509 19 Monitoring ISA Server 2006 Health and Performance with MOM 3. Under the Remote Monitoring section, select Microsoft Operations Manager. 4. Click the checkbox to enable the configuration group. 5. Select the To tab and click Add under the section This Rule Applies to Traffic Sent to These Destinations. 6. Enter MOM (or a similar name) in the Name column, the IP address of the MOM Management server, and a description if necessary and click OK. 7. In the Add Network Entities dialog, expand Computers, select the MOM server, and click Add and Close. 8. Remove any other entries from the selection box, and then click OK, Apply, and OK to save the changes. This procedure should be replaced with one using the new MOM system policy rule. This would not require defining any custom protocols. The steps are as follows: 1. From the ISA Server Management Console, click on the Firewall Policy node in the console tree. 2. Click the Edit System Policy link in the Tasks tab of the Tasks pane. 3. Under the Remote Monitoring section, select Microsoft Operations Manager. 4. Click the checkbox to enable the configuration group. 5. Select the To tab and click Add under the section This Rule Applies to Traffic Sent to These Destinations. 6. Enter MOM (or a similar name) in the Name column, the IP address of the MOM Management server, and a description if necessary, as shown in Figure 19.24, and click OK. 7. In the Add Network Entities dialog, expand Computers, select the MOM server, and click Add and Close. 8. Remove any other entries from the selection box, and then click OK, Apply, and OK to save the changes. Installing the MOM Agent on the ISA Server After all prerequisites have been satisfied, the actual MOM agent installation on the ISA server can begin. To start the process, do the following: 1. From the MOM 2005 CD (or a network location), double-click on the \i386\MOMAgent.msi file. 2. At the Welcome screen, click Next to continue. 3. At the Destination Folder dialog box, click Next to continue. 4. Enter the Management Group Name and Management Server name; they are listed in the MOM environment. Leave the port unchanged at 1260 and the Agent Control Level at None, as shown in Figure 19.23. Click Next to continue. 510 CHAPTER 19 Monitoring and Troubleshooting an ISA Server 2006 Environment 5. Select Local System as the MOM Agent Action Account and click Next to continue. 6. Under Active Directory Configuration, select Yes if the ISA server is a domain member, or select No if it is not a domain member. Click Next to continue. 7. Click Install. 8. Click Finish. After installation, it may be necessary to wait a few minutes before processing the agent installation. After waiting, do the following to process the pending installation request: 1. From the MOM Administrator Console, Expand Administration, Computers, Pending Actions. 2. Look for the Manual Agent Install Request from the ISA server, right-click it, and choose Approve Manual Agent Installation Now, as shown in Figure 19.24. 3. Click Yes to confirm. Monitoring ISA Functionality and Performance with MOM After the management pack is installed for ISA and the agent has been installed and is communicating, MOM consolidates and reacts to every event and performance counter sent to it from the ISA server. This information is reflected in the MOM Operations Console, as shown in Figure 19.25. Performance data for ISA, such as what is shown in Figure 19.26, can also be displayed in MOM. This allows reports and performance metrics to be obtained from ISA. For more information on MOM 2005, see the Microsoft website at the following URL: http://www.microsoft.com/mom FIGURE 19.23 Manually installing the MOM agent. 511 19 Monitoring ISA Server 2006 Health and Performance with MOM FIGURE 19.24 Approving the MOM agent install. FIGURE 19.25 Viewing ISA alerts. Monitoring ISA with Windows Performance Monitor (Perfmon) ISA Server 2006 comes with several predefined performance counters that take advantage of the Windows Performance Monitor (perfmon) utility. These counters can be useful for checking to see whether an ISA server is being overwhelmed. To run the Performance 512 CHAPTER 19 Monitoring and Troubleshooting an ISA Server 2006 Environment FIGURE 19.26 Viewing server performance in MOM. Monitor application with preconfigured ISA counters, simply click Start, All Programs, Microsoft ISA Server, ISA Server Performance Monitor. Summary The ISA server developers did not disappoint when it came to developing the monitoring and troubleshooting tools made available to administrators. Using advanced logging to an MSDE or SQL database allows for advanced report generation, fast indexing and searching, and real-time logging. ISA alerts, connectivity verifiers, session monitoring, and the ISA dashboard also provide for excellent “out of the box” monitoring functionality. In addition to monitoring with the ISA tools, Microsoft Operations Manager (MOM) 2005 can allow for proactive management and troubleshooting capabilities in an ISA Server environment. Best Practices . Use Advanced ISA logging to an MSDE or SQL database to take advantage of the real- time logging and searching capabilities that this type of logging allows. . Use the logging mechanism to troubleshoot connectivity problems and errors with firewall policy rules. 513 19 Monitoring ISA Server 2006 Health and Performance with MOM . Reset VPN sessions from the Sessions tab of the Monitoring node if changes are made to the VPN policy. . Use Microsoft Operations Manager (MOM) 2005 or the more recent System Center Operations Manager 2007 product with the ISA Server 2006 management pack to monitor an ISA Server 2006 environment whenever possible. . Make use of connectivity verifiers to provide “quick glance” views of critical net- work services. This page intentionally left blank CHAPTER 20 Documenting an ISA Server 2006 Environment IN THIS CHAPTER: . Understanding the Benefits of ISA Server Documentation . Documenting the ISA Server 2006 Design . Developing Migration Documentation . Creating Administration and Maintenance Documentation for ISA . Preparing Disaster Recovery Documentation . Understanding the Importance of Performance Documentation . Writing Training Documentation . Summary . Best Practices One of the most commonly skipped but important tasks in an ISA deployment project is the documentation of the design and functionality elements of an ISA Server environ- ment. It is one thing to deploy an ISA server to address specific needs, but it is quite another to try to decipher why a particular ISA design was put into place or what an ISA server does years after it goes into place. Best practice dictates that the design, implementation, and functionality of an ISA server is incorporated into easy-to-understand and readily available documentation that can be accessed for disaster recovery purposes or during security audits. This chapter outlines key best-practice documentation tech- niques that can be used to formalize the design and imple- mentation of an ISA environment. Specific table of contents and document examples are shown, and documentation recommendations are given. In addition, this chapter also includes examples of a custom script that can be created to export firewall policy rules for documentation purposes. Understanding the Benefits of ISA Server Documentation Some of the benefits of documentation are immediate and tangible, whereas others can be harder to pin down. The process of putting the information down on paper encour- ages a level of analysis and review of the topic at hand that helps to clarify the goals and contents of the document. This process should also encourage teamwork and collabo- ration within the organization, as well as interdepartmental exchange of ideas. 516 CHAPTER 20 Documenting an ISA Server 2006 Environment For example, an ISA server maintenance document that details downtime for an individ- ual SMTP publishing rule might be reviewed by the marketing manager who is concerned about the company’s capability to send out emails to the existing and potential client base during the scheduled periods of downtime. The CIO or IT director should review the document as well to make sure that the maintenance process meets his or her concerns, such as meeting an aggressive service-level agreement (SLA). Consequently, documentation that has specific goals, is well organized and complete, and goes through a review or approval process should contribute to the overall professionalism of the organization and its knowledge base. The following sections examine some of the other benefits of professional documentation in the ISA Server environment. Using Documentation for Knowledge Management Quite simply, proper documentation enables an organization to better organize and manage its data and intellectual property. Rather than having the company’s policies and procedures in a dozen places, such as individual files for each department or, worst of all, in the minds of many individuals, consolidating this information into logical groupings can be beneficial. A design document that details the decisions made pertaining to an ISA Server 2006 deployment project can consolidate and summarize the key discussions and decisions, as well as budgetary concerns, timing issues, and the like. In addition, there will be one document to turn to if questions emerge at a later date. Similarly, if a service-level agreement is created and posted where it can be accessed by any interested parties, it should be very clear what the network users can expect from the ISA server infrastructure in terms of uptime or prescheduled downtimes. A document that describes the specific configuration details of a certain server or type of server might prove to be very valuable to a manager in another company office when making a purchasing decision. The documents also must be readily available so that they can be found when needed, especially in the case of disaster recovery documents. Also, it’s handy to have them available in a number of formats, such as hard copy, in the appropri- ate place on the network, and even via an intranet. CAUTION It is important to find a balance between making sure the documentation is readily avail- able and making sure that it is kept completely secure. ISA Server documentation con- tains particularly sensitive information about the security structure of an environment. Placement of ISA documentation is therefore key: It should be kept in locations that are readily accessible in the event of an emergency, but that also are highly secured. By simply having these documents available and centralizing them, an organization can more easily determine the effects of changes to the environment and track those changes. Part of the knowledge-management process needs to be change management, so that 517 Understanding the Benefits of ISA Server Documentation 20 although the information is available to everyone, only authorized individuals can make changes to the documents. Using Documentation to Outline the Financial Benefits of ISA Proper ISA Server documentation can be time consuming and adds to infrastructure and project costs. It is often difficult to justify the expense of project documentation. However, when the documents are needed, such as in maintenance or disaster recovery scenarios, it is easy to determine that creating this documentation makes financial sense. For example, in an organization where downtime can cost thousands of dollars per minute, the return on investment (ROI) on disaster recovery and maintenance documentation is easy to calculate. Likewise, in a company that is growing rapidly and adding staff and new servers on a regular basis, tested documentation on server builds and administration training can also have immediate and visible benefits. Well thought-out and professional design and planning documentation should help the organization avoid costly mistakes in the implementation or migration process, such as buying too many server licenses or purchasing too many servers. Baselining ISA with Document Comparisons Baselining is a process of recording the state of an ISA Server 2006 system so that any changes in its performance can be identified at a later date. Baselining also pertains to the overall network performance, including WAN links, but in those cases, special software and tools (such as sniffers) may be required to record the information. An ISA Server 2006 system baseline document records the state of the server after it is implemented in a production environment and can include statistics such as memory utilization, paging, disk subsystem throughput, and more. This information then enables the administrator or appropriate IT resource to determine how the system is performing in comparison to initial operation. Using Documentation for ISA Troubleshooting Troubleshooting documentation is helpful both in terms of the processes that the company recommends for resolving technical issues, and in documenting the results of actual troubleshooting challenges. Often companies have a database and trouble-ticket processes in place to record the time a request was made for assistance, the process followed, and the results. This information should then be available to the appropriate support staff so they know the appropriate resolution if the problem comes up again. Organizations may also choose to document troubleshooting methodologies to use as training aids and also to ensure that specific steps are taken as a standard practice for quality of service to the user community. 518 CHAPTER 20 Documenting an ISA Server 2006 Environment Understanding the Recommended Types of Documentation There are several main types of documentation, including the following: . Historical/planning (who made which decision) . Support and maintenance (to assist with maintaining the hardware and software on the network) . Policy (service-level agreements) . Training (for end users or administrators) It is also critical that any documentation produced be reviewed by other stakeholders in the organization to make sure that it meets their needs as well, and to simply get input from other sources. For technical procedures, the document also must be tested and “walked through.” With a review process of this sort, the document will be more useful and more accurate. For example, a server build document that has gone through this process (that is, reviewed by the IT manager and security administrator) is more likely to be complete and useful in case the server in question needs to be rebuilt in an emergency. Documentation that is not historical and that is intended to be used for supporting the network environment or to educate on company policies should be reviewed periodically to make sure that it is still accurate and reflects the current corporate policies and processes. The discipline of creating effective documentation that satisfies the requirements of the appropriate support personnel as well as management is also an asset to the company and can have dramatic effects. The material in this chapter gives a sense of the range of differ- ent ISA-related documents that can have value to an organization and should help in the process of deciding which ones are critical in the organization. Documenting the ISA Server 2006 Design The process of designing an ISA Server environment can include multiple design deci- sions, various decision rationales, and specific implementation settings. It is often diffi- cult, after the design is complete, to retain the knowledge of why particular decisions were made during the design process. Subsequently, one of the first and most important sets of documentation for an ISA environment relates to the design of the environment itself. This type of documentation can take many forms, but typically involves a formal design document, a server as-built document, and specific information on configured rules and settings, which can be ascertained through the creation of a custom script. Examples of this type of script, which can be extremely valuable in the documentation of ISA settings, is provided in this section of the chapter. For more information on designing an ISA Server environment, refer to Chapter 4, “Designing an ISA Server 2006 Environment.” [...]... referred to as an as-built, details a snapshot configuration of the ISA Server 2006 system as it is built This document contains essential information required to rebuild a server 520 CHAPTER 20 Documenting an ISA Server 2006 Environment To export the configuration of an ISA server using WinMSD, perform the following steps: 1 Log in to the ISA server as a local administrator 2 Go to Start, Run, and type... CHAPTER 20 Documenting an ISA Server 2006 Environment NOTE This script will work for both ISA 2004 and ISA 2006 servers Developing Migration Documentation If migrating from existing security infrastructure, or from previous versions of ISA, it is wise to produce migration documents at the same time or shortly after the design documentation to provide a roadmap of the ISA Server 2006 migration NOTE The... Verify RAID Configuration Install Windows Server 2003 Standard Edition Configure Windows Server 2003 Standard Edition Install Windows Server 2003 Service Pack 1 Install Windows Server 2003 R2 Edition Install Security Patches Install System Recovery Console Install ISA Server 2006 Standard Edition Install ISA Patches Install ISA Add-Ons Configure ISA Networks Configure ISA Firewall Policy Rules Install and... an example of the table of contents from a typical ISA Server 2006 migration plan: ISA Server 2006 Migration Plan Goals and Objectives Approach Roles Process Phase I - Design and Planning Phase II - Prototype Phase III - Pilot Phase IV - Implementation Phase V - Support Migration Process Summary of Migration Resources Project Scheduling ISA Server 2006 Training Administration and Maintenance Creating... WinMSD to export Windows settings for ISA documentation 4 Enter a name and a location for the exported text file and click Save After the specific settings on an ISA server have been acquired, they can be formalized into as-built documentation The following is an example of an ISA Server 2006 as-built document template: Introduction The purpose of this ISA Server 2006 as-built document is to assist an... intrusion detection settings, 109 IP protection, 110 IPSec pre-shared keys, 247-248 ISA servers for IAS authentication, 242-243 as IAS client, 238-239 ISA Server 2006 See also Management Console to allow MOM communications, 508-509 for content caching, 205-206 MAPI (Message Application Programming Interface), 369 filtering rules, 369, 371 MOM settings, 507 for non-domain member ISA servers, 508 Registry settings,... Configuration TCP/IP Configuration ISA Configuration Documenting the ISA Server 2006 Design 521 Networks Network Rules Firewall Policy Rules VPN Configuration Antivirus Configuration Add-Ons Documenting Specific ISA Configuration with Custom Scripting The ISA Server Console gives easy view access to firewall policy rules, network rules, VPN configuration, and other ISA settings Although individual elements... as Microsoft Excel, it behooves administrators to use products such as Microsoft Operations Manager (MOM) 2005 for monitoring and reporting functionality For example, MOM can manage and monitor multiple systems and provide graphical reports with customizable levels of detail For more information on using MOM 2005 with ISA Server 2006, see Chapter 19, “Monitoring and Troubleshooting an ISA Server 2006. .. node (Management Console), 100 application filters, 101 -102 web filters, 102 540 addresses addresses See IP addresses administration Application Settings tab options (configuring web publishing rules), 396 administrative access, 437-441 Application Usage Reports, 500 delegating, 103 -105 , 164 application-layer firewalls, 10- 11 documentation, 532-533 deployment as, 20, 135-138 ISA administrators, roles... See selecting client roles, assigning to ISA server, 53-54 clients, 297 firewall clients capabilities of, 298 configuring, 308 configuring editing per-user rules, 309- 310 543 profiles installing, 305-308 creating, 261-266 ISA Server 2006 deployment strategy, 23 installing, 267 Code Red virus, 382 preparation for, 300-304 compression IAS clients, configuring ISA servers as, 238-239 proxy clients, configuring, . application with preconfigured ISA counters, simply click Start, All Programs, Microsoft ISA Server, ISA Server Performance Monitor. Summary The ISA server developers did not disappoint when it came. blank CHAPTER 20 Documenting an ISA Server 2006 Environment IN THIS CHAPTER: . Understanding the Benefits of ISA Server Documentation . Documenting the ISA Server 2006 Design . Developing Migration Documentation three basic ISA Policy Types (Access Rule, Server Publishing Rule, ‘ Web Publishing Rule) CHAPTER 20 Documenting an ISA Server 2006 Environment 525 20 Documenting the ISA Server 2006 Design Select