Remote Administration of ISA Server 2004 from a Roaming Virtual Private Network (VPN) Client

Microsoft Internet Security and Acceleration (ISA) Server 2004 enables you to administer ISA Server computers from other computers, including roaming VPN clients. From a VPN client computer you can perform all ISA Server administrative tasks remotely by running a Terminal Services client, such as a Remote Desktop Connection.

Note

You can also perform remote management using an MMC console, as described in the document Remote Administration of ISA Server 2004 (https://go.microsoft.com/fwlink/?LinkID=27856). However, when managing ISA Server from a VPN client, we recommend that you use Terminal Server rather than MMC. Some administrative actions in ISA Server require you to restart services. When you do so, Routing and Remote Access service is among the services that are stopped, thereby ending your remote MMC connection before the services can be started again. This is not an issue in Terminal Server remote management. For this reason, remote administration through MMC is not described in this document.
Scenarios
Solutions

Scenarios

You may want to administer ISA Server from home or when traveling, using a computer that connects to your Internal network as a VPN client. Remote administration enables you to administer ISA Server from the VPN client computer.

Note

For information about VPN clients in ISA Server 2004, see VPN Roaming Clients and Quarantine Control in ISA Server 2004 (https://go.microsoft.com/fwlink/?LinkID=20745).

Solution

The solution presented here describes the use of a Terminal Services client on a roaming VPN client to remotely manage an ISA Server computer.

Network Topology

The following sections describe the network topology for remote administration.

ISA Server

The placement of ISA Server relative to other networks affects the approach to remote administration only with regard to authentication of the remote client. The provision of credentials differs if the ISA Server computer is installed in a workgroup rather than in a domain whose domain controller recognizes user credentials.

Remote Administration Walk-through

This walk-through guides you through the steps necessary to remotely administer your ISA Server computer.

Remote Administration Walk-through Procedure 1: Export System Policy

Configuring remote administration requires that you make changes in the system policy of your ISA Server computer. We recommend that you export the system policy configuration to a file before you make any changes to the system policy, so that you can easily revert to the original policy if the need arises. Follow these steps to export the system policy.

  1. Open Microsoft ISA Server Management, expand the ISA Server computer node, and click Firewall Policy.
  2. In the task pane, on the Tasks tab, click Export System Policy, to open the Export Configuration dialog box.
  3. Provide the location and name of the file to which you want to save the configuration. You may want to include the date of the export in the file name to make it easier to identify, such as ExportSystemPolicy2June2004.
  4. Click Export.
  5. When the export operation is complete, click OK.

Remote Administration Walk-through Procedure 2: Configure Remote Administration on the ISA Server Computer

Remote administration is enabled by default when you install ISA Server, though it is only enabled for the Remote Management Computers computer set, which is empty by default. Follow this procedure to confirm that remote administration is enabled, and to configure which networks are allowed to perform remote administration. This procedure also indicates how to disable remote administration.

  1. Open Microsoft ISA Server Management, expand the ISA Server computer node, and click Firewall Policy.

  2. In the task pane, on the Tasks tab, click Edit System Policy, to open the System Policy Editor.

  3. Under Configuration Groups, in Remote Management, select Terminal Server. On the General tab, select Enable to enable remote management using Terminal Server. (This is the default setting when you install ISA Server.)

  4. On the From tab, in the This rule applies to traffic from these sources list, the Remote Management Computers computer set is listed by default. This indicates that computers in that computer set will be able to perform remote administration of the ISA Server computer through Terminal Server. Since your computer will be part of the VPN Clients network, you must add that network to the From tab. Click Add, and in the Add Network Entities dialog, expand Networks. Select the VPN Clients network, click Add, and then click Close. In the System Policy Editor, click OK.

  5. In the Firewall Policy details pane, click Apply to apply this change.

    Important

    Remote administration sessions that are in progress when you clear a Remote Management Enable check box will continue to function until terminated from the remote connection as described in Remote Administration Walk-through Procedure 5: Disconnect from the ISA Server Computer in this document.

Remote Administration Walk-through Procedure 3: Configure the Remote Computer

Configure the VPN client computer to access the ISA Server computer through Terminal Server.

To remotely administer an ISA Server computer using Terminal Server, you must have a Terminal Services client on the remote computer. In Windows Server™ 2003 and Windows XP, you can use the Remote Desktop Connection as the Terminal Services client. Follow these steps to manually install a Terminal Services client on a computer running Windows 2000, Windows NT® 4.0, Windows 98, or Windows 95.

  1. On a computer running one of the Windows Server 2003 family operating systems, share the client setup folder.
  2. From the computer running Windows 2000, Windows NT 4.0, Windows 98, or Windows 95, connect to the local area network that contains the computer running one of the Windows Server 2003 family operating systems.
  3. Click Start, and then click Run.
  4. In Open, type the following:

       \\computername\Tsclient\Win32\Setup.exe

     where computername is the network computer name of the computer running one of the Windows Server 2003 family operating systems. Click OK.
  5. Follow the on-screen instructions.

Remote Administration Walk-through Procedure 4: Administer the ISA Server Computer from the Remote Computer

You can now administer the ISA Server computer from the remote computer through Terminal Services.

Follow these steps to administer an ISA Server computer from a remote computer through Terminal Services.

  1. On the remote computer, click Start, point to All Programs, point to Accessories, point to Communications, and then click Remote Desktop Connection.
  2. In Remote Desktop Connection, in Computer, type the name of the ISA Server computer.
  3. When the connection is established, provide the user name and password. Note that the user must have the appropriate privileges to administer the ISA Server computer.
  4. You should now see the desktop of the ISA Server computer. Open ISA Server Management from the Start menu to begin administering ISA Server.

Remote Administration Walk-through Procedure 5: Disconnect from the ISA Server Computer

Follow these steps to disconnect an ISA Server computer from a remote computer that is connected using Terminal Services.

  1. On the remote computer, in the Remote Desktop Connection window, click Start, and then click Log Off.
  2. In the Log Off Windows dialog box, click Log Off.

Remote Administration Walk-through Procedure 6: Run Scripts from a Remote Computer

Scripting allows you to use the ISA Server administration objects to access and control policies and configurations for an enterprise or for any ISA Server array within an organization. ISA Server administration scripting has a number of benefits, such as saving time on tasks that are repetitive or need to be performed on a number of servers or arrays. For more information about ISA Server administration scripting, see the ISA Server Software Development Kit Help.

You can create ISA Server administration scripts that will run on remote computers. The script or program on a remote computer must connect to the remote ISA Server computer.

Creating the root object

Use the code shown below to create the root object for remote administration.

VBScript

Set objFPC = CreateObject ("FPC.Root")

JScript

objFPCRoot = new ActiveXObject ("FPC.Root");

Visual Basic

Dim objFPC As New FPCLib.FPC

or

Dim objFPC As FPCLib.FPC

Set objFPC = CreateObject("FPC.Root")

Connecting to the ISA Server computer

To connect to the remote ISA Server computer, use the FPCArrays.Connect method. This method takes the following parameters:

  • Server [in] BSTR that specifies the server to which to connect.
  • UserName [in, optional] BSTR that specifies the user name. The default value is an empty BSTR.
  • Domain [in, optional] BSTR that specifies the name of the user's domain. The default value is an empty BSTR.
  • Password [in, optional] BSTR that specifies the password. The default value is an empty BSTR.

Note

When the script or program has completed, the connection to the ISA Server computer is terminated.
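The following script is an added example, not code from this document or from the ISA Server SDK. It puts the two steps above together: it creates the FPC.Root object, connects to a remote ISA Server computer with FPCArrays.Connect, and lists the servers in the array it reaches. The server name and optional credentials are taken from the command line; it assumes that leaving UserName, Domain and Password at their documented empty defaults connects in the caller's current logon context, so no password has to be placed on the command line in the usual case.

```vbscript
' Added example: connect to a remote ISA Server 2004 computer and list its array.
' Usage: cscript //nologo RemoteArray.vbs <ISAServerName> [user] [domain] [password]
' Assumption: empty UserName/Domain/Password (the documented defaults) use the
' caller's current logon context, so credentials are only needed when the
' ISA Server computer does not recognize the account you are logged on with.
Option Explicit

Dim args, serverName, userName, domainName, password
Set args = WScript.Arguments
If args.Count < 1 Then
    WScript.Echo "Usage: cscript //nologo RemoteArray.vbs <ISAServerName> [user] [domain] [password]"
    WScript.Quit 1
End If
serverName = args(0)
userName = ""
domainName = ""
password = ""
If args.Count > 1 Then userName = args(1)
If args.Count > 2 Then domainName = args(2)
If args.Count > 3 Then password = args(3)

' Create the root administration object (the VBScript form shown above).
Dim objFPC, isaArray, srv
Set objFPC = CreateObject("FPC.Root")

' Connect to the remote ISA Server computer; report the COM error instead of
' letting the script die with an unhandled exception (access denied is the
' usual failure when the account lacks ISA Server administrator rights).
On Error Resume Next
Set isaArray = objFPC.Arrays.Connect(serverName, userName, domainName, password)
If Err.Number <> 0 Then
    WScript.Echo "Connect to " & serverName & " failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 2
End If
On Error GoTo 0

WScript.Echo "Connected to array: " & isaArray.Name
For Each srv In isaArray.Servers
    WScript.Echo "  Server: " & srv.Name
Next
' The connection to the ISA Server computer ends when the script completes.
```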