ISA Server 2004 and later versions enforce the lockdown mode of operation if writing to the log files takes more than thirty seconds. ISA Server 2004 SP3 and later versions include a new event message to notify the administrator before logging fails.
For more information about the ISA server lockdown mode of operation, click the following article number to view the article in the Microsoft Knowledge Base:
838711
Lockdown mode of operation in ISA Server 2006 or in ISA Server 2004
The new Warning event message is displayed if writing to the log files takes more than the time-out period. This helps administrators take preventive action before ISA Server enforces the lockdown mode of operation.
Methods to prevent lockdown mode
Administrators can use the following methods to prevent ISA Server from enforcing the lockdown mode of operation.
Method 1
Use Disk Defragmenter to consolidate fragmented files and folders. To do this, follow these steps:
- Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Disk Defragmenter.
- Click the volume where you store the log files, and then click Analyze.
- Click Defragment if the Disk Defragmenter suggests defragmenting the volume.
- Verify disk performance.
Notes
- To avoid long commits, you must frequently defragment the disks where you store ISA log files.
- For reliability and better performance, use RAID volumes.
Method 2
If you are using Microsoft SQL Server for logging, modify the file growth size or the file growth percentage for the SQL database.
For more information about how to modify file growth size, visit the following Microsoft Web site:
You can use the following SQL script to modify the file growth size.
USE master
GO
ALTER DATABASE <DataBaseName>
MODIFY FILE (NAME = <FileName>, FILEGROWTH = <GrowthIncrement>)
GO
Note In the script example, the text that is enclosed in angle brackets (<>) indicates a placeholder. <FileName> is the logical name of the database file, not its path on disk. <GrowthIncrement> is specified in megabytes (MB) or as a percentage of file size. The default value is 75 MB.
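The following script is an added example, not part of the Knowledge Base article: it shows how to check the current growth setting of an ISA Server SQL logging database before changing it, because percentage-based growth makes each autogrow event larger (and each stalled commit longer) as the file grows. It assumes SQL Server 2005 or later and uses a constructed database name, ISALOG_example, with a constructed logical data file name, ISALOG_example_Data.

```sql
-- Added example (not from the KB article). Assumes SQL Server 2005 or later.
-- ISALOG_example and ISALOG_example_Data are constructed names; replace them
-- with the names of your ISA Server logging database and its logical data file.
USE master;
GO

-- 1. Show the current autogrow setting of every file in the logging database.
--    sys.database_files.growth is in 8 KB pages, unless is_percent_growth = 1,
--    in which case it is a percentage of the current file size.
SELECT  name,
        type_desc,
        size * 8 / 1024 AS size_mb,
        CASE WHEN is_percent_growth = 1
             THEN CAST(growth AS varchar(10)) + ' %'
             ELSE CAST(growth * 8 / 1024 AS varchar(10)) + ' MB'
        END AS growth_setting
FROM    ISALOG_example.sys.database_files;
GO

-- 2. Switch the data file from percentage growth to a fixed increment so that
--    the time ISA Server waits on an autogrow event stays predictable.
ALTER DATABASE ISALOG_example
    MODIFY FILE (NAME = ISALOG_example_Data, FILEGROWTH = 256MB);
GO

-- 3. Verify: growth_mb should now be 256 and is_percent_growth should be 0.
SELECT  name,
        growth * 8 / 1024 AS growth_mb,
        is_percent_growth
FROM    ISALOG_example.sys.database_files
WHERE   name = 'ISALOG_example_Data';
GO
```

The same MODIFY FILE statement can be repeated for the transaction log file of the database, whose logical name also appears in the first query.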
Method 3
Make sure that the firewall log directory and the Web proxy log directory are on different disks. To do this, follow these steps:
- In the ISA Server MMC snap-in, click Monitoring.
- In the Details pane, click the Logging tab.
- On the Tasks tab, click Configure Firewall Logging.
- On the Log tab, click the appropriate Log storage format, and then click Options.
- In the Store the log file in box, note the path of the folder where firewall logs are stored.
- Under Log file storage limits, make appropriate changes to reduce the log file size.
- Click OK, and then click Apply.
- On the Tasks tab, click Web Proxy Logging.
- On the Log tab, click the appropriate log storage format, and then click Options.
- Make sure that the path that you noted in step 5 is not the same path that is listed for Web proxy logging.
Note Make sure that the Web proxy logs are stored on a different disk.
- Under Log file storage limits, make appropriate changes to reduce the log file size.
- Click OK, and then click Apply.
Method 4
Restrict the number of fields that are included in the log. To do this, follow these steps:
- In the ISA Server MMC snap-in, click Monitoring.
- In the Details pane, click the Logging tab.
- On the Tasks tab, click Configure Firewall Logging.
- On the Fields tab, select only the fields that you want, click Apply, and then click OK.
- Repeat step 2 through step 4 for Web Proxy Logging.
Method 5
Define rules to decrease the number of lines that are logged. To do this, follow these steps:
- You can define the following rules at the beginning of the firewall policy:
  - Deny probable malicious traffic to the firewall itself, and log these attempts. For example, deny the following types of probable malicious traffic:
  - Deny any other traffic to the firewall computer itself, and do not log the activity.
- You can define the following rules at the end of the firewall policy:
  - Deny high-load traffic that is not defined as dangerous, and do not log the activity. For example, deny the following types of high-load traffic:
  - Deny any other traffic with logging enabled.
Note These rules help the ISA server log activities that are required. Additionally, these rules help administrators troubleshoot issues.
How to set the time-out period
To set the time-out period after which the Warning event message is raised, run the following Microsoft Visual Basic Scripting Edition (VBScript) script. To do this, follow these steps:
- Start Notepad.
- Copy the following script into a new text file.
Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "FireLongLogCommitAfterThisAmountOfSeconds"
Const SE_VPS_VALUE = 15

Sub SetValue()
    ' Create the root object.
    Dim root ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim array      ' An FPCArray object
    Dim VendorSets ' An FPCVendorParametersSets collection
    Dim VendorSet  ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and to its vendor parameters sets collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    If Err.Number <> 0 Then
        Err.Clear
        ' The vendor parameters set does not exist yet; add it.
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name
    Else
        WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
    End If

    ' Only write and save when the stored value differs from the requested one.
    If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            CheckError
            If Err.Number = 0 Then
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If
End Sub

Sub CheckError()
    ' Report and clear any pending COM error.
    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If
End Sub

SetValue
Note This script uses the default value of 15 seconds. Change the SE_VPS_VALUE value that is set in the script to an appropriate value.
- Save the file by using the following file name:
FireLongLogCommitAfterThisAmountOfSeconds.vbs
- Double-click the file that you saved in step 3 to run the script.