Re: ISA Server Having Issues.

From: Tony Su (anonymous_at_discussions.microsoft.com)
Date: 06/23/04


Date: Wed, 23 Jun 2004 13:16:17 -0700

1 GB weblog files per day for an SBS?!
The most one of my clients generates, and it's <plenty> of
traffic 24/7 is about 50mb per day, and IMO this client is
very unusual.

As Jim suggests, I would also <highly> recommend you
<immediately> run AV on all your Users. And, if you're
using your Server as a Workstation (shame if that's so),
run it on your Server as well.

Also, it might be a bit late but install all the virus
blocking scripts from Jim's isatools.org. That won't
prevent or solve infection, but might limit some of the
traffic.

Also, remember <never> run AV against your message store
on the Server.

If you take the time to read your logs... at least the
source addresses... you'll at least be able to determine
which of your hosts are generating the traffic. Also, use
simple techniques like physically disconnecting hosts from
your network.

Hint: My guess is that you won't have to read an entire
log to see where most of your problems are... grab about a
thousand records and export into Excel for sorting.

And, NetMon and the GFI Realtime monitor (freeware from
GFI) might be quick, informative tools.

Tony Su

>-----Original Message-----
>Okay. My goal for the next 30 days is to learn how to
>read ISA logs and start reviewing them. Scouts honor. We
>do have Norton Antivirus Corporate edition running on our
>domain and it is kept up to date. I really need to get
>this problem resolved so people can access email without
>restarting ISA server every other minute.
>
>
>>-----Original Message-----
>>You don't regularly review your ISA logs?
>>shame, shame... ;-)
>>
>>Do you have any form of anti-virus running on your
>>internal clients or ISA?
>>If not, you have a big job ahead of you.
>>--
>> Jim Harrison [ISASE]
>> Read the help, books and articles!
>>
>> This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>>
>>
>>"Terry" <tvstory@mainstream-mktg.com> wrote in message
>>news:2086701c45949$e08e3fc0$a501280a@phx.gbl...
>>I didn't even think of the ISA logs. Go figure. What
>>exactly am I looking for? The IPPEX log does show mostly
>>BLOCKED lines. The FWS logs show a lot of entries, a lot
>>of winupdate.exe for some reason. The Webex docs are too
>>big to open. All my Webext docs are generally over 1GB
>>for some reason; always have been.
>>
>>If there is an infected LAT host, what steps would need to
>>be taken? Thanks!!
>>
>>>-----Original Message-----
>>>Review your ISA logs for lots of denied traffic.
>>>This behavior is often the result of an infected LAT
>>>host.
>>>
>>>--
>>> Jim Harrison [ISASE]
>>> Read the help, books and articles!
>>>
>>> This posting is provided "AS IS" with no warranties, and
>>> confers no rights.
>>>
>>>
>>>"Terry" <tvstory@mainstream-mktg.com> wrote in message
>>>news:2026f01c45944$0449cc50$a601280a@phx.gbl...
>>>Hello,
>>>
>>>Our business runs on SBS2000 and utilizes the ISA Server.
>>>For some reason, it started being flaky. The first
>>>symptom is that the Firewall Client says "ISA Server1 is
>>>inaccessible." The second symptom is that Outlook and
>>>streaming audio stop working. File sharing with the
>>>server works as does the WWW. We also use the proxy
>>>server. No errors are reported in the event viewer.
>>>
>>>Restarting the Microsoft ISA Server Control, Web Proxy,
>>>and Firewall services fixes the problem but only for about
>>>a minute (occasionally longer but not lately). I
>>>completely rebooted the server last night but the problems
>>>were back by 9am this morning.
>>>
>>>The lack of error logs leaves me with my hands up in the
>>>air. Does anyone have suggestions? Thanks!!!
>>>
>>>
>>>.
>>>
>>
>>
>>.
>>
>.
>
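
Added example, not part of the original thread: the "grab about a thousand records and sort by source address" triage suggested above, done as a streaming script so a 1 GB log never has to be opened in an editor. It assumes a tab-delimited W3C extended log with a `#Fields:` directive and a `c-ip` client-address column; the sample lines and addresses are constructed.

```python
from collections import Counter
from itertools import islice

# Constructed sample log (not from the thread). Field names and order are
# assumptions; the parser follows whatever the "#Fields:" directive declares.
_hosts = ["192.168.16.21"] * 7 + ["192.168.16.30"] * 2 + ["192.168.16.44"]
SAMPLE_LOG = (
    "#Software: constructed sample\n"
    "#Fields: c-ip\tdate\ttime\tr-ip\tr-port\taction\n"
    + "".join(
        f"{ip}\t2004-06-23\t09:00:{i:02d}\t203.0.113.5\t445\tBLOCKED\n"
        for i, ip in enumerate(_hosts)
    )
    + "192.168.16.99\ttruncated-record\n"  # malformed line, must be skipped
)


def iter_sources(lines, ip_field="c-ip"):
    """Yield the source address of each well-formed record, line by line."""
    fields = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            # The directive can reappear mid-file (e.g. after a service restart).
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            continue  # truncated or malformed record
        source = dict(zip(fields, values)).get(ip_field, "-")
        if source != "-":
            yield source


def top_sources(lines, sample=1000, top=5):
    """Return (source, records, percent) for the busiest hosts in the sample."""
    counts = Counter(islice(iter_sources(lines), sample))
    total = sum(counts.values())
    return [(ip, n, round(100.0 * n / total, 1))
            for ip, n in counts.most_common(top)]


if __name__ == "__main__":
    # For a real log: with open(path, errors="replace") as fh: top_sources(fh)
    for ip, n, pct in top_sources(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {n:6} {pct:5.1f}%")
```

A single internal address holding most of the sampled records is the host to check first.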


