Microsoft® Internet Security and Acceleration (ISA) Server 2004 with Service Pack 3 (SP3) provides diagnostic improvements that make troubleshooting much easier. For a summary of the components of this update, see “ISA Server 2004 Service Pack 3” at the Microsoft TechNet Web site.
This article explains some of the advantages of using this service pack while troubleshooting an issue on ISA Server 2004. The scenario is that ISA Server 2004 SP3 is publishing a corporate Web site, and when users try to access one specific page, they receive the following error.
Figure 1—Page error when users are trying to access the corporate page through the Internet
According to users, they can access this page without a problem when they are on the Internal network.
2. Details about logging
To gather more information about this error, you can use the monitoring and logging features available in ISA Server 2004 and extended with SP3. With SP3, the Logging tab is divided into two panes: the regular real-time log and a details pane for the selected log entry. For this scenario, we created a filter to log all HTTP traffic, and we used this to reproduce the issue. The following figure shows the result.
Figure 2—New Logging tab with the details pane.
By default, denied connections are shown in red and allowed connections in green. You can customize these colors with the Define Log Text Colors option on the Tasks tab.
In the details pane, you can see the main aspects of the connection and the reason why it was denied. For this scenario, the following are emphasized:
· Status—Summarizes the reason for the rejection.
· Rule—Shows the rule that was matched for this connection.
· Request—Shows the method that was used to access the page.
· Filter information—Shows the request ID (Req ID) and the information about the ISA Server filter that was used for this access.
Based on that brief explanation, we can create some hypotheses and take actions based on those hypotheses. However, with ISA Server 2004 SP3, it is possible to see even more details about the connection and better understand how it was processed.
3. Diagnostic logging
Diagnostic logging is a new feature introduced with SP3. This feature provides over 200 new events about the status of your ISA Server computer, as well as information about configuration and policy issues. With it, you can follow the actions that ISA Server 2004 takes when it analyzes and processes a request.
To enable this option, go to the new Troubleshooting node and click Configure Diagnostic Logging.
Figure 3—Diagnostic Logging dialog box
It is important to emphasize that when this option is enabled, ISA Server 2004 performance can decrease. We recommend disabling this logging after you find the information that you are looking for.
In this scenario, we enabled this option and reproduced the issue. After reproducing this issue, we can either open this window again and click View Log Data or open Event Viewer and click the ISA Server Diagnostics node.
For this specific scenario, the following sequence (along with other events) was logged:
1. ISA Server 2004 receives the connection request:
2. The method used to retrieve this page is analyzed:
3. The target URL is analyzed:
4. After analysis of the rules, ISA Server 2004 finds the rule that matches the traffic:
5. Now ISA Server 2004 looks for rules that match the protocol itself for filtering purposes:
6. After processing the HTTP filter, ISA Server 2004 shows the following result:
As you can see, this tool is powerful and can help greatly during the troubleshooting of complex scenarios.
4. Parsing the log
Following a request action by action in Event Viewer is difficult when the server is busy. To resolve this problem, you can use the ISA Server Diagnostic Logging Viewer, which can be downloaded from the Microsoft Download Center. With this tool, you can view the log in HTML format and more easily track the request ID that appears on the Logging tab. To use this tool, you first need to install Log Parser 2.2 on the system, which is also available from the Microsoft Download Center.
For this scenario, the sequence that follows creates an HTML page in the table grid format (-ogrid) in the folder Debug:
When you open the HTML file, a page with the same format as the one that follows appears.
Figure 4—Improved way to view the logging generated by ISA Server 2004
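The following added example (not part of the original article and not Microsoft's tool) shows the correlation idea behind tracking a request ID on a busy server: events from interleaved requests are grouped by request ID, and the stage that denied a request is reported. The tab-separated layout, stage names, rule name, and sample rows are constructed assumptions, not the real diagnostic log format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: two interleaved requests. Column layout, stage names
# and the rule name are assumptions, not the real ISA Server log format.
SAMPLE_EXPORT = (
    "time\treq_id\tstage\tdetail\n"
    "10:15:01.100\t0000a1\tCONNECT\tconnection request received\n"
    "10:15:01.101\t0000a2\tCONNECT\tconnection request received\n"
    "10:15:01.103\t0000a1\tMETHOD\tGET\n"
    "10:15:01.104\t0000a2\tMETHOD\tGET\n"
    "10:15:01.105\t0000a2\tURL\thttp://www.example.com/index.htm\n"
    "10:15:01.106\t0000a1\tURL\thttp://www.example.com/mail/note.eml\n"
    "10:15:01.108\t0000a1\tRULE_MATCH\tCorporate Web Site\n"
    "10:15:01.109\t0000a2\tRULE_MATCH\tCorporate Web Site\n"
    "10:15:01.110\t0000a1\tFILTER_LOOKUP\tHTTP filter\n"
    "10:15:01.111\t0000a2\tFILTER_LOOKUP\tHTTP filter\n"
    "10:15:01.112\t0000a2\tFILTER_RESULT\tALLOWED\n"
    "10:15:01.113\t0000a1\tFILTER_RESULT\tDENIED: blocked extension .eml\n"
)

def load_traces(export_text):
    """Group events by request ID, keeping each trace in time order."""
    traces = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text), delimiter="\t"):
        traces[row["req_id"]].append(row)
    for events in traces.values():
        events.sort(key=lambda e: e["time"])  # fixed-width times sort lexically
    return dict(traces)

def explain_denial(trace):
    """Return URL, matched rule and denying event, or None if allowed."""
    seen = {}
    for event in trace:
        seen[event["stage"]] = event["detail"]
        if event["detail"].startswith("DENIED"):
            return {"url": seen.get("URL"), "rule": seen.get("RULE_MATCH"),
                    "denied_at": event["stage"], "reason": event["detail"]}
    return None

def denied_requests(export_text):
    """Map each denied request ID to its explanation."""
    explained = {rid: explain_denial(t) for rid, t in load_traces(export_text).items()}
    return {rid: why for rid, why in explained.items() if why}

if __name__ == "__main__":
    print(denied_requests(SAMPLE_EXPORT))
```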
Although fictitious, this scenario shows some of the new features introduced by ISA Server 2004 SP3. For this particular scenario, the issue was an HTTP filter that was blocking files with an .eml extension. To fix this, the rule was opened and the filter was removed as shown in the following figure.
Figure 5—File extension filter removed
These improvements will be available for ISA Server 2006 later this year. For more information, keep watching the ISA Server Web site.
Special thanks to Ian Parramore and Jonny Sharp for presenting these features at TechReady.
Support Engineer –