ProxyInspector 3.x Standard edition manuals :: Microsoft ISA Server 2000/2004/2006 & TMG 2010

Microsoft ISA Server 2000/2004/2006 & TMG 2010


Important!

These settings should be configured prior to the first import operation, as they apply to the import stage only.

 

Main settings

 


 

Log files path — you need to specify the location of log files. The path can point to a local or network resource (in the UNC format), for instance “C:\Program Files\Microsoft ISA Server\isalogs” or “\\officeserver\logs”. If the path points to the location of MSDE log files, this can only be a local folder.

 

Process web proxy log files — enable this option to allow processing of log files of the Web Proxy service (for ISA 2000) or Web Proxy application filter (for ISA 2004/2006). File names have the following form:

WEBEXT?????????.log ISA 2000, W3C format

WEB?????????.log ISA 2000, IIS format

ISALOG_????????_WEB_???.w3c ISA 2004/2006, W3C format

ISALOG_????????_WEB_???.iis ISA 2004/2006, IIS format

Disable this option to skip processing of these log files. The option is enabled by default and we recommend keeping it on.

 

Process firewall log files — enable this option to allow processing of the firewall service log files. File names have the following form:

FWSEXT?????????.log ISA 2000, W3C format

FWS?????????.log ISA 2000, IIS format

ISALOG_????????_FWS_???.w3c ISA 2004/2006, W3C format

ISALOG_????????_FWS_???.iis ISA 2004/2006, IIS format

Disable this option to skip processing of these log files. The option is enabled by default and we recommend keeping it on.

 

Do not process HTTP records (only for ISA 2004/2006/TMG) — allows you to prevent duplication of traffic records in reports. Due to some peculiarities of the ISA 2004/2006/TMG architecture, all web traffic is registered in log files twice: in the firewall service logs and the web proxy logs. We recommend leaving this option on.

 

Use IP address instead of 'anonymous' username — if this option is enabled, user “anonymous” will be replaced with the IP address the request came from. Enabling this option can be justified only in cases of static (no DHCP used) IP distribution and use of user name substitution.

 

Strip anything before '/' and '\' from username — allows you to shorten user names in the “Domain\User” form to the “User” form. It is recommended to leave this option enabled for networks with a single NT domain.

 

Do not process UDP Bind records (ISA 2000 only) — allows you to ignore UDP sessions with a Bind status that have duplicate records in log files. This option works for Firewall service log files only. It is recommended to leave this option on.

 

Do not process UDP Map records (ISA 2000 only) — allows you to ignore UDP sessions with an UdpMap status. This option works for Firewall service log files only.

 
 
 

MSDE log files

 

Import MSDE log files — allows ProxyInspector to import MSDE log files (Microsoft SQL Server Desktop Engine). You need to enable this option to import data from ISA Server MSDE log files. Otherwise MSDE files will not be imported.

 

It is necessary to specify the instance name of the MSDE engine:

Default instance — use Microsoft SQL Server or SQL Express installed with the Default instance option;

Use ISA 2004/2006 (MSFW) instance — use a copy of MSDE/SQL Express installed with the ISA Server;

Use MS SQL 2005 Express (SQLEXPRESS) instance — use a separately installed copy of SQL Express (installed under the SQLEXPRESS instance name);

Custom instance — use the instance specified in the corresponding line.

 

ProxyInspector can import MSDE logs from a remote PC (when the ISA Server and ProxyInspector are installed on different computers). To do this, enable the “ISA Server is installed on a remote PC” option and select the name and authorization type of the remote host.

 

To import remote MSDE logs, you should additionally configure your ISA Server to enable remote access to MSDE databases.

1. Run C:\Program Files\Microsoft SQL Server\80\Tools\Binn\SVRNETCN.exe on the PC with the ISA Server

2. Select MSFW in the new dialog box and add the TCP/IP protocol to the group of allowed protocols

3. Specify port 1433 for the TCP/IP protocol (click the Properties... button)

4. Click OK to close the protocol properties dialog box. Then click OK to close the ISA Server network connection properties dialog box.

5. Restart the MSDE service. To do so, open Start -> Programs -> ISA Server Management, click 'Monitoring', switch to the Services tab, right-click the Microsoft Data Engine service and select Stop. Attention! Internet access can be temporarily unavailable after this action. Wait for the service to stop and then start it. Make sure that all ISA Server services are started; start any that are stopped.

6. Create a firewall rule for the Microsoft SQL protocol for the ISA Server PC. Open the ISA Server Management -> Firewall Policy -> Tasks tab. Click Create New Access Rule in the Firewall Policy Tasks section. Specify the name of the firewall rule in the new window, for example "Allow Remote MSDE Access". Select Allow as a rule action, add both (TCP and UDP) Microsoft SQL protocols, specify the list of client IPs for this rule. You can use a pre-defined Remote Management Computers group or create a new one. As a destination, select Local Host from the Networks group, add All Users as a user group.

7. Add computers with ProxyInspector to the Remote Management Computers group. Run ISA Management, select Firewall Policy, click the Toolbox tab and select the Computer Sets folder. Double-click the Remote Management Computers item and add the necessary computers to the group. Click Apply at the top of the ISA Management window to apply all changes.

 

Filtering by the s-object-source field

 


 

Filter Web Proxy logs using s-object-source field values — enabling this option filters Web Proxy log file records by the s-object-source field and lets you configure the list of field values located below. To register external traffic only, leave the following options enabled: Inet and VFInet.

 

Do not process lines with 401/407 codes in sc-status field — allows you to ignore authorization requests and rejections. These requests are internal to the network, but are saved to the log file. This option can be enabled only for Web-proxy logs with a “sc-status” field. It is recommended to leave this option enabled.

 

Do not process lines with 12209 code in sc-status field — allows you to ignore connection errors resulting from denied authorizations. These requests are internal to the network, but are saved to the log file. This option can be enabled only for Web-proxy logs with a “sc-status” field. This option is disabled by default.

 

You must also configure the local addresses table.
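
To preview what a given combination of the import options above keeps, the same rules can be applied offline to a copy of the logs. The following Python code is an added example, not ProxyInspector code: it matches file names against the masks listed on this page and applies the username, sc-status and s-object-source options to constructed W3C lines. The function names, the reduced field set and the tab delimiter are assumptions.

```python
from fnmatch import fnmatchcase

# File-name masks as listed on this page; "@" stands for WEB or FWS.
MASKS = [(m.replace("@", tag), svc, ver, fmt)
         for tag, svc in (("WEB", "web"), ("FWS", "firewall"))
         for m, ver, fmt in (("@EXT?????????.log", "ISA 2000", "W3C"),
                             ("@?????????.log", "ISA 2000", "IIS"),
                             ("ISALOG_????????_@_???.w3c", "ISA 2004/2006", "W3C"),
                             ("ISALOG_????????_@_???.iis", "ISA 2004/2006", "IIS"))]

def classify(name):
    """Return (service, version, format) for a log file name, or None."""
    for mask, *info in MASKS:
        if fnmatchcase(name.lower(), mask.lower()):
            return tuple(info)

def import_web_w3c(lines, keep_sources=("Inet", "VFInet"),
                   skip_status=("401", "407"), anon_to_ip=False, strip_domain=True):
    """Apply the page's import options to W3C web proxy lines (assumed tab-delimited)."""
    fields, out = [], []
    for line in lines:
        if line.startswith("#"):                 # W3C directive lines
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        rec = dict(zip(fields, line.rstrip("\n").split("\t")))
        if rec.get("sc-status") in skip_status:  # 401/407, optionally 12209
            continue
        if keep_sources and rec.get("s-object-source") not in keep_sources:
            continue
        user = rec.get("cs-username", "")
        if anon_to_ip and user.lower() == "anonymous":
            user = rec.get("c-ip", user)         # only sensible with static IPs
        elif strip_domain:                       # "Domain\User" -> "User"
            user = user.replace("/", "\\").rsplit("\\", 1)[-1]
        out.append((user, rec.get("r-host"), rec.get("sc-status")))
    return out

# Constructed sample lines (not from a real server); field subset for brevity.
SAMPLE = [
    "#Fields: c-ip\tcs-username\tr-host\ts-object-source\tsc-status",
    "10.0.0.5\tanonymous\twww.example.com\tInet\t407",
    "10.0.0.5\tCORP\\alice\twww.example.com\tInet\t200",
    "10.0.0.7\tanonymous\twww.example.org\tVFInet\t200",
    "10.0.0.8\tCORP\\bob\twww.example.com\tCache\t200",
    "10.0.0.9\tCORP\\carol\twww.example.net\tInet\t12209",
]

if __name__ == "__main__":
    print(classify("ISALOG_20090115_WEB_000.w3c"), import_web_w3c(SAMPLE))
```

With the defaults, the 407 challenge and the Cache hit are dropped while the 12209 record is kept, matching the default state of the options described above.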