Monitoring Real-Time Information
You can monitor real-time information by configuring alerts that are raised when specific events occur. You can also collect real-time information about client connections, server performance, and connectivity on ISA Server. Consider the following when you create a monitoring and reporting strategy:
1- Decide the events to which you must be alerted in real time ISA Server can raise alerts based on almost any event that occurs. In most cases, you do not need to be apprised in real time about every alert. For example, if ISA Server blocks a single spoofing attack, you probably do not need to receive an alert. However, if the connection between ISA Server and a business-critical published Web server fails, you might decide that you must receive an alert. If you are using SMTP Message
Screener, and suddenly the volume of e-mail passing through the message screener increases tenfold, you must be notified about this immediately to reduce the impact of a potential virus outbreak.
2- Determine the threshold for the alert As part of deciding which events will raise alerts, you must also determine the threshold for when ISA Server will raise the alerts. If ISA Server detects hundreds of spoofing attacks within minutes, then you probably want to receive an alert. If a single VPN client fails to authenticate once, you are probably not interested. However, if the same client tries to authenticate many times, you may want to be alerted.
3- Monitor ISA Server using the ISA Server Management Console and Performance Monitor You can also collect real-time information from ISA Server using the ISA Server Management Console and the Performance Monitor. In many cases, you might use these tools for real-time analysis only when a problem is reported.For example, if users report that the Internet connection is slower than usual, you can use these tools to determine why. If you use the Performance Monitor, use the preconfigured ISA Server Performance Monitor to monitor the most important counters on ISA Server.
Collecting Long-Term Information
In addition to the real-time information that you can collect on ISA Server, you should also develop a strategy to collect long-term information on ISA Server. Categories of information that you should collect include the following:
1- Performance-related information To prepare for future modifications to the ISA Server infrastructure, regularly collect information about ISA Server performance. As a best practice, collect information about the performance to establish a baseline and then regularly collect the same types of information to determine how the performance on ISA Server is changing.
2- Usage information Regularly collect usage reports. This is useful for future planning and to monitor the current activity on the server.
3- Security-related information Collect information about security-related events. This information allows you to develop a baseline of the normal security events, which makes it easier to detect an anomaly to that regular pattern. This information may also be useful to track the progress of a successful attack so that you can prevent such an attack in the future.
You can monitor real-time information by configuring alerts that are raised when specific events occur. You can also collect real-time information about client connections, server performance, and connectivity on ISA Server. Consider the following when you create a monitoring and reporting strategy:
1- Decide the events to which you must be alerted in real time ISA Server can raise alerts based on almost any event that occurs. In most cases, you do not need to be apprised in real time about every alert. For example, if ISA Server blocks a single spoofing attack, you probably do not need to receive an alert. However, if the connection between ISA Server and a business-critical published Web server fails, you might decide that you must receive an alert. If you are using SMTP Message
Screener, and suddenly the volume of e-mail passing through the message screener increases tenfold, you must be notified about this immediately to reduce the impact of a potential virus outbreak.
2- Determine the threshold for the alert As part of deciding which events will raise alerts, you must also determine the threshold for when ISA Server will raise the alerts. If ISA Server detects hundreds of spoofing attacks within minutes, then you probably want to receive an alert. If a single VPN client fails to authenticate once, you are probably not interested. However, if the same client tries to authenticate many times, you may want to be alerted.
3- Monitor ISA Server using the ISA Server Management Console and Performance Monitor You can also collect real-time information from ISA Server using the ISA Server Management Console and the Performance Monitor. In many cases, you might use these tools for real-time analysis only when a problem is reported.For example, if users report that the Internet connection is slower than usual, you can use these tools to determine why. If you use the Performance Monitor, use the preconfigured ISA Server Performance Monitor to monitor the most important counters on ISA Server.
Collecting Long-Term Information
In addition to the real-time information that you can collect on ISA Server, you should also develop a strategy to collect long-term information on ISA Server. Categories of information that you should collect include the following:
1- Performance-related information To prepare for future modifications to the ISA Server infrastructure, regularly collect information about ISA Server performance. As a best practice, collect information about the performance to establish a baseline and then regularly collect the same types of information to determine how the performance on ISA Server is changing.
2- Usage information Regularly collect usage reports. This is useful for future planning and to monitor the current activity on the server.
3- Security-related information Collect information about security-related events. This information allows you to develop a baseline of the normal security events, which makes it easier to detect an anomaly to that regular pattern. This information may also be useful to track the progress of a successful attack so that you can prevent such an attack in the future.
