Operations Guide

Internet Security and Acceleration Server 2006 

Microsoft Corporation

Published: May, 2007

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2007 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, FrontPage, Visual Studio, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Contents

ISA Server Operations Guide

Operations

Daily

Resource availability

Internet access

Availability of published servers

Availability of authentication servers

Cache

Services

Event Viewer

Daily backups

Dashboard

Alerts

Weekly

Disk space

Reports

Create and delete ISA Server rules

Monthly

Backup and restore testing

Performance Logs and Alerts

Reports

Security updates

Quarterly

Rules and configuration analysis

Certificate review

Reports

ISA Server Operations Guide

Microsoft® Internet Security and Acceleration (ISA) Server 2006 is the security gateway that helps protect your mission critical applications from Internet-based threats. ISA Server enables your business to do more, with secure access to Microsoft applications and data. Secure your Microsoft application infrastructure by protecting your corporate applications, services, and data across all network layers with stateful packet inspection, application-layer filtering, and comprehensive publishing tools. Streamline your network with simplified administrator and user experiences through a unified firewall and virtual private network (VPN) architecture. Safeguard your information technology environment to reduce security risks and costs, and help eliminate the effects that malicious software and attackers have on your business.

This document discusses some of the different ISA Server operations activities, and when these activities should be performed. This document assumes that ISA Server has already been installed, configured, and is properly running in your environment. This document does not cover installing, configuring, or troubleshooting ISA Server. It covers what an ISA Server administrator should check on a daily, weekly, monthly, and quarterly basis to assist in keeping ISA Server running as expected. The information in this document can also help the ISA Server administrator plan for future growth.

For more information about installing, configuring, and troubleshooting ISA Server 2006, see the Microsoft ISA Server TechCenter at the Microsoft TechNet Web site.

Operations

Your ISA Server operations activities occur at different frequencies:

Daily

Weekly

Monthly

Quarterly

Daily

On a daily basis, you should check the items in the following sections to make sure that your users are able to access the resources they require through ISA Server. The items should be checked at least on a daily basis, to ensure that ISA Server computers and the surrounding environment are functioning properly.

Note:

There are many methods or techniques that can be used to achieve these tasks. This document describes several methods. If you have another method that works for you, continue to use it. If you have suggestions for additional methods, send an e-mail message to ISA Server Documentation Feedback.

Resource availability

Because ISA Server enables you to provide secure access to the Internet and secure access to internal resources, you should check that these resources are available on a daily basis. For example, if you are publishing an internal Web site so users can access the site remotely and the Web server is accidentally turned off, users will be unable to access this resource. When things do not work properly, it might not be an ISA Server issue. In addition to checking that internal resources are working, verify that the servers and services required by ISA Server to provide access to the necessary resources required by your users are also functioning.

Internet access

If you have configured ISA Server to protect users when they are surfing the Internet through ISA Server, you want to make sure the Internet is accessible by using one of the following methods:

Manually test Internet connectivity from an internal workstation:

a. From your workstation, open Microsoft Internet Explorer® and browse to a public Web site, such as http://www.microsoft.com.

b. If access to a site fails, try another site because the first site might be unavailable.

c. If access to multiple sites fails, test Internet access to these sites from ISA Server.

For more information about troubleshooting Internet access, see "Troubleshooting Web Access for Internal Clients" at the Microsoft TechNet Web site.

Configure ISA Server connectivity verifiers to test Internet connectivity. Manually testing Internet connectivity can be time-consuming. You can configure ISA Server to check connectivity to specific URLs, and if connectivity fails, ISA Server generates an ISA Server alert. To configure connectivity verifiers:

a. Configure a connectivity verifier in the ISA Server Management console to check access to public Web sites. We recommend creating multiple connectivity verifiers to test connectivity to multiple sites because one site might be unavailable temporarily.

b. On a daily basis, check the Dashboard in ISA Server Management to see the status of configured connectivity verifiers. If the status of all configured Internet connectivity verifiers is failed, you should check the connection to the Internet.

For more information about troubleshooting Internet access, see "Troubleshooting Web Access for Internal Clients" at the Microsoft TechNet Web site.

The following is a list of benefits of using ISA Server connectivity verifiers:

In addition to automating checking Internet connectivity, an ISA Server alert is generated each time a connectivity verifier fails, providing you with the time of day and frequency that a connectivity verifier has failed.

ISA Server alerts can be configured to send an e-mail message, run a program, report to an event log, stop selected services, and start selected services after a specific number of failures. This can provide you with advanced warning that you are experiencing Internet connectivity issues. Instead of users informing you of an issue, you can inform users that a known issue is being handled.

When a server responds to the connectivity verifier but not within the specified time-out period, ISA Server will generate a Slow Connectivity alert. The default threshold for a new connectivity verifier is 5,000 milliseconds or 5 seconds. If the default is not long enough, you can either lengthen the time-out period or configure the connectivity verifier not to generate an alert when the server response is not within the specified time-out.

Note:

For more information about configuring connectivity verifiers, see the ISA Server product Help.

Availability of published servers

If ISA Server is configured to publish internal servers so users can access internal resources remotely, make sure that these servers are available by using one of the following methods:

Manually test connectivity to each published server:

a. For a published Web server, from your workstation, open Internet Explorer and browse to the internal site name configured when you published the Web site, such as http://www.corp.contoso.com.

b. If you have published non-Web server protocols, use the associated client application to connect to the server. For example, if you published a Domain Name System (DNS) server, open the DNS Microsoft Management Console (MMC) snap-in and connect to the DNS server's IP address.

Configure ISA Server connectivity verifiers to test connectivity to internal resources. Manually testing connectivity to internal resources can be time-consuming. You can configure ISA Server to check connectivity to the specified internal URLs or servers, and if connectivity fails, ISA Server generates an ISA Server alert. To configure connectivity verifiers:

a. Configure a connectivity verifier in ISA Server Management to check access to internal resources.

b. On a daily basis, check the Dashboard in ISA Server Management to see the status of configured connectivity verifiers. If the status indicates connectivity problems, select the Alerts tab to see which connectivity verifier has failed.

If Microsoft Operations Manager (MOM) 2005 or Microsoft System Center Operations Manager 2007 is installed in your environment, configure MOM 2005 or System Center Operations Manager 2007 to monitor internal resources. MOM and System Center Operations Manager utilize management packs to enhance the intelligent operations management for a variety of server applications.

For more information about MOM 2005, see the Microsoft Operations Manager Web site.

For more information about System Center Operations Manager 2007, see the Microsoft System Center Operations Manager Web site.

If you are unable to manually connect to the published server or if the connectivity verifier fails, confirm that the published server is available and running properly.

For a list of benefits of using connectivity verifiers, see the list of benefits in Internet access earlier in this document.

Availability of authentication servers

One of the fundamental capabilities of ISA Server is the ability to apply a firewall policy to specific users. By default, ISA Server can authenticate users against local accounts on the ISA Server computer. ISA Server can communicate with Active Directory® directory service servers (for Microsoft Windows® authentication), with RSA authentication managers (for RSA SecurID authentication), with Remote Authentication Dial-In User Service (RADIUS) servers, and with Lightweight Directory Access Protocol (LDAP) (for Web publishing only).

When the selected authentication method is not available, users are not granted access to the requested resource. For more information about the different authentication methods supported by ISA Server, see "Authentication in ISA Server 2006" at the Microsoft TechNet Web site.

On a daily basis, you should check that the authentication methods that ISA Server requires are available using one of the following methods:

Manually test connectivity to the authentication servers:

If Active Directory has been selected as the authentication method, in most cases, when you log on to your computer, you have tested if Active Directory is available and running.

For RSA SecurID and RADIUS authentication, see the vendor's product documentation about how to test that the authentication services are available.

For LDAP authentication, you can use the LDP.exe tool to test the connectivity to the LDAP server. LDP.exe, by default, is located in the following location: %PROGRAMFILES%\Support Tools.

Configure ISA Server connectivity verifiers to test connectivity to the required authentication servers. Manually testing connectivity to the authentication servers can be time-consuming. You can configure ISA Server to check connectivity to the specified authentication servers, and if connectivity fails, ISA Server generates an ISA Server alert. To configure connectivity verifiers:

a. Configure a connectivity verifier in ISA Server Management to check connectivity to authentication servers.

b. On a daily basis, check the Dashboard in ISA Server Management to see the status of configured connectivity verifiers. If the status indicates connectivity problems, select the Alerts tab to see which server has failed.

If MOM 2005 or System Center Operations Manager 2007 is installed in your environment, configure MOM 2005 or System Center Operations Manager 2007 to monitor Active Directory, RSA, and RADIUS servers. MOM and System Center Operations Manager utilize management packs to enhance the intelligent operations management for a variety of server applications.

For more information about MOM 2005, see the Microsoft Operations Manager Web site.

For more information about System Center Operations Manager 2007, see the Microsoft System Center Operations Manager Web site.

For a list of benefits of using connectivity verifiers, see the list of benefits in Internet access earlier in this document.

Cache

The following are the main benefits to enabling cache:

Faster Internet user access: Web requests are served from the cache instead of requiring a connection to a remote Internet server. In Web publishing scenarios, reverse caching speeds up access for Internet users requesting Web content from corporate Web servers published by ISA Server.

Reduced traffic on the Internet connection: Because frequently requested objects are served from the cache, bandwidth is saved on the Internet connection. In Web publishing scenarios, reverse caching reduces the load on the published Web server.

For more information about ISA Server cache, see "Caching and CARP in ISA Server 2006" at the Microsoft TechNet Web site.

Note:

Caching is not enabled by default. If you want to take advantage of ISA Server caching, you must enable this feature.

When caching is enabled on your ISA Server computers, you should check on a daily basis that Web requests are being served by the cache directly instead of making a request to the Internet. To make sure Web requests are being delivered by cache content directly, check ISA Server logging:

1. In ISA Server Management, select the Logging page on the Monitoring node.

2. Edit the existing filter to show HTTP traffic only.

3. Add the following columns to the log results pane: Object Source and Cache Information. The Object Source column indicates the source that was used to retrieve the current object, and the Cache Information column indicates the reason why an object was or was not cached.

4. When a Web request is delivered by cache content, the Object Source for the request will be Cache. How caching is configured determines how many Web requests are delivered from cache instead of from the Internet.

Note:

For information about how to modify the default filter conditions to display data that meets specific criteria in the log viewer, see the "Querying the Logs" section in "Monitoring, Logging, and Reporting Features in ISA Server 2006" at the Microsoft TechNet Web site.

As shown in the preceding screen shot, not every Web request is cached. HTTP defines several ways for a Web server to specify how long a document can be cached before it expires, or not to cache the page. To determine why an object was not delivered from cache, record the value in the Cache Information column and look up the value in the "Web Proxy: Cache Information Log Values" section in "ISA Server Logging Fields and Values" at the Microsoft TechNet Web site.

Services

You should check the status of services on your ISA Server computer to confirm that the required services show Started, especially the services that are configured to start automatically when the computer is started. Use one of the following methods:

Open the Services MMC snap-in to view the status of all services running on the ISA Server computer. From a command prompt, run services.msc to open the Services snap-in.

You can also check the status, and start and stop the following ISA Server services from the Services tab on the Monitoring node in ISA Server Management:

Microsoft Firewall

Microsoft ISA Server Job Scheduler

Routing and Remote Access

Network Load Balancing (ISA Server Enterprise Edition)

Microsoft Data Engine

If MOM 2005 or System Center Operations Manager 2007 is installed in your environment, configure MOM 2005 or System Center Operations Manager 2007 to monitor services running on the ISA Server computer.

For more information about MOM 2005, see the Microsoft Operations Manager Web site.

For more information about System Center Operations Manager 2007, see the Microsoft System Center Operations Manager Web site.

Event Viewer

On a daily basis, you should check the event logs for all of your ISA Server computers for any unusual Warning and Error events. ISA Server events are logged to the Application log in Event Viewer.

From a command prompt, run eventvwr.msc to open the Event Viewer MMC snap-in.

You can filter event logs to show only the event types you select. For example, to only view Warning and Error event types, you can create a filter that only shows Warning and Error event types.

For more information about Event Viewer, see Microsoft Windows Server® 2003 product Help.

For additional information about specific events and error messages, see the Events and Message Center at the Microsoft TechNet Web site.

To view information about a specific event

1. Select Internet Security and Acceleration Server for the Microsoft product field.

2. Enter the event ID in the ID field or enter additional information, and click Go.
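
A scripted version of the daily Services and Event Viewer checks described above, as an added example that is not part of the Microsoft guide. It assumes Windows PowerShell 2.0 or later on the ISA Server computer; the display names come from the service list in this guide, and whether each one is registered as a Windows service under exactly that display name is an assumption, so names that are not found are reported as NotFound rather than as stopped.

```powershell
# Added example: daily service and Application-log check for an ISA Server computer.
# Run locally from an administrative Windows PowerShell 2.0+ prompt.

# Display names as listed in this guide (assumed to match the installed services).
$isaServices = @(
    'Microsoft Firewall',
    'Microsoft ISA Server Job Scheduler',
    'Routing and Remote Access',
    'Network Load Balancing',
    'Microsoft Data Engine'
)

function Get-IsaServiceStatus {
    param([string[]]$DisplayName)
    foreach ($name in $DisplayName) {
        # Win32_Service is used because it exposes StartMode as well as State.
        $found = @(Get-WmiObject -Class Win32_Service -Filter "DisplayName='$name'")
        if ($found.Count -eq 0) {
            # Not registered under this display name on this computer.
            New-Object PSObject -Property @{
                DisplayName = $name; State = 'NotFound'; StartMode = ''
            }
        } else {
            $found | Select-Object DisplayName, State, StartMode
        }
    }
}

function Get-StoppedAutoService {
    # Every service configured to start automatically that is not running,
    # which is the case the guide asks you to look at first.
    Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
        Select-Object DisplayName, Name, State
}

function Get-RecentApplicationProblem {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Group by source and event ID so a single noisy event does not hide the rest.
    Get-EventLog -LogName Application -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue |
        Group-Object Source, EventID, EntryType |
        Sort-Object Count -Descending |
        Select-Object Count, Name, @{
            Name       = 'LastSeen'
            Expression = { ($_.Group | Sort-Object TimeGenerated | Select-Object -Last 1).TimeGenerated }
        }
}

'Services named in the guide:'
Get-IsaServiceStatus -DisplayName $isaServices |
    Format-Table DisplayName, State, StartMode -AutoSize

'Automatic services that are not running:'
Get-StoppedAutoService | Format-Table DisplayName, Name, State -AutoSize

'Application log warnings and errors, last 24 hours (Source, EventID, EntryType):'
Get-RecentApplicationProblem -Hours 24 | Format-Table Count, Name, LastSeen -AutoSize
```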

Daily backups

If you are running daily backups of your servers, confirm that the backup finished successfully. To determine the status of each backup job, refer to your vendor's product documentation.

For more information about backing up your ISA Server computer, see "How to Back Up and Restore an ISA Server Enterprise Configuration" at the Microsoft TechNet Web site.

Dashboard

On a daily basis, you should check the Dashboard tab on the Monitoring node. If a warning or error status icon appears, your attention is needed. For additional information, open the required tab on the Monitoring node.

Alerts

Confirm the status of ISA Server alerts from the Dashboard tab on the Monitoring node. An OK status icon indicates that there are no alerts that have not been acknowledged or reset. An error status icon indicates that there are alerts that need your attention. Go to the Alerts tab to view more information and to acknowledge or reset the alerts.

Weekly

On a weekly basis, check the items described in the following sections.

Disk space

Check the amount of free disk space on all drives on the ISA Server computers in your environment. If a computer runs out of disk space or logging fails, ISA Server goes into lockdown mode. If free disk space is low, you should back up files that are not needed and then delete these files.

When in lockdown mode, the following functionality applies:

The Firewall Packet Filter Engine (fweng) applies the firewall policy.

Outgoing traffic from the Local Host network to all networks is allowed. If an outgoing connection is established, that connection can be used to respond to incoming traffic. For example, a DNS query can receive a DNS response, on the same connection.

No incoming traffic is allowed, unless a system policy rule that specifically allows the traffic is enabled. The one exception is Dynamic Host Configuration Protocol (DHCP) traffic, which is always allowed. DHCP requests on User Datagram Protocol (UDP) port 67 are allowed from the Local Host network to all networks, and DHCP replies on UDP port 68 are allowed back in.

The following system policy rules are still applicable:

Allow Internet Control Message Protocol (ICMP) from trusted servers to the local host.

Allow remote management of the firewall using MMC (RPC through port 3847).

Allow remote management of the firewall using Remote Desktop Protocol (RDP).

VPN remote access clients cannot access ISA Server. Similarly, access is denied to remote site networks in site-to-site VPN scenarios.

Any changes to the network configuration while in lockdown mode are applied only after the Firewall service restarts and ISA Server exits lockdown mode. For example, if you physically move a network segment and reconfigure ISA Server to match the physical changes, the new topology is in effect only after ISA Server exits lockdown mode.

ISA Server does not trigger any alerts.

When the Firewall service restarts, ISA Server exits lockdown mode and continues functioning, as previously. Any changes made to the ISA Server configuration are applied after ISA Server exits lockdown mode.

To configure a low disk space alert, see "How To: Configure a Low Disk Space Alert by Using the Performance Logs and Alerts Feature in Windows Server 2003" at the Microsoft Support Web site.

If MOM 2005 or System Center Operations Manager 2007 is installed in your environment, you can configure low disk space alerts for the ISA Server computer.

For more information about MOM 2005, see the Microsoft Operations Manager Web site.

For more information about System Center Operations Manager 2007, see the Microsoft System Center Operations Manager Web site.

Reports

With ISA Server reporting, you can create a permanent record of common usage patterns, and summarize and analyze log information. Reports can be scheduled to be generated on a daily, weekly, or monthly basis, or on specific dates. Reports can be copied to another server, such as a Web server or file server, making the reports available to users who do not have access rights to ISA Server Management.

Schedule reports to run on a weekly basis and review these reports to analyze application and traffic patterns. Reporting provides you with historical information that is helpful when evaluating performance issues. For example, if users are stating that the Internet is slow, you can look at current and historical Traffic and Utilization reports, and see if a large increase in HTTP traffic has occurred. With the reports, you have the information and can explain the reason for the slow response.

Create and delete ISA Server rules

When rules are added to a firewall, they are sometimes added without prior planning, because users need something immediately so that a new project can start. If the rules are not created quickly, project delays may occur. A new rule is typically added as the first rule, so that you can verify that the rule works and that no other rule will block the new rule. If the new rule allows access and is the first rule, it takes precedence over a current rule that may not allow access. As a result, users who should not have access will now be allowed access.

To properly manage a firewall, follow a schedule for making changes to the firewall. Advise your users that required changes to ISA Server will be made on a specific day of the week and emphasize the importance of this policy. There will be exceptions to this rule, but the exceptions should be infrequent. Gather from your users the information that you need to create the ISA Server rule. Consider creating a form that is required to be filled out for any new firewall rule requests. This provides you with a written record of the request.

Several days before you are scheduled to make the changes, review the change requests. Confirm that you have the required information, review the existing firewall policy, determine where the new rule will be located, and evaluate if an existing rule needs to be modified.

For more information about firewall policy design, see "Best Practices Firewall Policy for ISA Server 2006" at the Microsoft TechNet Web site.
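
The rule-placement problem described in this section, worked through as an added example that is not part of the Microsoft guide. It uses a simplified model, which is an assumption of the example: rules are evaluated top-down, the first rule that matches user and destination decides, and a request that matches nothing is denied. All rule names, users and destinations are constructed.

```powershell
# Added example: compare effective access before and after a rule change,
# using a simplified first-match policy model (assumption, see lead-in).

function New-Rule {
    param([string]$Name, [string]$Action, [string[]]$Users, [string[]]$Destinations)
    New-Object PSObject -Property @{
        Name = $Name; Action = $Action; Users = $Users; Destinations = $Destinations
    }
}

function Test-RuleMatch {
    param($Rule, [string]$User, [string]$Destination)
    # '*' stands for "all users" or "all destinations" in this model.
    ($Rule.Users -contains '*' -or $Rule.Users -contains $User) -and
    ($Rule.Destinations -contains '*' -or $Rule.Destinations -contains $Destination)
}

function Get-PolicyDecision {
    param([object[]]$Rules, [string]$User, [string]$Destination)
    foreach ($rule in $Rules) {
        if (Test-RuleMatch -Rule $rule -User $User -Destination $Destination) {
            # First match wins; later rules are never consulted.
            return New-Object PSObject -Property @{ Action = $rule.Action; Rule = $rule.Name }
        }
    }
    New-Object PSObject -Property @{ Action = 'Deny'; Rule = 'no rule matched' }
}

function Compare-PolicyChange {
    # Lists every user/destination pair whose outcome differs between two rule orders.
    param([object[]]$Before, [object[]]$After, [string[]]$Users, [string[]]$Destinations)
    foreach ($u in $Users) {
        foreach ($d in $Destinations) {
            $old = Get-PolicyDecision -Rules $Before -User $u -Destination $d
            $new = Get-PolicyDecision -Rules $After  -User $u -Destination $d
            if ($old.Action -ne $new.Action) {
                New-Object PSObject -Property @{
                    User        = $u
                    Destination = $d
                    Before      = "$($old.Action) ($($old.Rule))"
                    After       = "$($new.Action) ($($new.Rule))"
                }
            }
        }
    }
}

# Constructed sample policy: contractors are kept out of the HR application.
$existing = @(
    (New-Rule 'Block contractors from HR'  'Deny'  @('carl')  @('hr-app')),
    (New-Rule 'Employees to internal apps' 'Allow' @('alice') @('*'))
)

# Rule requested in a hurry for a new project, written more broadly than needed.
$rushed = New-Rule 'Project X access' 'Allow' @('alice', 'carl') @('*')

$users = 'alice', 'carl'
$dests = 'hr-app', 'project-app'

'Changes in effective access when the new rule is placed first:'
Compare-PolicyChange -Before $existing -After (@($rushed) + $existing) -Users $users -Destinations $dests |
    Format-Table User, Destination, Before, After -AutoSize

'Changes in effective access when the new rule is placed last:'
Compare-PolicyChange -Before $existing -After ($existing + @($rushed)) -Users $users -Destinations $dests |
    Format-Table User, Destination, Before, After -AutoSize
```

Placed first, the new rule overrides the existing deny for the contractor; placed after it, only the access the project asked for changes.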

Monthly

On a monthly basis, check the items described in the following sections.

Backup and restore testing

Take time to develop a backup and restore plan, and then test your backup and restore plan, to be sure it is working. Testing your backup and restore strategy on a monthly basis confirms that the plan works, that your backups are valid, and that you can restore as expected.

For more information about backing up your ISA Server computer, see "How to Back Up and Restore an ISA Server Enterprise Configuration" at the Microsoft TechNet Web site.

Performance Logs and Alerts

The Performance Logs and Alerts MMC snap-in is a tool that can be used to help with monitoring and troubleshooting. This document does not discuss how to use Performance Logs and Alerts to help with troubleshooting. This document discusses how to use Performance Logs and Alerts to help monitor and analyze your ISA Server computers.

For proper ISA Server analysis, you need to create a baseline of your ISA Server computer performance. After ISA Server has been installed and configured properly, you should create a baseline by creating and saving a counter log over a two-week period using a time interval of between five and ten minutes.

To create a performance counter log, see "Create a counter log" at the Microsoft TechNet Web site.

A monthly counter log should be created using the same time interval of between five and ten minutes. At the end of each month, the performance counter log should be analyzed against the baseline counter log. This analysis should help you foresee when you will need to make changes to your environment as the company grows.

After major changes have been made to an environment, a new baseline counter log should be created.

For a complete list of the ISA Server performance objects and counters, see "Performance Counters" at the Microsoft TechNet Web site.

Reports

With ISA Server reporting, you can create a permanent record of common usage patterns, and summarize and analyze log information. Reports can be scheduled to be generated on a daily, weekly, or monthly basis, or on specific dates. Reports can be copied to another server, such as a Web server or file server, making the reports available to users who do not have access rights to ISA Server Management.

Configure ISA Server to generate built-in reports automatically on a monthly basis. ISA Server has the following built-in reports:

Summary

Web Usage

Application Usage

Traffic and Utilization

Security

Review these reports to analyze application usage patterns, traffic patterns, and security incident patterns for month-to-month usage, such as from June to July of the same year and from June of this year to June of last year.

For more information about ISA Server reports, see "Monitoring, Logging, and Reporting Features in ISA Server 2006" at the Microsoft TechNet Web site.

Security updates

Microsoft typically releases security hotfixes on the first Tuesday of every month. Review released hotfixes and determine if the hotfix is required for ISA Server computers.

Quarterly

On a quarterly basis, check the items described in the following sections.

Rules and configuration analysis

After changes are made to your ISA Server configuration and changes occur in the environment, rules that were required a few months ago may no longer be needed. Or, a rule may have been added quickly to meet a project deadline, but was not put in the correct location for optimum performance.

On a quarterly basis, review the existing ISA Server configuration. This review should include the following:

Review the Remote Management Computers computer set (and Enterprise Remote Management Computers computer set if you are running ISA Server Enterprise Edition). If you have allowed remote management of your ISA Server computers, verify that only the required computers, address ranges, and subnets are included in the Remote Management Computers computer set (and the Enterprise Remote Management Computers computer set). Remove any entries that are no longer required. All computers included in these computer sets can remotely manage the ISA Server computers when the Microsoft Management Console (MMC) and Terminal Server system policies are enabled. These policies are part of the Remote Management group.

Review access and publishing rules. Make sure that all access and publishing rules are still required. Rules that are no longer needed should be disabled for a few months, and then at the next quarterly rules analysis, you can delete the disabled rules. You might also want to change the name of the rule, indicating that the rule can be deleted next quarter. If you are not sure if a rule is still needed and logging is enabled for the rule, you can query the logs for the rule name to determine the last time the rule appeared in the logs.

Review networks and network rules. Review the existing networks and network rules that are currently configured. Remove any networks that no longer exist.

Review the site-to-site VPN configuration. Review existing site-to-site VPN connections and confirm that each one is still required and used.

Certificate review

Certificates are important in ISA Server publishing scenarios and ISA Server deployments in a workgroup environment. If these certificates expire, a warning message is displayed when users attempt to connect to the ISA Server computer, or the ISA Server computer cannot connect to the published server or to the Configuration Storage server (in ISA Server Enterprise Edition) to retrieve and apply policy updates.

Check the expiration date on all certificates on the ISA Server computer and the published Web servers on a quarterly basis. This will provide you with enough time to renew the certificate before it expires.

To check the expiration date on the installed certificates, do one of the following:

Use the Microsoft ISA Server Best Practices Analyzer Tool:

a. Download and run the ISA Server Best Practices Analyzer Tool on your ISA Server computers. To download the ISA Server Best Practices Analyzer, see "Microsoft Internet Security and Acceleration (ISA) Server Best Practices Analyzer Tool" at the Microsoft Download Center Web site. The ISA Server Best Practices Analyzer checks the expiration date of the certificates on the ISA Server computer and the published Web servers. The ISA Server Best Practices Analyzer shows a warning message when a certificate is expiring within the next two weeks and an error message when a certificate has expired.

b. Renew certificates that have expired or are going to expire according to the instructions of the issuing certification authority.

Use the Certificates MMC snap-in:

a. Open the Certificates MMC snap-in for the Computer account on the ISA Server computer and internal Web server.

b. Expand the Personal folder and select the Certificates folder.

c. Double-click the Expiration Date column to sort the certificates based upon expiration dates.

d. Renew certificates that have expired or are expiring according to the instructions of the issuing certification authority.

When you are running ISA Server Enterprise Edition in a mixed workgroup/domain environment, check the certificate installed on the Configuration Storage server. This certificate is stored in the Certificates folder of the ISASTGCTRL service.
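
A scripted form of the Certificates snap-in check above, as an added example that is not part of the Microsoft guide or the Best Practices Analyzer. It assumes Windows PowerShell 2.0 or later; the 14-day tier mirrors the two-week warning described above, while the 100-day review window is an assumption of this example, chosen so that a quarterly check flags every certificate that would expire before the next review. The sample certificate entries are constructed.

```powershell
# Added example: classify certificates by the time left before they expire.
function Get-CertificateExpiryStatus {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Certificate,
        [int]$UrgentDays = 14,         # two-week warning tier described in the guide
        [int]$ReviewWindowDays = 100,  # assumption: slightly longer than one quarter
        [datetime]$Now = (Get-Date)
    )
    process {
        # Whole days remaining; negative once the certificate has expired.
        $daysLeft = [int][math]::Floor(($Certificate.NotAfter - $Now).TotalDays)

        if ($daysLeft -lt 0)                      { $status = 'Expired' }
        elseif ($daysLeft -le $UrgentDays)        { $status = 'Urgent' }
        elseif ($daysLeft -le $ReviewWindowDays)  { $status = 'RenewBeforeNextReview' }
        else                                      { $status = 'OK' }

        New-Object PSObject -Property @{
            Status     = $status
            DaysLeft   = $daysLeft
            NotAfter   = $Certificate.NotAfter
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
        } | Select-Object Status, DaysLeft, NotAfter, Subject, Thumbprint
    }
}

# Constructed sample entries (not real certificates) showing each status tier.
$reviewDate = Get-Date '2007-05-01'
$sample = @(
    New-Object PSObject -Property @{
        Subject = 'CN=www.corp.contoso.com'; Thumbprint = 'SAMPLE-1'; NotAfter = $reviewDate.AddDays(-3) }
    New-Object PSObject -Property @{
        Subject = 'CN=mail.corp.contoso.com'; Thumbprint = 'SAMPLE-2'; NotAfter = $reviewDate.AddDays(10) }
    New-Object PSObject -Property @{
        Subject = 'CN=portal.corp.contoso.com'; Thumbprint = 'SAMPLE-3'; NotAfter = $reviewDate.AddDays(60) }
    New-Object PSObject -Property @{
        Subject = 'CN=isa01.corp.contoso.com'; Thumbprint = 'SAMPLE-4'; NotAfter = $reviewDate.AddDays(400) }
)

'Constructed sample, reviewed on 2007-05-01:'
$sample | Get-CertificateExpiryStatus -Now $reviewDate |
    Sort-Object DaysLeft |
    Format-Table Status, DaysLeft, Subject -AutoSize

# Personal store of the Computer account, the same folder the snap-in steps open.
# Run on the ISA Server computer and on each published Web server.
'Certificates in Cert:\LocalMachine\My that need attention:'
Get-ChildItem Cert:\LocalMachine\My |
    Get-CertificateExpiryStatus |
    Where-Object { $_.Status -ne 'OK' } |
    Sort-Object DaysLeft |
    Format-Table Status, DaysLeft, NotAfter, Subject -AutoSize
```

The certificate held in the ISASTGCTRL service store is not part of Cert:\LocalMachine\My, so it still has to be checked in the Certificates snap-in as described above.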

Reports

With ISA Server reporting, you can create a permanent record of common usage patterns, and summarize and analyze log information. Reports can be scheduled to be generated on a daily, weekly, or monthly basis, or on specific dates. Reports can be copied to another server, such as a Web server or file server, making the reports available to users who do not have access rights to ISA Server Management.

Configure ISA Server to generate built-in reports automatically on a quarterly basis. ISA Server has the following built-in reports:

Summary

Web Usage

Application Usage

Traffic and Utilization

Security

Review these reports to analyze application usage patterns, traffic patterns, and security incident patterns for quarter-to-quarter usage, such as from the first quarter to the second quarter and from the second quarter of this year to last year's second quarter.

For more information about ISA Server reports, see "Monitoring, Logging, and Reporting Features in ISA Server 2006" at the Microsoft TechNet Web site.