ISA Server 2004 Best Practice Analyzer

by [Published on 16 Feb. 2006 / Last Updated on 20 May 2013]

In this article I will show you how to install and use the ISA Best Practice Analyzer (ISABPA). You can use ISABPA to analyze your ISA Server 2004 environment for security holes, performance problems and configuration mismatches.


Get your copy of the German language "Microsoft ISA Server 2004 - Das Handbuch"

Let's begin

The ISA Server Best Practices Analyzer is a diagnostic tool like the well known EXBPA (Exchange Best Practice Analyzer Tool) that automatically performs specific tests on configuration data collected on the local ISA Server 2004 computer from the ISA Server hierarchy of administration COM objects, Windows Management Instrumentation (WMI) classes, the system registry, files on disk, and the Domain Name System (DNS) settings. You can use ISABPA for both ISA Server 2004 Standard and ISA Server 2004 Enterprise.

The resulting report details critical configuration issues, potential problems, and information about the ISA Server 2004.

First we need to download the ISA Server 2004 Best Practice Analyzer (ISABPA). After downloading you can install the ISABPA tool following the instructions of the wizard.

Please note:
ISABPA requires and installs .NET Framework 1.1.

Installation

Follow the installation instructions of the Microsoft ISA Server Best Practice Analyzer Tool Setup.


Figure 1: Installation of ISABPA

The installation process takes only some minutes.


Figure 2: Installation process

After installation ISABPA starts automatically unless you clear the checkbox.


Figure 3: Launch ISABPA after installation

Updating ISABPA

After installing ISABPA you can start a new Best Practice scan. If you haven't used the ISA Best Practice Analyzer for a long period of time, it is recommended to look for an update of ISABPAs configuration. To update ISABPA click Update the ISA Server Best Practice Analyzer under See also.


Figure 4: Update ISABPA

ISABPA looks for online updates on the Microsoft website. If the update process finds new updates, ISABPA will be updated and the tool will be restarted.

After updating ISABPA you can start a new Best Practice scan by clicking the Start a new Best Practices scan button.


Figure 5: Start a new Best Practice scan

You can choose between three scantypes:

  • Health Check + ISAInfo
  • Health Check
  • Run ISAInfo

The ISABPA health check executes an ISA Server 2004 diagnose based on the configuration file downloaded from the Microsoft website.

Isainfo is the well known tool to collect information about the ISA Server configuration and to display the configuration settings. You can download ISAInfo as a separate installation from here. ISAInfo is included in the ISA Server Best Practice Analyzer tool.


Figure 6: Start a scan

An ISABPA scan requires only a few minutes to execute. After collecting data, you can view the report of this Best Practices Scan.

Click View the report of this Best Practice scan.


Figure 7: View a best practice scan

In this example I have used an ISA Server 2004 without SP1 running on Microsoft Virtual Server 2005 R2. ISABPA reports that ISA Server 2004 is running on Microsoft Virtual OC which is not correct.


Figure 8: Analyze collected information

If you are using ISABPA for the first time or if you are an ISA beginner, you should spend some time reading the ISABPA help file which contains a lot of information about ISA Server, the analyzing process of ISABPA and best Practice recommendations.


Figure 9: ISABPA help file

After executing ISABPAs Health Check you can execute ISAINFO within ISABPA – theoretically. I had tried opening ISAINFO with ISABPA Version 2.5.3439.50 and the configuration file 4.0.3440.277 but I did not succeed. ISAInfo will NOT display information created by ISABPA. I also tried the ISAINFO option from ISABPA with different ISA Server 2004 Enterprise servers and ISA Server 2004 Standard servers in german and English language but with no success.


Figure 10: ISABPA – Run ISAInfo

ISABPA executes the ISAINFO tool correctly. ISAINFO creates an ISAINFO XML-file but this information will not be displayed in ISABPA. I assume that this is a bug in ISABPA.

To overcome this limitation you can start ISAINFO manually and open the XML file created by ISABPA. You can find the ISAINFO XML file in the ISABPA installation directory.


Figure 11: Manually executing ISAINFO

It is possible to automate the execution of ISABPA scans. To enable scheduled scanning click Schedule a scan and enable scan scheduling and the start time and run frequency.


Figure 12: Scheduling ISABPA scans

Bugs


  • ISABPA reports ISA installed on Virtual Server 2005 R2 as Virtual PC.
  • It is not possible to automatically create an ISAInfo Report. ISAInfo will be installed with ISABPA but you must manually execute ISAInfo with the XML file created by ISABPA.
  • One guy in the German ISA Server newsgroup posted that ISABPA doesn't listed any installed certificate although it was installed.
  • The Link to the ISA Server 2004 Security Hardening Guide is wrong. The correct link is: http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx

I spoke with a member of the ISA Server Product team and they said that the first bug (wrong report of Virtual PC) and the wrong link will be corrected in a next ISABPA update/version.

ISABPA listed missing certificates only when there was no corresponding private key for this certificate.

For running ISAINFO on ISABPA you have to install the ISAINFO XML Parser which is not included in ISABPA.

Conclusion

In this article I have shown you how to use the ISABPA – ISA Server 2004 Best Practice Analyzer to analyze your existing ISA Server environment to find security holes, performance bottlenecks and configuration mismatches.

Related Links

ISABPA Download
http://www.microsoft.com/downloads/details.aspx?FamilyID=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en

The Author — Marc Grote

Marc Grote avatar

Marc Grote is an MCSA/MCSE Messaging & Security, MCSE Private Cloud and Server Virtualization, an MCTS/MCITP and a Microsoft Certified Trainer and MCLC. He is a freelance Consultant and IT Trainer in the north of Germany near Hanover. He specializes in TMG/UAG Server, Exchange, System Center, Security for Windows Server 2012 and Windows Server 2012 designs, migrations and implementations. His efforts have earned him recognition as a Microsoft MVP for ISA Server since 2004.

Latest Contributions

Featured Links