Remote Administration of ISA Server 2004 from a Roaming Virtual Private Network (VPN) Client
Microsoft Internet Security and Acceleration (ISA) Server 2004 enables you to administer ISA Server computers from other computers, including roaming VPN clients. From a VPN client computer you can perform all ISA Server administrative tasks remotely by running a Terminal Services client, such as a Remote Desktop Connection.
Note
You can also perform remote management using an MMC console, as described in the document Remote Administration of ISA Server 2004 (https://go.microsoft.com/fwlink/?LinkID=27856). However, when managing ISA Server from a VPN client, we recommend that you use Terminal Server rather than MMC. Some administrative actions in ISA Server require you to restart services. When you do so, Routing and Remote Access service is among the services that are stopped, thereby ending your remote MMC connection before the services can be started again. This is not an issue in Terminal Server remote management. For this reason, remote administration through MMC is not described in this document.
Scenarios
You may want to administer ISA Server from home or when traveling, using a computer that connects to your Internal network as a VPN client. Remote administration enables you to administer ISA Server from the VPN client computer.
Note
For information about VPN clients in ISA Server 2004, see VPN Roaming Clients and Quarantine Control in ISA Server 2004 (https://go.microsoft.com/fwlink/?LinkID=20745).
Solution
The solution presented here describes the use of a terminal services client on a roaming VPN client to remotely manage an ISA Server computer.
Network Topology
The following sections describe the network topology for remote administration.
ISA Server
The placement of ISA Server relative to other networks affects the approach to remote administration only with regard to authentication of the remote client. The way credentials are provided differs if the ISA Server computer is installed in a workgroup rather than in a domain whose domain controller recognizes the user credentials.
Remote Administration Walk-through
This walk-through guides you through the steps necessary to remotely administer your ISA Server computer.
Remote Administration Walk-through Procedure 1: Export System Policy
Configuring remote administration requires that you make changes in the system policy of your ISA Server computer. We recommend that you export the system policy configuration to a file before you make any changes to the system policy, so that you can easily revert to the original policy if the need arises. Follow these steps to export the system policy.
- Open Microsoft ISA Server Management, expand the ISA Server computer node, and click Firewall Policy.
- In the task pane, on the Tasks tab, click Export System Policy, to open the Export Configuration dialog box.
- Provide the location and name of the file to which you want to save the configuration. You may want to include the date of the export in the file name to make it easier to identify, such as ExportSystemPolicy2June2004.
- Click Export.
- When the export operation is complete, click OK.
Remote Administration Walk-through Procedure 2: Configure Remote Administration on the ISA Server Computer
Remote administration is enabled by default when you install ISA Server, though it is only enabled for the Remote Management Computers computer set, which is empty by default. Follow this procedure to confirm that remote administration is enabled, and to configure what networks are allowed remote administration. This procedure also indicates how to disable remote administration.
- Open Microsoft ISA Server Management, expand the ISA Server computer node, and click Firewall Policy.
- In the task pane, on the Tasks tab, click Edit System Policy, to open the System Policy Editor.
- Under Configuration Groups, in Remote Management, select Terminal Server. On the General tab, select Enable to enable remote management using Terminal Server. (This is the default setting when you install ISA Server.)
- On the From tab, in the This rule applies to traffic from these sources list, the Remote Management Computers computer set is listed by default. This indicates that computers in that computer set will be able to perform remote administration of the ISA Server computer through Terminal Server. Since your computer will be part of the VPN Clients network, you must add that network to the From tab. Click Add, and in the Add Network Entities dialog, expand Networks. Select the VPN Clients network, click Add, and then click Close. In the System Policy Editor, click OK.
- In the Firewall Policy details pane, click Apply to apply this change.
Important
Remote administration sessions that are in progress when you clear a Remote Management Enable check box will continue to function until terminated from the remote connection as described in Remote Administration Walk-through Procedure 5: Disconnect from the ISA Server Computer in this document.
Remote Administration Walk-through Procedure 3: Configure the Remote Computer
Configure the VPN client computer to access the ISA Server computer through Terminal Server.
To remotely administer an ISA Server computer using Terminal Server, you must have a Terminal Services client on the remote computer. In Windows Server™ 2003 and Windows XP, you can use the Remote Desktop Connection as the Terminal Services client. Follow these steps to manually install a Terminal Services client on a computer running Windows 2000, Windows NT® 4.0, Windows 98, or Windows 95.
- On a computer running one of the Windows Server 2003 family operating systems, share the client setup folder.
- From the computer running Windows 2000, Windows NT 4.0, Windows 98, or Windows 95, connect to the local area network that contains the computer running one of the Windows Server 2003 family operating systems.
- Click Start, and then click Run.
- In Open, type the following, where computername is the network computer name of the computer running one of the Windows Server 2003 family operating systems, and then click OK:
  \\computername\Tsclient\Win32\Setup.exe
- Follow the on-screen instructions.
Remote Administration Walk-through Procedure 4: Administer the ISA Server Computer from the Remote Computer
You can now administer the ISA Server computer from the remote computer through Terminal Services.
Follow these steps to administer an ISA Server computer from a remote computer through Terminal Services.
- On the remote computer, click Start, point to All Programs, point to Accessories, point to Communications, and then click Remote Desktop Connection.
- In Remote Desktop Connection, in Computer, type the name of the ISA Server computer.
- When the connection is established, provide the user name and password. Note that the user must have the appropriate privileges to administer the ISA Server computer.
- You should now see the desktop of the ISA Server computer. Open ISA Server Management from the Start menu to begin administering ISA Server.
Remote Administration Walk-through Procedure 5: Disconnect from the ISA Server Computer
Follow these steps to disconnect from an ISA Server computer to which you are connected from a remote computer using Terminal Services.
- On the remote computer, in the Remote Desktop Connection window, click Start, and then click Log Off.
- In the Log Off Windows dialog box, click Log Off.
Remote Administration Walk-through Procedure 6: Run Scripts from a Remote Computer
Scripting allows you to use the ISA Server administration objects to access and control policies and configurations for an enterprise or for any ISA Server array within an organization. ISA Server administration scripting has a number of benefits, such as saving time on tasks that are repetitive or need to be performed on a number of servers or arrays. For more information about ISA Server administration scripting, see the ISA Server Software Development Kit Help.
You can create ISA Server administration scripts that will run on remote computers. The script or program on a remote computer must connect to the remote ISA Server computer.
Creating the root object
Use the code shown below to create the root object for remote administration.
VBScript
' Create the root object; all other administration objects are reached from it.
Set objFPC = CreateObject("FPC.Root")
JScript
// Create the root object.
var objFPCRoot = new ActiveXObject("FPC.Root");
Visual Basic
' Declare and create the root object in one step by using As New.
Dim objFPC As New FPCLib.FPC
or
' Declare the variable without As New, then create the object explicitly.
Dim objFPC As FPCLib.FPC
Set objFPC = CreateObject("FPC.Root")
Connecting to the ISA Server computer
To connect to the remote ISA Server computer, use the FPCArrays.Connect method. This method takes the following parameters:
- Server [in] BSTR that specifies the server to which to connect.
- UserName [in, optional] BSTR that specifies the user name. The default value is an empty BSTR.
- Domain [in, optional] BSTR that specifies the name of the user's domain. The default value is an empty BSTR.
- Password [in, optional] BSTR that specifies the password. The default value is an empty BSTR.
Note
When the script or program has completed, the connection to the ISA Server computer is terminated.
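The following VBScript is an added example, not code from the original document or from the ISA Server SDK, that puts the root object and FPCArrays.Connect together: it connects to a remote ISA Server computer using the credentials of the logged-on VPN user (the optional UserName, Domain and Password parameters are left at their empty defaults, so no password is stored in the script) and lists the arrays it can see. It assumes that the server name is passed as the first command-line argument, that the FPCArrays collection is reached through the root object's Arrays property, and that each array object exposes a Name property.

```vbscript
' Added example: connect to a remote ISA Server 2004 computer from a script
' and list the arrays it exposes. Assumptions: the server name is the first
' argument, FPC.Root exposes the FPCArrays collection through its Arrays
' property, and each array object has a Name property.
Option Explicit

Dim strServer, objFPC, objArray

If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript ConnectIsa.vbs <ISAServerName>"
    WScript.Quit 1
End If
strServer = WScript.Arguments(0)

' Create the root administration object, as shown in the document above.
Set objFPC = CreateObject("FPC.Root")

' Connect with the credentials of the logged-on user. UserName, Domain and
' Password are left at their empty defaults (assumed to mean the caller's
' own credentials), so the script contains no embedded password. If explicit
' credentials are ever required, read them at run time instead of hard-coding.
On Error Resume Next
objFPC.Arrays.Connect strServer
If Err.Number <> 0 Then
    ' A failed connection is the expected failure mode when the Firewall
    ' service is being restarted or the caller lacks administrative rights.
    WScript.Echo "Connect to " & strServer & " failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

For Each objArray In objFPC.Arrays
    WScript.Echo "Array: " & objArray.Name
Next

' The connection to the ISA Server computer is closed when the script ends.
```

Run it with cscript from the VPN client, for example cscript ConnectIsa.vbs ISASERVER01, where ISASERVER01 is a placeholder for your ISA Server computer name.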