OK, I've tested the availability of System Policy access rules when an ISA
server is in "lockdown" mode, and they just don't work. So, I'm calling
"horse-hockey" on that. Has anyone else added remote management rules to
the System Policy and forced ISA into lockdown mode by not allowing it to
log, and still accessed the server via RDP or otherwise?
Further, if you are logging to a SQL database, it seems like you are
*forced* to disable lockdown-mode altogether. Any maintenance at all to
the ISALog database on the SQL server seems to totally fsk the logging
connection. The ODBC logging is kind of punked anyway-- even though you're
inserting records to a table with nvarchar and varchar data types, the ISA
ODBC connector "pads" the data sent. So even if you have a 25 char
ClientUserName, ISA pads the data and fills the field. This is why the
default log file is so damned big-- given this, we HAVE to parse the data
into something more manageable. 1 Gig per day for 85 or so users is really
nuts. But I've got my own process that posts into a table of my own design,
and trims the data in the process. This has to run every night-- but when
it does, ISA punks out on logging, and goes into lockdown mode. And I'm not
logging to some ghetto box, either-- this is to a cluster of 2 Dell 2650
dual-proc MoFo's with a half terabyte shared SCSI array. I can extrapolate
a million decimal places of Pi on these boxes in seconds (I've done it. My
favorite is the eight 8's in a row at about 300 million).
If this were documented, it would be OK- but it kind of sucks to build a
robust infrastructure with detailed logging only to have to disable lockdown
mode if you do so. I *like* lockdown mode. But I don't like that the
system policy doesn't seem to work in LDM, nor that you have to switch to
MSDE logging just to run a job to clean up the data that your Enterprise
Firewall solution is logging...
Anyone? Bueller? Anyone?
t
----- "I may disapprove of what you say, but I will defend to the death your right to say it."