Overview of ISA 2004 SP3

•    Published: May 29, 2007
•    Updated: May 29, 2007
•    Section: Tutorials :: Configuration - General
•    Author: Thomas Shinder

Service Pack 3 for the 2004 ISA Firewall.
The new service pack for the 2004 ISA Firewall hit the streets a couple of weeks ago and now that I’ve had some time to kick the tires on it and see how it works, I can now tell you what’s going on with it. Service Pack 3 for the 2004 ISA Firewall not only includes all the hotfixes released since Service Pack 2, but also includes some cool new features which I think you’ll like.
However, before you begin your SP3 trek, I suggest that you read about some potential problems with SP3 on the ISA Firewall Team blog. Once you get over the installation hurdle, I think you’ll find that everything afterwards will go smoothly.
SP3 includes the following new features or capabilities:
•    Improved Log Viewer
•    Enhanced Log Filtering
•    Improved Management of Log Filters
•    New Diagnostic Logging
•    Integration with ISA Firewall Best Practices Analyzer
Improved Log Viewer
The ISA Firewall had a pretty good log viewer before the release of service pack 3. You could filter the logs and you could see them in real time. You could enable or disable viewing various columns in the log viewer to make things easier to read. However, often I got the feeling that I was having to scroll over too much to see the information that I was really interested in.
With SP3, you’ll see the Log Viewer has a new pane. In the figure below, the new Log Viewer pane is at the bottom of the screen, where it says No query results are currently in the log view. Here you will be able to see key details of a particular log entry without having to scroll across to the columns of interest.


Figure 1
The figure below shows you an example of the type of information that appears in the new details window for log entries. For the selected log file entry, we can see the following information:
•    Log type
•    Status
•    Rule
•    Source
•    Destination
•    Protocol
•    User
•    Additional information:
     •    Number of bytes sent
     •    Processing time
     •    Original client IP address
     •    Client Agent
The information that appears in the new details pane is very handy, because it contains most of the key information we’re interested in for any single log entry.
 
Figure 2
Enhanced Log Filtering
You might have noticed in the figure above that the lines in the log file now appear in different colors. The new color scheme allows you to more easily identify log file entries of interest. The default color scheme is:
GREEN:
•    Allowed Connection
•    User Cleared Quarantine (who actually uses VPN quarantine anyway?)
BLACK:
•    Closed Connection
•    Closed VPN Connection
•    Connection Status
•    Initiated Connection
•    Initiated VPN Connection
RED:
•    Denied Connection
•    Failed Connection Attempt
•    Failed VPN Connection Attempt
ORANGE:
•    Quarantine Timeout
You can see the default color scheme in the figure below. You have the option to change the colors from the default settings by clicking on the Color button. However, you cannot customize the log entry types that you can colorize. Notice that you can export and import color schemes by clicking on the Export Color Scheme and Import Color Scheme buttons. If you get things totally out of whack, you can always return to the default color scheme by clicking the Restore Defaults button.


Figure 3
Improved Log Filter Management and Configuration
Before SP3, if you wanted to save or import a custom log filter, you had to exit the Edit Filter dialog box and click the Import Filter or Export Filter buttons on the task pane. It would make more sense to have these options available in the Edit Filter dialog box itself. The ISA Firewall team realized this too and included this functionality in the Edit Filter dialog box. As you can see in the figure below, we have two new buttons that allow you to save your current filter settings and to load custom filter settings: Save Filter and Load Filter.


Figure 4
There are also some new filtering options included with Service Pack 3: Not One Of and One of, as you can see in the figure below.


Figure 5
For example, if you select Protocol in the Filter by drop down box and select the Not One Of option, you are given the choices available in the Value box. Put checkmarks in the boxes of the entries that you do not want to see in the log. This is a bit more convenient than having to create multiple Not Contains entries in the log file.


Figure 6
Now suppose you select Protocol in the Filter by drop down box and select the One Of condition. In the Value section you’ll see the same list of options and checkboxes. In this case, you’d put the checkmark in the checkboxes for those entries that you do want to see. Again, this is a lot easier than having to create a lot of Not Equal or Not Contains entries.
 
Figure 7
New Diagnostic Logging
Probably the most impressive feature included with Service Pack 3 for the 2004 ISA Firewall is the new diagnostic logging feature. Using diagnostic logging, you can get extremely granular information for each connection made to or through the ISA Firewall. The information included with the diagnostic logging is so detailed that you can actually get real insight into how the ISA Firewall evaluates each rule and component of the connection and the ISA Firewall’s decision making process.
The figure below shows the configuration interface for the new diagnostic logging feature. There are two types of events that you can log:
•    Firewall Policy: Log information about firewall policy rules, including Web proxy traffic
•    Authentication: Log information about firewall policy rule authentication
There are a number of ways you can view the log data. I wrote another article on the new diagnostic logging, so I won’t go through the details here. In fact, that article should be published the week before this article is released. Check the ISAserver.org Web site for it if you haven’t read it already.
 
Figure 8
Integration with ISA Firewall Best Practices Analyzer (ISA Firewall BPA)
The ISA Firewall BPA is a tool that you can use to find common installation and configuration errors made on the ISA Firewall. The ISA Firewall BPA integrates with the ISAinfo tool, so when you use the ISA Firewall BPA, you get a comprehensive view of your system and ISA Firewall configuration.
The ISA Firewall BPA is actually a separate download and isn’t included with Service Pack 3. However, once you install it, you can access the ISA Firewall BPA from the new Troubleshooting node in the left pane of the ISA Firewall console.
After running the ISA Firewall BPA, you’ll get detailed reports about your configuration and any issues found. In the figure below you can see that I had a few issues with the ISA Firewall that I ran the BPA on. When you click on an issue, there will be a link shown that allows you to get more information on the problem and how you might be able to fix it.

Figure 9
Other informational items are also available from the report. In the figure below you can see information about the version of the BPA used, the service pack and version of the ISA Firewall, the size of the system disk, the number of processors, and other useful info. Of course, you can also save your reports to a file so that you can send them off to Jim Harrison for analysis.


Figure 10
I highly recommend that you check out the ISA Firewall BPA’s Help file. There is a ton of interesting information about ISA Firewall issues that you won’t find anywhere else. This information will also help you be a better ISA Firewall troubleshooter and aid your future attempts to get the initial installation done right the first time.
 
Figure 11
Support for Publishing Exchange Server 2007
This is something that’s advertised in the Service Pack 3 release materials, but to be honest, I don’t see anything very interesting about the Exchange 2007 support other than that a new path is added (/owa) when you choose to publish an Exchange 2007 Web site. That isn’t to say that publishing Exchange 2007 is easy, because it is not. In fact, the Exchange team did a really great job at trying to drive ISA Firewall admins nuts because of the undocumented requirements they have for alternative subject names on their certificates. This is an undocumented issue and something that I’ll write about later. But if you’ve been having problems publishing OWA/ActiveSync/RPC-HTTP for Exchange 2007, I feel your pain. As soon as I get a machine with a VT enabled processor I’ll share with you the details of the problem and the solution.
Summary
Unlike Service Pack 2 for the 2004 ISA Firewall, SP3 introduces no changes in how the core firewall mechanisms work. Instead, we’re treated to some new logging and diagnostic features that will make it easier to troubleshoot connectivity issues to and through the ISA Firewall. The enhanced log viewer is a hands-down winner in my book. You might not appreciate it from the screenshot I showed earlier in this article, but once you start using it, you’ll wonder how you ever lived without it. The diagnostic logging feature is very powerful and potentially complex, but don’t worry, I’ve done a detailed article on how to get this working and how to put it to use in troubleshooting ISA Firewall connectivity problems.

Reposted from: https://blog.51cto.com/rickyfang/126905
