External Systems Configuration Guide

Microsoft ISA Server

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Application type
  Metrics collected: Process level metrics: CPU utilization, memory utilization
  Used for: Performance Monitoring

Protocol: WMI
  Information discovered: Application type, service mappings
  Metrics collected: Process level metrics: uptime, CPU utilization, memory utilization, read I/O, write I/O
  Used for: Performance Monitoring

Protocol: Syslog (via SNARE)
  Information discovered: Application type
  Metrics collected: W3C proxy logs: attributes include Service Instance, Source IP, User, Destination IP, Destination Port, Sent Bytes, Received Bytes, Connection Duration, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, URL, Source interface, Destination interface, Proxy action
  Used for: Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event Types, search for "isa server" to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP
Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you must still add FortiSIEM to the list of hosts that are allowed to send SNMP packets to the server. First make sure that the SNMP component has been installed.

  1. Go to Control Panel > Add or Remove Programs.
  2. Click Add/Remove Windows Components.
  3. Select Management and Monitoring Tools and click Details.
    Make sure that Simple Network Management Protocol is selected.
    If it isn't selected, select it, and then click Next to install it.
  4. Go to Start > Administrative Tools > Services.
  5. Select and open SNMP Service.
  6. Click the Security tab.
  7. Select Send authentication trap.
  8. Under Accepted community names, make sure there is a READ ONLY entry for the community string that FortiSIEM will use. The examples use public; on a production host choose a non-default string and enter the same value in the FortiSIEM SNMP credential.
  9. Select Accept SNMP packets from these hosts.
  10. Click Add.
  11. Enter the IP address of the FortiSIEM virtual appliance that will poll this server over SNMP.
  12. Click Add.
  13. Click Apply.
  14. Restart the SNMP Service.
Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008 R2, but you must still add FortiSIEM to the list of hosts that are allowed to send SNMP packets to the server. First check that the SNMP Service feature has been installed.

  1. Log in as an administrator to the Windows Server 2008 R2 host where you want to enable SNMP.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on or off.
  4. Under Features, check whether SNMP Services is installed.
    If not, click Add Features, select SNMP Service, and click Next to install it.
  5. In the Server Manager window, go to Configuration > Services.
  6. Select and open SNMP Service.
  7. Click the Security tab.
  8. Select Send authentication trap.
  9. Under Accepted community names, make sure there is a READ ONLY entry for the community string that FortiSIEM will use. The examples use public; on a production host choose a non-default string and enter the same value in the FortiSIEM SNMP credential.
  10. Select Accept SNMP packets from these hosts.
  11. Click Add.
  12. Enter the IP address of the FortiSIEM virtual appliance that will poll this server over SNMP.
  13. Click Add.
  14. Click Apply.
  15. Restart the SNMP Service.
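
The same settings as the two GUI procedures above, as an added PowerShell example that is not part of the original guide. It writes the registry values behind the SNMP Service Security tab, which is where both Windows Server 2003 and 2008 R2 store them, and the addresses and community string in it are assumed values. Unlike the GUI steps it also drops the default public community, so that only the string you then enter in the FortiSIEM SNMP credential is accepted.

```powershell
# Added example, not part of the original guide: script the SNMP Service
# "Security" tab settings described in the two procedures above. Run in an
# elevated PowerShell (2.0 or later) on the ISA host. The two defaults below
# are assumptions; replace them with your own values.
param(
    [string]$FortiSiemIp = '192.0.2.10',    # assumption: FortiSIEM appliance address
    [string]$Community   = 'fsm-ro-Kq7pL2'  # assumption: non-default read-only community
)

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

# Install the SNMP service if the feature is missing (Server 2008 R2 / 2012).
Import-Module ServerManager -ErrorAction SilentlyContinue
if (-not (Get-Service -Name SNMP -ErrorAction SilentlyContinue)) {
    if (Get-Command Install-WindowsFeature -ErrorAction SilentlyContinue) {
        Install-WindowsFeature SNMP-Service | Out-Null
    } else {
        Add-WindowsFeature SNMP-Service | Out-Null
    }
}

# "Send authentication trap": trap on requests that carry an unknown community.
Set-ItemProperty -Path $params -Name EnableAuthenticationTraps -Value 1 -Type DWord

# "Accepted community names": value name = community, data = rights
# (1 NONE, 2 NOTIFY, 4 READ ONLY, 8 READ WRITE, 16 READ CREATE).
# Drop the well-known default "public" so only the string FortiSIEM uses is accepted.
$valid = Join-Path $params 'ValidCommunities'
if (-not (Test-Path $valid)) { New-Item -Path $valid | Out-Null }
Remove-ItemProperty -Path $valid -Name 'public' -ErrorAction SilentlyContinue
Set-ItemProperty -Path $valid -Name $Community -Value 4 -Type DWord

# "Accept SNMP packets from these hosts": string values named "1", "2", ...
# An EMPTY PermittedManagers key means "accept from any host", so the key must
# end up with at least the FortiSIEM address in it.
$mgrs = Join-Path $params 'PermittedManagers'
if (-not (Test-Path $mgrs)) { New-Item -Path $mgrs | Out-Null }
$key      = Get-Item -Path $mgrs
$existing = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
if ($existing -notcontains $FortiSiemIp) {
    $next = $existing.Count + 1
    Set-ItemProperty -Path $mgrs -Name "$next" -Value $FortiSiemIp -Type String
}

Restart-Service -Name SNMP

# Review: exactly one READ ONLY community and an explicit manager list.
'Accepted communities:'
Get-ItemProperty -Path $valid | Select-Object -Property * -ExcludeProperty PS*
'Permitted managers:'
Get-ItemProperty -Path $mgrs | Select-Object -Property * -ExcludeProperty PS*
```

After it runs, the SNMP Service Security tab shows the same state the GUI steps produce: one read-only community and FortiSIEM as the only permitted manager. If the manager list is left empty the service answers any host that knows the community string, which is why the script refuses to leave it that way.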
WMI

Configuring WMI on your device so FortiSIEM can discover and monitor it requires a user account that can access WMI objects on the device. There are two ways to do this. The first creates a dedicated local account with only the DCOM and WMI permissions that monitoring needs and is the better choice; the second adds the account to Domain Admins, which grants far more access than monitoring requires and makes the credential stored in FortiSIEM a high-value target if it leaks.

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group
  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select New User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.
    This is the account you must use to set up the Performance Monitor Users group permissions.
  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.
Enable DCOM Permissions for the Monitoring Account
  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

To finish, follow Enable Account Privileges in WMI and the Allow WMI through the Windows Firewall section for your Windows version, both given below under the domain administrator instructions. In the CIMV2 permission step, add the local account you created here.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable Remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group
  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers, and select the Users container.
  2. Right-click Users and select New > User.
  3. Create a user.
  4. Right-click the Domain Admins group and select Properties.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3, and click OK.
  7. Click OK to close the Domain Admins Properties dialog.
Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account
  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.
Allow WMI to Connect Through the Windows Firewall (Windows 2003)
  1. In the Start menu, select Run.
  2. Run gpedit.msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run cmd.exe and enter these commands:
    netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
    netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP

  7. Restart the server.
Allow WMI through Windows Firewall (Windows Server 2008, 2012)
  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation (WMI), and then click OK.

With the host configured, set up the WMI credential and discovery in FortiSIEM. For more information, refer to the sections "Discovery Settings" and "Setting Credentials" in the User Guide.
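
The account, group and firewall steps of the local-account procedure above, together with the check a practitioner runs before entering the credential in FortiSIEM, as an added PowerShell example that is not part of the original guide. Run it without -Verify, elevated, on the ISA host; run it with -Verify from a different Windows host to confirm that the account can read the uptime, CPU, memory and I/O counters the table at the top of this page lists. The DCOM limits and the CIMV2 namespace permissions are binary security descriptors, so those remain the GUI steps above. The account name fsm-monitor and the host name isa01 are assumptions.

```powershell
# Added example, not part of the original guide. Without -Verify it runs
# elevated on the ISA host and performs the account, group and firewall steps
# of the local-account procedure. With -Verify it runs on a different Windows
# host and proves that the account can read what FortiSIEM will collect.
# $User and $Target are assumed names.
param(
    [string]$User   = 'fsm-monitor',   # assumption: local monitoring account
    [string]$Target = 'isa01',         # assumption: ISA host name (used with -Verify)
    [switch]$Verify
)

function Test-FsmWmiAccess {
    param([string]$ComputerName, [System.Management.Automation.PSCredential]$Credential)
    try {
        # Uptime comes from Win32_OperatingSystem; CPU, working set and read/write
        # I/O per process come from the formatted performance class. These are
        # the WMI metrics listed in the table at the top of this page.
        $os   = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
        $boot = $os.ConvertToDateTime($os.LastBootUpTime)
        "Uptime of ${ComputerName}: $((Get-Date) - $boot)"
        Get-WmiObject -Class Win32_PerfFormattedData_PerfProc_Process -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop |
            Where-Object { @('_Total', 'Idle') -notcontains $_.Name } |
            Sort-Object -Property PercentProcessorTime -Descending |
            Select-Object -First 5 -Property Name, PercentProcessorTime, WorkingSet, IOReadBytesPersec, IOWriteBytesPersec
    } catch {
        # Typical failures: 0x80070005 "Access is denied" = DCOM limits or the
        # CIMV2 namespace permissions from the steps above were not applied;
        # 0x800706BA "RPC server is unavailable" = firewall or DCOM port 135 blocked.
        Write-Warning "WMI query against $ComputerName failed: $($_.Exception.Message)"
    }
}

if ($Verify) {
    $cred = Get-Credential -Credential "$Target\$User"
    Test-FsmWmiAccess -ComputerName $Target -Credential $cred
    return
}

# ---- Runs on the ISA host ----
# Create the account without putting it in Administrators. Fails if it already exists.
$secure = Read-Host -Prompt "Password for $User" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$account  = $computer.Create('User', $User)
$account.SetPassword($plain)
$account.SetInfo()
$plain = $null

# The two groups named in the procedure above (ADSI works on 2003 through 2012).
foreach ($groupName in 'Distributed COM Users', 'Performance Monitor Users') {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
    $group.Add($account.Path)
}

# Equivalent of "Allow a program or feature through Windows Firewall" > WMI
# on Server 2008/2012. On Server 2003 use the netsh firewall commands above.
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes | Out-Null

"Account $User created and added to both groups; WMI firewall rules enabled."
"The DCOM limits and CIMV2 namespace permissions still have to be granted with the GUI steps above."
```

A successful -Verify run prints the uptime and the five busiest processes with their CPU, working set and I/O rates; an "Access is denied" result after the account and groups exist almost always means one of the Edit Limits dialogs or the CIMV2 Remote Enable permission was skipped.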

Syslog

Use the Windows Agent Installation Guide to configure sending syslog from your device to FortiSIEM.

Sample Microsoft ISA Server Syslog

<13>Mar  6 20:56:03 ISA.test.local ISAWebLog    0    192.168.69.9    anonymous    Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12    Y    2011-03-05    21:33:55    w3proxy    ISA    -    212.58.246.82    212.58.246.82    80    156    636    634    http    TCP    GET    http://192.0.2.82/rss/generic_news/front_page/rss.xml    text/html; charset=iso-8859-1    Inet    301    0x41200100    Local Machine    Req ID: 07c10445; Compression: client=No, server=No, compress rate=0% decompress rate=0%    Local Host    External    0x400    Allowed    2011-03-05 21:33:55    -
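
A parser for the line shown above, as an added PowerShell (3.0 or later) example that is not part of the original guide. It maps the tab-separated W3C proxy columns onto the attributes listed in the table at the top of this page and flags conditions worth alerting on. Two assumptions: the column order is the ISA Web Proxy log's W3C order, which the page does not state, and the field SNARE inserts after ISAWebLog is a counter. The copy printed above renders the tabs as runs of spaces; the parser accepts either form, and the sample below is the same line with the tabs restored.

```powershell
# Added example, not part of the original guide: split a SNARE-forwarded ISA
# Web proxy line into the attributes FortiSIEM parses, then apply checks.
# PowerShell 3.0 or later. The sample is the line above with real tabs restored.
$sample = @(
    '<13>Mar  6 20:56:03 ISA.test.local ISAWebLog', '0', '192.168.69.9', 'anonymous',
    'Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12',
    'Y', '2011-03-05', '21:33:55', 'w3proxy', 'ISA', '-', '212.58.246.82', '212.58.246.82',
    '80', '156', '636', '634', 'http', 'TCP', 'GET',
    'http://192.0.2.82/rss/generic_news/front_page/rss.xml', 'text/html; charset=iso-8859-1',
    'Inet', '301', '0x41200100', 'Local Machine',
    'Req ID: 07c10445; Compression: client=No, server=No, compress rate=0% decompress rate=0%',
    'Local Host', 'External', '0x400', 'Allowed', '2011-03-05 21:33:55', '-'
) -join "`t"

# ISA Web Proxy log columns in W3C order. This order is an assumption; the
# page shows the sample but does not name the columns.
$columns = 'c-ip', 'cs-username', 'c-agent', 'sc-authenticated', 'date', 'time',
           's-svcname', 's-computername', 'cs-referred', 'r-host', 'r-ip', 'r-port',
           'time-taken', 'sc-bytes', 'cs-bytes', 'cs-protocol', 'cs-transport',
           's-operation', 'cs-uri', 's-mimetype', 's-objectsource', 'sc-status',
           's-cache-info', 'rule', 'FilterInfo', 'cs-Network', 'sc-Network',
           'error-info', 'action', 'GMT-time'

function ConvertFrom-IsaWebLog {
    param([Parameter(Mandatory = $true)][string]$Line)
    # Syslog header: "<PRI>Mon dd hh:mm:ss host ISAWebLog" followed by the SNARE payload.
    $header = '^<(?<pri>\d+)>(?<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?<host>\S+) ISAWebLog\s+(?<rest>.*)$'
    if (-not ($Line -match $header)) { throw "Not an ISAWebLog line: $Line" }
    $rest = $Matches['rest']
    # SNARE separates fields with tabs; the copy printed in this guide shows
    # them as runs of spaces, so accept either.
    $fields = if ($rest.Contains("`t")) { $rest -split "`t" } else { $rest -split ' {2,}' }
    $values = $fields[1..($fields.Count - 1)]   # $fields[0] is SNARE's leading field (assumed a counter)
    $rec = [ordered]@{
        syslog_pri  = [int]$Matches['pri']
        syslog_time = $Matches['ts']
        syslog_host = $Matches['host']
        snare_field = $fields[0]
    }
    for ($i = 0; $i -lt $columns.Count -and $i -lt $values.Count; $i++) {
        $rec[$columns[$i]] = $values[$i]
    }
    if ($values.Count -gt $columns.Count) {
        $rec['extra'] = @($values[$columns.Count..($values.Count - 1)])   # newer ISA builds append columns
    }
    [pscustomobject]$rec
}

# Project onto the attribute names used in the table at the top of this page
# and flag conditions worth alerting on.
function Get-FsmIsaSummary {
    param([Parameter(Mandatory = $true)]$Record)
    $flags = @(
        if ($Record.'cs-username' -eq 'anonymous') { 'unauthenticated-client' }
        if ($Record.action -ne 'Allowed')           { 'proxy-denied' }
        if ([int]$Record.'sc-status' -ge 400)       { 'http-error' }
    )
    [pscustomobject]@{
        SourceIP        = $Record.'c-ip'
        User            = $Record.'cs-username'
        DestinationIP   = $Record.'r-ip'
        DestinationPort = [int]$Record.'r-port'
        SentBytes       = [int]$Record.'sc-bytes'   # ISA "Bytes Sent"
        ReceivedBytes   = [int]$Record.'cs-bytes'   # ISA "Bytes Received"
        DurationMs      = [int]$Record.'time-taken'
        HttpUserAgent   = $Record.'c-agent'
        HttpMethod      = $Record.'s-operation'
        HttpStatusCode  = [int]$Record.'sc-status'
        URL             = $Record.'cs-uri'
        SourceNetwork   = $Record.'cs-Network'
        DestNetwork     = $Record.'sc-Network'
        ProxyAction     = $Record.action
        Flags           = $flags
    }
}

$parsed = ConvertFrom-IsaWebLog -Line $sample
Get-FsmIsaSummary -Record $parsed | Format-List
```

The header regex is deliberately strict about the ISAWebLog token so that other SNARE log types from the same host are rejected rather than mis-parsed, and any columns beyond the thirty expected ones are kept in an extra property instead of being silently dropped.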

Settings for Access Credentials

SNMP Access Credentials for All Devices

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String; the Community String must match a READ ONLY community accepted by the Windows SNMP service, and the FortiSIEM address must be in that service's list of permitted hosts.

Setting             Value
Name                <set name>
Device Type         Generic
Access Protocol     SNMP
Community String    <your own>
