2 1/2 Conferences

I’ll be attending the SMBSummit a Disneyland from March 15-17. This conference is organized by the SMB Technology Network. If you are looking for good technical information on SBS and good business information on running a small consulting firm this is the place to be.

http://www.smbsummit.com

I am also hoping to attend Jeff Middleton’s Small Business IT Disaster Recovery and Crises Recovery conference from May 26th – June 2nd. Jeff’s conference is the 1 1/2 part in the title of this post. The first two days are land based in New Orleans. The remaining 5 are on a Cruiseship leaving New Orleans headed for Mexico. You can attend the first part, the second part or both. It’s a round table discussion type conference with leaders rather than speakers happening for the majority of it. Great concept. Should also be a great time. There’s plenty of fun time built into this one.

http://conference2007.sbsmigration.com

Hope to meet you there!

Creating a Visited Websites Report by User

Many admins learned how to create reports by opening up the log files in ISA 2000 and using Excel features to organize the data in a meaningful way. Contrary to popular opinion, you can use Excel to generate a report using ISA 2004 with MSDE logging much easier than in ISA 2000 flat files.

Start by trimming out what you don’t want to see, right in ISA.

In the monitoring tab create a query with the information you want to view.

Logging last 7 days
Protocol HTTP
Action Allowed Connection
Rule SBS Internet Access Rule
Client Username Not Equal Annonymous

This will display in the monitoring viewer a list of packets going to websites. Press the Copy to Clipboard and then paste into Excel to start organizating the data into a report.

How ISA MSDE Logging Works

Recently on a mailing list a question was asked for someone to explain how ISA does logging to MSDE and why you sometimes see a lot of log files for the same day. Dana Epp, of Scorpion Software, quickly responded with a very concise and clear response.

When using MSDE, ISA stores the logs in daily database files. If you make any policy changes to the firewall, it stops the instance and restarts it with a new name. As an example for today the database would be called ISALOG_20070110_FWS_000. (That is the format YYYYMMDD in case you missed it). If you stopped and restarted ISA, it would then be ISALOG_20070110_FWS_001. You would need to function concat() { [native code]}the 000 and the 001 to get the complete set of log events for the day. For the web proxy, its “_WEB_” instead of of “_FWS_”. Microsoft does this to apparently prevent data corruption, although I have yet to see how that matters in this regard. There is no reason it couldn’t be merged. (IMNSHO). I think they do it to prevent the DB size limitation for MSDN databases.

Depending on your audit log retention policy, you might have up to a month or two of these hanging around. What Firewall Dashboard
(Dana’s ISA add-on) does is merge all the data together, consolidate all the events down to remove log events not helpful in analysis, and import them into the FWDB database instance. Thats how we can literally go from a few hundred thousand events down to a few hundred, depending on the scenario.

The actual table structure for the whole lot is stored under the ISA directory. If you wish to see the structure of the data, its in *.sql scripts in the base dir of ISA.

If you are finding that the files are hanging around past the date you want, you can freely delete them… with one caveat. If you are consolidating the data with the ISA reporting engine, make sure you aren’t deleting the summary/archive data.

There is a KB on configuring logging for ISA. Not sure if you would find that useful or not. You can see it at:
http://support.microsoft.com/?id=302372

Thank you!

I’d like to put in a big thank you to several people that made a difference in the world of ISA support in 2006.

Jim Harrison – Without Jim there would be no ISA community. He’s a man of infinite patience and belief in community. We only managed to push him over the edge twice this year and given how many buttons were pushed, only twice says a lot for his character and ability to see beyond the surface bull to the real issues.

Susan Bradley – The World News, the Great Library of Susan, the ever helpful and passionate about community nearly to a fault Susan. If you haven’t heard the name then you must live underwater someplace. No one can read Susan and always agree with her but that’s part of what makes her voice invaluable. Susan isn’t afraid to ask the difficult, the unsaid, or to point out the elephant in the room and when you need her support she’s right there. I love that.

Tom Shinder – Given Tom’s opinions about SBS some will question my sanity for mentioning him here, but just as many will question my mention of Susan above. Truth be told the combined passion that these two have for their respective communities, if harnessed, could resolve the west coast summer power problems. Tom’s dedication to ISA and community through his articles and forum support surpasses the rest of us combined. His comments can be harshly worded but I value them even so. Besides, I think we have an understanding.

Andy Goodman – Andy will probably fall off his chair if he’s sees this but Andy has done some excellent work detailing what needs to be done to stop CRM and ISA from trying to kill one another and CRM works as an SSL site to boot. Since Microsoft put out the SBS version of CRM and didn’t include instructions that made any sense, they owe him some thanks as well. But since that probably isn’t coming Andy, you’ll have to get by with just mine.

Eriq Neale – Because he said after reading the chapters I wrote for his book that he’s converting his clients over to ISA. When your boss says that, well, you’ve got to say thank you.

Thanks also to the readers. Most of you find this blog through Google or links from other blogs. I get a couple of comments every week usually direct to my mailbox. Thanks for those; they mean a lot.

Adding Exchange Defender for SMTP Security

A price we pay for putting ISA on the same physical box as our Exchange server in SBS 2003 is that we’re unable to make use of the SMTP features in ISA. You can however use Exchange Defender, a third party SMTP filtering service, to reduce incoming spam. (among other nice features) If you are planning to implement Exchange Defender you’ll want to have a look at Susan Bradley’s article on how to configure ISA to work with it. You can find it here. I’ll add this reference to the App section on the blog website as well.