Diagnostic Improvements in ISA Server 2004 Service Pack 3

1. Introduction

Microsoft® Internet Security and Acceleration (ISA) Server 2004 with Service Pack 3 (SP3) adds diagnostic improvements that make troubleshooting considerably easier. For a summary of the components of this update, see "ISA Server 2004 Service Pack 3" on the Microsoft TechNet Web site.

This article explains some of the advantages of using this service pack while troubleshooting an issue on ISA Server 2004. In the scenario, ISA Server 2004 SP3 publishes a corporate Web site, and when users try to access one specific page, they receive the following error.


Figure 1—Page error when users are trying to access the corporate page through the Internet

According to users, they can access this page without a problem when they are on the Internal network.

2. Details about logging

To gather more information about this error, use the monitoring and logging features that are available in ISA Server 2004 and extended by SP3. The Logging tab is now divided into two panes: the regular real-time log and a details pane for the selected log entry. For this scenario, we created a filter to log all HTTP traffic and then reproduced the issue. The following figure shows the result.


Figure 2—New Logging tab with the details pane.

By default, the color for a denied connection is red and the allowed connection is green. Those colors can be customized using the option Define Log Text Colors on the Tasks tab.

In the details pane, you can see the main aspects of the connection and the reason why it was denied. For this scenario, the following fields matter most:

· Status—Summarizes the reason for the rejection.

· Rule—Shows the rule that was matched for this connection.

· Request—Shows the HTTP method that was used to access the page.

· Filter information—Shows the request ID (Req ID) and information about the ISA Server filter that handled this access.

From that brief explanation we can form some hypotheses and act on them. With ISA Server 2004 SP3, however, it is possible to see even more detail about the connection and to understand how it was processed.

3. Diagnostic logging

Diagnostic logging is a new feature introduced with SP3. It provides over 200 new events about the status of the ISA Server computer, as well as information about configuration and policy issues, so that you can follow the actions ISA Server 2004 takes while it analyzes and processes a request.

To enable this option, go to the new Troubleshooting node and click Configure Diagnostic Logging.


Figure 3—Diagnostic Logging dialog box

It is important to emphasize that when this option is enabled, ISA Server 2004 performance can decrease. Enable it only for as long as it takes to reproduce the problem; we recommend disabling this logging as soon as you have found the information you are looking for.

In this scenario, we enabled the option and reproduced the issue. We can then either reopen this dialog box and click View Log Data, or open Event Viewer and click the ISA Server Diagnostics node.

For this specific scenario, the following sequence (among other events) was logged:

1. ISA Server 2004 receives the connection request:

Event Type: Information
Event Source: ISA Server Diagnostics
Event Category: None
Event ID: 30091
Date: 8/6/2007
Time: 9:18:52 PM
User: N/A
Computer: SRVISA
Description:
Date and time: 08/06/2007-21:18:51.654
Packet context: 06a0dd31
Log source: Web Proxy
Web Proxy properties:
    Client IP address: 192.168.0.50
    Client port: 3597
    Local IP address: 192.168.0.8
    Local port: 80
    SecureNAT client: false
    Web proxy client: false
    Inbound traffic: true

2. The method used to retrieve this page is analyzed:

Event Type: Information
Event Source: ISA Server Diagnostics
Event Category: None
Event ID: 30093
Date: 8/6/2007
Time: 9:18:52 PM
User: N/A
Computer: SRVISA
Description:
Date and time: 08/06/2007-21:18:51.654
Packet context: 06a0dd31 06a0dd32
Log source: Web Proxy
HTTP method: GET

3. The target URL is analyzed:

Event Type: Information
Event Source: ISA Server Diagnostics
Event Category: None
Event ID: 30105
Date: 8/6/2007
Time: 9:18:52 PM
User: N/A
Computer: SRVISA
Description:
Date and time: 08/06/2007-21:18:51.654
Packet context: 06a0dd31 06a0dd32
Log source: Web Proxy
Target URL: /corp/Commun.eml

4. After evaluating the policy, ISA Server 2004 finds the rule that matches the traffic:

Event Type: Information
Event Source: ISA Server Diagnostics
Event Category: None
Event ID: 30008
Date: 8/6/2007
Time: 9:18:52 PM
User: N/A
Computer: SRVISA
Description:
Date and time: 08/06/2007-21:18:51.654
Packet context: 06a0dd31 06a0dd32
Log source: Firewall service
The rule Corp Site matches the packet. The packet is allowed.

5. ISA Server 2004 now looks for the rule associated with the protocol itself (HTTP), so that the protocol's application filter can inspect the request:

Event Type: Information
Event Source: ISA Server Diagnostics
Event Category: None
Event ID: 30019
Date: 8/6/2007
Time: 9:18:52 PM
User: N/A
Computer: SRVISA
Description:
Date and time: 08/06/2007-21:18:51.654
Packet context: 06a0dd31 06a0dd32
Log source: Firewall service
ISA Server is looking for a rule that is associated with the protocol HTTP.

6. After the HTTP filter has processed the request, ISA Server 2004 logs the result:

Event Type: Information
Event Source: ISA Server Diagnostics
Event Category: None
Event ID: 30136
Date: 8/6/2007
Time: 9:18:52 PM
User: N/A
Computer: SRVISA
Description:
Date and time: 08/06/2007-21:18:51.654
Packet context: 06a0dd31 06a0dd32
Log source: Web Proxy
ISA Server rejected the request with the HTTP status code 0 and will return the following error message to the Web client. "The request was rejected by the HTTP filter."

As you can see, this tool is powerful and can help greatly when troubleshooting complex scenarios. In this case the trail already narrows the problem: the publishing rule Corp Site matched and allowed the request (event 30008), so the rejection in event 30136 comes from the HTTP filter attached to that rule, not from the rule itself.

4. Parsing the log

Following a request action by action in Event Viewer is difficult when the server is busy, because events from many concurrent connections are interleaved. To address this, you can use the ISA Server Diagnostic Logging Viewer, which can be downloaded from the Microsoft Download Center. With this tool, you can view the log in HTML format and more easily track the request ID that appears on the Logging tab. The tool requires Log Parser 2.2, also available from the Microsoft Download Center, to be installed first.

For this scenario, the following command creates an HTML page in table grid format (-ogrid) in the folder Debug:

C:\Program Files\Log Parser 2.2>dlviewer.cmd -ogrid -odir Debug
Generating query results. Please wait...

Statistics:
-----------
Elements processed: 731
Elements output: 731
Execution time: 0.08 seconds

Generating contexts information results. Please wait...

Statistics:
-----------
Elements processed: 731
Elements output: 731
Execution time: 0.19 seconds

Done. Open Debug\index.html to view the results.

When you open the HTML file, a page in the following format appears.


Figure 4—Improved way to view the logging generated by ISA Server 2004
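The grouping that the Diagnostic Logging Viewer performs can also be done by hand on an Event Viewer text export, which is useful when the viewer or Log Parser cannot be installed on the server. The following script is an added example written for this article; it is not part of ISA Server, Log Parser or the Diagnostic Logging Viewer. It parses the event records shown in section 3 and groups them by the first token of the Packet context field, so that one connection's decision chain reads in order even when events from other connections are interleaved. Treating the first context token as the connection identifier, and the embedded sample events (the six from section 3 plus one constructed event from an unrelated connection), are assumptions made for the example.

```python
# Added example: parse an Event Viewer text export of ISA Server Diagnostics
# events and group them by the first 'Packet context' token (assumed to
# identify the connection) so one request's decision chain reads in order.
import re
from collections import namedtuple

DiagEvent = namedtuple("DiagEvent", "event_id log_source contexts message")

# Constructed, abbreviated sample: the six events from the article plus one
# event from an unrelated connection (context 06a0dd40, assumed) in the middle.
SAMPLE_EVENTS = """\
Event Type: Information
Event ID: 30091
Packet context: 06a0dd31
Log source: Web Proxy
    Client IP address: 192.168.0.50

Event Type: Information
Event ID: 30093
Packet context: 06a0dd31 06a0dd32
Log source: Web Proxy
HTTP method: GET

Event Type: Information
Event ID: 30093
Packet context: 06a0dd40 06a0dd41
Log source: Web Proxy
HTTP method: POST

Event Type: Information
Event ID: 30105
Packet context: 06a0dd31 06a0dd32
Log source: Web Proxy
Target URL: /corp/Commun.eml

Event Type: Information
Event ID: 30008
Packet context: 06a0dd31 06a0dd32
Log source: Firewall service
The rule Corp Site matches the packet. The packet is allowed.

Event Type: Information
Event ID: 30019
Packet context: 06a0dd31 06a0dd32
Log source: Firewall service
ISA Server is looking for a rule that is associated with the protocol HTTP.

Event Type: Information
Event ID: 30136
Packet context: 06a0dd31 06a0dd32
Log source: Web Proxy
ISA Server rejected the request with the HTTP status code 0 and will return the following error message to the Web client. "The request was rejected by the HTTP filter."
"""

# Header fields of the export; every other non-blank line is message body.
HEADER_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date and time|"
                       r"Date|Time|User|Computer|Description|Packet context|Log source):\s*(.*)$")


def parse_events(text):
    """Split the export into records; each record starts with 'Event Type:'."""
    events = []
    for block in re.split(r"\n(?=Event Type:)", text.strip()):
        fields, body = {}, []
        for line in block.splitlines():
            m = HEADER_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
            elif line.strip():
                body.append(line.strip())
        events.append(DiagEvent(int(fields["Event ID"]), fields.get("Log source", ""),
                                tuple(fields.get("Packet context", "").split()),
                                "\n".join(body)))
    return events


def group_by_connection(events):
    """Map the first packet-context token to that connection's events, in log order."""
    chains = {}
    for ev in events:
        chains.setdefault(ev.contexts[0] if ev.contexts else "(none)", []).append(ev)
    return chains


def find_rejection(chain):
    """First event in which ISA Server rejected the request, or None."""
    return next((ev for ev in chain if "rejected the request" in ev.message), None)


def target_url(chain):
    """The 'Target URL' recorded for this connection, or None."""
    m = next((re.search(r"^Target URL:\s*(\S+)", ev.message, re.M) for ev in chain
              if ev.message.startswith("Target URL:")), None)
    return m.group(1) if m else None


if __name__ == "__main__":
    for ctx, chain in group_by_connection(parse_events(SAMPLE_EVENTS)).items():
        print(f"Packet context {ctx}: {len(chain)} events")
        for ev in chain:
            print(f"  {ev.event_id} [{ev.log_source}] {(ev.message.splitlines() or [''])[0]}")
        rej = find_rejection(chain)
        if rej:
            print(f"  -> rejected at event {rej.event_id}; target URL {target_url(chain)}")
```

Run against a real export, the interesting chains are the ones where find_rejection returns an event: the events before it show which rule matched and which URL and method were being processed when the filter intervened, which is the same reading the article performs by hand in section 3.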

5. Conclusion

Although fictitious, this scenario shows some of the new features introduced by ISA Server 2004 SP3. For this particular scenario, the issue was an HTTP filter that was blocking files with an .eml extension. To fix this, the publishing rule was opened and the .eml entry was removed from the filter's blocked extensions, as shown in the following figure. Because removing an entry widens what the rule lets through, confirm first that the site is meant to serve .eml files and that nothing else relies on the block, and record the change.


Figure 5—File extension filter removed
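To make the effect of that change concrete, the following is an added example, not ISA Server code: a simplified model of the three modes offered by the HTTP filter's Extensions tab (allow all extensions, block the listed extensions, allow only the listed extensions). It compares a hypothetical block list containing .eml (the state that produced event 30136), the article's fix (the same list without .eml) and a stricter allow-list alternative. The way the extension is derived from the URL (last dot of the final path segment, query string ignored, case-insensitive) and the extension lists themselves are assumptions for the example, not verified against ISA Server's own parsing.

```python
# Added example, not ISA Server code: a simplified model of the HTTP filter's
# Extensions tab used to compare the article's fix with a stricter one.
# Extension derivation (last dot of the final path segment, query string
# ignored, case-insensitive) is an assumption about the filter's behaviour.
import posixpath
from urllib.parse import urlsplit


def url_extension(url):
    """Extension of the requested path, lower-cased; '' when there is none."""
    name = posixpath.basename(urlsplit(url).path)
    return posixpath.splitext(name)[1].lower()


def http_filter_allows(url, mode, extensions=()):
    """Decide whether the extension check passes for one URL."""
    ext = url_extension(url)
    listed = {e.lower() for e in extensions}
    if mode == "allow_all":
        return True
    if mode == "block_listed":       # 'Block specified extensions'
        return ext not in listed
    if mode == "allow_listed":       # 'Allow only specified extensions'
        return ext in listed
    raise ValueError(f"unknown mode {mode!r}")


# Hypothetical configurations. BEFORE is the state that produced event 30136;
# ARTICLE_FIX drops .eml from the block list as in figure 5; STRICT_FIX turns
# the list around so only content the site is known to serve passes.
CONFIGS = {
    "before":      ("block_listed", [".eml", ".exe", ".bat", ".cmd"]),
    "article_fix": ("block_listed", [".exe", ".bat", ".cmd"]),
    "strict_fix":  ("allow_listed", [".htm", ".html", ".css", ".gif", ".jpg", ".eml"]),
}


def compare(urls, configs=CONFIGS):
    """For each URL, the allow (True) / deny (False) result under every configuration."""
    return {u: {name: http_filter_allows(u, mode, exts)
                for name, (mode, exts) in configs.items()} for u in urls}


if __name__ == "__main__":
    # Constructed test URLs: the article's page, the same page with a query
    # string and different case, a file type the site does not serve, and a
    # path whose extension cannot be determined.
    for url, results in compare(["/corp/Commun.eml",
                                 "/corp/Commun.EML?lang=en",
                                 "/corp/tool.exe",
                                 "/corp/Commun.eml/"]).items():
        print(url, results)
```

The last test URL shows the practical difference between the two list directions: a block list passes any request whose extension cannot be determined, while an allow list denies it. The Extensions tab's option to block requests containing ambiguous extensions exists for that case, and it is worth checking when a block list is kept.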

These improvements will be available for ISA Server 2006 later this year. For more information, keep watching the ISA Server Web site.

Special thanks to Ian Parramore and Jonny Sharp for presenting these features at TechReady.

Yuri Diogenes

Support Engineer – Latin America Team – Platforms

Microsoft