Diagnostic Improvements in ISA Server 2004 Service Pack 3

1. Introduction

Microsoft® Internet Security and Acceleration (ISA) Server 2004 with Service Pack 3 (SP3) provides improvements at the diagnostic level that make troubleshooting much easier. For a summary of the components of this update, see “ISA Server 2004 Service Pack 3” at the Microsoft TechNet Web site.

This article explains some of the advantages of using this service pack while troubleshooting an issue on ISA Server 2004. The scenario is that ISA Server 2004 SP3 is publishing a corporate Web site, and when users try to access one specific page, they receive the following error.

Figure 1—Page error when users are trying to access the corporate page through the Internet

According to users, they can access this page without a problem when they are on the Internal network.

2. Details about logging

To gather more information about this error, you can use the monitoring and logging features available in ISA Server 2004 and extended with SP3. Logging is now divided into two panes: the regular real-time log and a details pane for the selected log entry. For this scenario, we created a filter to log all HTTP traffic and used it while reproducing the issue. The following figure shows the result.

Figure 2—New Logging tab with the details pane.

By default, a denied connection is shown in red and an allowed connection in green. Those colors can be customized using the option Define Log Text Colors on the Tasks tab.

In the detailed explanation, you can see the main aspects of the connection and the reason why it was denied. For this scenario, the following fields are emphasized:

- Status—Summarizes the reason for the rejection.
- Rule—Shows the rule that was matched for this connection.
- Request—Shows the method that was used to access the page.
- Filter information—Shows the request ID (Req ID) and the information about the ISA Server filter that was used for this access.

Based on that brief explanation, we can form some hypotheses and take actions based on them. However, with ISA Server 2004 SP3, it is possible to see even more details about the connection and better understand how it was processed.

3. Diagnostic logging

Diagnostic logging is a new feature introduced with SP3. It provides over 200 new events about the status of your ISA Server computer, as well as information about configuration and policy issues. It makes it possible to follow the actions that ISA Server 2004 takes while analyzing and processing a request.

To enable this option, go to the new Troubleshooting node and click Configure Diagnostic Logging.

Figure 3—Diagnostic Logging dialog box

It is important to emphasize that when this option is enabled, ISA Server 2004 performance can decrease. We recommend disabling this logging after you find the information that you are looking for.

In this scenario, we enabled this option and reproduced the issue. After reproducing the issue, we can either open this window again and click View Log Data or open Event Viewer and click the ISA Server Diagnostics node.

For this specific scenario, the following sequence (along with other events) was logged:

1. ISA Server 2004 receives the connection request:

    Event Type:     Information
    Event Source:   ISA Server Diagnostics
    Event Category: None
    Event ID:       30091
    Date:           8/6/2007
    Time:           9:18:52 PM
    User:           N/A
    Computer:       SRVISA
    Description:
    Date and time: 08/06/2007-21:18:51.654
    Packet context: 06a0dd31
    Log source: Web Proxy

    Web Proxy properties:
        Client IP address: 192.168.0.50
        Client port: 3597
        Local IP address: 192.168.0.8
        Local port: 80
        SecureNAT client: false
        Web proxy client: false
        Inbound traffic: true

2. The method used to retrieve this page is analyzed:

    Event Type:     Information
    Event Source:   ISA Server Diagnostics
    Event Category: None
    Event ID:       30093
    Date:           8/6/2007
    Time:           9:18:52 PM
    User:           N/A
    Computer:       SRVISA
    Description:
    Date and time: 08/06/2007-21:18:51.654
    Packet context: 06a0dd31 06a0dd32
    Log source: Web Proxy

    HTTP method: GET

3. The target URL is analyzed:

    Event Type:     Information
    Event Source:   ISA Server Diagnostics
    Event Category: None
    Event ID:       30105
    Date:           8/6/2007
    Time:           9:18:52 PM
    User:           N/A
    Computer:       SRVISA
    Description:
    Date and time: 08/06/2007-21:18:51.654
    Packet context: 06a0dd31 06a0dd32
    Log source: Web Proxy

    Target URL: /corp/Commun.eml

4. After analyzing the rules, ISA Server 2004 finds the rule that matches the traffic:

    Event Type:     Information
    Event Source:   ISA Server Diagnostics
    Event Category: None
    Event ID:       30008
    Date:           8/6/2007
    Time:           9:18:52 PM
    User:           N/A
    Computer:       SRVISA
    Description:
    Date and time: 08/06/2007-21:18:51.654
    Packet context: 06a0dd31 06a0dd32
    Log source: Firewall service

    The rule Corp Site matches the packet. The packet is allowed.

5. Now ISA Server 2004 looks for rules that match the protocol itself, for filtering purposes:

    Event Type:     Information
    Event Source:   ISA Server Diagnostics
    Event Category: None
    Event ID:       30019
    Date:           8/6/2007
    Time:           9:18:52 PM
    User:           N/A
    Computer:       SRVISA
    Description:
    Date and time: 08/06/2007-21:18:51.654
    Packet context: 06a0dd31 06a0dd32
    Log source: Firewall service

    ISA Server is looking for a rule that is associated with the protocol HTTP.

6. After processing the HTTP filter, ISA Server 2004 shows the following result:

    Event Type:     Information
    Event Source:   ISA Server Diagnostics
    Event Category: None
    Event ID:       30136
    Date:           8/6/2007
    Time:           9:18:52 PM
    User:           N/A
    Computer:       SRVISA
    Description:
    Date and time: 08/06/2007-21:18:51.654
    Packet context: 06a0dd31 06a0dd32
    Log source: Web Proxy

    ISA Server rejected the request with the HTTP status code 0 and will return the following error message to the Web client. "The request was rejected by the HTTP filter."

As you can see, this tool is powerful and can help greatly when troubleshooting complex scenarios.

4. Parsing the log

Following the log action by action in Event Viewer is difficult when the server is busy. To resolve this problem, you can use the ISA Server Diagnostic Logging Viewer, which can be downloaded from the Microsoft Download Center. With this tool, you can view the log in HTML format and better track the request ID that appears on the Logging tab. To use this tool, you first need to install Log Parser 2.2 on the system, which is also available from the Microsoft Download Center.

For this scenario, the following command creates an HTML page in the table grid format (-ogrid) in the folder Debug:

    C:\Program Files\Log Parser 2.2>dlviewer.cmd -ogrid -odir Debug

    Generating query results. Please wait…

    Statistics:
    -----------
    Elements processed: 731
    Elements output:    731
    Execution time:     0.08 seconds

    Generating contexts information results. Please wait…

    Statistics:
    -----------
    Elements processed: 731
    Elements output:    731
    Execution time:     0.19 seconds

    Done. Open Debug\index.html to view the results.

When you open the HTML file, a page in the same format as the one that follows appears.

Figure 4—Improved way to view the logging generated by ISA Server 2004
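The request-tracking idea behind the viewer, written out as an added Python example that is not Microsoft's code and not part of dlviewer.cmd or Log Parser: it parses event descriptions in the layout shown in section 3 (the Date and time, Packet context and Log source header lines followed by the message body), groups events by the first packet context identifier, which is the value the six events of the scenario share, and summarizes each request's client, method, URL, matched rule and final verdict. Field names and message wording are taken from the article's sample events; that the first context identifier stays constant for one request and that the message texts are stable across events are assumptions. The sample data is constructed from the page's six entries plus a second, unrelated request interleaved the way a busy server would log it.

```python
"""Correlate ISA Server Diagnostics events by packet context.

Added example, not Microsoft's code and not part of dlviewer.cmd. It groups the
per-request diagnostic events shown in the article so that one request's
processing sequence can be read even when many requests are interleaved.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Header lines that open every diagnostic event description in the article.
HEADER_RE = re.compile(r"^(Date and time|Packet context|Log source):\s*(.*)$", re.M)
# Message patterns as they appear in the article's events (assumed stable).
RULE_RE = re.compile(r"The rule (.+?) matches the packet\. The packet is (allowed|denied)\.")
REJECT_RE = re.compile(r"rejected the request with the HTTP status code (\d+)")
CLIENT_RE = re.compile(r"Client IP address: (\S+)")


@dataclass
class DiagEvent:
    event_id: int
    timestamp: str      # "Date and time" header, e.g. 08/06/2007-21:18:51.654
    contexts: tuple     # packet context chain; element 0 identifies the request (assumption)
    source: str         # "Web Proxy" or "Firewall service"
    message: str        # body lines joined into one string


def parse_description(event_id, text):
    """Split one event description into its header fields and message body."""
    fields = dict(HEADER_RE.findall(text))
    body = [ln.strip() for ln in text.splitlines() if ln.strip() and not HEADER_RE.match(ln)]
    return DiagEvent(event_id, fields["Date and time"],
                     tuple(fields["Packet context"].split()), fields["Log source"], " ".join(body))


def group_by_request(events):
    """Group events by the first packet context id; order each group by time, then chain depth."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev.contexts[0]].append(ev)
    for evs in groups.values():
        evs.sort(key=lambda e: (e.timestamp, len(e.contexts)))  # stable sort keeps log order otherwise
    return dict(groups)


def summarize_request(events):
    """Reduce one request's events to the fields an analyst reads off the Logging tab."""
    s = {"client": None, "method": None, "url": None, "rule": None, "verdict": "incomplete"}
    for ev in events:  # events arrive in processing order
        if m := CLIENT_RE.search(ev.message):
            s["client"] = m.group(1)
        elif "HTTP method:" in ev.message:
            s["method"] = ev.message.split("HTTP method:")[-1].strip()
        elif "Target URL:" in ev.message:
            s["url"] = ev.message.split("Target URL:")[-1].strip()
        elif m := RULE_RE.search(ev.message):
            s["rule"], s["verdict"] = m.group(1), m.group(2)
        elif m := REJECT_RE.search(ev.message):
            # The HTTP filter verdict comes after the rule match and overrides its "allowed".
            s["verdict"] = f"rejected by HTTP filter (status {m.group(1)})"
    return s


def _desc(stamp, context, source, *body):
    """Render a description in the layout Event Viewer shows (constructed sample data)."""
    return "\n".join([f"Date and time: {stamp}", f"Packet context: {context}",
                      f"Log source: {source}", "", *body])


T1 = "08/06/2007-21:18:51.654"  # the article's request
T2 = "08/06/2007-21:18:51.660"  # a constructed, unrelated request logged in between
ALLOW = "The rule Corp Site matches the packet. The packet is allowed."
SAMPLE_EVENTS = [
    (30091, _desc(T1, "06a0dd31", "Web Proxy", "Web Proxy properties:",
                  "    Client IP address: 192.168.0.50", "    Client port: 3597",
                  "    Local IP address: 192.168.0.8", "    Local port: 80", "    Inbound traffic: true")),
    (30091, _desc(T2, "07b1ee40", "Web Proxy", "Web Proxy properties:",
                  "    Client IP address: 192.168.0.77", "    Client port: 4012", "    Inbound traffic: true")),
    (30093, _desc(T1, "06a0dd31 06a0dd32", "Web Proxy", "HTTP method: GET")),
    (30105, _desc(T1, "06a0dd31 06a0dd32", "Web Proxy", "Target URL: /corp/Commun.eml")),
    (30008, _desc(T1, "06a0dd31 06a0dd32", "Firewall service", ALLOW)),
    (30008, _desc(T2, "07b1ee40 07b1ee41", "Firewall service", ALLOW)),
    (30019, _desc(T1, "06a0dd31 06a0dd32", "Firewall service",
                  "ISA Server is looking for a rule that is associated with the protocol HTTP.")),
    (30136, _desc(T1, "06a0dd31 06a0dd32", "Web Proxy",
                  "ISA Server rejected the request with the HTTP status code 0 and will return the "
                  'following error message to the Web client. "The request was rejected by the HTTP filter."')),
]


def render(groups):
    """One summary line per request followed by its events in processing order."""
    out = []
    for ctx, evs in groups.items():
        s = summarize_request(evs)
        out.append(f"request {ctx}: {s['client']} {s['method']} {s['url']} "
                   f"rule={s['rule']!r} verdict={s['verdict']}")
        out.extend(f"  {e.timestamp} {e.event_id} [{e.source}] {e.message[:70]}" for e in evs)
    return "\n".join(out)


if __name__ == "__main__":
    parsed = [parse_description(eid, text) for eid, text in SAMPLE_EVENTS]
    print(render(group_by_request(parsed)))
```

Running the file prints one summary line per request followed by its events in order, so the rejected .eml request stands out from the allowed one even though their events are interleaved; in a real deployment the descriptions would be read from the ISA Server Diagnostics event log instead of the embedded list.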


 


5. Conclusion

Although fictitious, this scenario shows some of the new features introduced by ISA Server 2004 SP3. For this particular scenario, the issue was an HTTP filter that was blocking files with an .eml extension. To fix this, the rule was opened and the filter was removed, as shown in the following figure.

Figure 5—File extension filter removed

These improvements will be available for ISA Server 2006 later this year. For more information, keep watching the ISA Server Web site.

Special thanks to Ian Parramore and Jonny Sharp for presenting these features at TechReady.

Yuri Diogenes
Support Engineer – Latin America Team – Platforms
Microsoft

Comments (8)

  1. Anonymous says:

    Security Microsoft and Novell Open Interoperability Lab http://www.microsoft.com/presspass/press/2007/sep07/09-11MSNovellLabsPR.mspx

  2. ehab says:

    Hi

    Thanks a lot for this nice info.

    I have a question here: why is this improvement in MS ISA 2004 SP3 and not in MS ISA 2006?

  3. Anonymous says:

    ISA Server 2006 Service Pack 1 Features Introduction Microsoft ® Internet Security and Acceleration (ISA)

  5. Yuri Diogenes says:

    Since the SP3 for ISA 2004 was already ready to be shipped, it was decided to include those features in it. But those improvements will soon be available on ISA 2006.

    Thanks for your visit.

  6. SEO Perth (http://www.oracledigital.com.au/) says:

    Glad to see your interesting post! It's very useful and yet true for sure.

  7. http://www.highvalueseo.com says:

    Nice post on ISA servers; the latest addition of 2011 is out, right? Not sure, will look into it.

  8. Search Engine Optimization Perth says:

    Very nice! Thanks for the elaborated steps! They are very easy to understand and replicate!