ISA Server Remote Administration

Updated : March 13, 2004

Overview

Microsoft® Internet Security and Acceleration (ISA) Server 2000 supports remote administration using the following techniques:

  • Installing the ISA Management Microsoft Management Console (MMC) component on a client computer and connecting through MMC to a remote ISA Server computer.

  • Running Terminal Services client on a local computer and connecting to a remote ISA Server computer with a Terminal Services session.

Each of these methods has advantages and disadvantages. MMC enables you to manage and monitor multiple ISA Server computers at the same time, but there is a refresh overhead because every configuration change is transmitted to the remote ISA Server computer. Terminal Services allows you to view the ISA Server desktop directly and provides faster refresh rates, because configuration changes are made directly on the ISA Server computer. However, you need a separate Terminal Services session for each ISA Server computer that you want to manage.

Concepts

This section provides an overview of the remote administration alternatives and configuration instructions.

Remote administration using ISA Management

You can manage a remote ISA Server computer from a local computer that does not have ISA Server installed, by installing ISA Management MMC on the local computer. Note the following:

  • The ISA Management MMC can be installed on computers running Microsoft Windows® 2000 Professional or later.

  • When remotely administering ISA Server using the ISA Management snap-in, ensure that the patch level of the local computer is at least that of the remote ISA Server computer. For example, if the ISA Server computer has ISA Server Service Pack 1 installed, the remote management computer must also have at least ISA Server Service Pack 1 installed.

  • To manage ISA Server remotely, you must be a member of the Local Administrators or Server Operators group on the ISA Server computer. If ISA Server is operating in a Windows NT® domain environment, or an Active Directory® directory service domain, both the user account and the server computer must be members of the same domain or within trusted domains.

  • Ensure that the account used for remote management has appropriate DCOM permissions on the ISA Server computer. To do this, open DCOM Config by typing dcomcnfg at the command prompt on the ISA Server computer, and check the default access permissions on the Default Security tab. Using dcomcnfg, you can also improve remote MMC security by prohibiting remote administration, or configuring encryption settings for the ISA Server remote session.

  • Remote management using the ISA Management MMC snap-in relies on DCOM remote procedure calls (RPCs), and opens UDP-135 (NetBIOS Port Mapper) and TCP-139 (NetBIOS Session service) on the ISA Server computer.

To install the ISA Management MMC snap-in for remote management
  1. Use the ISA Server CD to run ISA Server Setup on the local computer.

  2. In the installation options, select Custom Installation.

  3. In Custom Installation, do the following:

    1. Clear the ISA Services check box.

    2. If the remote ISA Server that you want to manage hosts H.323 Gatekeeper, select Add-in services, and then click Change Option. Ensure that the Install H.323 Gatekeeper Services check box is selected, and then click OK.

    3. Select the Administration tools check box, and then click Change Option. Select ISA Management. If the remote ISA Server computer that you want to manage hosts H.323 Gatekeeper, select the Select All check box. Then, click OK.

  4. Follow the on-screen instructions to complete Setup.

To connect to a remote ISA Server computer
  1. In the ISA Management console tree, right-click Internet Security and Acceleration Server, and then click Connect to.

  2. In Connect to:

    1. To manage a stand-alone ISA Server computer, click Connect to this stand-alone server, and then type the name of the remote ISA Server computer.

    2. To manage an ISA Server computer that is part of an array, click Connect to enterprise and arrays, and then type the name of the remote ISA Server array computer. This option is only available when the ISA Management MMC is installed from an ISA Server Enterprise Edition CD.

    3. Specify the name of the ISA Server computer to manage in the format computer_name, or specify by IP address.

      Note that specifying an IP address to connect to a remote ISA Server computer may fail if computer authentication in Active Directory requires Kerberos.

      To disconnect from a remote ISA Server computer, right-click the applicable remote ISA Server computer or array member, and click Disconnect.

Remote administration using Terminal Services

As an alternative to remote administration using the ISA Management snap-in, you can use Terminal Services to manage ISA Server remotely, either from a computer in the local network, or from an external network such as the Internet.

For remote management, the Terminal Services client must be installed on the remote computer, and Terminal Services must be enabled on the ISA Server computer.

Installing Terminal Services

The Terminal Services client communicates over a TCP/IP network connection using the Microsoft Remote Desktop Protocol (RDP). The latest Terminal Services client software is installed by default on Windows Server™ 2003 and Windows XP, and can also be downloaded for other Windows operating systems from Microsoft at Remote Desktop Connection Software Download (https://go.microsoft.com/fwlink/?LinkId=24478).

To Enable Terminal Services on Windows Server 2003
  1. In Control Panel, open System, and then select the Remote tab.

  2. In the Remote Desktop section, select Allow users to connect remotely to this computer, and then click Apply.

  3. The Terminal Services client program, Mstsc.exe, allows for a quick connection to any server running Terminal Services. Type the name of the server (IP address, DNS, or WINS name) in the Server box, and press Enter, or pick the server from the available server list.

To Enable Terminal Services on Windows 2000
  1. In Control Panel, click to open Add/Remove Programs, and then click Add/Remove Windows Components.

  2. In the Windows Components page, highlight Terminal Services, and then click Details. Note that Terminal Services Licensing Service is not required in Remote Administration mode.

  3. In the Terminal Services component page, select Enable Terminal Services, click OK, and then click Next.

  4. In the Terminal Services Setup page, select Remote Administration mode. Click Next and complete the wizard.

Running Terminal Services on the ISA Server computer

After Terminal Services has been enabled on the ISA Server computer, it listens on all network adapters by default. You may want to change this default setting in the following scenario:

  • If you want to publish Terminal Services from computers in the internal network while also running Terminal Services on the ISA Server computer, there may be port contention issues. With the default setting, any Terminal Services request that arrives at the ISA Server external adapter is answered by Terminal Services running on the ISA Server computer itself. To free up the external adapter, configure Terminal Services on the ISA Server computer to listen only on the internal network adapter. For instructions, see "Remote management from the external network" later in this document.

Remote management from the internal network

To manage ISA Server using Terminal Services client from a computer on the local internal network, set up Terminal Services as described previously, and then connect using the correct logon credentials to access the ISA Server computer. Note that unless otherwise configured, the computer running Terminal Services only allows local administrators to connect.

Remote management from the external network

There are a number of choices for remote administration of the ISA Server computer from an external network such as the Internet, including:

  • Enable packet filtering, and open a packet filter to make Terminal Services available on the ISA Server external interface.

  • Publish Terminal server on the ISA Server computer to make it available to external clients.

  • Set up a virtual private network (VPN) tunnel and use a Remote Desktop connection.

Creating a packet filter

You can make Terminal Services available on the external interface of the ISA Server computer by creating a packet filter for Terminal Services, as you do for all services running on the ISA Server computer that listen to the Internet. This packet filter enables Terminal server clients to connect to a Terminal Services session running on the ISA Server computer by using RDP protocol over TCP port 3389. Ensure that packet filtering is enabled, and then do the following:

To create a packet filter
  1. In ISA Management, click to expand arrayname, and then click to expand Access Policy.

  2. Right-click IP Packet Filters, point to New, and then click Filter.

  3. Type a name for the filter, and then click Next.

  4. For arrays only, select Only this server for the filter, and then click Next.

  5. In the Filter Mode page, select Allow packet transmission, and then click Next.

  6. In the Filter Type page, select Custom, and then click Next.

  7. In the Filter Settings page, configure the following:

    • IP protocol: TCP

    • Direction: Inbound

    • Local port: Fixed port

    • Port number: 3389

    • Remote port: All ports

  8. In the Local Computer page, select Default IP addresses for each external interface on the ISA Server computer, and then click Next.

  9. In the Remote Computers page, select All remote computers, or Only this remote computer (enter an IP address for the specified computer), and then click Next. The setting you select specifies the terminal client computer that can access the Terminal Services session.

  10. Click Finish to complete the wizard.

Publishing Terminal server on the ISA Server computer

Alternatively, you can configure Terminal Services to listen only on the internal adapter, and then use a server publishing rule to publish it, just like any other published server. To do this, you need to do the following:

  • Step 1: Create an RDP Protocol definition.

  • Step 2: Bind to the internal network adapter.

  • Step 3: Create an RDP server publishing rule to make Terminal Services available to external clients.

Step 1: Create a protocol definition
  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.

  2. Click to expand the Policy Elements node, right-click Protocol Definitions, click New, and then click Definition.

  3. In the New Protocol Definition Wizard, type RDP Server for the protocol definition, and then click Next.

  4. On the Primary Connection Information page, specify the following:

    • In Port, type 3389.

    • In Protocol Type, select TCP.

    • In Direction, select Inbound.

      Then, click Next.

  5. On the Secondary Connections Page, in Do you want to use secondary connections, click No. Click Next, and then click Finish to complete the wizard.

Step 2: Bind Terminal Services to the internal adapter
  1. Click Start, point to Programs, click Administrative Tools, and then click Terminal Services Configuration.

  2. Click the Connections folder, and then click the RDP-TCP connection.

  3. Right-click this connection and click Properties.

  4. Click the Network Adapter tab and click to select the internal network adapter in the Network Adapter check box.

  5. Restart the server so that this change can take effect.

Step 3: Create a publishing rule
  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.

  2. Click to expand arrayname, expand the Publishing node, right-click Server Publishing Rules, point to New, and then click Rule.

  3. In the New Server Publishing Rule Wizard, type ISA RDP, and then click Next.

  4. In Address Mapping, in IP address of internal server, type the internal IP address of the ISA Server computer.

  5. In Address Mapping, in External IP address on ISA Server, type the external IP address on the ISA Server computer that this publishing rule will use, and then click Next.

  6. In Protocol Settings, in the list of protocols, select the RDP Server protocol definition you created previously, and then click Next.

  7. In Client Type, select the client type to which the rule will apply. Click Next, and then click Finish.
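The two ways of exposing Terminal Services on the external adapter described above (the TCP 3389 packet filter, and the RDP Server publishing rule with Terminal Services bound to the internal adapter) can be checked against sample connection attempts. The following model is an added example, not part of the original article and not ISA Server code; the addresses, the Conn/PacketFilter/PublishingRule classes and the handle function are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Sequence

# Constructed sample addresses for this model; they are not from the article.
EXTERNAL_IP = "203.0.113.10"  # ISA Server external adapter (Internet-facing)
INTERNAL_IP = "192.168.1.1"   # ISA Server internal adapter (Terminal Services bound here in Step 2)
RDP_PORT = 3389               # RDP over TCP, as in both the packet filter and the "RDP Server" definition


@dataclass(frozen=True)
class Conn:
    src: str    # remote client address
    dst: str    # address the client connected to
    proto: str  # "TCP" or "UDP"
    dport: int  # destination port


@dataclass(frozen=True)
class PacketFilter:
    """Custom allow filter from 'To create a packet filter': TCP, inbound, local port 3389,
    any remote port, on the external IP. remote=None is 'All remote computers';
    an address is 'Only this remote computer'."""
    remote: Optional[str] = None

    def matches(self, c: Conn) -> bool:
        return (c.proto == "TCP" and c.dport == RDP_PORT and ip_address(c.dst) == ip_address(EXTERNAL_IP)
                and (self.remote is None or ip_address(c.src) == ip_address(self.remote)))


@dataclass(frozen=True)
class PublishingRule:
    """Server publishing rule 'ISA RDP': external IP mapped to internal IP for the RDP Server protocol."""
    external_ip: str
    internal_ip: str

    def matches(self, c: Conn) -> bool:
        return c.proto == "TCP" and c.dport == RDP_PORT and ip_address(c.dst) == ip_address(self.external_ip)


def handle(c: Conn, ts_on_all_adapters: bool, filters: Sequence[PacketFilter] = (),
           rules: Sequence[PublishingRule] = ()) -> str:
    """What the external adapter does with an inbound connection (packet filtering assumed enabled)."""
    if not (any(f.matches(c) for f in filters) or any(r.matches(c) for r in rules)):
        return "dropped"  # nothing opened this port: packet filtering blocks it
    if ts_on_all_adapters:
        return "terminal services on ISA Server"  # port contention: local TS answers first, even with a rule
    for r in rules:
        if r.matches(c):
            return f"published to {r.internal_ip}:{RDP_PORT}"  # TS bound internally, so the rule forwards
    return "refused"  # filter opened the port but nothing listens on the external IP
```

Running it with 'All remote computers' shows that any source address reaches the ISA Server logon prompt, whereas 'Only this remote computer' limits the filter to a single management station.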

Tightening security

By default, all Terminal Services sessions connect using medium encryption. This may be sufficient for remote administration from the internal network, but you should change the default setting to high if you are administering ISA Server from a computer in an external network. For details, see Terminal Services Configuration in Windows Help.

Additional Information

The following articles may be useful when configuring remote administration.

Microsoft articles

Article 313354: You Cannot Create Reports from Remote Administration.

Article 275210: How to Allow Access to Terminal Services on ISA from the External Interface.

Article 329155: The Web Filter [%1] failed to reload configuration.

"The Server May Be Too Busy" Error Message If Terminal Services Installed in Remote Administration Mode

Article 294720: How To Server Publish a Terminal Server with ISA While also Running Terminal Services on the ISA Server

Article 304350: How to Configure Packet Filtering for pcAnywhere Hosted on ISA Server 2000

Article 290384: "ISA Server Cannot Load the Property Page" Error Message with Error Code 0x80004002

The following are useful articles from the Isaserver.org website. Note that Web addresses can change, so you might be unable to connect to the websites mentioned here.

Publishing Windows 2000 Terminal Services to a Non-Standard Port (https://isaserver.org/tutorials/Publishing_Windows_2000_Terminal_Services_to_a_NonStandard_Port_.html)

Publishing Terminal Services and the TSAC Client (https://isaserver.org/tutorials/Publishing_Terminal_Services_and_the_TSAC_Client__Updated.html)