Remote Management Concepts in ISA Server 2006

Typically, your Microsoft® Internet Security and Acceleration (ISA) Server 2006 computer will be located centrally with your other corporate servers, and not near your office location. You may want to administer ISA Server from another computer on the same network as the ISA Server computer or from a home computer. You may provide consulting services to clients who are using ISA Server to secure their networks, and you may be responsible for maintaining and monitoring their ISA Server computers. Remote administration enables you to administer ISA Server in all of these cases.

Remote administration of ISA Server can be done using a number of methods:

  • Installing the ISA Server 2006 Microsoft Management Console (MMC) component on a computer running the Microsoft Windows Server™ 2003 operating system with Service Pack 1 (SP1) or running Windows® XP, and managing the ISA Server firewall from this computer.
  • Using Terminal Services Remote Desktop to create a Remote Desktop Protocol (RDP) connection, in the following configurations:
    • Create an RDP connection directly to the ISA Server firewall.
    • For Enterprise Edition, create an RDP connection to the Configuration Storage server, and run the ISA Server Management MMC snap-in.
    • Create an RDP connection to a computer running the ISA Server Management MMC snap-in, rather than allowing an RDP connection directly to the ISA Server firewall.

It is important to consider a remote management strategy carefully. It defines who can administer the ISA Server firewall, and misconfiguration can result in a compromised system.

Deployment Considerations

When deploying a strategy for ISA Server remote management, consider the following differences between Remote Desktop and MMC:

  • MMC enables you to manage and monitor multiple ISA Server computers at the same time, but there is a refresh overhead because configuration changes are transmitted to the remote ISA Server computer.
  • Terminal Server RDP allows you to view the ISA Server desktop directly. RDP provides faster refresh rates, because configuration changes are made directly on the ISA Server computer. Over geographically dispersed locations, RDP may provide better performance. However, you need an RDP session for each ISA Server computer that you want to manage.
  • If you use Remote Desktop Connection to remotely manage the ISA Server computer, you must use the default RDP port (TCP port 3389).
  • If you administer ISA Server remotely from a remote virtual private network (VPN) client computer, we recommend using Terminal Server rather than MMC. Some administrative actions in ISA Server require the restart of services. One of these services is the Routing and Remote Access service, and if this is stopped during ISA Server administration, the remote MMC connection will be terminated before the services can be started again. This is not an issue when using RDP.
  • When remotely administering ISA Server using the ISA Server Management MMC snap-in, ensure that the patch level of the remote ISA Server computer and the local computer are at least identical. For example, a service pack installed on the ISA Server computer should also be installed on the computer running ISA Server Management.
  • ISA Server domain or workgroup deployment affects the authentication method used for the account credentials presented for remote management. In a domain environment, credentials are recognized by the domain controller. In a workgroup environment, ISA Server must be able to authenticate user credentials provided against a local account.

Best Practices

Use the following tips and hints to help keep remote administration secure:

  • To avoid logging on directly to the ISA Server computer when using RDP, consider using an RDP connection to a computer running only the ISA Server Management snap-in component, and then managing ISA Server from that computer.
  • Keep the encryption level at the maximum level. Remote Desktop clients running Windows Server 2003 SP1 or Windows XP encrypt data using a 128-bit encryption scheme. For more information, see the Microsoft Knowledge Base article 814590, "How to Enable and to Configure Remote Desktop for Administration in Windows Server 2003."
  • Enforce strong passwords for user accounts that have Remote Desktop access to ISA Server. Where possible, clients should create a new local user name with a long name and strong password.
  • The predefined remote management computer sets should have as few IP addresses as possible. Add only single IP addresses that are required. Note the following:
    • To keep IP addresses well-defined, configure computers from which you want to initiate remote management with static IP addresses, or configure a client Dynamic Host Configuration Protocol (DHCP) reservation to ensure the same IP address.
    • When configuring remote access from VPN clients, do not add the entire VPN Clients network to the remote management computer sets. Instead, create custom rules requiring user authentication.
    • For remote management from the Internet, an MMC connection or an RDP connection direct to the ISA Server computer will require the user to have a static IP address. Such a configuration is not secure. As an alternative, a VPN connection can be configured to the corporate network, and then an RDP tunnel can be used over the VPN connection.
  • If RDP or MMC access is not required, disable the associated system policy rule.
  • By default, when you enable Remote Desktop connections, accounts that belong to the administrators group on the local computer can connect remotely. For tighter control, add only the new local user account you create to the Remote Desktop users group, and remove the local administrators group from the Remote Desktop users group.
  • Consider configuring RDP with Transport Layer Security (TLS). Windows Server 2003 SP1 enhances Terminal Services security by configuring Remote Desktop Connection to use TLS 1.0 for server authentication, and to encrypt terminal server communications. Authentication is done using a server certificate. Set up an auditing policy to track logon attempts. For more information, see "Configuring authentication and encryption" at the Microsoft TechNet Web site.
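The following PowerShell audit script is an added example, not part of the ISA Server documentation. Run locally on the ISA Server computer (or Configuration Storage server), it reads the standard Terminal Services registry values and the Remote Desktop Users group and reports deviations from the practices listed above (default port 3389, high encryption, TLS security layer, a single listening adapter, and no local Administrators group in Remote Desktop Users); the thresholds and finding texts are this script's own assumptions.

```powershell
# Added audit script (not from the ISA Server documentation). Reads the Windows
# Terminal Services settings behind the best practices above and reports
# deviations. Run in an elevated PowerShell session on the ISA Server computer.
# The registry value names are the standard Terminal Services values; the
# thresholds below are assumptions chosen to match the documented guidance.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the value or key does not exist, so missing settings are flagged
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-RemoteDesktopUsersMembers {
    # Enumerates members of the local Remote Desktop Users group via ADSI (WinNT provider)
    $group = [ADSI]'WinNT://./Remote Desktop Users,group'
    @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

function Test-RdpHardening {
    $findings = @()

    # fDenyTSConnections = 1 means Remote Desktop is disabled on this computer
    $deny = Get-RegValue $tsKey 'fDenyTSConnections'
    if ($deny -ne 0) { $findings += 'Remote Desktop is disabled (fDenyTSConnections is not 0)' }

    # ISA Server remote management requires the default RDP port, TCP 3389
    $port = Get-RegValue $rdpKey 'PortNumber'
    if ($port -ne 3389) { $findings += "RDP listener port is '$port'; expected 3389" }

    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High (128-bit), 4 = FIPS
    $enc = Get-RegValue $rdpKey 'MinEncryptionLevel'
    if ($enc -lt 3) { $findings += "MinEncryptionLevel is '$enc'; set to High (3) or FIPS (4)" }

    # SecurityLayer: 0 = RDP security layer, 1 = Negotiate, 2 = SSL (TLS 1.0)
    $sec = Get-RegValue $rdpKey 'SecurityLayer'
    if ($sec -lt 1) { $findings += "SecurityLayer is '$sec'; TLS server authentication is not in use" }

    # LanAdapter: 0 (or absent) = listen on all adapters; a nonzero index binds one adapter
    $lan = Get-RegValue $rdpKey 'LanAdapter'
    if (-not $lan) { $findings += 'RDP-Tcp listens on all network adapters (LanAdapter is 0)' }

    # Remote Desktop Users should hold the dedicated admin account, not local Administrators
    $members = Get-RemoteDesktopUsersMembers
    if ($members -contains 'Administrators') {
        $findings += 'Local Administrators group is a member of Remote Desktop Users'
    }
    if ($members.Count -eq 0) {
        $findings += 'Remote Desktop Users group is empty; no dedicated remote admin account'
    }

    return $findings
}

$result = @(Test-RdpHardening)
if ($result.Count -eq 0) { 'No deviations from the RDP hardening guidance found' } else { $result }
```

The script only reports; apply the changes through Terminal Services Configuration and Local Users and Groups as described on this page.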

Remote Management in ISA Server Enterprise Edition

In ISA Server 2006 Enterprise Edition, you connect the remote computer to the Configuration Storage server. When you request server-specific information from the remote computer, the Configuration Storage server automatically connects to the arrays to obtain that information. A physical or VPN connection is required to enable connectivity with the Configuration Storage server and the arrays. This is shown in the following figure.

The following limitations apply:

  • If you want to connect to a Configuration Storage server that is installed on an ISA Server array member and not on a separate computer, you will only be able to do so for the array on which the remote management computer set is defined.
  • To manage computers in different arrays, add an access rule on the remote administration computer, to allow communication between it and the remotely managed ISA Server computers. The access rule should specify that the outbound MS Firewall Control protocol is allowed from the source network Local Host to the destination network on which the managed ISA Server computers are located.
  • You can only be connected to one Configuration Storage server at a time. If you run the Configuration Storage Server Connection Wizard again, and connect to a different Configuration Storage server, you will be disconnected from the first Configuration Storage server.

Configure RDP

Remote Desktop Connection can be used to remotely administer ISA Server computers using the Remote Desktop Protocol (RDP). You can use an RDP connection to connect directly to the ISA Server computer (or Configuration Storage server in ISA Server 2006 Enterprise Edition). Or, to avoid connecting directly to the ISA Server firewall, you can connect to a computer running ISA Server Management. After connecting, you administer ISA Server in accordance with assigned user permissions.

Configuring remote management using RDP consists of the following steps:

  1. Verify that Remote Desktop is installed on the computer to be used for remote management.
  2. Enable Remote Desktop access on the ISA Server computer, or the Configuration Storage server (in ISA Server 2006 Enterprise Edition). By default, after you enable the setting Enable Remote Desktop on this computer, any account that is a member of the Administrators group on the local computer will have Remote Desktop access. For other accounts, add the user to the Remote Desktop users group to allow access.
  3. Modify ISA Server system policy rules to allow access from the computer that will be used for RDP access. ISA Server system policy rules allow access for various protocols to and from the ISA Server computer (Local Host network). The remote management system policy group consists of rules that allow a predefined group of remote management computers RDP, MMC, and PING access. Add the computer you want to use for remote management to the predefined group, and verify that the rule is enabled. Alternatively, you can add an ISA Server network object directly to the rule instead of into the predefined group. Although you can add any network object, such as an entire network, subnet, or IP address range, we recommend that you add individual computers only. Back up system policy before making changes.
  4. Verify ISA Server permissions to check that users managing ISA Server remotely have the required ISA Server permissions.
  5. Modify Terminal Services configuration properties if required. By default, Terminal Services listens on all network adapters. This may be an issue if you want to publish an internal RDP server through ISA Server, in addition to listening for RDP requests for the ISA Server computer itself. This may cause port contention issues, because any Terminal Services request arriving at the ISA Server computer will be answered by Terminal Services running on the ISA Server computer. To work around this issue, you can configure Terminal Services running on the ISA Server computer to listen on the network adapter of the Internal network only.
  6. Make an RDP connection.

Verify that Remote Desktop Is Installed

Use the following procedure to verify that Remote Desktop is installed.

To install Remote Desktop

  • On computers running Windows Server 2003 and Windows XP, Remote Desktop is installed by default. If it is not installed, run Setup and add it as an additional component. For earlier operating systems, download the Remote Desktop Client at Remote Desktop Connection Software Download.

Allow Remote Connections on the ISA Server Computer or Configuration Storage Server

Use the following procedure to allow remote connections on the ISA Server computer or on the Configuration Storage server in Enterprise Edition.

To allow remote connections on the ISA Server computer or Configuration Storage server

  1. Open Control Panel.

  2. Double-click System to open the System properties page.

  3. On the Remote tab, select Enable Remote Desktop on this computer.

Configure System Policy Rules

To configure system policy rules, you first back up the current system policy rules. Then, you add computers to remote management computer sets used in the rules, and verify the settings.

Back Up System Policy Rules

Before making changes, back up the current system policy rules by using the ISA Server export feature.

To export system policy rules

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
  2. In the task pane, on the Tasks tab, click Export System Policy, to start the Export Wizard.

  3. Follow the on-screen instructions. On the Export File Location page, you may want to include the date of the export in the file name to make it easier to identify, such as ExportSystemPolicy2March2006.

  4. When the wizard is complete, click Finish.

Add Computers to Remote Management Computer Sets

Computers from which you want to remotely manage ISA Server can be added to the predefined computer sets. These computer sets are empty following installation. Until you add computers to the computer sets, remote management is not available even though the rules are enabled by default.

  • For ISA Server Standard Edition, add remote administration computers to the Remote Management Computers computer set.
  • In ISA Server Enterprise Edition, to allow computers to remotely administer a specific array, add the computers to the Remote Management Computers computer set for the specific array. For remote administration of the enterprise and all arrays in it, add the computers to the Enterprise Remote Management Computers computer set.

To add computers to the Remote Management Computers computer set

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
  2. In the task pane, on the Toolbox tab, click the Network Objects header and expand Computer Sets.

  3. Right-click Remote Management Computers, and then click Properties.

  4. Click Add and select whether you want to add a Computer, Address Range, or Subnet. Provide the required IP address information, and click OK. Click OK to close the Remote Management Computers Properties dialog box.

  5. Click Apply in the details pane to apply changes.

To add computers to the Enterprise Remote Management Computers computer set

  1. Log on as an enterprise administrator to the Configuration Storage server or to an array member.

  2. In ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Enterprise, expand Enterprise Policies, and select an enterprise policy.

  3. In the task pane, on the Toolbox tab, click the Network Objects header and expand Computer Sets.

  4. Right-click Enterprise Remote Management Computers, and then click Properties.

  5. Click Add and select whether you want to add a Computer, Address Range, or Subnet. Provide the required IP address information, and click OK. Click OK to close the Enterprise Remote Management Computers Properties dialog box.

  6. Click Apply in the details pane to apply changes.

Verify Remote Management System Policy Rules

The following system policy rules are used for remote management over RDP.

Configuration group: Terminal server
Rule name: Allow remote management from selected computers using Terminal Server
Rule description: Allows computers in the Remote Management Computers computer set to access the ISA Server computer using RDP (Terminal Services). In Enterprise Edition, it also allows access from the Enterprise Remote Management Computers computer set.

Configuration group: ICMP (Ping)
Rule name: Allow ICMP (PING) requests from selected computers to ISA Server
Rule description: Allows computers in the Remote Management Computers computer set to access the ISA Server computer using the PING protocol, and vice versa. In Enterprise Edition, it also allows access from the Enterprise Remote Management Computers computer set.

Verify that rules are enabled as required, and add computers directly to the rule if required, as described in the following procedure.

To configure remote management system policy rules

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
  2. In the task pane, on the Tasks tab, click Edit System Policy to open the System Policy Editor.

  3. Under Configuration Groups, in Remote Management, select Terminal Server. On the General tab, verify that Enable this configuration group is selected.

  4. To add remote computers to the default computer sets allowed for remote management, on the From tab of the rule, in the This rule applies to traffic from these sources list, click Add to add network objects to the rule source.

  5. Click Apply in the details pane to apply the changes.

You can also modify this list using the Add, Edit, and Remove buttons. For example, you may want all of the computers on a particular network to be allowed remote administration access, excluding a specific computer set. To do this, you would add the network to the list, create a computer set of the computers to be excluded, and add the computer set to the Exceptions list.

Remote administration sessions that are in progress when you clear the Enable this configuration group check box of a Remote Management configuration group continue to function until the remote connection is disconnected.

Verify User Permissions

ISA Server uses role-based administration to organize ISA Server administrators into separate, predefined roles, each with its own set of tasks. When you assign a role to a user, you give the user permissions to perform specific tasks:

  • In ISA Server Standard Edition, you can assign administrative roles to allow users to view ISA Server status, view and configure ISA Server monitoring, or configure all ISA Server features (ISA Server Administrator).
  • In ISA Server Enterprise Edition, roles are defined on the enterprise level, on the enterprise policy level, and on the array level. At the array level, you can specify that users are allowed to view array status only, view status and configure monitoring, or configure all array features (Array Administrator). At the enterprise level, you can allow users to view enterprise configuration only, or give them full control over the enterprise and array configurations (Enterprise Administrator).

After configuring remote administration from a client computer, ensure that users connecting from the remote computer to the ISA Server computer have the required permissions for the remote administration tasks they need to accomplish. For more information about configuring user permissions, see "Role-based Administration Concepts in ISA Server 2006" at the Microsoft TechNet Web site.

Modify Terminal Services Configuration Settings

Use the following procedure to modify Terminal Services properties.

To modify Terminal Services properties

  1. On the ISA Server computer on which you want to enable remote administration, click Start, point to All Programs, and then select Administrative Tools. If it is not available on the Start menu, open Control Panel and select Administrative Tools.

  2. In Administrative Tools, double-click Terminal Services Configuration.

  3. Click the Connections node, right-click RDP-Tcp in the details pane, and then click Properties.

  4. To specify the network adapter associated with Terminal Services, on the Network Adapter tab, select the required adapter from the Network adapter drop-down list.

Connect with Remote Desktop Connection

Use the following procedure to connect with Remote Desktop Connection.

To connect with Remote Desktop Connection

  1. On the remote computer, click Start, point to All Programs, point to Accessories, point to Communications, and then click Remote Desktop Connection.

  2. In Computer, type the name of the ISA Server computer.

  3. When the connection is established, provide the user name and password. The user must have the appropriate privileges to administer the ISA Server computer.

  4. When the desktop of the remote computer appears, open ISA Server Management from the Start menu to begin administering ISA Server.

  5. Alternatively, you can open a remote desktop connection to the ISA Server computer by typing the following at a command prompt: mstsc /v:ISAServer_Name.

Configure MMC

ISA Server Management is part of the installation of the ISA Server firewall or Configuration Storage server (in ISA Server 2006 Enterprise Edition), but it can also be installed as a stand-alone component for administration of ISA Server computers. You can connect to and display information from multiple ISA Server computers using the ISA Server Management snap-in. Install the ISA Server Management MMC component by running ISA Server 2006 Setup. MMC runs on computers running Windows Server 2003 SP1 or Windows XP. A number of limitations apply:

  • You cannot run the ISA Server 2004 MMC or the ISA Server 2000 MMC on the same computer as the ISA Server 2006 MMC.
  • You cannot install the ISA Server 2006 MMC on a computer running Firewall Client software.
  • You cannot run the ISA Server Management snap-in for ISA Server 2006 Standard Edition on the same computer as the ISA Server Management snap-in for ISA Server 2006 Enterprise Edition.
  • You cannot manage ISA Server 2004 computers or ISA Server 2000 computers using the ISA Server 2006 MMC.

Configuring the ISA Server 2006 remote management MMC consists of the following steps:

  1. Run ISA Server 2006 Setup to install the ISA Server Management MMC snap-in as a stand-alone component.
  2. Modify ISA Server system policy rules to allow access from the computer on which the ISA Server Management MMC component is installed. ISA Server system policy rules allow access for various protocols to and from the ISA Server computer (Local Host network). The remote management system policy group consists of rules that allow a predefined group of remote management computers RDP, MMC, and PING access. Add the computer you want to use for remote management to the predefined group, and verify that the rule is enabled. Alternatively, you can add an ISA Server network object directly to the rule instead of into the predefined group. Although you can add any network object, such as an entire network, subnet, or IP address range, we recommend that you add individual computers only. Back up system policy rules before making changes.
  3. Verify ISA Server permissions to check that users managing ISA Server remotely have the required ISA Server permissions.
  4. Connect remotely using the ISA Server Management MMC snap-in. If you are an administrator on the ISA Server computer and you want to log on with the local user account that is currently logged on, specify that you want to connect using the credentials of the user who is logged on. If the ISA Server computer is in a different domain, or in a workgroup scenario, your credentials will not be recognized. In this case, choose to connect using user credentials that you specify. The credentials specified must have administrator rights on the ISA Server computer. We recommend that you disconnect from the ISA Server computer when the remote administration tasks are complete.

Install ISA Server Management MMC Snap-In

Use the following procedures to install ISA Server Management and the remote administration component.

To install the remote administration component in ISA Server 2006 Standard Edition

  1. Insert the ISA Server 2006 Standard Edition CD (or browse to ISAAutorun.exe on the network share where the program is stored). The setup screen should appear. If it does not, run ISAAutorun.exe.

  2. Click Install ISA Server 2006.

  3. On the Welcome screen, click Next.

  4. In the License Agreement screen, read the license agreement. If you agree, select I accept the terms in the license agreement and click Next.

  5. On the Customer Information page, provide the User Name, Organization, and Serial Number information, and then click Next.

  6. On the Setup Type page, select Custom, and then click Next.

  7. On the Component page, verify that only ISA Server Management is selected, and then click Next.

  8. Click Install.

    You must be an administrator on the local computer to run ISA Server Setup.

To install the remote administration component in ISA Server 2006 Enterprise Edition

  1. Insert the ISA Server 2006 Enterprise Edition CD (or browse to ISAAutorun.exe on the network share where the program is stored). The setup screen should appear. If it does not, run ISAAutorun.exe.

  2. Click Install ISA Server 2006.

  3. On the Welcome screen, click Next.

  4. On the License Agreement screen, read the license agreement. If you agree, select I accept the terms in the license agreement and click Next.

  5. On the Customer Information page, provide the User Name, Organization, and Serial Number information, and then click Next.

  6. On the Setup Scenarios page, select Install ISA Server Management Console, and then click Next.

  7. On the Component Selection page, verify that only ISA Server Management will be installed, and then click Next.

  8. Click Install.

    You need to be an administrator on the local computer to run ISA Server Setup.

Configure System Policy Rules

To configure system policy rules, you first back up the current system policy rules. You add computers to the remote management computer sets, and then verify remote management system policy rules.

Back Up System Policy Rules

Before making changes, back up the current system policy rules by using the ISA Server export feature.

To export system policy rules

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
  2. In the task pane, on the Tasks tab, click Export System Policy, to open the Export Wizard.

  3. Follow the on-screen instructions. On the Export File Location page, you may want to include the date of the export in the file name to make it easier to identify, such as ExportSystemPolicy2March2006.

  4. When the Export Wizard is complete, click Finish.

Add Computers to Remote Management Computer Sets

Computers from which you want to remotely manage ISA Server can be added to the predefined computer sets. These computer sets are empty following installation. Until you add the computers to the computer sets, remote management is not available even though the rules are enabled by default.

  • For ISA Server Standard Edition, add remote administration computers to the Remote Management Computers computer set.
  • In ISA Server Enterprise Edition, to allow computers to remotely administer a specific array, add the computers to the Remote Management Computers computer set for the specific array. For remote administration of the enterprise and all arrays in it, add the computers to the Enterprise Remote Management Computers computer set.

To add computers to the Remote Management Computers computer set

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
  2. In the task pane, on the Toolbox tab, click the Network Objects header and expand Computer Sets.

  3. Right-click Remote Management Computers, and then click Properties.

  4. Click Add and select whether you want to add a Computer, Address Range, or Subnet. Provide the required IP address information, and click OK. Click OK to close the Remote Management Computers Properties dialog box.

  5. Click Apply in the details pane to apply changes.

To add computers to the Enterprise Remote Management Computers computer set

  1. Log on as an enterprise administrator to the Configuration Storage server or to an array member.

  2. In ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Enterprise, expand Enterprise Policies, and select an enterprise policy.

  3. In the task pane, on the Toolbox tab, click the Network Objects header and expand Computer Sets.

  4. Right-click Enterprise Remote Management Computers, and then click Properties.

  5. Click Add and select whether you want to add a Computer, Address Range, or Subnet. Provide the required IP address information, and click OK. Click OK to close the Enterprise Remote Management Computers Properties dialog box.

  6. Click Apply in the details pane to apply changes.

Verify Remote Management System Policy Rules

The following system policy rules are used for remote management using the ISA Server Management MMC snap-in.

Configuration group: Microsoft Management Console
Rule names: Allow remote management from selected computers using MMC; Allow MS Firewall Control communication to selected computers
Rule description: Allows computers in the Remote Management Computers computer set to access the ISA Server computer using the MS Firewall Control and RPC (all interfaces) protocols. In Enterprise Edition, it also allows access from the Array Servers computer set and the Enterprise Remote Management Computers computer set.

Configuration group: ICMP (Ping)
Rule name: Allow ICMP (PING) requests from selected computers to ISA Server
Rule description: Allows computers in the Remote Management Computers computer set to access the ISA Server computer using the PING protocol, and vice versa. In Enterprise Edition, it also allows access from the Enterprise Remote Management Computers computer set.

Verify that rules are enabled as required, and add computers directly to the rule if required, as described in the following procedure.

To configure remote management system policy rules

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
  2. In the task pane, on the Tasks tab, click Edit System Policy to open the System Policy Editor.

  3. Under Configuration Groups, in Remote Management, select Microsoft Management Console (MMC). On the General tab, verify that Enable this configuration group is selected.

  4. To add remote computers to the default computer sets allowed for remote management, on the From tab of the rule, in the This rule applies to traffic from these sources list, click Add to add network objects to the rule source.

  5. Click Apply in the details pane to apply the changes.

You can also modify this list using the Add, Edit, and Remove buttons. For example, you may want all of the computers on a particular network to be allowed remote administration access, excluding a specific computer set. To do this, you would add the network to the list, create a computer set of the computers to be excluded, and add the computer set to the Exceptions list.

Remote administration sessions that are in progress when you clear the Enable this configuration group check box of a Remote Management configuration group continue to function until the remote connection is disconnected.

Verify User Permissions

ISA Server uses role-based administration to organize ISA Server administrators into separate, predefined roles, each with its own set of tasks. When you assign a role to a user, you give the user permissions to perform specific tasks:

  • In ISA Server Standard Edition, you can assign administrative roles to allow users to view ISA Server status, view and configure ISA Server monitoring, or configure all ISA Server features (ISA Server Administrator).
  • In ISA Server Enterprise Edition, roles are defined on the enterprise level, on the enterprise policy level, and on the array level. At the array level, you can specify that users are allowed to view array status only, view status and configure monitoring, or configure all array features (Array Administrator). At the enterprise level, you can allow users to view enterprise configuration only, or give them full control over the enterprise and array configurations (Enterprise Administrator).

After configuring remote administration from a client computer, ensure that users connecting from the remote computer to the ISA Server computer have the required permissions for the remote administration tasks they need to accomplish. For more information about configuring user permissions, see "Role-based Administration Concepts in ISA Server 2006" at the TechNet Web site.

Connect Remotely Using ISA Server Management

Use the following procedures to connect remotely using ISA Server Management, and to disconnect from the ISA Server computer.

To connect remotely in ISA Server Standard Edition

  1. In the console tree of ISA Server Management, click Microsoft Internet Security and Acceleration Server 2006.

  2. In ISA Server Management, on the Tasks tab, click Connect to Local or Remote ISA Server.

  3. In the Connect To dialog box, verify that Another computer (remote management) is selected. Type the name of the ISA Server computer, or click Browse to browse to the computer.

  4. Provide credentials as follows:

    • If the ISA Server computer that you are connecting to is in the same domain as your computer, so that the domain controller will recognize your credentials, and if you are an administrator on the ISA Server computer, select Connect using the credentials of the logged on user.
    • If the ISA Server computer is in a different domain or in a workgroup, your credentials will not be recognized. In this case, select Connect using other user credentials, and provide the user name, password, and domain of a user that is an administrator on the ISA Server computer.
  5. You can now perform administrative tasks on the remote ISA Server computer. Repeat this procedure to connect to additional ISA Server computers.

To connect remotely in ISA Server Enterprise Edition

  1. In the console tree of ISA Server Management, click Microsoft Internet Security and Acceleration Server 2006.

  2. In ISA Server Management, on the Tasks tab, click Connect to Configuration Storage Server to open the Configuration Storage Server Connection Wizard. On the Welcome page, click Next.

  3. On the Configuration Storage Server Location page, verify that the setting On remote computer is enabled. Specify the fully qualified domain name of the Configuration Storage server computer, such as storage1.detroit.fabrikam.com. If you click Browse, you can provide a partial name and click Check Names to locate the computer. When you click OK, the fully qualified domain name is inserted in the field on the wizard page. Then click Next.

  4. On the Configuration Storage Server Credentials page, if you are logged on with the credentials of an enterprise or array administrator, select Credentials of the logged-on user. If not, select Credentials of the following user, and provide credentials with the appropriate permissions. For a domain user, in Domain, specify the domain name. Then click Next.

  5. On the Array Connection Credentials page, if the array is in the same domain as the Configuration Storage server, or in a domain that has a trust relationship with the domain of the Configuration Storage server, select The same credentials used to connect to the Configuration Storage server. If the array is in a workgroup, or in a domain without a trust relationship, select Different credentials, and provide credentials that are recognized locally by the array. Then click Next, and click Finish to complete the wizard.

  6. You can now perform administrative tasks on the remote ISA Server computer. Repeat this procedure to connect to additional ISA Server computers.

Note

You can only be connected to one Configuration Storage server at a time. If you run the Configuration Storage Server Connection Wizard again, and connect to a different Configuration Storage server, you will be disconnected from the first Configuration Storage server.

To disconnect from the ISA Server computer

  1. In the ISA Server Management console tree, click Microsoft Internet Security and Acceleration Server 2006.

  2. Do one of the following:

    • In ISA Server 2006 Standard Edition, click Server_Name, and then on the Tasks tab, click Disconnect Selected Server from Management Console.
    • In ISA Server 2006 Enterprise Edition, on the Tasks tab, click Disconnect from Enterprise. Click Yes to confirm that you want to disconnect.

Enable DCOM Traffic

With the Microsoft Management Console rules enabled, remote procedure call (RPC) traffic is allowed to the Local Host network. However, by default, Distributed Component Object Model (DCOM) traffic is blocked, and these rules cannot be modified to allow DCOM traffic. If you want to allow DCOM traffic, disable the system policy rule: Allow remote management from selected computers using MMC. Then create a rule with the same parameters and disable the strict RPC setting on the rule. After creating the rule, in the rule properties, configure the RPC protocol and clear the Enforce strict RPC compliance setting. For best security practice, we recommend that the customized rule be enabled temporarily to allow DCOM traffic for the required task, and then disabled when the task is complete.

Add Computers to Remote Management Computer Sets

Computers from which you want to remotely manage ISA Server must be added to the computer set allowed for remote management. Follow these steps to add network objects to the predefined computer sets.

To add computers to the Remote Management Computers computer set

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
  2. In the task pane, on the Toolbox tab, click the Network Objects header and expand Computer Sets.

  3. Right-click Remote Management Computers, and then click Properties.

  4. Click Add and select whether you want to add a Computer, Address Range, or Subnet. Provide the required IP address information, and click OK. Click OK to close the Remote Management Computers Properties dialog box.

  5. Click Apply in the details pane to apply changes.

To add computers to the Enterprise Remote Management Computers computer set

  1. Log on as an enterprise administrator to the Configuration Storage server or to an array member.

  2. In ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Enterprise, expand Enterprise Policies, and select an enterprise policy.

  3. In the task pane, on the Toolbox tab, click the Network Objects header and expand Computer Sets.

  4. Right-click Enterprise Remote Management Computers, and then click Properties.

  5. Click Add and select whether you want to add a Computer, Address Range, or Subnet. Provide the required IP address information, and click OK. Click OK to close the Enterprise Remote Management Computers Properties dialog box.

  6. Click Apply in the details pane to apply changes.

Configure Remote Management System Policy Rules

Verify that system policy rules allowing remote management are enabled as required. You can also add individual computers to the rule sources if required.

To configure remote management system policy rules

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
  2. In the task pane, on the Tasks tab, click Edit System Policy to open the System Policy Editor.

  3. Under Configuration Groups, in Remote Management, enable the required system policy rule. Following installation, these rules are enabled by default, but verify settings as follows:

    • For Microsoft Management Console (MMC), on the General tab, select Enable this configuration group.
    • For Terminal Server, on the General tab, select Enable this configuration group.
  4. To add remote computers to the default computer sets allowed for remote management, on the From tab of each rule, in the This rule applies to traffic from these sources list, click Add to add computers to the rule source.

  5. Click Apply in the details pane to apply the changes.

You can also modify this list using the Add, Edit, and Remove buttons. For example, you may want all of the computers on a particular network to be allowed remote administration access, excluding a specific computer set. To do this, you would add the network to the list, create a computer set of the computers to be excluded, and add the computer set to the Exceptions list.

Remote administration sessions that are in progress when you clear a Remote Management Enable this configuration group check box continue to function until the remote connection is disconnected.

Enable DCOM Traffic

With the Microsoft Management Console rules enabled, remote procedure call (RPC) traffic is allowed to the Local Host network. However, by default, Distributed Component Object Model (DCOM) traffic is blocked. If you want to allow DCOM traffic, disable the system policy rule: Allow remote management from selected computers using MMC. Then create a rule allowing RPC traffic. After creating the rule, in the rule properties, configure the RPC protocol and clear the Enforce strict RPC compliance setting.

Configure Remote Administration from a VPN Client

From a VPN client computer, you can administer ISA Server remotely using RDP. MMC remote management from a remote VPN client is not recommended.

You can configure remote administration from a VPN client as follows:

  • Configure an RDP connection directly from the VPN client to the ISA Server computer.
  • Configure an RDP connection to a computer designated as an RDP server in the Internal network, and then a second RDP connection from the RDP server to the ISA Server computer. This is preferable, because it avoids direct connections to the ISA Server computer.

Configure RDP

Configuring remote management using RDP consists of the following steps:

  1. Verify that Remote Desktop is installed on the computer to be used for remote management.
  2. Enable Remote Desktop access on the ISA Server computer, or the Configuration Storage server (in ISA Server 2006 Enterprise Edition). By default, after you enable the setting Allow users to connect remotely to this computer, any account that is a member of the Administrators group on the local computer will have Remote Desktop access. For other accounts, add the user to the Remote Desktop Users group to allow access.
  3. Modify ISA Server system policy rules to allow access from the computer that will be used for RDP access. ISA Server system policy rules allow access for various protocols to and from the ISA Server computer (Local Host network). The remote management system policy group consists of rules that allow a predefined group of remote management computers RDP, MMC, and PING access. Add the computer you want to use for remote management to the predefined group, and verify that the rule is enabled. Alternatively, you can add an ISA Server network object directly to the rule instead of into the predefined group. Although you can add any network object, such as an entire network, subnet, or IP address range, we recommend that you add individual computers only. Back up system policy rules before making changes.
  4. Verify ISA Server permissions to check that users managing ISA Server remotely have the required ISA Server permissions.
  5. Modify Terminal Services configuration properties if required. By default, Terminal Services listens on all network adapters. This may be an issue if you want to publish an internal RDP server through ISA Server, in addition to listening for RDP requests for the ISA Server computer itself. This may cause port contention issues, because any Terminal Services request arriving at the ISA Server computer will be answered by Terminal Services running on the ISA Server computer. To work around this issue, you can configure Terminal Services running on the ISA Server computer to listen on the network adapter of the Internal network only.
  6. Make an RDP connection.

Verify that Remote Desktop Is Installed

Use the following procedure to verify that Remote Desktop is installed.

To install Remote Desktop

  • On computers running Windows Server 2003 and Windows XP, Remote Desktop is installed by default. If it is not installed, run Setup and add it as an additional component. For earlier operating systems, download the Remote Desktop Client from Remote Desktop Connection Software Download.

Allow Remote Connections on the ISA Server Computer or Configuration Storage Server

Use the following procedure to allow remote connections on the ISA Server computer or Configuration Storage Server in Enterprise Edition.

To allow remote connections on the ISA Server computer or Configuration Storage server

  1. Open Control Panel.

  2. Double-click System to open the System properties page.

  3. On the Remote tab, enable Allow users to connect remotely to this computer.

Configure System Policy Rules

To configure system policy rules, you first back up the current system policy rules. You add computers to the remote management computer sets, and then verify remote management system policy rules.

Back Up System Policy Rules

Before making changes, back up the current system policy rules by using the ISA Server export feature.

To export system policy rules

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
  2. In the task pane, on the Tasks tab, click Export System Policy, to open the Export Wizard.

  3. Follow the on-screen instructions. On the Export File Location page, you may want to include the date of the export in the file name to make it easier to identify, such as ExportSystemPolicy2March2006.

  4. When the wizard is complete, click Finish.

Add Computers to Remote Management Computer Sets

Computers from which you want to remotely manage ISA Server can be added to the predefined computer sets. These computer sets are empty following installation. Until you add computers to the computer sets, remote management is not available even though the rules are enabled by default.

  • For ISA Server Standard Edition, add remote administration computers to the Remote Management Computers computer set.
  • In ISA Server Enterprise Edition, to allow computers to remotely administer a specific array, add the computers to the Remote Management Computers computer set for the specific array. For remote administration of the enterprise and all arrays in it, add the computers to the Enterprise Remote Management Computers computer set.

To add computers to the Remote Management Computers computer set

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
  2. In the task pane, on the Toolbox tab, click the Network Objects header and expand Computer Sets.

  3. Right-click Remote Management Computers, and then click Properties.

  4. Click Add and select whether you want to add a Computer, Address Range, or Subnet. Provide the required IP address information, and click OK. Click OK to close the Remote Management Computers Properties dialog box.

  5. Click Apply in the details pane to apply changes.

To add computers to the Enterprise Remote Management Computers computer set

  1. Log on as an enterprise administrator to the Configuration Storage server or to an array member.

  2. In ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Enterprise, expand Enterprise Policies, and select an enterprise policy.

  3. In the task pane, on the Toolbox tab, click the Network Objects header and expand Computer Sets.

  4. Right-click Enterprise Remote Management Computers, and then click Properties.

  5. Click Add and select whether you want to add a Computer, Address Range, or Subnet. Provide the required IP address information, and click OK. Click OK to close the Enterprise Remote Management Computers Properties dialog box.

  6. Click Apply in the details pane to apply changes.

Verify Remote Management System Policy Rules

The following system policy rules are used for remote management over RDP.

Configuration group: Terminal server
Rule name: Allow remote management from selected computers using Terminal Server
Rule description: Allows computers in the Remote Management Computers computer set to access the ISA Server computer using RDP (Terminal Services). In Enterprise Edition, it also allows access from the Enterprise Remote Management Computers computer set.

Configuration group: ICMP (Ping)
Rule name: Allow ICMP (PING) requests from selected computers to ISA Server
Rule description: Allows computers in the Remote Management Computers computer set to access the ISA Server computer using the PING protocol, and vice versa. In Enterprise Edition, it also allows access from the Enterprise Remote Management Computers computer set.

Verify that rules are enabled as required, and add computers directly to the rule if required, as described in the following procedure.

To configure remote management system policy rules

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
  2. In the task pane, on the Tasks tab, click Edit System Policy to open the System Policy Editor.

  3. Under Configuration Groups, in Remote Management, select Terminal Server. On the General tab, verify that Enable this configuration group is selected.

  4. To add remote computers to the default computer sets allowed for remote management, on the From tab of the rule, in the This rule applies to traffic from these sources list, click Add to add network objects to the rule source.

  5. Click Apply in the details pane to apply the changes.

You can also modify this list using the Add, Edit, and Remove buttons. For example, you may want all of the computers on a particular network to be allowed remote administration access, excluding a specific computer set. To do this, you would add the network to the list, create a computer set of the computers to be excluded, and add the computer set to the Exceptions list.

Remote administration sessions that are in progress when you clear a Remote Management Enable this configuration group check box continue to function until the remote connection is disconnected.

Verify User Permissions

ISA Server uses role-based administration to organize ISA Server administrators into separate, predefined roles, each with its own set of tasks. When you assign a role to a user, you give the user permissions to perform specific tasks:

  • In ISA Server Standard Edition, you can assign administrative roles to allow users to view ISA Server status, view and configure ISA Server monitoring, or configure all ISA Server features (ISA Server Administrator).
  • In ISA Server Enterprise Edition, roles are defined on the enterprise level, on the enterprise policy level, and on the array level. At the array level, you can specify that users are allowed to view array status only, view status and configure monitoring, or configure all array features (Array Administrator). At the enterprise level, you can allow users to view enterprise configuration only, or give them full control over the enterprise and array configurations (Enterprise Administrator).

After configuring remote administration from a client computer, ensure that users connecting from the remote computer to the ISA Server computer have the required permissions for the remote administration tasks they need to accomplish. For more information about configuring user permissions, see "Role-based Administration Concepts in ISA Server 2006" at the Microsoft TechNet Web site.

Modify Terminal Services Configuration Settings

Use the following procedure to modify Terminal Services properties.

To modify Terminal Services properties

  1. On the ISA Server computer on which you want to enable remote administration, click Start, point to All Programs, and then select Administrative Tools. If it is not available on the Start menu, open Control Panel and select Administrative Tools.

  2. In Administrative Tools, double-click Terminal Services Configuration.

  3. Click the Connections node, right-click RDP-Tcp in the details pane, and then click Properties.

  4. To specify the network adapter associated with Terminal Services, on the Network Adapter tab, select the required adapter from the Network adapter drop-down list.

Connect with Remote Desktop Connection

Use the following procedure to connect with Remote Desktop Connection.

To connect with Remote Desktop Connection

  1. On the remote computer, click Start, point to All Programs, point to Accessories, point to Communications, and then click Remote Desktop Connection.

  2. In Computer, type the name of the ISA Server computer.

  3. When the connection is established, provide the user name and password. The user must have the appropriate privileges to administer the ISA Server computer.

  4. When the desktop of the remote computer appears, open ISA Server Management from the Start menu to begin administering ISA Server.

  5. Alternatively, you can open a remote desktop connection to the ISA Server computer by typing the following at a command prompt: mstsc /v:ISAServer_Name.

Limit VPN Client Access

For best security practice, you may want to limit the VPN clients that are allowed for remote management, instead of adding the entire VPN Clients network to the Remote Management Computers computer set.

Limit VPN Client Access

In ISA Server 2006 Standard Edition, or ISA Server 2006 Enterprise Edition with a single array member, do not add the VPN Clients network to the predefined Remote Management Computers computer set. Instead, create an allow access rule at the enterprise or array level to allow the RDP protocol, with the following settings:

  • From: VPN Clients network
  • To: Local Host network
  • Protocol: RDP (Terminal Services). Do not use the RDP (Terminal Services) Server protocol. That protocol is used only when server publishing an internal resource.
  • Users: Allow access only to user accounts to which you want to allow remote VPN access. Create a new user group for these users if required.

Limit VPN Client Access in ISA Server Enterprise Edition with Multiple Array Members

Limiting VPN client access in ISA Server 2006 Enterprise Edition with multiple array members is more complicated. If the array member that handles the VPN client request is not the array member that handles the connection to the remote site, it forwards the request, applying network address translation (NAT), to the appropriate array member. In the process, client information is lost, so that when the second array member receives the request, the request may be denied by firewall policy. In a route relationship, user information is only available to the array member handling the VPN client request.

As a solution, configure intra-array communication so that if user credentials are verified and the request is allowed by the first array member, this array member applies NAT and sends the request to the array member that handles the remote site VPN connection. User and client IP address information is lost, but the second member checks the intra-array request against the intra-array allow rule, and forwards the request to the remote site. Configure this scenario as follows:

  1. Create a network rule between the VPN Clients network and the predefined Array Servers computer set, as follows:
    • Rule type: NAT
    • From: VPN Clients
    • To: Array Servers computer set
  2. Create an allow access rule as follows:
    • Protocol: RDP (Terminal Services)
    • From: VPN Clients and Array Servers computer set
    • To: Array Servers computer set
    • Users: Allow access only to user accounts to which you want to allow remote VPN access. Create a new user group for these users if required.

Configure an RDP Connection to an RDP Server

As an alternative configuration, you can configure remote administration with a VPN client using two RDP connections. This configuration includes an RDP connection from the VPN client to a computer on the Internal network designated as an RDP server, and another RDP connection from the RDP server to the ISA Server computer. You set up this configuration as follows:

  1. Create an Active Directory® directory service group for VPN users with RDP access, and add the required user accounts to this group. Remote access permissions for user accounts should be configured to allow access.
  2. Enable and configure remote VPN client access in ISA Server, and specify VPN access for the group you created.
  3. Designate a computer in the Internal network to be used as the RDP server, and configure it to accept remote desktop connections.
  4. Set up an access rule allowing the RDP protocol (port 3389) from the VPN Clients network to the designated RDP server. Specify that the rule applies only to the group you created.
  5. Set up an access rule allowing the RDP protocol from the designated RDP server to the Local Host network.

Run Scripts Remotely

Scripting allows you to use the ISA Server administration objects to access and control policies and configurations for an enterprise or for any ISA Server array within an organization. ISA Server administration scripting has a number of benefits, such as saving time on tasks that are repetitive or tasks that need to be performed on a number of servers or arrays. For more information about ISA Server administration scripting, see the ISA Server Software Development Kit Help.

You can create ISA Server administration scripts that will run on remote computers. The script or program on a remote computer must connect to the remote ISA Server computer.

Create the Root Object

Use the code that follows to create the root object for remote administration.

VBScript

Set objFPC = CreateObject("FPC.Root")

JScript

objFPCRoot = new ActiveXObject ("FPC.Root");

Visual Basic

Dim objFPC As New FPCLib.FPC

or, declaring the variable without New and creating the object explicitly:

Dim objFPC As FPCLib.FPC
Set objFPC = CreateObject("FPC.Root")

Connect to the ISA Server Computer

To connect to the remote ISA Server computer, use the FPCArrays.Connect method. This method takes the following parameters:

  • Server [in] BSTR that specifies the server to which to connect.
  • UserName [in, optional] BSTR that specifies the user name. The default value is an empty BSTR.
  • Domain [in, optional] BSTR that specifies the name of the user’s domain. The default value is an empty BSTR.
  • Password [in, optional] BSTR that specifies the password. The default value is an empty BSTR.

When the script or program has completed, the connection to the ISA Server computer is terminated.
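The following script is an added example, not code from the page or from the ISA Server SDK. It puts the two steps above together: it creates the root object, connects to a remote ISA Server computer with FPCArrays.Connect using the four parameters listed, and then lists the members of the Remote Management Computers computer set so that an administrator can audit which hosts the remote management system policy rules admit. The server name, user name, and domain are placeholders. The collection and property names used to read the computer set (RuleElements.ComputerSets, Computers, AddressRanges, Subnets, IPAddress, IP_From, IP_To, Mask) are assumed from the ISA Server SDK object model and should be checked against the SDK Help before use.

```vbscript
' Added example (not from the page or the ISA Server SDK): connect to a
' remote ISA Server 2006 computer with FPCArrays.Connect and list the
' members of the Remote Management Computers computer set.
' Assumptions: SERVER_NAME, ADMIN_USER and ADMIN_DOMAIN are placeholders;
' the computer-set collection and property names are taken from the SDK
' object model as remembered and should be verified in the SDK Help.
' Run with cscript so that StdIn/StdOut are available.
Option Explicit

Const SERVER_NAME  = "isa01.corp.example"   ' placeholder
Const ADMIN_USER   = "isaadmin"             ' placeholder
Const ADMIN_DOMAIN = "CORP"                 ' placeholder

Dim objFPC, objArray, objSet, objItem, strPassword

' Prompt for the password instead of embedding it in the script file.
WScript.StdOut.Write "Password for " & ADMIN_DOMAIN & "\" & ADMIN_USER & ": "
strPassword = WScript.StdIn.ReadLine

' Step 1: create the root object.
Set objFPC = CreateObject("FPC.Root")

' Step 2: connect to the remote array (Server, UserName, Domain, Password).
Set objArray = objFPC.Arrays.Connect(SERVER_NAME, ADMIN_USER, ADMIN_DOMAIN, strPassword)
WScript.Echo "Connected to array: " & objArray.Name

' Read the predefined computer set used by the remote management rules.
Set objSet = objArray.RuleElements.ComputerSets("Remote Management Computers")
WScript.Echo "Members of '" & objSet.Name & "':"

For Each objItem In objSet.Computers
    WScript.Echo "  Computer      " & objItem.Name & " (" & objItem.IPAddress & ")"
Next
For Each objItem In objSet.AddressRanges
    WScript.Echo "  Address range " & objItem.Name & " (" & objItem.IP_From & " - " & objItem.IP_To & ")"
Next
For Each objItem In objSet.Subnets
    WScript.Echo "  Subnet        " & objItem.Name & " (" & objItem.IPAddress & "/" & objItem.Mask & ")"
Next

' The page recommends adding individual computers only; flag broader entries.
If objSet.AddressRanges.Count > 0 Or objSet.Subnets.Count > 0 Then
    WScript.Echo "WARNING: address ranges or subnets grant remote management to more than individual computers."
End If

' The connection ends when the script finishes; releasing the objects makes that explicit.
Set objSet = Nothing
Set objArray = Nothing
Set objFPC = Nothing
```

Run it from a computer with the ISA Server Management (MMC) component installed, so that the FPC.Root object is registered, using cscript //nologo followed by the script name. The account supplied must hold a role that can read the array configuration (see "Verify User Permissions" above), and the computer running the script must itself be allowed by the Microsoft Management Console remote management system policy rule.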

Additional Resources

ISA Server feature guides, scenario walk-throughs, troubleshooting documents, and best practices papers are available at the ISA Server Guidance Center.