After reporting is enabled, the data from all the SQL logs is combined to one log database on the ISA Server. This occurs once each day regardless of whether any reports are scheduled. The monthly report summary process combines all daily databases into a single, monthly summary.
To view the reports, open the Internet Security and Acceleration Server\Servers and Arrays\name\Monitoring\Reports and open the report type you want to view. In the Details pane, double-click the report. It will be displayed in Internet Explorer.
The following reports are predefined on ISA Server:
• Summary reports
• Web Usage reports
• Application usage reports
• Traffic and utilization reports
• Security reports
It’s important to realize that each report is made up of several subreports in the form of graphs and charts. Table 16.1 lists the charts and graphs available in each report.
Traffic by date Daily traffic Traffic by time of day
NOTE: Who Can Generate Reports? In order to generate reports you must be in the local Administrators group on the ISA Server. If the ISA Server is in an array, then you must be in the local Administrators group on every ISA Server computer in the array and able to access and launch DCOM objects on every server in the array.
When Did That Occur? It’s important to note that data in the reports is not compiled in real-time. In fact, data in the reports is from at least the day before. Reports and their timeframes are
• Daily—Show previous day’s activity
• Weekly—Show previous week’s activity
• Monthly—Show previous month’s activity
• Yearly—Show previous year’s activity
• Specified period—Custom
TABLE 16.1 (continued)
REPORTS WITHIN REPORTS
Report: Subreports
Web Usage Report: Top Web users; Web traffic by users; Top Web sites; Traffic by Web sites; Protocols; Web traffic by protocols; HTTP responses; HTTP response breakdown; Object types; Web traffic by object types; Top browsers; Web traffic by browser; Operating system; Web traffic by operating system; Browser vs operating system
Application Usage Report: Protocols; Application traffic by protocols; Top application users; Application traffic by users; Top applications; Traffic by application; Operating systems; Web traffic by operating system; Top destination; Traffic by destination
Traffic and Utilization: Protocols; Traffic by protocols; Traffic; Traffic by date; Cache performance; Cache usage breakdown; Connections; Peak simultaneous connections by date; Processing time; Processing time by date; Daily traffic; Traffic by time of day; Errors; Error breakdown
Security: Authorization failures; Authorization failures by user; Dropped packets; Dropped packets by users
Summary Reports
Summary reports combine data from the Web proxy service log and the firewall service log. They illustrate network traffic usage and are sorted by application. Many of the items in this report are displayed in more detail in the other reports. This information is valuable to network administrators to help them determine trends and traffic patterns, as well as the types of applications used to access Web data. Knowing the application use allows decisions to be made on making sure the ISA Server allows the traffic that is necessary, but does not allow unnecessary traffic. Being able to see traffic patterns helps them identify peak usage and trends in usage. A portion of a summary report can be found in Figure 16.2.
FIGURE 16.2 The summary report.
Web Usage
Web usage reports display such items as top Web users, common responses, and browsers in use. In other words, they are pictures of how the Web is being used in the company. The information used comes from the Web Proxy Service logs. Knowing how the Web is being used helps to identify whether there are adequate controls on Web usage as well as who the major users are. When attempting to analyze needs for greater bandwidth, it is useful to know something about the actual usage of the Web. A portion of a Web usage report is displayed in Figure 16.3.
Application Usage
The application usage report focuses on incoming and outgoing traffic and shows the following:
Traffic and Utilization
The traffic and utilization report can determine trends in usage. This helps in planning network capacity and determining bandwidth policies. By tracking the cache hit ratio, you can determine potential areas for improvement, either by enlarging the size of the cache, or scaling out and adding another ISA Server to the array. A sample traffic and utilization report is in Figure 16.5. The Web proxy and firewall service logs are used to provide:
• Usage by application protocol and direction
Security
The security report combines data from all three logs. The information in this report can help you identify attacks or security violations after they have occurred. A sample report is in Figure 16.6.
OPTIMIZING PERFORMANCE
Optimize the performance of the ISA Server computer.
Considerations include capacity planning, allocation priorities, and trend analysis.
In addition to diagnosing problems, reports, logs, and tools can be used to analyze ISA Server performance and determine what might need to be done to optimize its performance. There are four areas to look at:
• Using the Registry to optimize performance
• Analyzing performance using Performance Monitor
• Analyzing performance using reporting and logging
• Controlling RAM used by caching
Using the Registry to Optimize Performance
ISA Server can be managed by the ISA Server Management Console, by using Administration COM objects, and by Registry entries. The majority of this book focuses on using the Management Console. Using Administration COM objects is a little beyond our scope (you will find them described in the SDK if you are interested). However, there are Registry settings that you should take note of. Obviously, before making any changes to the Registry, you will use the normal precautions and find out more of the implications of making these changes. Registry keys that can affect cache performance (located at HKLM\System\CurrentControlSet\Services\W2cache\Parameters) are described in Table 16.2.
NOTE: Cache Off Results. In this chapter we are talking about analyzing and optimizing ISA Server in situ—that is, in its native environment, your network. It is interesting to note ISA Server’s performance against other caching products at an independent test (see the Web Polygraph site, http://www.measurement-factory.com/results/public/cacheoff/N03/report.by-alph.html). In the test an ISA Server with a single processor managed 750 requests per second. An ISA Server with four processors managed 2,000 requests/sec. These rates are about 10 times the rate produced by Proxy Server. Two types of measurements were made: “overall throughput” (how many requests users generate) and hit throughput (rate at which the requests are served from cache). ISA Server was the top scorer here for both. The difference between the two, or “response time improvement,” is even more important as it says what the caching server is doing for you. ISA Server response time improvement was 50 percent.
TABLE 16.2
DEFAULT SECURITY GROUP FILE PERMISSIONS
Parameter: TZ Persistent Interval Threshold
  Description: Maximum time interval in minutes that recovery data will be inconsistent.
  Usage: If set to one minute and the w3proxy service stops unexpectedly, at most one minute will be lost while the cache is recovered.
Parameter: Recovery MRU Size Threshold
  Description: Time interval in minutes. What data will be recovered first? How much of it?
  Usage: Content cache in the last X minutes prior to failure of Web proxy service will be recovered first.
Parameter: MaxClientSession
  Description: Size of pool for client sessions objects.
  Usage: An object is freed and memory returned to system memory if the pool has more than X objects. Set to a high value and objects are freed less frequently (but more memory is used).
Parameter: OutstandAccept
  Description: Number of listeners waiting for a connection to be established; versus number of accepts pending for a connection to be established before rejecting the new connection.
  Usage: Set high to minimize the number of rejected connection requests.
Analyzing Performance Using Performance Monitor
Analyze the performance of the ISA Server computer by using Performance Monitor.
When ISA Server installs, it makes two consoles available for use in its management: the ISA Server Management console and the ISA Server Performance Monitor. Although the ISA Server Management Console is used to administer the ISA Server, the ISA Server Performance Monitor is used to analyze the functioning of the ISA Server itself. When opened, it displays the Windows 2000 Performance Monitor and System Monitor preconfigured with ISA Server specific objects and counters (see Figure 16.7). It is important to understand what these counters mean; a section later in this chapter introduces you to some of the more common counters. The ISA Server online help can be used to find the meaning of others.
It is important to note that the design of this console is open; that is, you can add counters for measurement, extract data to text files for analysis, and create logs which gather these statistics in the background at scheduled times.
To use the charts, graphs, and logs produced by Performance Monitor you should be knowledgeable about:
• Configuring performance monitoring
• Analyzing and optimizing ISA Server using Performance Monitor
• Using traditional server objects in ISA Server analysis
Configuring Performance Monitoring
The first decision to make in performance monitoring is in choosing the monitoring method. Two possibilities exist: graphs and logs. Although graphs are real-time and allow you to observe an event while it’s happening, they are usually only valuable for short periods. Graphs can be used to grab a snapshot of ISA Server health at any time of the day. They are good diagnostic tools that may be used when systems seem to be running slow or experiencing other problems. The ISA Server Performance Monitor opens in graph view, already collecting statistics and displaying them in a graphical view. To analyze performance you might need to add additional counters. To do so, follow Step by Step 16.3.
FIGURE 16.7 ISA Server Performance Monitor.
NOTE: Objects and Counters. A performance object can be thought of as a logical group of counters that are associated with a resource or service (such as memory or processor). A performance counter then is the data item associated with an object. It represents some value which can be interpreted as relative performance of that object, or some concrete measurement.
STEP BY STEP
16.3 Add Performance Counters
1. Open ISA Server Performance Monitor (Start, Programs, ISA Server Performance Monitor).
2. Right-click System Monitor node. In the Details pane, click Add Counters.
3. In the Performance Object box, select the object to monitor.
4. To monitor all the counters for this object, click All Counters.
5. Or to select the counter to monitor, click Select Counter from list and select those you want to monitor.
6. To monitor all instances of the object, click All Instances.
7. Or, to select the instance to monitor, check Select Instances From List, and select the instance you want to monitor.
8. Click Add.
9. Click Close.
Although graphs give you an immediate visual feel for your system, logs can be saved and keep extensive records for monitoring, analyzing, and researching trends over time. To capture performance data in a log, follow Step by Step 16.4. To view it, follow Step by Step 16.5.
NOTE: What Is an Instance? As used in Performance Monitor, an instance identifies which object to monitor if there is more than one of the same type. For example, a multiprocessor computer would show several processor instances.
STEP BY STEP
16.4 Logging Performance Data (Creating a Counter Log)
1. Open ISA Server Performance Monitor.
2. Double-click Performance Log and Alerts, and then click Counter Logs.
3. Right-click a blank area of the Details pane and click New Log Settings.
4. In the name box, type a name for the log. Click OK.
5. On the General page, click Add.
6. Select a counter(s) to add in the normal manner (see Figure 16.8).
7. Use the Log Files tab to set a path for storing the file.
8. Use the Schedule tab (see Figure 16.9) to schedule the start of logging. Click OK.
9. To manually start logging, right-click the log in the Details pane and click Start.
10. To manually stop logging, click Stop.
STEP BY STEP
16.5 Viewing Log Files
1. Click System Monitor.
2. Click View Log File data button.
3. Select the log file.
Optimizing ISA Server Using Performance Monitor
Making graphs and logs is all fine and well, but the purpose behind doing so is to analyze the performance of the ISA Server system and use that information to optimize it, to determine when to add additional systems in order to optimize the array, or to boost hardware. There are two important things to understand: when to monitor and what to monitor, or what performance counters mean.
Deciding how often to monitor depends on the nature of your ISA Server installation. How many users does it support? How busy is Web access? When are peak times? Are you monitoring to find the answer to specific problems? To research trends over time? One of the first uses of ISA Server Performance Monitor is to create a baseline graph of system performance. A baseline graph reflects the performance of a system when it is first installed, configured and put under load. Measurements should be taken at low and peak times to arrive at ordinary statistics for the current operation.
When you are monitoring, how frequently do you take a measurement? Graphs in Performance Monitor are compiled from statistics gathered at intervals that you set. If you are logging data, you can reasonably set the log to capture information every 15 minutes if you are taking measurements over a long period of time. If you are measuring for several hours, 300 seconds might be an adequate rate. This will put less stress on the system and yet gather broad trends over time. If you are monitoring for a specific problem, you might be gathering information at a specific time and will want to update information frequently. However, some problems, such as memory leaks, show up over time; hopefully, you have been periodically measuring and capturing that.
Deciding which counters to measure, and how to use them, is a more difficult process. There are many objects and counters. Table 16.3 defines a few of the more interesting counters and how they might be used.
determine load on system.
Active UDP connections (firewall)
  Total number of active UDP connections.
  Used in comparison with performance indicators to determine the load on the system.
Cache Hit Ratio (%) (Web proxy)
  Compares total cache fetches as percent of total successful requests—how effective is the cache (since last time Web proxy was started).
  High %—Faster response times. Zero—Caching is not enabled. Low—May indicate configuration problem.
Cache Running Hit Ratio (%) (Web proxy)
  Requests served from cache % of total successful requests served (for last 10,000 requests).
  A more accurate evaluation of cache effectiveness.
Client bytes total/sec (Web proxy)
  Client bytes sent/sec plus client bytes received/sec.
  This tells you the total bytes transferred between ISA Server computer and Web proxy clients.
Current average milliseconds/requests (Web proxy)
  Average time to process a request.
  Lower numbers—Faster responses. Do compare at peak and off peak times. If this number is consistently high, the system is working at max capacity—consider adding a new server.
Current users
  Current Web proxy clients.
  Monitor peak and off peak to see indication of server usage.
Disk cache allocated (KB) (Web proxy)
  How much is actually used.
  Determine if you need a larger cache or if you are not using what you have allocated.
MAX URLs cached
  Maximum number of URLs stored in the cache.
  Another approach to usage. Has implications for pre-fetching of frequently used pages.
Memory cache allocated space
  How much space used by memory cache.
  Implications for requiring more memory or realizing it is being underutilized.
Memory usage ratio percent
  Ratio between amount of fetches from memory cache and from disk cache.
  Because ISA Server tends to favor usage of RAM over drive, if more is being used from cache, perhaps not enough memory is available for ISA Server to use.
Requests/sec (Web proxy)
  Number incoming requests to Web proxy service.
  Higher means more resources required to service request, use in conjunction with failing requests/sec. If failing is high in proportion to requests, ISA Server is not coping with the load.
SecureNAT Mappings (firewall)
  The number of mappings created by a secureNAT client.
  How much is a secureNAT client using the service.
memory URL allocated
in one second? memory URL retrieval rate to see how cache disk and memory cache are being utilized.
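The readings in Table 16.3 can be applied to a counter log that has been saved as a text file and compared with a baseline log. The following is an added example, not part of the original text; the column headers, the sample values, and the two thresholds (`fail_share`, `slowdown`) are assumptions made for illustration.

```python
import csv
import io
from statistics import mean

# Constructed sample data: two counter logs saved as CSV text. The server and
# object names in the column headers and every value are made up; the counter
# names are the ones listed in Table 16.3.
HEADER = ('"Time","\\\\ISA1\\Web proxy\\Requests/sec",'
          '"\\\\ISA1\\Web proxy\\Failing requests/sec",'
          '"\\\\ISA1\\Web proxy\\Cache Hit Ratio (%)",'
          '"\\\\ISA1\\Web proxy\\Current average milliseconds/request"\n')
BASELINE_LOG = HEADER + ('"09:00"," "," ","42","80"\n'
                         '"09:15","110","1","44","90"\n'
                         '"09:30","130","2","40","100"\n')
PEAK_LOG = HEADER + ('"14:00","400","60","18","210"\n'
                     '"14:15","420","75","17","260"\n'
                     '"14:30","380","45","19","190"\n')


def load_counters(text):
    """Return {counter name (lower case): [samples]} from a CSV counter log."""
    rows = list(csv.reader(io.StringIO(text)))
    header, data = rows[0], rows[1:]
    series = {}
    for col, path in enumerate(header[1:], start=1):
        name = path.rsplit("\\", 1)[-1].lower()  # keep only the counter name
        # Skip blank cells (no value recorded for that sample).
        series[name] = [float(r[col]) for r in data if r[col].strip()]
    return series


def assess(current, baseline, fail_share=0.05, slowdown=1.5):
    """Apply the Table 16.3 readings; both thresholds are assumed values."""
    findings = []
    requests = mean(current["requests/sec"])
    failing = mean(current["failing requests/sec"])
    if requests and failing / requests > fail_share:
        findings.append("failing requests high in proportion to requests")
    hit = mean(current["cache hit ratio (%)"])
    if hit == 0:
        findings.append("cache hit ratio is zero: caching is not enabled")
    elif hit < mean(baseline["cache hit ratio (%)"]) / 2:
        findings.append("cache hit ratio low: possible configuration problem")
    key = "current average milliseconds/request"
    limit = mean(baseline[key]) * slowdown
    # "Consistently high" is taken here to mean every sample is over the limit.
    if all(ms > limit for ms in current[key]):
        findings.append("request time consistently high: at max capacity")
    return findings


if __name__ == "__main__":
    base = load_counters(BASELINE_LOG)
    for line in assess(load_counters(PEAK_LOG), base):
        print(line)
```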
Understanding Standard Objects and Counters to Monitor for System and Network Health
It’s also important to measure standard objects and counters. Items to monitor include
• Disk: Physical disk writes/reads per second. Amount of disk free space. Don’t forget to add logical disk counters by entering diskperf -yv at the command prompt and diskperf -yd for physical disk counters. Don’t forget to reboot for these counters to take effect. Disk bottlenecks can often be detected by observing the average disk queue length.