning a Monitoring and Reporting Strategy

Monitoring Real-Time Information
You can monitor real-time information by configuring alerts that are raised when specific events occur. You can also collect real-time information about client connections, server performance, and connectivity on ISA Server. Consider the following when you create a monitoring and reporting strategy:

1- Decide the events to which you must be alerted in real time ISA Server can raise alerts based on almost any event that occurs. In most cases, you do not need to be apprised in real time about every alert. For example, if ISA Server blocks a single spoofing attack, you probably do not need to receive an alert. However, if the connection between ISA Server and a business-critical published Web server fails, you might decide that you must receive an alert. If you are using SMTP Message
Screener, and suddenly the volume of e-mail passing through the message screener increases tenfold, you must be notified about this immediately to reduce the impact of a potential virus outbreak.

2- Determine the threshold for the alert As part of deciding which events will raise alerts, you must also determine the threshold for when ISA Server will raise the alerts. If ISA Server detects hundreds of spoofing attacks within minutes, then you probably want to receive an alert. If a single VPN client fails to authenticate once, you are probably not interested. However, if the same client tries to authenticate many times, you may want to be alerted.

3- Monitor ISA Server using the ISA Server Management Console and Performance Monitor You can also collect real-time information from ISA Server using the ISA Server Management Console and the Performance Monitor. In many cases, you might use these tools for real-time analysis only when a problem is reported.For example, if users report that the Internet connection is slower than usual, you can use these tools to determine why. If you use the Performance Monitor, use the preconfigured ISA Server Performance Monitor to monitor the most important counters on ISA Server.

Collecting Long-Term Information
In addition to the real-time information that you can collect on ISA Server, you should also develop a strategy to collect long-term information on ISA Server. Categories of information that you should collect include the following:

1- Performance-related information To prepare for future modifications to the ISA Server infrastructure, regularly collect information about ISA Server performance. As a best practice, collect information about the performance to establish a baseline and then regularly collect the same types of information to determine how the performance on ISA Server is changing.

2- Usage information Regularly collect usage reports. This is useful for future planning and to monitor the current activity on the server.

3- Security-related information Collect information about security-related events. This information allows you to develop a baseline of the normal security events, which makes it easier to detect an anomaly to that regular pattern. This information may also be useful to track the progress of a successful attack so that you can prevent such an attack in the future.

Implementing Monitoring and Reporting

Planning a Monitoring and Reporting Strategy

Why You Should Implement Monitoring
ISA Server is a critical component in an organization’s network infrastructure. If ISA Server is deployed as an Internet-edge firewall, it operates as a firewall that secures the internal network. ISA Server may also be providing secure access to Internet resources for internal clients and access to specified internal resources for Internet clients. If ISA Server is not available, this functionality is disrupted. If ISA Server is being attacked from the Internet, the internal network may be at risk.

There are many reasons for monitoring ISA Server. Some of these include the following:
1- Monitoring traffic flow between networks You must monitor traffic between networks to ensure that your access rules are correctly configured and that only the expected traffic passes through ISA Server. You also need to monitor ISA Server regularly to identify normal and legitimate traffic passing through the server. After you identify a typical traffic pattern, you can detect any variation that
might indicate a potential problem.

2- Troubleshooting network connectivity Monitoring ISA Server is a critical component of troubleshooting network connectivity. For example, if users report that they cannot access resources on the Internet, you can connect to ISA Server to help locate the problem. In this scenario, the problem might be with the client configuration, the ISA Server configuration, or the availability of the Internet resource. By monitoring ISA Server, you can begin troubleshooting by identifying the option most likely to be the source of the problem.

3- Investigating attacks If ISA Server is operating as a firewall, it will inevitably be exposed to attacks from the Internet. If ISA Server is configured correctly, it can detect and block most attacks. However, even if ISA Server successfully blocks the attacks, you should still be aware that the attacks are occurring and be aware of any variations in the normal attack patterns. If a new attack is launched against ISA Server, you must be alerted as quickly as possible that the attack is occurring so that you can determine how to respond to the attack. After the attack is finished, you should also have enough information logged on the ISA Server computer to investigate the attack. Even if the attack fails, investigate the attack pattern to detect possible patterns that may lead to additional attack attempts.

4- Planning By monitoring the computer running ISA Server, you can also gather information you can use for planning modifications to the current ISA Server infrastructure. By collecting performance data over a period of time, you can identify trends and use this information for planning future deployments of ISA Server.