Using the Administration Tools Remotely

Article
02/20/2014

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Administrators may be required to create a new Web site based on Microsoft's SharePoint Team Services or Microsoft FrontPage 2002 Server Extensions, change permissions for an author, or perform other administrative tasks from a site remote to the server computer being administered. With SharePoint Team Services and FrontPage 2002 Server Extensions, remote administration can be accomplished by using the following:

Web page–based HTML Administration pages from a computer connected to the Internet.
Command-line Owsrmadm tool (which is based on the server extensions administration utility Owsadm) from a Microsoft Windows or Windows NT personal computer.

Because remote administration of SharePoint Team Services and FrontPage 2002 Server Extensions is inherently less secure than on-site administration, be sure to follow the security precautions discussed in this topic.

Remote Administration Architecture

The two methods of remote administration of SharePoint Team Services and FrontPage 2002 Server Extensions — HTML Administration pages and the Owsrmadm tool — have similar architectures. Both communicate with a program on the server computer — Fpadmdll.dll for Windows servers and Fpadmcgi.exe for UNIX servers. These programs, in turn, invoke fp5awel.dll to send commands to SharePoint Team Services and FrontPage 2002 Server Extensions.

Remote administration of SharePoint Team Services and FrontPage 2002 Server Extensions using the Owsrmadm utility must be initiated from a client personal computer running Windows or Windows NT. The client must have Microsoft Internet Explorer 2.0 or later and communicate to the server via HTTP using WinInet. Owsrmadm passes its command line to Fpadmdll.dll on an Internet Information Services (IIS) Web server, or to Fpadmcgi.exe on Apache.

On the Web server computer, Fpadmdll.dll or Fpadmcgi.exe acts as the form handler for any of the SharePoint Team Services and FrontPage 2002 Server Extensions HTML Administration pages.

Remote Administration Security

When you administer a server remotely, a wider community of users is given greater access to the Web server from the Internet, which can create a security risk. During remote administration of SharePoint Team Services and FrontPage 2002 Server Extensions, an unauthorized person could gain access to Web sites based upon SharePoint Team Services or FrontPage on your server and modify Web site settings — even delete Web sites. To prevent such tampering, the following precautions are recommended:

Use a secured connection (such as Secure Sockets Layer provides) for communication between the client and the server.

Since information and, in some cases, user names and passwords are communicated over the network during remote administration or authoring, a secured connection will prevent your data from being read by network traffic spies. To require SSL security for authoring and site administration tasks, you use the Require SSL for authoring and administration option on the Set Installation Defaults page of the Server Administration page, or set the RequireSSL property by using the setproperty operation from the command line. For more information about using the setproperty operation, see Setting Configuration Properties.
Grant access to Fpadmdll.dll or Fpadmcgi.exe by using the Web server's security system.

Requiring a user to log on with a secure administrator account on the Web server prevents unauthorized access. For the Windows platform, you must be authenticated as a Windows administrator to use the administration tools from the local computer.
Require the use of a nonstandard HTTP port for accessing Fpadmdll.dll or Fpadmcgi.exe.

This precaution will make it much more difficult for network spies to guess the URL of HTML Administration pages or the remote administration programs. When you installed SharePoint Team Services or FrontPage 2002 Server Extensions on the Microsoft Windows platform, a nonstandard administration port is created for you. On the UNIX platform, you must create the administration port by using the setadminport operation on the command line while running as the root account. Use this administration port to access Fpadmdll.dll and Fpadmcgi.exe.

Note You can use Owsadm.exe to change this administration port number. Do not use Internet Information Services to change the administration port, because that can break the shortcut to HTML Administration pages from the Start menu.
Use IP address mask restrictions to prevent unauthorized computers from accessing the secure administration port.

Typically, all IP addresses not associated with the owner of the server running SharePoint Team Services or FrontPage 2002 Server Extensions are denied access.

Using the Command-Line Tools Remotely

When you use Owsrmadm.exe, you form the command line in the same way that you would with the Owsadm utility, adding the Owsrmadm arguments as in the following Upgrade command:

Owsrmadm.exe –adminusername UserAccount –adminpassword ereiamjh
-targetserver https://sample.microsoft.com:1439/fpadmdll.dll
-o upgrade –p 8234 –m sample.microsoft.com

Note the use of a secured connection and a nonstandard port. The sample command line above is for the Windows 2000 Server or Windows NT 4.0 Server platforms. For the Windows 2000 Professional and Windows NT 4.0 Workstation platforms, the address for the target server would be https://sample.microsoft.com:1439/\_sharepoint/fpadmdll.dll. For the UNIX platform, the address for the target server would be https://sample.microsoft.com:1439/fpadmcgi.exe.

Along with supporting most of the same commands as Owsadm.exe, Owsrmadm.exe includes the following additional arguments that set up the connection to the remote server.

Argument	Description	Sample Values
-targetserver	The full URL of the server-side administration program Fpadmdll.dll on IIS servers and Fpadmcgi.exe on all other servers.	A URL string, such as: https://servername:port/ fpadmdll.dll For UNIX Web servers, the URL will be of the form: https://servername:port/ fpadmcgi.exe
-adminusername	The user name to authenticate for access to the administration program. This is not the same as the -username argument; it is the user name that is used to log on for access to Fpadmdll.dll or Fpadmcgi.exe.	A user name, such as: useraccount This can be left blank if you are using Windows NT Challenge/Response Authentication or if you want to be prompted for a password when using Basic or Digest Access authentication.
-adminpassword	The password used to authenticate access to the administration script. This is not the same as the -password argument; it is the password that is used to log on for access to Fpadmdll.dll or Fpadmcgi.exe.	A password, such as: 787abC This can be left blank if you are using Windows NT Challenge/Response Authentication.

-targetserver

The full URL of the server-side administration program Fpadmdll.dll on IIS servers and Fpadmcgi.exe on all other servers.

A URL string, such as:

https://servername:port/ fpadmdll.dll

For UNIX Web servers, the URL will be of the form:

https://servername:port/ fpadmcgi.exe

-adminusername

The user name to authenticate for access to the administration program. This is not the same as the -username argument; it is the user name that is used to log on for access to Fpadmdll.dll or Fpadmcgi.exe.

A user name, such as:

useraccount

This can be left blank if you are using Windows NT Challenge/Response Authentication or if you want to be prompted for a password when using Basic or Digest Access authentication.

-adminpassword

The password used to authenticate access to the administration script. This is not the same as the -password argument; it is the password that is used to log on for access to Fpadmdll.dll or Fpadmcgi.exe.

A password, such as:

787abC

This can be left blank if you are using Windows NT Challenge/Response Authentication.

When you install SharePoint Team Services or FrontPage 2002 Server Extensions on the Windows platform, an administration port is created to use for remote administration. On the UNIX platform, you must create the administration port by using the setadminport operation on the command line while running as the root account. To use the remote command-line tool, you run operations by using this port.

To connect to the administration port

On the Windows 2000 Server, Windows NT Server version 4.0, Windows XP, or Windows Server 2003 platforms, use the following syntax on the command line before adding any operation:
```
Owsrmadm.exe -adminusername <useraccount> 
```

–adminpassword <password> -targetserver <for example, https://sample.microsoft.com:1439/fpadmdll.dll>

On the Windows 2000 Professional and Windows NT 4.0 Workstation platforms, use the following syntax on the command line before adding any operation:
```
Owsrmadm.exe -adminusername <useraccount> 
```

–adminpassword <password> -targetserver <for example, https://sample.microsoft.com:1439/_sharepoint/fpadmdll.dll>

On the UNIX platform, use the following syntax on the command line before adding any operation:
```
Owsrmadm.exe -adminusername <useraccount> 
```

–adminpassword <password> -targetserver <for example, https://sample.microsoft.com:1439/fpadmcgi.exe>

Using HTML Administration Pages Remotely

When you install SharePoint Team Services or FrontPage 2002 Server Extensions, HTML Administration pages are installed to an administration port. You use these pages on the administration port to administer your server remotely. You can open HTML Administration pages from any client computer, provided you log in by using an account that has administrator access rights to the server.

To connect to the administration port by using the HTTPS protocol

In the Address box of your browser, use the HTTPS protocol and type the address to your server's administration pages, including the secure server port number.

For example, https://sample.microsoft.com:1439/fpadmdll.dll

After you connect to the remote HTML Administration pages, you can perform any of the administration tasks as if you were connected locally.

Changing the Administration Port

You can change the administration port for your server to a port that is easy to remember or that is a standard installation port number for your organization. To change the administration port, you use the setadminport operation. The setadminport operation takes the port parameter (specifying the new port number) and the servconf parameter (specifying a configuration file), the username parameter, and the password parameter on UNIX.

Changing the administration port can only be done from the command line. You must use the Owsadm.exe tool on the server computer itself to change the administration port. To change the administration port on the Windows platform, use the following syntax:

Owsadm.exe –o –setadminport –p <port>

Note that if you set up SSL on the administration port, the owsadm.exe -o setadminport command sets the non-SSL admin port but not the SSL admin port. However, the getadminport operation returns the port number of the SSL port, rather than the non-SSL port. If you want to change the port number for an SSL administration port, you must use Internet Services Manager to do so. Be aware, however, that the shortcut to the Microsoft SharePoint Administrator may not work after you change the SSL administration port.

To change the administration port on the UNIX platform, use the following syntax:

Owsadm.exe –o –setadminport –u <username> –p <password> 
–s <path to configuration file> –p <port>

For more information about using the command-line tools to administer SharePoint Team Services and FrontPage 2002 Server Extensions, see Command-line Administration.

For detailed information about each command-line operation and related parameters, see Command-line Operations and Command-line Parameters. For a list of all properties that you can set, see Command-line Properties.

For more information about HTML Administration pages, see HTML Administration.