Remote Administration of ISA Server 2004

Microsoft® Internet Security and Acceleration (ISA) Server 2004 enables you to administer ISA Server computers from other computers. You can perform all ISA Server administrative tasks remotely, either from a computer running a Terminal Services client, such as a Remote Desktop Connection, or from Microsoft Management Console (MMC) installed on the remote computer.

You can also manage several ISA Server computers from a single ISA Server computer.

Terminal Server and Microsoft Management Console

Terminal Server and MMC each have advantages in the administration of an ISA Server computer.

Terminal Server allows you to view the desktop of the ISA Server computer as if you were sitting in front of the monitor attached to the ISA Server computer. This results in faster refresh rates, as the work of refreshing the view is done by the ISA Server computer, and only the information that comprises the picture on the monitor has to be transmitted to the remote computer. However, each Terminal Server session enables you to view only a single ISA Server computer.

MMC has slower refresh rates than Terminal Server, because the configuration changes that you may have made have to be transmitted to the remote computer. However, MMC allows you to connect to and display information from many ISA Server computers at once. This is useful for central administration of geographically dispersed ISA Server computers, or in a situation where you provide consulting for several companies running ISA Server. MMC is part of the typical ISA Server installation, but can also be installed as a stand-alone component for administration of ISA Server computers.

Note

When managing ISA Server from a VPN client, we recommend that you use Terminal Server rather than MMC. Some administrative actions in ISA Server require you to restart services. When you do so, Routing and Remote Access service is among the services that are stopped, thereby ending your remote MMC connection before the services can be started again. This is not an issue in Terminal Server remote management.

Scenarios

Typically, your ISA Server computer will be housed in a central location with your other corporate servers, which is not near your office location. You may want to administer ISA Server from another computer on the same network as the ISA Server computer or from a home computer. You may provide consulting services to clients that are using ISA Server to secure the networks, and are responsible for maintaining and monitoring their ISA Server computers. You may want to manage several ISA Server computers located on various networks. Remote administration enables you to administer ISA Server in all of these cases.

Solutions

There are two approaches to remote administration:

  • Remote administration using Terminal Services. We recommend this approach for management from a VPN client.
  • Remote administration through the Microsoft Management Console (MMC). MMC is part of ISA Server, but can also be installed without the ISA Server firewall functionality, for administration only.

Note

If you are going to administer several ISA Server computers from one ISA Server computer, you will have to create an access rule to allow connectivity from the administration ISA Server computer to the other ISA Server computers. This is described in Remote Administration Walk-through Procedure 4: Create an Access Rule in this document.

Network Topology

The following sections describe the network topology for remote administration.

System Requirements for ISA Server MMC

ISA Server MMC runs on computers running Windows® XP, Windows 2000 Professional, or Windows 2000 Server.

ISA Server

The placement of ISA Server relative to other networks affects the approach to remote administration only with regards to authentication of the remote client. The provision of credentials differs if the ISA Server computer is installed in a workgroup rather than on a domain whose domain controller recognizes user credentials. Both situations are covered in the procedures provided in this document.

Remote Administration Walk-through

This walk-through guides you through the steps necessary to remotely administer your ISA Server computer.

Remote Administration Walk-through Procedure 1: Export System Policy

Configuring remote administration requires that you make changes in the system policy of your ISA Server computer. We recommend that you export the system policy configuration to a file before you make any changes to the system policy, so that you can easily revert to the original policy if the need arises. Follow these steps to export the system policy.

  1. Open Microsoft ISA Server Management, expand the ISA Server computer node, and click Firewall Policy.
  2. In the task pane, on the Tasks tab, click Export System Policy, to open the Export Configuration dialog box.
  3. Provide the location and name of the file to which you want to save the configuration. You may want to include the date of the export in the file name to make it easier to identify, such as ExportSystemPolicy2June2004.
  4. Click Export.
  5. When the export operation is complete, click OK.

Remote Administration Walk-through Procedure 2: Configure Remote Administration on the ISA Server Computer

Remote administration is enabled by default when you install ISA Server, though it is only enabled for the Remote Management Computers computer set, which is empty by default. Follow this procedure to confirm that remote administration is enabled, and to configure what networks are allowed remote administration. This procedure also indicates how to disable remote administration.

  1. Open Microsoft ISA Server Management, expand the ISA Server computer node, and click Firewall Policy.

  2. In the task pane, on the Tasks tab, click Edit System Policy, to open the System Policy Editor.

  3. Under Configuration Groups, in Remote Management, select Microsoft Management Console (MMC). On the General tab, select Enable to enable remote management using MMC. (This is the default setting when you install ISA Server.)

  4. On the From tab, in the This rule applies to traffic from these sources list, the Remote Management Computers computer set is listed by default. This indicates that computers in that computer set will be able to perform remote administration of the ISA Server computer through MMC. The network, computer set, or other network object that contains computers that you are going to allow to remotely connect, and only that network object, must be listed. For more information about network objects, see Appendix B: Network Object Rule Elements in this document. You can modify this list using the associated Add, Edit, and Remove buttons. Similarly, you can modify the Exceptions list using the associated Add, Edit, and Remove buttons. For example, you may want all of the computers on a particular network to be allowed remote administration access, exclusive of a specific set of computers. You would add the network to the This rule applies to traffic from these sources list, create a computer set of computers to be excluded, and then add the computer set to the Exceptions list.

    Note

    The Remote Management Computers computer set is an empty computer set created when you install ISA Server. To add computers to the computer set, follow the procedure in Appendix A: Adding Computers to the Remote Management Computers Computer Set in this document.

  5. Under Configuration Groups, in Remote Management, select Terminal Server. On the General tab, select Enable to enable remote management using Terminal Server. (This is the default setting when you install ISA Server.)

  6. On the From tab, in the This rule applies to traffic from these sources list, the Remote Management Computers computer set is listed by default. This indicates that computers in that computer set will be able to perform remote administration of the ISA Server computer through Terminal Server. The network, computer set, or other network object that contains computers that you are going to allow to remotely connect, and only that network object, must be listed. For more information about network objects, see Appendix B: Network Object Rule Elements in this document. You can modify this list using the associated Add, Edit, and Remove buttons. Similarly, you can modify the Exceptions list using the associated Add, Edit, and Remove buttons. For example, you may want all of the computers on a particular network to be allowed remote administration access, exclusive of a specific set of computers. You would add the network to the This rule applies to traffic from these sources list, create a computer set of computers to be excluded, and then add the computer set to the Exceptions list.

    Important

    Remote administration sessions that are in progress when you clear a Remote Management Enable check box will continue to function until terminated from the remote connection as described in Remote Administration Walk-through Procedure 6: Disconnect from the ISA Server Computer in this document.

Remote Administration Walk-through Procedure 3: Configure the Remote Computer

You can configure the remote computer to access the ISA Server computer through either Terminal Server or MMC. The advantages and disadvantages of each are described in Terminal Server and Microsoft Management Console in this document.

Configuring a Terminal Services client

To remotely administer an ISA Server computer using Terminal Server, you must have a Terminal Services client on the remote computer. In Windows Server™ 2003 and Windows XP, you can use the Remote Desktop Connection as the Terminal Services client. Follow these steps to manually install a Terminal Services client on a computer running Windows 2000, Windows NT® 4.0, Windows 98, or Windows 95.

  1. On a computer running one of the Windows Server 2003 family operating systems, share the client setup folder.
  2. From the computer running Windows 2000, Windows NT 4.0, Windows 98, or Windows 95, connect to the local area network that contains the computer running one of the Windows Server 2003 family operating systems.
  3. Click Start, and then click Run.
  4. In Open, type the following:

      \\computername\Tsclient\Win32\Setup.exe

Where computername is the network computer name of the computer running one of the Windows Server 2003 family operating systems. Click OK.

Configuring a computer with MMC

To remotely administer an ISA Server computer using MMC, you must install the MMC client. If you are administering from an ISA Server computer, you can skip this step.

  1. Insert the ISA Server 2004 CD. The setup screen should appear. If it does not, run Isaautorun.exe.
  2. Click Install ISA Server 2004.
  3. On the Welcome screen, click Next.
  4. On the License Agreement screen, read the license agreement. If you agree, select I accept the terms in the license agreement and click Next.
  5. On the Customer Information page, provide the User Name, Organization and Serial Number information, and then click Next.
  6. If you are installing the MMC client on a computer running an operating system other than Windows Server 2003 or Windows 2000 Server, the Installation Requirement Summary page will be provided by the installation program. This page will indicate that you cannot install the ISA Server firewall components. You will be able to install the MMC client. Click Next.
  7. If you are installing the MMC client on a computer running either Windows Server 2003 or Windows 2000 Server, on the Setup Type page, select Custom.
  8. On the Custom Setup page, only ISA Server Management should be selected. To clear other items, click the hard-drive icon next to each item, and then select This feature will not be available. After you have configured the features, click Next.
  9. Click Install.

Remote Administration Walk-through Procedure 4: Create an Access Rule

This procedure applies only to the administration of ISA Server computers from an ISA Server computer. If you are administering ISA Server from a non-ISA Server computer MMC, or using a Terminal Services client, skip this procedure.

You have to create an access rule that allows communication between the local ISA Server computer and the other ISA Server computers. The additional ISA Server computers must be in a network that is connected to the local ISA Server computer. Perform this procedure on the ISA Server computer from which the remote administration will take place.

Follow these steps to create an access rule.

  1. Open Microsoft ISA Server Management, expand the ISA Server computer node, and click Firewall Policy.

  2. In the task pane, on the Tasks tab, select Create New Access Rule to start the New Access Rule Wizard.

  3. On the Welcome page, enter the name for the access rule, such as Allow administration of additional ISA Server computers, and then click Next.

  4. On the Rule Action page, select Allow, and then click Next.

  5. On the Protocols page, select Selected protocols and click Add. In the Add Protocols dialog box, expand All protocols and select MS Firewall Control. Click Add, and then click Close to close the Add Protocols dialog box. On the Protocols page, click Next.

  6. On the Access Rule Sources page, click Add to open the Add Network Entities dialog box, expand Networks, select Local Host, click Add, and then click Close. On the Access Rules Sources page, click Next.

  7. On the Access Rule Destinations page, click Add to open the Add Network Entities dialog box, expand Networks, select the network that contains the ISA Server computer that you want to manage, click Add, and then click Close. On the Access Rule Destinations page, click Next.

  8. On the User Sets page, if your rule applies to all users, you can leave the user set All users in place and proceed to the next page of the wizard. If the rule applies to specific users, select All users and click Remove. Then, click Add to open the Add Users dialog box, and add the user set to which the rule applies. The Add Users dialog box also provides access to the New User Sets Wizard through the New menu item. When you have completed the user set selection, click Next.

  9. Review the information on the wizard summary page, and then click Finish.

  10. In the Firewall Policy details pane, click Apply to apply the new access rule. It may take a few moments for the rule to be applied. Remember that access rules are ordered, so if there is a rule that denies this access earlier in the order, this rule will not have the desired effect.

    Note

    Repeat this procedure to create access rules for communication between the local ISA Server computer and ISA Server computers on other networks.

Remote Administration Walk-through Procedure 5: Administer the ISA Server Computer from the Remote Computer

You can administer the ISA Server computer from the remote computer through Terminal Services or MMC.

Administering the ISA Server computer with Terminal Services

Follow these steps to administer an ISA Server computer from a remote computer through Terminal Services.

  1. On the remote computer, click Start, point to All Programs, point to Accessories, point to Communications, and then click Remote Desktop Connection.
  2. In Remote Desktop Connection, in Computer, type the name of the ISA Server computer.
  3. When the connection is established, provide the user name and password. Note that the user must have the appropriate privileges to administer the ISA Server computer.
  4. You should now see the desktop of the ISA Server computer. Open ISA Server Management from the Start menu to begin administering ISA Server.

Administering the ISA Server computer with MMC

Follow these steps to administer an ISA Server computer from a remote computer through MMC.

  1. On the remote computer, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In ISA Server Management, click the uppermost node, Microsoft Internet Security and Acceleration Server 2004. In the task pane, on the Tasks tab, click Connect to Local or Remote ISA Server.

  3. In the Connect To dialog box, verify that Another computer (remote management) is selected. Type the name of the ISA Server computer, or click Browse to browse to the computer.

  4. If the ISA Server computer that you are connecting to is in the same domain as your computer, so that the domain controller will recognize your credentials, and if you are an administrator on the ISA Server computer, select Connect using the credentials of the logged on user. If the ISA Server computer is in a different domain or in a workgroup, your credentials will not be recognized. In this case, select Connect using other user credentials, and provide the user name, password, and domain of a user that is an administrator on the ISA Server computer.

  5. You can now perform administrative tasks on the remote ISA Server computer.

    Note

    Repeat this procedure to connect to and administer additional ISA Server computers.

Remote Administration Walk-through Procedure 6: Disconnect from the ISA Server Computer

Follow these procedures to disconnect the remote computer from the ISA Server computer.

Disconnecting from the ISA Server computer when using Terminal Services

Follow these steps to disconnect an ISA Server computer from a remote computer that is connected using Terminal Services.

  1. On the remote computer, in the Remote Desktop Connection window, click Start, and then click Log Off.
  2. In the Log Off Windows dialog box, click Log Off.

Disconnecting from the ISA Server Computer when using MMC

  1. On the remote computer, in the ISA Server Management console tree, click the name of the ISA Server computer from which you want to disconnect.
  2. In the task pane, on the Tasks tab, click Disconnect Selected Server from Management Console. In the confirmation dialog box, click Yes to confirm that you want to disconnect.

Remote Administration Walk-through Procedure 7: Run Scripts from a Remote Computer

Scripting allows you to use the ISA Server administration objects to access and control policies and configurations for an enterprise or for any ISA Server array within an organization. ISA Server administration scripting has a number of benefits, such as saving time on tasks that are repetitive or need to be performed on a number of servers or arrays. For more information about ISA Server administration scripting, see the ISA Server Software Development Kit Help.

You can create ISA Server administration scripts that will run on remote computers. The script or program on a remote computer must connect to the remote ISA Server computer.

Creating the root object

Use the code shown below to create the root object for remote administration.

VBScript

Set objFPC = CreateObject ("FPC.Root")

JScript

objFPCRoot = new ActiveXObject ("FPC.Root");

Visual Basic

Dim objFPC As New FPCLib.FPC

or

Dim objFPC As FPCLib.FPC

Set objFPC = CreateObject("FPC.Root")

Connecting to the ISA Server computer

To connect to the remote ISA Server computer, use the FPCArrays.Connect method. This method takes the following parameters:

  • Server [in] BSTR that specifies the server to which to connect.
  • UserName [in, optional] BSTR that specifies the user name. The default value is an empty BSTR.
  • Domain [in, optional] BSTR that specifies the name of the user's domain. The default value is an empty BSTR.
  • Password [in, optional] BSTR that specifies the password. The default value is an empty BSTR.

Note

When the script or program has completed, the connection to the ISA Server computer is terminated.
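The connection described above, worked into a small read-only audit script that lists who is currently allowed to administer the server remotely, as an added example that is not code from this paper or from the ISA Server SDK. It assumes the SDK object model as documented there (FPCArrays.Connect returning the FPCArray for the server, FPCArray.RuleElements.ComputerSets, and the Name, IPAddress, IP_From and IP_To properties of set members); the script name and command-line arguments are placeholders.

```vbscript
' Added example (not from the ISA Server SDK or this paper): audit which
' hosts may remotely administer an ISA Server 2004 computer by listing the
' members of its Remote Management Computers computer set.
' Assumption: FPCArrays.Connect returns the server's FPCArray object and
' the computer set is reached via FPCArray.RuleElements.ComputerSets,
' as described in the ISA Server 2004 SDK.
' Usage: cscript AuditRemoteMgmt.vbs <server> [user domain password]
Option Explicit

Const SET_NAME = "Remote Management Computers"

Function AuditRemoteManagement(strServer, strUser, strDomain, strPassword)
    Dim objFPC, objArray, objSet, objItem, intCount

    ' Create the root administration object (same call as in this paper).
    Set objFPC = CreateObject("FPC.Root")

    ' Connect to the remote ISA Server computer. Explicit credentials are
    ' only needed when the server is in a workgroup or another domain,
    ' exactly as for the MMC connection in Procedure 5.
    If Len(strUser) > 0 Then
        Set objArray = objFPC.Arrays.Connect(strServer, strUser, strDomain, strPassword)
    Else
        Set objArray = objFPC.Arrays.Connect(strServer)
    End If

    Set objSet = objArray.RuleElements.ComputerSets.Item(SET_NAME)
    intCount = 0

    WScript.Echo "Members of '" & SET_NAME & "' on " & strServer & ":"
    For Each objItem In objSet.Computers
        WScript.Echo "  Computer      " & objItem.Name & "  " & objItem.IPAddress
        intCount = intCount + 1
    Next
    For Each objItem In objSet.AddressRanges
        WScript.Echo "  AddressRange  " & objItem.Name & "  " & objItem.IP_From & " - " & objItem.IP_To
        intCount = intCount + 1
    Next
    For Each objItem In objSet.Subnets
        WScript.Echo "  Subnet        " & objItem.Name
        intCount = intCount + 1
    Next

    ' An empty set is the installation default: the MMC and Terminal Server
    ' system policy rules are enabled but no source can match them.
    If intCount = 0 Then WScript.Echo "  (empty: remote administration is effectively off)"
    AuditRemoteManagement = intCount
End Function

' Entry point: arguments are the server name, then optional user, domain, password.
Dim args: Set args = WScript.Arguments
If args.Count < 1 Then
    WScript.Echo "Usage: cscript AuditRemoteMgmt.vbs <server> [user domain password]"
    WScript.Quit 1
End If
If args.Count >= 4 Then
    AuditRemoteManagement args(0), args(1), args(2), args(3)
Else
    AuditRemoteManagement args(0), "", "", ""
End If
```

Run it against each ISA Server computer periodically and compare the output with the previous run; any member that was not added through Appendix A by an administrator is worth investigating.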

Appendix A: Adding Computers to the Remote Management Computers Computer Set

Follow this procedure to add computers to the Remote Management Computers computer set.

  1. Open Microsoft ISA Server Management, expand the ISA Server computer node, and click Firewall Policy.
  2. In the task pane, on the Toolbox tab, click the Network Objects header and expand Computer Sets.
  3. Double-click Remote Management Computers to open the Remote Management Computers Properties dialog box.
  4. Click Add and select whether you want to add a Computer, Address Range, or Subnet. Provide the required IP address information, and click OK. Click OK to close the Remote Management Computers Properties dialog box.
  5. Click Apply in the details pane to apply changes.

Appendix B: Network Object Rule Elements

An ISA Server rule element is an object that you use to refine ISA Server policy. For example, a subnet rule element represents a subnet within a network. You can create a policy that applies only to a subnet, or one that applies to a whole network exclusive of the subnet. The network object rule elements allow you to create sets of computers to which a policy will apply, or which will be excluded from a policy. You can use network objects to limit the computers that will have remote access to the ISA Server computer.

The network object rule elements provide a variety of ways to represent computers. The following are rule elements that you are likely to use in setting system policy for remote administration of ISA Server:

  • Network. A network rule element represents a network, which is all of the computers connected (directly or through one or more routers) to a single ISA Server computer network adapter.
  • Network set. A network set rule element represents a grouping of one or more networks. You can use this rule element to apply rules to more than one network.
  • Computer. A computer rule element represents a single computer, identified by its IP address.
  • Computer set. A computer set rule element is a set of computers, address ranges, and subnets.
  • Address range. An address range rule element is a set of computers represented by a continuous range of IP addresses.
  • Subnet. A subnet rule element represents a network subnet, specified by a network address and a mask.