How to customize actions by using alert definitions in ISA Server 2004 (838121)
The information in this article applies to:
- Microsoft Internet Security and Acceleration Server 2004, Standard Edition
INTRODUCTIONThis article describes how to customize actions in Microsoft Internet Security and Acceleration (ISA) Server 2004 by using alert definitions. MORE INFORMATIONISA Server 2004 contains a list of alert definitions together with their associated events. To view these items, follow these steps: - Start the ISA Server Management tool.
- Expand ServerName, where ServerName is the name of your ISA Server computer.
- Click Monitoring, click the Alerts tab, and then click Configure Alert Definitions.
- Click an alert definition, click Edit, and then click the Events tab.
In ISA Server 2004, an event is a trigger condition that is generated by an ISA Server service when a particular runtime condition occurs. An event is identified by the event type, together with a particular "additional condition" or conditions. For example, if you click Network configuration changed in the Alert Definitions list, click Edit, click the Events tab, and then view the contents of the Additional condition list, the following items appear: Any network configuration change NIC Enabled NIC Disabled IP added or removed Network connected Network disconnected network address modified In this list, the Any network configuration change item is a "meta" item that effectively matches all the possible additional conditions that may occur. Each event has one of these "meta" or "wildcard" conditions. In ISA Server 2004, an alert is the event-handling configuration. Part of this configuration is the handled event. The handled event is identified by the event type together with the item that appears in the Additional condition list. ISA Server 2004 is configured with an alert for each event type. By default, each of the event types is configured to use the wildcard "additional condition" item. Because of this, you may want to modify the alert definition to define a specific event. For example, you may want to run a command to stop the IPSEC services ( net stop PolicyAgent) if a network becomes disconnected, or if a network adapter is disabled. If you perform this action by using the default configuration, the command runs when any network configuration change occurs. This includes the enabling of a network adapter or when the network is connected. Additionally, you might want to create additional alerts to define multiple actions for the same event. For example, you may want to configure one particular alert to send an e-mail message that contains specific text when an event that contains a particular condition occurs, and a second alert to send an e-mail message that contains different text when that same event occurs, but when that second event contains a different condition. ExampleThe following example shows how to configure an alert for a network configuration change event. To modify an alert: - Start the ISA Server Management tool.
- Expand ServerName, click Monitoring, click the Alerts tab, and then click Configure Alert Definitions.
- Click Network configuration changed, and then click Edit.
- Click to select the Enable check box, click Warning in the Severity list, and then click the Events tab.
- In the Additional condition list, click NIC Disabled.
- Leave the Immediately option selected under Each subsequent time the thresholds are met, trigger the alert, and then click the Actions tab.
- Click to select the Send e-mail check box, type the name of your SMTP server in the SMTP server box, type your e-mail address in the From box, type a valid recipient e-mail address in the To box, and then click Test.
- When you receive the following message, click OK:The simulation was completed successfully.
An e-mail message was sent. - Click OK two times, click Apply to update the firewall policy, and then click OK.
To create a new alert: - In the ISA Server Management tool, click Monitoring, click the Alerts tab, and then click Configure Alert Definitions.
- Click Add, and then type a descriptive name for the alert in the Alert name box. In this example, type Network reconnected.
- Click Next, click Network configuration changed in the Event list, click NIC Enabled in the Additional condition list, and then click Next.
- In the Severity list, click Information, and then click Next.
- Click to select both the following check boxes, and then click Next:
Send an e-mail message Report the event to the Windows event log - In the SMTP server box, type the name of your SMTP server, type your e-mail address in the From box, type a valid recipient e-mail address in the To box, and then click Next.
- Review the alert configuration information, click Finish, and then click OK.
- Click Apply to update the firewall policy, and then click OK.
Test the alert definition configuration by disabling, and then enabling a network adapter on the ISA Server computer.
Modification Type: | Major | Last Reviewed: | 11/24/2004 |
---|
Keywords: | kbFirewall kbhowto kbinfo KB838121 kbAudITPRO |
---|
|