Configure Microsoft ISA Server


    Firewall Analyzer supports Microsoft Internet Security and Acceleration (ISA) Server 2000, 2004, and 2006.

    Note:

    Supported ISA Log Formats in Firewall Analyzer:
    Firewall Analyzer supports W3C extended log file format for Packet filters, ISA Server Firewall Service, and ISA Server Web Proxy Service. ISA Server File log format is supported for ISA Server Web Proxy Service only.

     

    Configure Microsoft ISA Server

    1. Open the "ISA Management" console.
    2. Select "Monitoring Configuration" from the left-hand side console tree, and then select the "Logs" folder.
    3. In the "Logs" folder, right-click each of the listed components (such as Packet filters, ISA Server Firewall Service, ISA Server Web Proxy Service), select "Properties" and set the log format to W3C extended log file format.

    For more information, refer to the Microsoft ISA Server documentation.

    Once you have configured the ISA Server, you can import this log file in Firewall Analyzer.

    • You can schedule the import of logs using localhost. Share the ISA log folder and map it as a network drive on the Firewall Analyzer server, then schedule the local import to run periodically.
      If you are running Firewall Analyzer as a service, ensure that Firewall Analyzer has sufficient permission to access the files in the shared folder.
    • If you want Firewall Analyzer to periodically import the ISA Server logs, use the FTP import provision in "Remote Host", with a time interval less than the time interval set in the ISA Server.
    Note: We recommend the Local Import Schedule option over the Remote Host FTP Import option.

    Firewall Analyzer handles Dynamic Filename change of ISA Server log files. 

    Note: Microsoft ISA Proxy server creates a log file with a new name (with the time stamp appended) every day. If the Microsoft ISA Proxy log files are to be imported, you do not have to change the filename daily; instead, select the Change filename dynamically option while importing the logs. Selecting the option displays the Filename pattern: text box, where you enter the time stamp pattern that the Proxy server appends when it creates the log file daily. A help tip icon displays (when you hover the mouse over it) the mapping of the Timestamp in Filename to the Pattern to be given. Enter the pattern as required.

     

    Configuring Microsoft ISA Server 2004 & 2006

    By default, Microsoft ISA Server 2004 & 2006 stores log files in MSDE (Microsoft SQL Desktop Engine) databases.

    Log files options placement in ISA Management Console 2004 & 2006

    To switch the log file format from MSDE to W3C, do the following:

    • Run the ISA Management Console
    • Select the Monitoring item on the left pane
    • Select the Logging tab on the center pane
    • Select the Tasks tab on the right pane

    You will need to change the log file format for both Firewall and Web proxy. Choose the Configure Firewall Logging and Configure Web Proxy Logging items and perform the actions shown below for each.

    Log file format settings for Firewall and Web Proxy

    Select the File option and, in the dropdown list, select W3C extended log file format. The Enable logging for this service option should be enabled. If you want to change the log file location, press the Options button; another dialog appears where you can change the log file path. Compress log files and Delete log files older than should remain disabled. Select the Fields tab and check that all necessary fields are enabled. See the table below for the list of necessary fields.

    Necessary Fields

    Firewall log files:
    • Log Date
    • Log Time
    • Transport
    • Client IP and port
    • Destination IP and port
    • Action
    • Protocol
    • Bytes sent
    • Bytes sent Delta
    • Bytes received
    • Bytes received Delta
    • Client Username
    • Client Agent

    Web proxy log files:
    • Client IP
    • Client Username
    • Client Agent
    • Log Date
    • Log Time
    • Bytes Received
    • Bytes Sent
    • Protocol
    • URL
    • Object source
    • HTTP Status Code
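
    To confirm that the field selection took effect before importing, the check below reads the "#Fields:" directive of a W3C extended log and reports any required Web proxy field that is missing, along with rows that do not match the header. It is an added example, not code from Firewall Analyzer or Microsoft; the field identifiers (c-ip, cs-username and so on) are assumed W3C names for the Web proxy fields listed above, and the sample log is constructed.

```python
# Added example. The identifiers are assumed W3C names for the Web proxy fields
# listed above; compare them with the "#Fields:" line of your own log file.
WEB_PROXY_FIELDS = ["c-ip", "cs-username", "c-agent", "date", "time", "sc-bytes",
                    "cs-bytes", "cs-protocol", "cs-uri", "s-object-source", "sc-status"]

def split_cols(line):
    # Tab splitting keeps values with spaces (user agents) intact; else use whitespace.
    return line.split("\t") if "\t" in line else line.split()

def audit_w3c_log(text, required):
    """Return (missing_fields, bad_rows, records) for W3C extended log text."""
    fields, missing, bad_rows, records = None, set(), [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            # Directive line; "#Fields:" may reappear mid-file with other columns.
            if line.lower().startswith("#fields:"):
                fields = split_cols(line[len("#fields:"):].strip())
                missing |= set(required) - set(fields)
            continue
        if fields is None:
            bad_rows.append((lineno, "data row before any #Fields directive"))
            continue
        cols = split_cols(line)
        if len(cols) != len(fields):
            bad_rows.append((lineno, f"{len(cols)} columns, expected {len(fields)}"))
            continue
        records.append(dict(zip(fields, cols)))
    if fields is None:
        missing = set(required)  # no header at all: nothing can be confirmed
    return sorted(missing), bad_rows, records

# Constructed sample (not real traffic): the second header drops cs-username.
FIELDS_NO_USER = [f for f in WEB_PROXY_FIELDS if f != "cs-username"]
SAMPLE = "\n".join([
    "#Version: 1.0",
    "#Fields: " + "\t".join(WEB_PROXY_FIELDS),
    "\t".join(["192.0.2.10", "anonymous", "Mozilla/4.0 (compatible; MSIE 6.0)",
               "2006-03-01", "09:15:02", "5120", "310", "http",
               "http://example.com/", "Inet", "200"]),
    "#Fields: " + "\t".join(FIELDS_NO_USER),
    "\t".join(["192.0.2.11", "Mozilla/4.0 (compatible; MSIE 6.0)", "2006-03-01",
               "09:20:41", "840", "295", "http", "http://example.com/a", "Cache", "304"]),
    "\t".join(["192.0.2.12", "truncated-row"]),
])

print(audit_w3c_log(SAMPLE, WEB_PROXY_FIELDS)[:2])
```

    A non-empty first element means at least one header in the file lacks a required field, so reports that depend on it will be incomplete for that part of the log.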

    ProxyInspector works only with log files, since access to log files is significantly faster than access to SQL databases (nevertheless, you can import data from existing MSDE databases using Database | Move data from ISA 2004 & 2006 MSDE databases). ProxyInspector supports both W3C and ISA Native log file formats. The recommended format is W3C.

    Refer to the Microsoft ISA server log analyzer page to find out how Firewall Analyzer fits best as an ISA log analyzer software.