Skip Navigation LinksHome > SSW Standards > Rules > SSW Rules to Better ISA Server

MS ISA Server (Internet Security and Acceleration Server) provides safe and fast Internet access for our office. It integrates a multi-stage firewall and scalable web cache which limits our bandwidth usage.

However, to run MS ISA Server in a most efficient way, we have developed a few rules for a better ISA usage.

Do you agree with them all? Are we missing some? Let us know what you think.

Rules to Better ISA Server
1. Do you use triggers for automatically announcements of server events?
2. Can I block those annoying Internet banners and save bandwidth?
3. Do you log to SQL server?
4. Do you use custom reports?
5. Do you require everyone to authenticate with your Internet connection?

  1. Do you use triggers for automatically announcements of server events?

  2. We have triggers on two different database tables, FirewallLog and WebProxyLog, which log all files downloaded from the web and uploaded to the web. These triggers created by MS SQL Server Enterprise Manager announce automatically all file transfers bigger than 50 MBs. Thus the network administrator can rest assured that the monthly bandwidth is not going to differ hudgley during the month as no monster downloads are performed without an acknowledgement.  Note that this will not get all large downloads. If a client uses a file splitter program like many download managers and peer to peer programs then there will be a couple smaller size downloads and this trigger will not be called.

  3. Can I block those annoying Internet banners and save bandwidth?

  4. There are two ways of blocking annoying banners with your ISA 2000 Server. Have a look into our Knowledge Base.
    There currently is no script file for ISA 2004. Once we make one or receive one then we will put it up for public download.

  5. Do you log to SQL server?

  6. By default ISA 2000 server logs to text files. ISA 2004 is better and stores the data in a MSDE database. The only problem with this is that you cannot connect to this MSDE database by default. You have to enable TCP/IP and Named Pipes though the SQL Server Network Utility.
    SQL named pipes

    Also it only stored the last months data. After this time summary files are made to summarize the month.
    Generally you want to keep data for a couple months and show the trend over time.

    The solution is to log to your own SQL server and manage the data however you choose.

    Warning: This log can get extremely big very fast. Our database is about 17gig and we only keep 6 months of data.

    A good idea is to have a job that runs weekly that will delete any OLD data to spare some space.

    Also ISA performance is degraded when using ODBC logging (as opposed to text logging). This is true whether the SQL server is on the same machine or over the network. They both use per-entry logging to SQL and will both stop serving requests if the logging destination fails. This is not limited to SQL logging; if text or database logging fails, then ISA will stop serving requests. If the logging destination is unresponsive during startup, the services will not start.
    This is by design, since firewall logs are often used as evidence.


  7. Do you use custom reports?

    Now that we have got the data in SQL and at our disposal we can make some meaningful reports

    We can use reporting services to query the data directly and spit out some reports. Exception reports can be made. Things like which employees are Checking external mail (Hotmail, Yahoo, GMail) within work hours.

    OLAP is also another great way to report on this mammoth amount of data. Once a cube has been made and processed, management can quickly and easily query this data though Data Analyzer or Excel. Reports such as bandwidth by employee by time by date can easily be achieved. Because the SQL database has been interrogated earlier that day these reports with would take a long time to produce can come up instantly.

  8. Do you require everyone to authenticate with your Internet connection?

    We have these nice OLAP cubes from SQL for our Internet usage. However they are not very meaningful as we only know the clients IP and not who. You could always ping the IP address to find the computer then find out who owns that computer but that is a lot of work.

    The solution is to enforce authentication to the proxy. This will slow users a little as every time they want to access some external content there computer has to authenticate every packet.

    When a customer/supplier turns up and wants a wireless Internet connection at your office, what do you say?

    The answer should be

    "No we don't allow wireless access to people not on our domain for security reasons. Instead there is a hub in the boardroom. Under it there is a sticker with manually IP addresses you can use."

    This will be a special IP address which will bypass the authentication rule


Daniel Hyles
Adam Cogan