Remote Administration of ISA Server 2004 Enterprise Edition

Microsoft® Internet Security and Acceleration (ISA) Server 2004 Enterprise Edition enables you to administer ISA Server computers from other computers. You can perform all ISA Server administrative tasks remotely, either from a computer running a Terminal Services client, such as a Remote Desktop Connection, or from ISA Server Management installed on the remote computer.

Scenarios

Solutions

Additional Information

Appendix A: Network Object Rule Elements

Remote Management and Roles

There are two aspects to remote management:

  • The ability to connect a remote computer to ISA Server. This depends on configuring ISA Server policy to allow a remote connection from that computer.
  • The role of the user who connects remotely. For example, the user might be an enterprise administrator, or an array administrator, with different rights to administer ISA Server.

These two aspects are distinct. A computer might be recognized by ISA Server as being allowed to connect, but the user may not have the required privileges to administer ISA Server. After the computer is connected, the user would not be able to perform any ISA Server tasks or monitor array or Configuration Storage server status.

ISA Server Roles

You can use role-based administration to organize your ISA Server administrators into separate, predefined roles, each with its own set of tasks. When you assign a role to a user, you essentially allow that user permissions to perform specific tasks. Roles are defined on the enterprise level, on the enterprise policy level, and on the array level, and allow different levels of configuration and monitoring rights.

Terminal Server and ISA Server Management

Both Terminal Server and ISA Server Management can be used to administer ISA Server computers.

Terminal Server allows you to view the desktop of any computer on which the ISA Server management console is installed. You can then administer ISA Server insofar as you have the permissions to do so.

ISA Server Management is part of the installation of the Configuration Storage server and of ISA Server services, but can also be installed as a stand-alone component for administration of ISA Server computers. You connect a remote ISA Server Management console to a Configuration Storage server, as shown in the following figure.

[Figure: a remote ISA Server Management console connected to a Configuration Storage server, which in turn is connected to the arrays]

When you request server-specific information from the remote console, it automatically connects to the arrays to obtain that information. Note that a physical or virtual private network (VPN) connection is required to enable connectivity with the Configuration Storage server and the arrays.

Note

When managing ISA Server from a VPN client, we recommend that you use Terminal Server rather than ISA Server Management. Some administrative actions in ISA Server require you to restart services. When you do so, Routing and Remote Access is among the services that are stopped, thereby ending your remote ISA Server Management connection before the services can be started again. This is not an issue in Terminal Server remote management. We also recommend that you use Terminal Server when your remote management computer’s connection to the Configuration Storage server is slower than 5 Mbps.

System Requirements for ISA Server Management

ISA Server Management runs on computers running Microsoft Windows Server™ 2003, Windows® 2000 Server, Windows XP, or Windows 2000 Professional.

Scenarios

Typically, your Internet Security and Acceleration (ISA) Server computer will be housed in a central location with your other corporate servers, which is not near your office location. You may want to administer ISA Server from another computer on the same network as the ISA Server computer or from a home computer. You may provide consulting services to clients that are using ISA Server to secure their networks, and be responsible for maintaining and monitoring their ISA Server computers. Remote administration enables you to administer ISA Server in all of these cases.

Solutions

There are two approaches to remote administration:

  • Remote administration using Terminal Services. We recommend this approach for management from a virtual private network (VPN) client.
  • Remote administration through ISA Server Management. ISA Server Management is part of ISA Server, but can also be installed without other ISA Server components, for administration only.

Remote Administration — Walk-through

This walk-through guides you through the steps necessary to remotely administer your ISA Server computer.

Remote Administration Walk-through Procedure 1: Configure Remote Administration on the ISA Server Computer

Remote administration is enabled by default when you install ISA Server services, although it is only enabled for computers that are listed in one of the remote management computer sets, at the array or enterprise level. The computer sets, which are empty by default, are:

  • Enterprise Remote Management Computers (enterprise level)
  • Remote Management Computers (array level)

If you add a computer to the Enterprise Remote Management Computers computer set, a user (with appropriate permissions) on that computer will be able to manage and monitor any ISA Server array in the enterprise.

If you add a computer to the Remote Management Computers computer set, you will be able to manage any ISA Server array from that computer (assuming appropriate permissions), but you will only be able to monitor the array that owns that computer set. If you want to connect to a Configuration Storage server that is part of an array (where ISA server services and the Configuration Storage server are installed on the same computer), you will only be able to do so for the array that owns the computer set.

Adding computers to the Enterprise Remote Management Computers computer set

In this procedure, you will add computers to the Enterprise Remote Management Computers computer set. If you want to add computers to the Remote Management Computers computer set of an array, perform this procedure under Firewall Policy on an array node.

Perform this procedure when logged on as an enterprise administrator. To add computers to the Enterprise Remote Management Computers computer set, follow these steps:

  1. Log on as an enterprise administrator to the Configuration Storage server or to an array member. Expand Enterprise, expand Enterprise Policies, and select an enterprise policy.
  2. In the task pane, on the Toolbox tab, select Network Objects, and expand Computer Sets.
  3. Right-click Enterprise Remote Management Computers and select Properties.
  4. On the General tab, click Add and select Computer to open the New Computer Rule Element dialog box.
  5. In the New Computer Rule Element dialog box, provide the name and IP address of the computer you are adding. Alternatively, click Browse to open the Find Internal IP Address dialog box. In this dialog box, you can click Browse again to locate a computer on the corporate network. You can provide a partial name and click Check Names to locate the computer, and then click OK. In the Find Internal IP Address dialog box, click Find to retrieve the IP address of the computer, and then click OK.
  6. In the New Computer Rule Element dialog box, click OK.
  7. Click OK to close the Enterprise Remote Management Computers Properties page.
  8. In the details pane, click Apply to apply your changes.

Confirming that remote management is enabled on the array level

You can confirm that remote management is enabled on the array level. If remote management is not enabled, ISA Server will block the management console’s attempt to connect to the array. (The console will still be able to access the Configuration Storage server.) To confirm that remote management is enabled on the array level, follow these steps:

  1. Open Microsoft ISA Server Management (on an array member or on the Configuration Storage server), expand an array node, and click Firewall Policy.

  2. In the task pane, on the Tasks tab, click Edit System Policy, to open the System Policy Editor.

  3. Under Configuration Groups, in Remote Management, select Microsoft Management Console (MMC). On the General tab, Enable must be selected to enable remote management using ISA Server Management. (This is the default setting when you install ISA Server.)

  4. On the From tab, in the This rule applies to traffic from these sources list, the Array Servers, Enterprise Remote Management Computers, and Remote Management Computers computer sets are listed by default. This indicates that computers in those computer sets will be able to perform remote administration of the ISA Server computer through ISA Server Management. Computers in the Enterprise Remote Management Computers computer set will be able to manage the enterprise. (Enterprise administrator credentials are also required.) Computers in the Remote Management Computers computer set will be able to manage an array. (Array administrator credentials are also required.) The Array Servers computer set is needed for intra-array communication, and should not be modified. The network, computer set, or other network object that contains the computers that you will allow to remotely connect, and only that network, computer set, or network object, must be listed. You can modify this list using the associated Add, Edit, and Remove buttons. Similarly, you can modify the Exceptions list using the associated Add, Edit, and Remove buttons. For example, you may want all of the computers on a particular network to be allowed remote administration access, exclusive of a specific set of computers. You would add the network to the This rule applies to traffic from these sources list, create a computer set of the computers to be excluded, and then add that computer set to the Exceptions list. For more information about network objects, see Appendix A: Network Object Rule Elements in this document.

  5. Under Configuration Groups, in Remote Management, select Terminal Server. On the General tab, Enable must be selected to enable remote management using Terminal Server. (This is the default setting when you install ISA Server.)

  6. On the From tab, in the This rule applies to traffic from these sources list, the Enterprise Remote Management Computers and Remote Management Computers computer sets are listed by default. This indicates that computers in these computer sets will be able to perform remote administration of the ISA Server computer through Terminal Server. Computers in the Enterprise Remote Management Computers computer set will be able to manage the enterprise. (Enterprise administrator credentials are also required.) Computers in the Remote Management Computers computer set will be able to manage an array. (Array administrator credentials are also required.) The network, computer set, or other network object that contains the computers that you will allow to remotely connect, and only that network, computer set, or network object, must be listed. You can modify this list using the associated Add, Edit, and Remove buttons. Similarly, you can modify the Exceptions list using the associated Add, Edit, and Remove buttons. For example, you may want all of the computers on a particular network to be allowed remote administration access, exclusive of a specific set of computers. You would add the network to the This rule applies to traffic from these sources list, create a computer set of the computers to be excluded, and then add that computer set to the Exceptions list. For more information about network objects, see Appendix A: Network Object Rule Elements in this document.

    Important

    Remote administration sessions that are in progress when you clear a Remote Management Enable check box will continue to function until terminated from the remote connection, as described in Remote Administration Walk-through Procedure 3: Disconnect from the ISA Server Computer in this document.

    Note

    If you want to manage ISA Server from a roaming VPN client, you must add the VPN Clients network:

    1. On the From tab, click Add.
    2. Expand Networks, click VPN Clients, click Add, and then click Close.
    3. Click OK to close the System Policy Editor.
You must enable Remote Desktop on the Configuration Storage server to connect to it using Terminal Services.

Enabling Remote Desktop

To enable Remote Desktop, follow these steps:

  1. On the desktop, right-click My Computer, and select Properties.

  2. On the Remote tab, under Remote Desktop, select Allow users to connect remotely to this computer.

  3. Click OK.

    Note

    Users that connect remotely to the Configuration Storage server must have credentials that allow them to log on to that computer.

Remote Administration Walk-through Procedure 2: Configure the Remote Computer

You can configure the remote computer to access the ISA Server computer through either Terminal Server or ISA Server Management, as described in Terminal Server and ISA Server Management in this document.

Configuring and connecting a Terminal Services client

To remotely administer an ISA Server computer using Terminal Server, you must have a Terminal Services client on the remote computer. In Windows Server 2003 and Windows XP, you can use the Remote Desktop Connection as the Terminal Services client. To manually install a Terminal Services client on a computer running Windows 2000 Server, Windows NT® Server 4.0, Windows 98, or Windows 95, follow these steps:

  1. On a computer running one of the Windows Server 2003 operating systems, share the client setup folder.
  2. From the computer running Windows 2000 Server, Windows NT Server 4.0, Windows 98, or Windows 95, connect to the local area network that contains the computer running one of the Windows Server 2003 operating systems.
  3. Click Start, and then click Run.
  4. In Open, type \\computername\Tsclient\Win32\Setup.exe, where computername is the network computer name of the computer running one of the Windows Server 2003 operating systems. Click OK.
  5. Follow the on-screen instructions.

Connecting a Terminal Services client to ISA Server

To connect a Terminal Services client to ISA Server, follow these steps:

  1. On the remote computer, click Start, point to All Programs, point to Accessories, point to Communications, and then click Remote Desktop Connection.
  2. In Remote Desktop Connection, in Computer, type the name of the ISA Server computer.
  3. When the connection is established, provide the user name and password. Note that the user must have the appropriate privileges to administer the ISA Server computer.
  4. You should now see the desktop of the ISA Server computer. Open ISA Server Management from the Start menu to begin administering ISA Server.

Configuring a computer with ISA Server Management

To remotely administer an ISA Server computer using ISA Server Management, you must install the ISA Server Management console. To install ISA Server Management, follow these steps:

  1. Insert the ISA Server 2004 Enterprise Edition CD (or browse to ISAAutorun.exe on the network share where the program is stored). The setup screen should appear. If it does not, run ISAAutorun.exe.
  2. Click Install ISA Server 2004.
  3. On the Welcome screen, click Next.
  4. On the License Agreement screen, read the license agreement. If you agree, select I accept the terms in the license agreement and click Next.
  5. On the Customer Information page, provide the User Name, Organization, and Serial Number information, and then click Next.
  6. On the Setup Scenarios page, select Install ISA Server Management Console, and then click Next.
  7. On the Component Selection page, review the features, and then click Next.
  8. Click Install.

Opening and connecting the management console

To open and connect the management console, follow these steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and click ISA Server Management.

  2. In the task pane, on the Tasks tab, click Connect to Configuration Storage Server, to open the Configuration Storage Server Connection Wizard. On the Welcome page, click Next.

  3. On the Configuration Storage Server Location page, the default option for a computer that only has the management console installed is On remote computer. Provide or browse to the fully qualified domain name of the Configuration Storage server computer, such as storage1.detroit.fabrikam.com. If you click Browse, you can provide a partial name and click Check Names to locate the computer. When you click OK, the fully qualified domain name will be inserted in the field on the wizard page. Click Next.

  4. On the Configuration Storage Server Credentials page, you can select to connect to the Configuration Storage server using the credentials of the current user on the management computer, or provide other credentials. If you are logged on with the credentials of an enterprise or array administrator, select Credentials of the logged-on user. If you are not logged on as an enterprise or array administrator, select Credentials of the following user, and provide the appropriate credentials. Click Next.

  5. On the Array Connection Credentials page, you can select to connect to the array using the same credentials with which you connected to the Configuration Storage server or to provide different credentials. If the array is in the same domain as the Configuration Storage server, or in a domain that has a trust relationship with the domain of the Configuration Storage server, you can use the same credentials to connect to the array. However, if the array is in a workgroup, or in a domain that does not have a trust relationship with the domain of the Configuration Storage server, you must select Different credentials, and provide credentials that are recognized locally by the array. Click Next. If you selected Different credentials, the next wizard page (Array Connection Credentials Details page) provides the choice of using the credentials of the user who is logged on or providing different credentials. Click Next.

  6. On the summary page, click Finish.

    Note

    You can only be connected to one Configuration Storage server at a time. If you run the Configuration Storage Server Connection Wizard again and connect to a different Configuration Storage server, you will be disconnected from the first Configuration Storage server.

Remote Administration Walk-through Procedure 3: Disconnect from the ISA Server Computer

Follow these procedures to disconnect the remote computer from the ISA Server computer.

Disconnecting from the ISA Server computer when using Terminal Services

To disconnect when using Terminal Services, follow these steps:

  1. On the remote computer, in the Remote Desktop Connection window, click Start, and then click Log Off.
  2. In the Log Off Windows dialog box, click Log Off.

Disconnecting from the ISA Server computer when using ISA Server Management

To disconnect when using ISA Server Management, follow these steps:

  1. On the remote computer, in the ISA Server Management console tree, click the top node, Microsoft Internet Security and Acceleration Server 2004.
  2. In the task pane, on the Tasks tab, click Disconnect from Enterprise. In the confirmation dialog box, click Yes to confirm that you want to disconnect.

Remote Administration Walk-through Procedure 4: Run Scripts from a Remote Computer

Scripting allows you to use the ISA Server administration objects to access and control policies and configurations for an enterprise or for any ISA Server array within an organization. ISA Server administration scripting has a number of benefits, such as saving time on tasks that are repetitive or need to be performed on a number of servers or arrays. For more information about ISA Server administration scripting, see ISA Server Software Development Kit Help.

You can create ISA Server administration scripts that will run on remote computers. The script or program on a remote computer must connect to the remote ISA Server Configuration Storage server.

Creating the root object

Use the following code to create the root object for remote administration.

VBScript

Set objFPC = CreateObject("FPC.Root")

JScript

objFPCRoot = new ActiveXObject("FPC.Root");

Visual Basic

Dim objFPC As New FPCLib.FPC

or

Dim objFPC As FPCLib.FPC

Set objFPC = CreateObject("FPC.Root")

Connecting to the ISA Server computer

To connect to the remote ISA Server Configuration Storage server, use the FPC.ConnectToConfigurationStorageServer method. This method takes the following parameters:

  • bstrConfigurationStorageServer [in, optional]. BSTR that specifies the name of the Configuration Storage server. The default value is an empty BSTR. 

  • bstrStorageUserName [in, optional]. BSTR that specifies the name of a user with the permissions needed to modify the stored enterprise configuration. The default value is an empty BSTR.

  • bstrStorageUserDomain [in, optional]. BSTR that specifies the name of the domain of the user with the permissions needed to modify the stored enterprise configuration. The default value is an empty BSTR.

  • bstrStorageUserPassword [in, optional]. BSTR that specifies the password of the user with the permissions needed to modify the stored enterprise configuration. The default value is an empty BSTR.

  • bstrMonitoringUserName [in, optional]. BSTR that specifies the name of a user with the permissions needed to read the stored enterprise configuration. The default value is an empty BSTR.

  • bstrMonitoringUserDomain [in, optional]. BSTR that specifies the name of the domain of the user with the permissions needed to read the stored enterprise configuration. The default value is an empty BSTR.

  • bstrMonitoringUserPassword [in, optional]. BSTR that specifies the password of the user with the permissions needed to read the stored enterprise configuration. The default value is an empty BSTR.

    Note

    When the script or program has completed, the connection is terminated.
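The following VBScript ties Procedure 4 back to Procedure 1: it creates the root object, connects to a Configuration Storage server with FPC.ConnectToConfigurationStorageServer, and then lists the members of the Enterprise Remote Management Computers and Remote Management Computers computer sets, so that an administrator can periodically audit which computers are permitted to open a remote management connection. This is an added example, not a script from the ISA Server documentation or SDK samples. It assumes the server name storage1.detroit.fabrikam.com used earlier in the walk-through, and it assumes the SDK object model properties Enterprise, Arrays, RuleElements, ComputerSets, Computers, AddressRanges and Subnets (and Name and IPAddress on a computer element) as the author of this example understands them from the ISA Server SDK; check them against ISA Server Software Development Kit Help before relying on the script.

```vbscript
' Added example (not part of the ISA Server documentation or SDK).
' Audits the remote management computer sets of an ISA Server 2004 enterprise.
' Run with: cscript //nologo AuditRemoteMgmt.vbs
Option Explicit

' Assumed name, taken from the walk-through; replace with your own server.
Const STORAGE_SERVER = "storage1.detroit.fabrikam.com"

Const ENTERPRISE_SET = "Enterprise Remote Management Computers"
Const ARRAY_SET      = "Remote Management Computers"

Dim objFPC, objArray, objSet

Set objFPC = CreateObject("FPC.Root")

' ConnectToConfigurationStorageServer takes the seven optional BSTR parameters
' documented above. Passing empty strings for the user name, domain and
' password parameters (the documented defaults) connects with the credentials
' of the logged-on user; a script run from a remote computer needs to be on a
' computer that is listed in a remote management computer set, and the user
' needs the enterprise or array role that the task requires.
On Error Resume Next
objFPC.ConnectToConfigurationStorageServer STORAGE_SERVER, "", "", "", "", "", ""
If Err.Number <> 0 Then
    WScript.Echo "Could not connect to " & STORAGE_SERVER & ": " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

' Enterprise-level set: computers here can manage and monitor every array.
' (Object model property names below are assumptions from the SDK; see lead-in.)
For Each objSet In objFPC.Enterprise.RuleElements.ComputerSets
    If objSet.Name = ENTERPRISE_SET Then DumpComputerSet objSet, "Enterprise"
Next

' Array-level sets: computers here can manage any array but monitor only the
' array that owns the set, so each array is listed separately.
For Each objArray In objFPC.Arrays
    For Each objSet In objArray.RuleElements.ComputerSets
        If objSet.Name = ARRAY_SET Then DumpComputerSet objSet, "Array " & objArray.Name
    Next
Next

' The connection is terminated when the script completes (see the Note above).

' Prints one line per computer element in the set. Address ranges and subnets
' that were added to the set are only counted here, because a large range in a
' remote management set is itself worth a second look.
Sub DumpComputerSet(objComputerSet, strScope)
    Dim objComputer
    WScript.Echo strScope & " / " & objComputerSet.Name
    If objComputerSet.Computers.Count = 0 _
       And objComputerSet.AddressRanges.Count = 0 _
       And objComputerSet.Subnets.Count = 0 Then
        WScript.Echo "  (empty: no remote management allowed from this set)"
    End If
    For Each objComputer In objComputerSet.Computers
        WScript.Echo "  computer: " & objComputer.Name & " (" & objComputer.IPAddress & ")"
    Next
    If objComputerSet.AddressRanges.Count > 0 Then
        WScript.Echo "  address ranges in set: " & objComputerSet.AddressRanges.Count
    End If
    If objComputerSet.Subnets.Count > 0 Then
        WScript.Echo "  subnets in set: " & objComputerSet.Subnets.Count
    End If
End Sub
```

The script only reads the stored configuration, so the monitoring (read) credentials are sufficient for it; a script that adds computers to a set would need the modification credentials and would have to call Save on the enterprise or array object it changed. Because an empty set means no remote management is possible from that scope, the explicit "(empty)" line makes a locked-down array as visible as an over-permissive one.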

Additional Information

Additional ISA Server 2004 documents are available on the ISA Server 2004 Guidance page (https://www.microsoft.com).

Appendix A: Network Object Rule Elements

An ISA Server rule element is an object that you use to refine ISA Server policy. For example, a subnet rule element represents a subnet within a network. You can create a policy that applies only to a subnet, or one that applies to a whole network exclusive of the subnet. The network object rule elements allow you to create sets of computers to which a policy will apply, or which will be excluded from a policy. You can use network objects to limit the computers that will have remote access to the ISA Server computer.

The network object rule elements provide a variety of ways to represent computers. The following are rule elements that you are likely to use in setting system policy for remote administration of ISA Server:

  • Network. A network rule element represents a network, which is all of the computers connected (directly or through one or more routers) to a single ISA Server computer network adapter.
  • Enterprise network. A network rule element that represents an enterprise network, a network defined on the enterprise level that is global to all the arrays in the enterprise. An enterprise network is composed of IP ranges, and does not have any of the other properties that you would define for array networks.
  • Network set. A network set rule element represents a grouping of one or more networks. You can use this rule element to apply rules to more than one network.
  • Subnet. A subnet rule element represents a network subnet, specified by a network address and a mask.
  • Computer. A computer rule element represents a single computer, identified by its IP address.
  • Computer set. A computer set rule element is a set of computers, address ranges, and subnets.
  • Address range. An address range rule element is a set of computers represented by a continuous range of IP addresses.