3. Under the Remote Monitoring section, select Microsoft Operations Manager.
4. Click the checkbox to enable the configuration group.
5. Select the To tab and click Add under the section This Rule Applies to Traffic Sent to These Destinations.
6. Enter MOM (or a similar name) in the Name column, the IP address of the MOM Management server, and a description if necessary and click OK.
7. In the Add Network Entities dialog, expand Computers, select the MOM server, and click Add and Close.
8. Remove any other entries from the selection box, and then click OK, Apply, and OK to save the changes.
This procedure should be replaced with one using the new MOM system policy rule. This would not require defining any custom protocols. The steps are as follows:
1. From the ISA Server Management Console, click on the Firewall Policy node in the console tree.
2. Click the Edit System Policy link in the Tasks tab of the Tasks pane.
3. Under the Remote Monitoring section, select Microsoft Operations Manager.
4. Click the checkbox to enable the configuration group.
5. Select the To tab and click Add under the section This Rule Applies to Traffic Sent to These Destinations.
6. Enter MOM (or a similar name) in the Name column, the IP address of the MOM Management server, and a description if necessary, as shown in Figure 19.24, and click OK.
7. In the Add Network Entities dialog, expand Computers, select the MOM server, and click Add and Close.
8. Remove any other entries from the selection box, and then click OK, Apply, and OK to save the changes.
Installing the MOM Agent on the ISA Server
After all prerequisites have been satisfied, the actual MOM agent installation on the ISA server can begin. To start the process, do the following:
1. From the MOM 2005 CD (or a network location), double-click on the \i386\MOMAgent.msi file.
2. At the Welcome screen, click Next to continue.
3. At the Destination Folder dialog box, click Next to continue.
4. Enter the Management Group Name and Management Server name; they are listed in the MOM environment. Leave the port unchanged at 1260 and the Agent Control Level at None, as shown in Figure 19.23. Click Next to continue.
5. Select Local System as the MOM Agent Action Account and click Next to continue.
6. Under Active Directory Configuration, select Yes if the ISA server is a domain member, or select No if it is not a domain member. Click Next to continue.
3. Click Yes to confirm.
Monitoring ISA Functionality and Performance with MOM
After the management pack is installed for ISA and the agent has been installed and is communicating, MOM consolidates and reacts to every event and performance counter sent to it from the ISA server. This information is reflected in the MOM Operations Console, as shown in Figure 19.25.
Performance data for ISA, such as what is shown in Figure 19.26, can also be displayed in MOM. This allows reports and performance metrics to be obtained from ISA.
For more information on MOM 2005, see the Microsoft website at the following URL: http://www.microsoft.com/mom
FIGURE 19.23 Manually installing the MOM agent.
FIGURE 19.24 Approving the MOM agent install.
FIGURE 19.25 Viewing ISA alerts.
Monitoring ISA with Windows Performance Monitor (Perfmon)
ISA Server 2006 comes with several predefined performance counters that take advantage of the Windows Performance Monitor (perfmon) utility. These counters can be useful for checking to see whether an ISA server is being overwhelmed. To run the Performance Monitor application with preconfigured ISA counters, simply click Start, All Programs, Microsoft ISA Server, ISA Server Performance Monitor.
FIGURE 19.26 Viewing server performance in MOM.
Summary
The ISA server developers did not disappoint when it came to developing the monitoring and troubleshooting tools made available to administrators. Using advanced logging to an MSDE or SQL database allows for advanced report generation, fast indexing and searching, and real-time logging. ISA alerts, connectivity verifiers, session monitoring, and the ISA dashboard also provide for excellent “out of the box” monitoring functionality.
In addition to monitoring with the ISA tools, Microsoft Operations Manager (MOM) 2005 can allow for proactive management and troubleshooting capabilities in an ISA Server environment.
Reset VPN sessions from the Sessions tab of the Monitoring node if changes are made to the VPN policy.
Use Microsoft Operations Manager (MOM) 2005 or the more recent System Center Operations Manager 2007 product with the ISA Server 2006 management pack to monitor an ISA Server 2006 environment whenever possible.
Make use of connectivity verifiers to provide “quick glance” views of critical network services.
Documenting an ISA Server 2006 Environment
Understanding the Benefits of ISA Server Documentation
Documenting the ISA Server 2006 Design
Developing Migration Documentation
Creating Administration and Maintenance Documentation for ISA
Preparing Disaster Recovery Documentation
Understanding the Importance of Performance Documentation
Writing Training Documentation
Summary
Best Practices
One of the most commonly skipped but important tasks in an ISA deployment project is the documentation of the design and functionality elements of an ISA Server environment. It is one thing to deploy an ISA server to address specific needs, but it is quite another to try to decipher why a particular ISA design was put into place or what an ISA server does years after it goes into place. Best practice dictates that the design, implementation, and functionality of an ISA server is incorporated into easy-to-understand and readily available documentation that can be accessed for disaster recovery purposes or during security audits.
This chapter outlines key best-practice documentation techniques that can be used to formalize the design and implementation of an ISA environment. Specific table of contents and document examples are shown, and documentation recommendations are given. In addition, this chapter also includes examples of a custom script that can be created to export firewall policy rules for documentation purposes.
Understanding the Benefits of ISA Server Documentation
Some of the benefits of documentation are immediate and tangible, whereas others can be harder to pin down. The process of putting the information down on paper encourages a level of analysis and review of the topic at hand that helps to clarify the goals and contents of the document. This process should also encourage teamwork and collaboration within the organization, as well as interdepartmental exchange of ideas.
For example, an ISA server maintenance document that details downtime for an individual SMTP publishing rule might be reviewed by the marketing manager who is concerned about the company’s capability to send out emails to the existing and potential client base during the scheduled periods of downtime. The CIO or IT director should review the document as well to make sure that the maintenance process meets his or her concerns, such as meeting an aggressive service-level agreement (SLA).
Consequently, documentation that has specific goals, is well organized and complete, and goes through a review or approval process should contribute to the overall professionalism of the organization and its knowledge base. The following sections examine some of the other benefits of professional documentation in the ISA Server environment.
Using Documentation for Knowledge Management
Quite simply, proper documentation enables an organization to better organize and manage its data and intellectual property. Rather than having the company’s policies and procedures in a dozen places, such as individual files for each department or, worst of all, in the minds of many individuals, consolidating this information into logical groupings can be beneficial.
A design document that details the decisions made pertaining to an ISA Server 2006 deployment project can consolidate and summarize the key discussions and decisions, as well as budgetary concerns, timing issues, and the like. In addition, there will be one document to turn to if questions emerge at a later date.
Similarly, if a service-level agreement is created and posted where it can be accessed by any interested parties, it should be very clear what the network users can expect from the ISA server infrastructure in terms of uptime or prescheduled downtimes.
A document that describes the specific configuration details of a certain server or type of server might prove to be very valuable to a manager in another company office when making a purchasing decision. The documents also must be readily available so that they can be found when needed, especially in the case of disaster recovery documents. Also, it’s handy to have them available in a number of formats, such as hard copy, in the appropriate place on the network, and even via an intranet.
CAUTION
It is important to find a balance between making sure the documentation is readily available and making sure that it is kept completely secure. ISA Server documentation contains particularly sensitive information about the security structure of an environment. Placement of ISA documentation is therefore key: It should be kept in locations that are readily accessible in the event of an emergency, but that also are highly secured.
By simply having these documents available and centralizing them, an organization can more easily determine the effects of changes to the environment and track those changes. Part of the knowledge-management process needs to be change management, so that although the information is available to everyone, only authorized individuals can make changes to the documents.
Using Documentation to Outline the Financial Benefits of ISA
Proper ISA Server documentation can be time consuming and adds to infrastructure and project costs. It is often difficult to justify the expense of project documentation. However, when the documents are needed, such as in maintenance or disaster recovery scenarios, it is easy to determine that creating this documentation makes financial sense. For example, in an organization where downtime can cost thousands of dollars per minute, the return on investment (ROI) on disaster recovery and maintenance documentation is easy to calculate. Likewise, in a company that is growing rapidly and adding staff and new servers on a regular basis, tested documentation on server builds and administration training can also have immediate and visible benefits.
Well thought-out and professional design and planning documentation should help the organization avoid costly mistakes in the implementation or migration process, such as buying too many server licenses or purchasing too many servers.
Baselining ISA with Document Comparisons
Baselining is a process of recording the state of an ISA Server 2006 system so that any changes in its performance can be identified at a later date. Baselining also pertains to the overall network performance, including WAN links, but in those cases, special software and tools (such as sniffers) may be required to record the information.
An ISA Server 2006 system baseline document records the state of the server after it is implemented in a production environment and can include statistics such as memory utilization, paging, disk subsystem throughput, and more. This information then enables the administrator or appropriate IT resource to determine how the system is performing in comparison to initial operation.
Using Documentation for ISA Troubleshooting
Troubleshooting documentation is helpful both in terms of the processes that the company recommends for resolving technical issues, and in documenting the results of actual troubleshooting challenges. Often companies have a database and trouble-ticket processes in place to record the time a request was made for assistance, the process followed, and the results. This information should then be available to the appropriate support staff so they know the appropriate resolution if the problem comes up again.
Organizations may also choose to document troubleshooting methodologies to use as training aids and also to ensure that specific steps are taken as a standard practice for quality of service to the user community.
Understanding the Recommended Types of Documentation
There are several main types of documentation, including the following:
Historical/planning (who made which decision)
Support and maintenance (to assist with maintaining the hardware and software on the network)
Policy (service-level agreements)
Training (for end users or administrators)
It is also critical that any documentation produced be reviewed by other stakeholders in the organization to make sure that it meets their needs as well, and to simply get input from other sources. For technical procedures, the document also must be tested and “walked through.” With a review process of this sort, the document will be more useful and more accurate. For example, a server build document that has gone through this process (that is, reviewed by the IT manager and security administrator) is more likely to be complete and useful in case the server in question needs to be rebuilt in an emergency.
Documentation that is not historical and that is intended to be used for supporting the network environment or to educate on company policies should be reviewed periodically to make sure that it is still accurate and reflects the current corporate policies and processes.
The discipline of creating effective documentation that satisfies the requirements of the appropriate support personnel as well as management is also an asset to the company and can have dramatic effects. The material in this chapter gives a sense of the range of different ISA-related documents that can have value to an organization and should help in the process of deciding which ones are critical in the organization.
Documenting the ISA Server 2006 Design
The process of designing an ISA Server environment can include multiple design decisions, various decision rationales, and specific implementation settings. It is often difficult, after the design is complete, to retain the knowledge of why particular decisions were made during the design process. Subsequently, one of the first and most important sets of documentation for an ISA environment relates to the design of the environment itself. This type of documentation can take many forms, but typically involves a formal design document, a server as-built document, and specific information on configured rules and settings, which can be ascertained through the creation of a custom script. Examples of this type of script, which can be extremely valuable in the documentation of ISA settings, are provided in this section of the chapter.
For more information on designing an ISA Server environment, refer to Chapter 4, “Designing an ISA Server 2006 Environment.”
Documenting the ISA Design Process
The first step in the implementation of an ISA Server 2006 environment is the development and approval of a design. Documenting this design contributes to the success of the project. The design document records the decisions made during the design process and provides a reference for testing, implementation, and support. The key components to a design document include the following:
The goals and objectives of the project
The background or what led up to the design
The approach that will be used to implement the solution
The details of the end state of the project
Goals and objectives can be surprisingly hard to pin down. They need to be detailed and concrete enough to define the results that you want while staying at a high level. For instance, “reduce down time” is too vague to be considered a functional goal, whereas “implement Network Load Balancing with ISA Server 2006 Enterprise Edition to reduce downtime to less than one minute in the case of single server failure” is much more specific.
Including the background of meetings and brainstorming sessions that led up to the decisions for the end state of the project provides the groundwork for the detailed designs provided later in the document. For example, a decision may have been made “because the CEO wants it that way,” which affects the post-migration environment. Other decisions may have come about after many hours of debates over the particulars and required technical research to come up with the “right” answer. Recording this level of information can be extremely useful in the future if performance issues are encountered or additional changes to the network are being considered.
The description of the end state to be implemented can be very high level or can drill down to more specific configurations of each server, depending on the document’s audience. However, it is recommended that the design document not include step-by-step procedures or other details of how the process is to be accomplished. This level of detail is better handled, in most cases, in dedicated configuration or training documents, as discussed later in this chapter.
Formalizing ISA Server Configuration with As-Built Documentation
The configuration document, often referred to as an as-built, details a snapshot configuration of the ISA Server 2006 system as it is built. This document contains essential information required to rebuild a server.
One way to create an as-built document is to export settings on a server using tools such as the script illustrated in the next section of this chapter and with built-in Windows utilities such as WinMSD. WinMSD is a simple export utility that is included in the base Windows operating system, and exports server-specific settings to a text file. This data can then be imported into formal documentation easily.
To export the configuration of an ISA server using WinMSD, perform the following steps:
1. Log in to the ISA server as a local administrator.
2. Go to Start, Run, and type winmsd and click Run.
3. From the System Information dialog box, shown in Figure 20.1, go to File, Export.
4. Enter a name and a location for the exported text file and click Save.
After the specific settings on an ISA server have been acquired, they can be formalized into as-built documentation. The following is an example of an ISA Server 2006 as-built document template:
Introduction
The purpose of this ISA Server 2006 as-built document is to assist an experienced network administrator or engineer in restoring the server in the event of a hardware failure. This document contains screen shots and configuration settings for the server at the time it was built. If settings are not implicitly defined in this document, they are assumed to be set to defaults. It is not intended to be a comprehensive disaster recovery plan with step-by-step procedures for rebuilding the server. For this document to remain useful as a recovery aid, it must be updated as configuration settings change.
System Configuration
Hardware Summary
Disk Configuration
Physical Disk Configuration
Logical Disk Configuration
Networks
Network Rules
Firewall Policy Rules
VPN Configuration
Antivirus Configuration
Add-Ons
Documenting Specific ISA Configuration with Custom Scripting
The ISA Server Console gives easy view access to firewall policy rules, network rules, VPN configuration, and other ISA settings. Although individual elements and entire configurations can be exported for backup or migration purposes, there is no built-in way to export these settings to simple text format for documentation purposes.
Fortunately, the ISA Server development team included a relatively straightforward scripting mechanism called the FPC object that allows for the export of ISA settings to text, CSV, or other formats. This enables administrators with scripting knowledge to generate documentation from an ISA server easily, without having to decipher the XML export files. For more information about the FPC object, reference the following Microsoft website:
http://msdn2.microsoft.com/en-us/library/Aa489786.aspx
The following custom script gives an example of the type of capabilities that the FPC object can give an administrator who is tasked with the documentation of ISA rules. It exports the ISA firewall policy rules on the local server on which it is run. All the rules information is exported to a CSV file.
NOTE
The isaconfig.wsf script, along with others referenced in this book, can be downloaded from the Sams Publishing website by searching for this book title, and then clicking on the link entitled Downloads.
This particular script can be run by executing the following command from the directory where the script is located, as illustrated in Figure 20.2:
Cscript isaconfig.wsf /path:C:\Documentation
FIGURE 20.2 Running the ISA Configuration Backup script.
Listing 20.1 shows the code for the custom documentation script.
LISTING 20.1 Examining the isaconfig.wsf Documentation Script
<job id="ISAConfig">
<script language="VBScript">
' Usage:
'   cscript isaconfig.wsf /path:"\\remoteserver\sharename"
'   cscript isaconfig.wsf /path:"c:\isainfo"
'
' This script uses the FPC object to produce a report of the policies in an
' ISA configuration. As currently written, this script can be run only on the
' local ISA server that you are trying to export the configuration from.
' In conjunction with the FPCArray object the script can be modified to
' produce a script that would allow for a centralized report of all ISA
' servers in an organization.
'
' It is also important to note that this script was developed in an effort to
' try to give a visual representation of the policy configuration that is
' present on an ISA server. Not all the elements that are in a policy are
' represented in the report. The report is therefore not a complete
' configuration and should be used only to document the current policies that
' are in place.
'
' To expand upon the script and for more information about the FPC object
' please see the following URL:
' http://msdn.microsoft.com/library/default.asp?url=/library/en-us/isasdk/isa/fpc_object.asp
'
' Please note that in all cases usage of the FPC object is limited to a
' server that has ISA 2004/2006 or greater installed on it.
Const ForWriting = 2
Dim dtmThisMinute, dtmThisHour
Dim dtmThisDay, dtmThisMonth, dtmThisYear
Dim WSHNetwork, FSO, objLogFile, strPath, strFileName
' The /path: argument names the output folder (defaults to the current folder)
If WScript.Arguments.Named.Exists("path") Then
    strPath = WScript.Arguments.Named("path")
Else
    strPath = "."
End If
Set WSHNetwork = CreateObject("WScript.Network")
Set FSO = CreateObject("Scripting.FileSystemObject")
' Build a timestamped file name, for example ISA01-2006-10-24-14-05.csv
dtmThisYear = Year(Now)
dtmThisMonth = PadDigits(Month(Now), 2)
dtmThisDay = PadDigits(Day(Now), 2)
dtmThisHour = PadDigits(Hour(Now), 2)
dtmThisMinute = PadDigits(Minute(Now), 2)
strFileName = WSHNetwork.ComputerName & "-" & dtmThisYear & "-" & dtmThisMonth & "-" & _
    dtmThisDay & "-" & dtmThisHour & "-" & dtmThisMinute & ".csv"
Set objLogFile = FSO.OpenTextFile(strPath & "\" & strFileName, ForWriting, true)
Dim objRoot ' The FPCLib.FPC root object
Dim isaArray ' An FPCArray object
Set objRoot = CreateObject("FPC.Root")
Set isaArray = objRoot.GetContainingArray()
' There are three basic ISA Policy Types (Access Rule, Server Publishing Rule,
' Web Publishing Rule). Each firewall policy rule becomes one CSV line.
Dim objRule, strProSelctMethod
objLogFile.WriteLine("Order,Name,Type,Action,Enabled,Protocols")
For Each objRule In isaArray.ArrayPolicy.PolicyRules
    objLogFile.Write(objRule.Order & "," & objRule.Name & ",")
    Select Case objRule.Type ' FpcPolicyRuleTypes enumeration values
        Case 0 ' fpcPolicyRuleAccess
            objLogFile.Write("Access Rule,")
        Case 1 ' fpcPolicyRuleWebPublishing
            objLogFile.Write("Web Publishing Rule,")
        Case 2 ' fpcPolicyRuleServerPublishing
            objLogFile.Write("Server Publishing Rule,")
    End Select
    If objRule.Action = 0 Then ' fpcPolicyRuleActionAllow
        objLogFile.Write("Allow,")
    Else
        objLogFile.Write("Deny,")
    End If
    objLogFile.Write(objRule.Enabled & ",")
    ' Protocol selection applies to access rules (FpcProtocolSelectionMethod)
    If objRule.Type = 0 Then
        strProSelctMethod = objRule.AccessProperties.ProtocolSelectionMethod
        If strProSelctMethod = 0 Then
            objLogFile.Write("All Outbound Traffic")
        ElseIf strProSelctMethod = 2 Then
            objLogFile.Write("All Outbound Traffic except " & _
                RefNames(objRule.AccessProperties.ExceptionProtocols))
        Else
            objLogFile.Write(RefNames(objRule.AccessProperties.SpecifiedProtocols))
        End If
    End If
    objLogFile.WriteLine("")
Next
objLogFile.Close
If WScript.Arguments.Named.Exists("silent") = FALSE Then
    WScript.Echo("Finished export to " & strPath & "\" & strFileName)
End If
' This function is used to pad date variables that contain only one digit
Function PadDigits(n, totalDigits)
    If totalDigits > Len(n) Then
        PadDigits = String(totalDigits - Len(n), "0") & n
    Else
        PadDigits = n
    End If
End Function
' Joins the names in an FPC reference collection (such as a rule's protocols) with ";"
Function RefNames(ObjectPath)
    Dim objRef, strList
    For Each objRef In ObjectPath
        If strList <> "" Then strList = strList & ";"
        strList = strList & objRef.Name
    Next
    RefNames = strList
End Function
</script>
</job>
This script will work for both ISA 2004 and ISA 2006 servers.
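The baselining idea from "Baselining ISA with Document Comparisons" applies just as well to the firewall policy as to performance counters: keep the CSV export taken at go-live and compare later exports against it. The following Python program is an added example, not part of the book or its downloadable scripts; the column layout, rule names and review heuristics are assumptions constructed for the example rather than the exact output of isaconfig.wsf.

```python
"""Compare two CSV exports of ISA firewall policy rules and report the drift.

Added example: the column layout (Order,Name,Type,Action,Enabled,From,To,Protocols)
is an assumption about what an isaconfig.wsf-style export looks like.
"""
import csv
from io import StringIO

# Constructed sample exports: a baseline taken at go-live and a later export.
BASELINE_CSV = """Order,Name,Type,Action,Enabled,From,To,Protocols
1,Allow DNS,Access Rule,Allow,True,Internal,External,DNS
2,Allow Web,Access Rule,Allow,True,Internal,External,HTTP;HTTPS
3,Publish OWA,Web Publishing Rule,Allow,True,External,OWA Listener,HTTPS
4,Allow MOM,Access Rule,Allow,True,Local Host,MOM,MOM Agent
"""
CURRENT_CSV = """Order,Name,Type,Action,Enabled,From,To,Protocols
1,Allow DNS,Access Rule,Allow,True,Internal,External,DNS
2,Allow Web,Access Rule,Allow,True,Internal,External,All Outbound Traffic
3,Publish OWA,Web Publishing Rule,Allow,True,External,OWA Listener,HTTPS
4,Allow RDP Mgmt,Access Rule,Allow,True,External,Local Host,RDP (Terminal Services)
"""


def load_rules(csv_text):
    """Parse an export into {rule name: row dict}. The rule name is the key
    because Order shifts whenever a rule is inserted above another."""
    return {row["Name"]: row for row in csv.DictReader(StringIO(csv_text))}


def compare_exports(baseline_text, current_text):
    """Return added, removed and changed rules between two exports.

    "changed" maps rule name -> {column: (baseline value, current value)}.
    """
    base, cur = load_rules(baseline_text), load_rules(current_text)
    report = {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "changed": {},
    }
    for name in sorted(set(base) & set(cur)):
        diffs = {col: (base[name][col], cur[name][col])
                 for col in base[name] if base[name][col] != cur[name][col]}
        if diffs:
            report["changed"][name] = diffs
    return report


def review_flags(report, current_text):
    """Changes that deserve a second look during the documentation review:
    an existing rule widened to All Outbound Traffic, or a new allow rule
    whose source is the External network. Illustrative heuristics only."""
    cur = load_rules(current_text)
    flags = []
    for name, diffs in report["changed"].items():
        if "Protocols" in diffs and diffs["Protocols"][1] == "All Outbound Traffic":
            flags.append(f"{name}: protocol scope widened to All Outbound Traffic")
    for name in report["added"]:
        row = cur[name]
        if row["Action"] == "Allow" and row["From"] == "External":
            flags.append(f"{name}: new allow rule from External to {row['To']}")
    return flags


def render_report(report, flags):
    """Plain-text summary suitable for pasting into the as-built document."""
    lines = [f"Added rules:   {', '.join(report['added']) or 'none'}",
             f"Removed rules: {', '.join(report['removed']) or 'none'}"]
    for name, diffs in report["changed"].items():
        for col, (old, new) in diffs.items():
            lines.append(f"Changed {name}: {col} '{old}' -> '{new}'")
    lines.extend(f"REVIEW: {flag}" for flag in flags)
    return "\n".join(lines)


if __name__ == "__main__":
    rep = compare_exports(BASELINE_CSV, CURRENT_CSV)
    print(render_report(rep, review_flags(rep, CURRENT_CSV)))
```

Run against the two constructed exports, the report lists the removed MOM rule, the new rule, and the widened Allow Web rule, the last two carrying review flags.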
Developing Migration Documentation
If migrating from existing security infrastructure, or from previous versions of ISA, it is wise to produce migration documents at the same time or shortly after the design documentation to provide a roadmap of the ISA Server 2006 migration.
NOTE
The results of testing the design in a prototype lab or pilot might alter the actual migration steps and procedures. In this case, the migration plan document should be modified to take these changes into account.
The following is an example of the table of contents from a typical ISA Server 2006 migration plan:
ISA Server 2006 Migration Plan
Goals and Objectives
ISA Server 2006 Training
Administration and Maintenance
Creating Project Plans
A project plan is essential for more complex migrations and can be useful for managing smaller projects, even single-server deployments.
Tools such as Microsoft Project facilitate the creation of project plans and enable the assignment of one or more resources per task and the assignment of durations and links to key predecessors. The project plan can also provide an initial estimate of the number of hours required from each resource and the associated costs if outside resources are to be used. “What if” scenarios are easy to create: Simply add resources to more complex tasks or cut out optional steps to see the effect on the budget.
Note that it’s a good idea to revisit the original project plan after everything is completed (the baseline) to see how accurate it was. Many organizations fail to take this step and miss the opportunity of learning from the planning process to better prepare for the next time around.
Developing the Test Plan
Thorough testing is critical in the success of any implementation project. A test plan details the resources required for testing (hardware, software, and lab personnel), the tests or procedures to perform, and the purpose of the test or procedure.
It is important to include representatives of every aspect of the network in the development of the test plan. This ensures that all aspects of the ISA Server 2006 environment or project and its impact are included in the test plan.
Numbering Server Migration Procedures
High-level migration procedures should be decided during a design and planning process and confirmed during a prototype/testing phase. The initial migration document also should focus on the tools that will be used to migrate data, users, and applications, as well as the division of labor for these processes.
A draft of the document can be put together, and when the process is tested again, it can be verified for accuracy. When complete, this information can save a great deal of time. The procedures covered can include the following:
Server hardware configuration details
Service pack (SP) and hotfixes to install on each server
Services to enable or disable and appropriate settings
Applications (such as ISA add-ons) to install and their appropriate settings
Security settings
Steps required to migrate functionality to the new server(s)
Steps required to test the new configuration to ensure full functionality
Steps required to remove old servers or firewalls from production
Establishing Migration Checklists
The migration process can often be a long process, based on the amount of security functionality that must be migrated. It is very helpful to develop both high-level and detailed checklists to guide the migration process. High-level checklists determine the status of the migration at any given point in the process. Detailed checklists ensure that all steps are performed in a consistent manner. This is extremely important if the process is being repeated for multiple sites.
The following is an example of an ISA Server 2006 server build checklist:
Task                                            Initials   Notes
Verify BIOS and Firmware Revs
Verify RAID Configuration
Install Windows Server 2003 Standard Edition
Configure Windows Server 2003 Standard Edition
Install Windows Server 2003 Service Pack 1
Install Windows Server 2003 R2 Edition
Install Security Patches
Install System Recovery Console
Install ISA Server 2006 Standard Edition
Install ISA Patches
Install ISA Add-Ons
Configure ISA Networks
Configure ISA Firewall Policy Rules
Install and Configure Backup Agent
Set Up and Configure Smart UPS
Configure MOM/SCOM Agent
Sign off:                                       Date:
Creating Administration and Maintenance Documentation for ISA
Administration and maintenance documentation can be critical in maintaining a reliable ISA environment. These documents help an administrator of a particular server or set of servers organize and keep track of the different steps that need to be taken to ensure the health of the systems under his or her care. They also facilitate the training of new administrators and reduce the variables and risks involved in these transitions.
Note that ISA Server 2006 systems, as discussed previously, can serve several different functions on the network, such as edge firewalls, VPN servers, content-caching servers, or reverse-proxy servers. The necessary maintenance procedures may be slightly different for each one based on its function and importance in the network.
One key component to administration or maintenance documentation is a timeline outlining when certain procedures should be followed. As Chapter 17, “Maintaining ISA Server 2006,” discusses, certain daily, weekly, monthly, and quarterly procedures should be followed. These procedures should be documented, and the documentation should include clearly defined procedures and the frequency with which they should be performed.
Preparing Step-by-Step Procedure Documents
Administration and maintenance documentation contains a significant amount of procedural documentation. These documents can be very helpful for complex processes, or for processes that are not performed on a regular basis. Procedures range from technical processes that outline each step to administrative processes that help clarify roles and responsibilities.
Creating Documented Checklists
Administration and maintenance documentation can be extensive, and checklists can be quick reminders for essential processes and procedures. Develop comprehensive checklists that will help administrators perform their scheduled and unscheduled tasks. A timeline checklist highlighting the daily, weekly, monthly, and quarterly tasks helps keep the ISA environment healthy. In addition, these checklists function as excellent auditing tools.
Outlining Procedural Documents
Procedural documents can be very helpful for complex processes. They can apply to technical processes and outline each step, or to administrative processes to help clarify roles and responsibilities.
Flowcharts from Microsoft Visio or a similar product are often sufficient for the more administrative processes, such as when testing a new ISA patch, approving the addition of a new server to the network, or scheduling network downtime.
Preparing Disaster Recovery Documentation
Disaster recovery policies and procedures are highly recommended for an ISA
environ-ment Every organization should go through the process of contemplating various disasterscenarios For instance, organizations on the West Coast may be more concerned with
earthquakes than those on the East Coast Each disaster can pose a different threat
Therefore, it’s important to determine every possible scenario and begin planning ways tominimize the impact of those disasters
Equally important is analyzing how downtime resulting from a disaster may affect the
company (reputation, time, productivity, expenses, loss in profit or revenue) and mine how much should be invested in remedies to avoid or minimize the effects
deter-A number of different components comprise disaster recovery documentation Withoutthis documentation, full recovery is difficult at best The following is a table of contentsfor the areas to consider when documenting disaster recovery procedures:
Executive Summary or Introduction
Disaster Recovery Scenarios
Disaster Recovery Best Practices
Planning and Designing for Disaster
Business Continuity and Response
Trang 26Business Hours Response to Emergencies
Recovery Team Members
Recovery Team Responsibilities
Damage Assessment
Off-Hours Response to an Emergency
Recovery Team Responsibilities
Recovery Strategy
Coordination of Equipment Needs
Disaster Recovery Decision Tree
Client Software Configuration
Restoring the Server
Build the Server Hardware
Post Restore
Training Personnel and Practice Disaster Recovery
Outlining Disaster Recovery Planning
The first step of the disaster recovery process is to develop a formal disaster recovery plan. This plan, while time consuming to develop, serves as a guide for the entire organization in the event of an emergency. Disaster scenarios, such as power outages, hard drive failures, and even earthquakes, should be addressed. Although it is impossible to develop a scenario for every potential disaster, it is still helpful to develop a plan to recover from different levels of disaster. It is recommended that organizations encourage open discussions of possible scenarios and the steps required to recover from each one. Include representatives from each department, because each department will have its own priorities in the event of a disaster. The disaster recovery plan should encompass the organization as a whole and focus on determining what it will take to resume normal business function after a disaster.
Documenting for Backup and Recovery
Backup procedures encompass not just backing up data to tape or another medium, but also a variety of other tasks, including advanced system recovery, offsite storage, and retention. These tasks should be carefully documented to accurately represent what backup methodologies are implemented and how they are carried out. Step-by-step procedures, guidelines, policies, and more may be documented.
Periodically, the backup documents should be reviewed and tested, especially after any configuration changes. Otherwise, backup documents can become stale and can only add more work and more problems during recovery attempts.
Recovery documentation complements backup documentation. This documentation should include where the backup data resides and how to recover from various types of failures (such as hard drive failure, system failure, and natural disaster). As with backup documentation, recovery documentation can take the form of step-by-step guides, policies, frequently asked questions (FAQs), and checklists. Moreover, recovery documents should be reviewed and revised if necessary.
ISA backup and recovery provides for unique capabilities, such as import and export to
XML files, so particular attention should be placed on the individual needs of ISA in a
recovery situation For more information on ISA’s backup and restore capabilities, see
Chapter 18, “Backing Up, Restoring, and Recovering an ISA Server 2006 Environment.”
Outlining Monitoring and Performance Documentation for ISA
Monitoring is not typically considered a part of disaster recovery documentation. However, alerting mechanisms can detect and bring attention to issues that may arise. Alerting mechanisms can provide a proactive way to determine whether a disaster may strike. Documenting alerting mechanisms and the actions to take when an alert is received can reduce downtime and administration.
Documenting Change Management Procedures
Changes to the environment may occur all the time in an organization, yet often those changes are either rarely documented or no set procedures are in place for making those changes. IT personnel not responsible for the change may be oblivious to those changes, and other administration or maintenance may be adversely affected.
Documented change management seeks to bring knowledge consistency throughout IT, control when and how changes are made, and minimize disruption from incorrect or unplanned changes. As a result, documentation of change procedures should include the processes to request and approve changes, high-level testing procedures, the actual change procedures, and any rollback procedures in case problems arise.
Change control can be particularly important in an ISA Server environment, where improper configuration of an ISA server can leave a network vulnerable to attack. Implementing either a formal or informal change control process is therefore highly recommended. For an ISA server, the rollback step is straightforward to document: export the configuration to XML before the change is made, so that the known-good configuration can be imported again if the change has to be reversed.
Understanding the Importance of Performance Documentation
Documenting performance-related information is a continuous process because of the ever-changing metrics involved and the evolving nature of business. This type of documentation begins by aligning with the goals, existing policies, and SLAs for the organization. When these areas are clearly defined and detailed, baseline performance values can be established through use of the System Monitor (PerfMon), Microsoft Operations Manager (MOM), or third-party tools such as BMC Patrol. Performance baselines capture performance-related metrics, such as how much memory is being used, average processor utilization, and more; they also illustrate how the ISA Server 2006 environment is performing under various workloads.
After the baseline performance values are documented and understood, the performance-related information that the monitoring solution is still capturing should be analyzed periodically. More specifically, pattern and trend analysis needs to be examined on a weekly basis, if not on a daily basis. This analysis can uncover current and potential bottlenecks and proactively ensure that the system operates as efficiently and effectively as possible.
Producing Routine Reporting
Although the System Monitor can log performance data and provide reporting when used with other products such as Microsoft Excel, it behooves administrators to use products such as Microsoft Operations Manager (MOM) 2005 for monitoring and reporting functionality. For example, MOM can manage and monitor multiple systems and provide graphical reports with customizable levels of detail.
For more information on using MOM 2005 with ISA Server 2006, see Chapter 19,
“Monitoring and Troubleshooting an ISA Server 2006 Environment.”
Implementing Management-Level Reporting
Management-level reporting on performance data should be concise and direct but still at a high level. Stakeholders don’t require an ample amount of performance data, but it’s important to show trends, patterns, and any potential problem areas. This extremely useful information provides a certain level of insight to management so that decisions can be made as to what is required to keep the systems operating in top-notch condition.
For instance, administrators identify and report to management that, if trends on ISA server processor utilization continue at the current rate of a 5% increase per month, additional processors will be required in 10 months or less. Management can then take this report, follow the issue more closely over the next few months, and then determine whether to allocate funds to purchase additional processors. If the decision is made to buy more processors, management has more time to negotiate quantity, processing power, and cost, instead of having to potentially pay higher costs for the processors at short notice.
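The baseline values described under "Understanding the Importance of Performance Documentation" and the trend projection in the paragraph above can both be produced from a System Monitor log rather than estimated by eye. The following is an added example and is not code from the book or from ISA Server: it parses a small, constructed CSV in the layout System Monitor (PerfMon) and relog.exe write (a timestamp column followed by one column per counter path), computes a baseline for each counter, fits a least-squares monthly trend, and projects the month in which a counter crosses a capacity threshold. The server name ISA01, the two counter paths, the 80% processor ceiling, the 512 MB available-memory floor and the monthly values are all assumptions for illustration. It goes slightly beyond the text's processor example by also handling a falling counter measured against a floor.

```python
"""Baseline and trend projection over a System Monitor (PerfMon) CSV log.

Added example for this chapter; it is not code from the book. It assumes a
CSV written by System Monitor / relog.exe: first column is the sample time,
remaining columns are counter paths. The data below is constructed.
"""
import csv
import io
import math
from datetime import datetime
from statistics import mean

# Constructed monthly averages for a hypothetical server "ISA01"; the header
# mirrors the layout of a System Monitor CSV export. Not real measurements.
SAMPLE_CSV = r'''"(PDH-CSV 4.0) (Pacific Standard Time)(480)","\\ISA01\Processor(_Total)\% Processor Time","\\ISA01\Memory\Available MBytes"
"01/01/2007 00:00:00.000","30","1200"
"02/01/2007 00:00:00.000","35","1150"
"03/01/2007 00:00:00.000","40","1100"
"04/01/2007 00:00:00.000","45","1050"
"05/01/2007 00:00:00.000","50","1000"
"06/01/2007 00:00:00.000","55","950"
'''

CPU = r"\\ISA01\Processor(_Total)\% Processor Time"   # assumed counter path
MEM = r"\\ISA01\Memory\Available MBytes"              # assumed counter path


def parse_perfmon_csv(text):
    """Return [(timestamp, {counter_path: value}), ...] in log order."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    header = rows[0]
    samples = []
    for row in rows[1:]:
        ts = datetime.strptime(row[0], "%m/%d/%Y %H:%M:%S.%f")
        values = {}
        for name, raw in zip(header[1:], row[1:]):
            if raw.strip():  # System Monitor leaves a cell empty for a missed sample
                values[name] = float(raw)
        samples.append((ts, values))
    return samples


def baseline(samples, counter):
    """Baseline statistics for one counter over the whole log."""
    values = [v[counter] for _, v in samples if counter in v]
    return {"mean": mean(values), "min": min(values),
            "max": max(values), "latest": values[-1]}


def trend_per_period(samples, counter):
    """Least-squares slope in counter units per sample period (per month here)."""
    ys = [v[counter] for _, v in samples if counter in v]
    if len(ys) < 2:
        return 0.0
    xs = list(range(len(ys)))
    xm, ym = mean(xs), mean(ys)
    sxy = sum((x - xm) * (y - ym) for x, y in zip(xs, ys))
    sxx = sum((x - xm) ** 2 for x in xs)
    return sxy / sxx


def periods_until(latest, slope, threshold, upper=True):
    """Periods until `threshold` is crossed at the current slope.

    upper=True treats the threshold as a ceiling (% Processor Time);
    upper=False treats it as a floor (Available MBytes). Returns 0 if it is
    already crossed and None if the counter is flat or moving away from it.
    """
    crossed = latest >= threshold if upper else latest <= threshold
    if crossed:
        return 0
    if slope == 0:
        return None
    ratio = (threshold - latest) / slope
    return None if ratio < 0 else math.ceil(ratio)


def add_months(ts, n):
    """First day of the month `n` months after `ts`."""
    month0 = ts.month - 1 + n
    return ts.replace(year=ts.year + month0 // 12, month=month0 % 12 + 1, day=1)


def capacity_report(samples, counter, threshold, upper=True):
    """Management-level summary: baseline, monthly trend, months to threshold."""
    stats = baseline(samples, counter)
    slope = trend_per_period(samples, counter)
    months = periods_until(stats["latest"], slope, threshold, upper)
    projected = None if months is None else add_months(samples[-1][0], months)
    return {
        "counter": counter,
        "baseline_mean": stats["mean"],
        "latest": stats["latest"],
        "trend_per_month": slope,
        "threshold": threshold,
        "months_until_threshold": months,
        "projected": None if projected is None else projected.strftime("%Y-%m"),
    }


if __name__ == "__main__":
    log = parse_perfmon_csv(SAMPLE_CSV)
    # Processor time is watched against a ceiling, available memory against a floor.
    print(capacity_report(log, CPU, 80.0))
    print(capacity_report(log, MEM, 512.0, upper=False))
```

With the constructed data the processor counter rises 5 points per month from a latest value of 55%, so the 80% ceiling is projected for five months after the last sample (November 2007); available memory falls 50 MB per month and reaches the 512 MB floor nine months out. The thresholds are the place to plug in the SLA figures the chapter says the documentation should be aligned with; a real log would be captured with a longer sample interval and the same functions applied to monthly averages.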
Detailing Technical Reporting
Technical performance information reporting is much more detailed than management-level reporting. Details are given on many different components and facets of the system. For example, many specific counter values may be given to determine disk subsystem utilization. In addition, trend and pattern analysis should also be included to show historical information and determine how to plan for future requirements.
Writing Training Documentation
Training documentation can entail a myriad of options. For example, an organization can have training documentation for maintenance and administration procedures, installation and configuration of new technologies, common end-user tasks, ways various network components can be used, future technologies, and much more. The documentation should match current training procedures, and it can also help define what training will be offered in the future.
Outlining Technical Training
Administrators are responsible for the upkeep and management of the ISA environment. As a result, they must be technically prepared to address a variety of issues such as maintenance and troubleshooting. Training documentation should address why the technologies are being taught and how the technologies pertain to the network environment, and it should also provide step-by-step hands-on procedures to perform the tasks.
Documenting End-User Training
Training materials and other forms of documentation for end users offer the users a means for learning how to use ISA for VPNs, how to log in to OWA through an ISA forms-based authentication page, and much more. End-user training documentation also serves as a great reference tool after training has been concluded.
Detailing System Usage Policies
To gain control over how the system is to be used, it’s important for an organization to implement system usage policies. Policies can be set on end users as well as on the IT personnel. Policies for end users may include specifying which types of access through the ISA firewall are provided, that instant messaging is not allowed on the local machine or the network, and that users must follow specific steps to obtain technical support, for example. On the other hand, IT personnel policies may dictate that routine system maintenance can occur only between 5:00 a.m. and 9:00 a.m. on Saturdays, for example.
Most, if not all, aspects of an ISA Server 2006 network environment can be documented. However, the type of documentation that may benefit the environment depends on each organization. Overall, documenting the environment is an important aspect of the network and can assist with all aspects of administration, maintenance, support, troubleshooting, testing, and design.
Consolidate and centralize documentation for the organization.
Document the company’s policies and procedures for security and maintenance.
Create well thought-out and professional planning and design documentation to avoid costly mistakes in the implementation or migration process, such as buying too many server licenses or purchasing too many servers.
Baseline and document the state of an ISA server so that any changes in its performance can be identified at a later date.
Use tools such as Microsoft Project to facilitate the creation of project plans, enable the assignment of one or more resources per task, and enable the assignment of durations and links to key predecessors.
Create disaster recovery documentation that includes step-by-step procedures for rebuilding each ISA server to minimize downtime and administration.
Document daily, weekly, monthly, and quarterly maintenance tasks to ensure the health of the ISA environment.
Use documentation to facilitate training.
Document business and technical policies for the organization.