The Use of Alert Actions in Internet Security and Acceleration Server 2000 (284800)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000

This article was previously published under Q284800

SUMMARY

This article discusses the use of the alert service in Microsoft Internet Security and Acceleration (ISA) Server. When you use the alert actions in the alert service, you must carefully consider the repercussions when you set each alert action. The default settings are suitable for most situations but not all situations.

MORE INFORMATION

Alert actions can be triggered by events that occur on a computer either frequently or infrequently. You must consider how each alert action may be triggered in your environment and configure each to warn you. Do not configure alert actions with settings that can easily overwhelm you with frequent warning messages.

This consideration is especially important if you configure the alert action to perform tasks that use related network or computer resources. For example, sending e-mail messages generates traffic on your e-mail server, running a program may use excessive memory if it is run too often, and stopping and starting services may have other side effects.

On the Event tab, when you click "Actions will be executed when the selected conditions occur", you can assign the properties of the alert action to determine how frequently or infrequently an alert action is issued.

Some of the settings that are available to you when you use an alert action:
  • Number of occurrences before alert is issued:

    Use this setting for alert actions that can be used frequently. Set the number according to what you think is a reasonable value based on the event being tracked. The alert action is triggered after the event has occurred the number of times specified in this setting.
  • Number of events per second before alert is issued:

    This setting defines a condition based on time and is similar to the preceding setting.
  • Recurring actions are performed:

    • Immediately
    • After manual reset of alert
    • If time since last execution is more than: __ minutes
    This setting ensures that an alert action is re-issued if a condition persists. You can set certain alert actions to be generated again immediately, or after a few minutes if the condition persists (for example, when the intrusion detection or service does not respond).

An example of a poorly configured alert action is:

You configure an alert action to send an e-mail message and to run a program that does not exit by itself, either of the first two settings in the preceding list is set to a low number (for example, 1), and the "Recurring actions are performed" setting is set to Immediately.

If a related event occurs frequently, it can cause the alert action to be triggered rapidly, for example, several times a second. This behavior can cause an excessive number of e-mail messages to be generated, which can potentially overwhelm your e-mail server and your e-mail Inbox. The effects include saturation of the link that connects you to the e-mail server and programs being started so often that they use up all available memory.
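
The effect of the three settings on a burst of events can be estimated before you commit to a configuration. The following is an added example, not Microsoft code and not ISA Server's implementation: it is a simplified model that assumes both thresholds must be met before the recurrence rule is applied, and the function name, parameter names, and event burst are constructed for illustration.

```python
def count_actions(event_times, occurrences=1, events_per_second=0,
                  recur="immediately", interval_minutes=0):
    """Count how often the alert action runs for events at event_times (seconds).

    Assumed model: both thresholds must be met, then the recurrence rule decides.
    """
    actions = 0
    pending = 0        # events seen since the action last ran
    window = []        # event times within the trailing second
    last_run = None
    for t in event_times:
        pending += 1
        window = [x for x in window if t - x < 1.0] + [t]
        if pending < occurrences:
            continue   # "Number of occurrences" threshold not reached
        if events_per_second and len(window) < events_per_second:
            continue   # "Number of events per second" threshold not reached
        if last_run is not None:
            if recur == "manual_reset":
                continue   # nobody reset the alert during this burst
            if recur == "interval" and t - last_run <= interval_minutes * 60:
                continue   # too soon since the last execution
        actions += 1
        pending = 0
        last_run = t
    return actions

# Constructed input: one event every 0.2 s for ten minutes (3000 events).
BURST = [i / 5 for i in range(3000)]

def compare():
    """Run the same burst through the poor configuration and three alternatives."""
    return {
        "poor": count_actions(BURST, occurrences=1, recur="immediately"),
        "tuned": count_actions(BURST, occurrences=50, recur="interval",
                               interval_minutes=5),
        "manual": count_actions(BURST, occurrences=1, recur="manual_reset"),
        "rate_gate": count_actions(BURST, events_per_second=10),
    }

if __name__ == "__main__":
    for name, runs in compare().items():
        print(f"{name}: action ran {runs} times")
```

Each run of the action in the model stands for one e-mail message sent and one program started, so the "poor" count is the load placed on the e-mail server and on memory during the burst.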

Modification Type: Minor
Last Reviewed: 1/15/2006
Keywords:Kbisa2004yes kbenv kbinfo KB284800