Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed

From the console of the ISA Server, those who have been delegated privileges to administer an ISA box can do so after the administrative delegation wizard has been run. In many cases, however, remote access to ISA is necessary. Because ISA is a firewall, this presents particular challenges: ISA is configured to drop anything that hasn't been specifically set up for access.

Setting up remote access to ISA is therefore a two-step process. In the first step, either remote access via Remote Desktop Protocol (RDP) must be enabled, or the ISA Management Console must be installed on the remote host. The second step involves configuring the ISA rules to specifically allow remote administration from those remote hosts.

Installing the ISA Server Management Console

If remote administration using the thin client-based Remote Desktop Protocol (RDP) is not available, administration of ISA Server 2004 can be accomplished by installing the ISA Management Console itself. The Console is essentially a Microsoft Management Console (MMC) snap-in, which can be installed on any one of the following operating systems:

  • Windows Server 2003, Standard or Enterprise

  • Windows XP Workstation

  • Windows 2000 Workstation, Server, or Advanced Server

CAUTION

It is not always best practice to install remote ISA Administration Consoles for two reasons. First off, the console software needs to be kept at the same service pack level as the ISA server itself. Secondly, MMC access to the ISA Server needs to be granted, which can be more impactful than standard RDP. For these reasons, it is preferable to set up access through RDP when possible.

On a remote host, the full ISA Management console can be installed via the following procedure:

1. Insert the ISA Server 2004 media into the drive (or run autorun.exe from a network location where the ISA files are located).

2. Click on the link for Install ISA Server 2004.

3. Click Next to continue.

4. Select I Accept and click Next to continue.

5. Enter a username, organization name, and the product serial number and click Next to continue.

NOTE

If Windows XP Professional is being used, there may be an additional prompt that says this version of ISA cannot be installed on this version of Windows. Because only the Admin Console is being installed, this dialog box can be ignored and Next can be clicked. If a supported OS is used, a prompt is offered to perform either a custom or a standard setup; choose the Custom setup and click Next.

6. From the Custom Setup dialog box, select to install only the ISA Server Management component, as shown in Figure 16.6. Make sure the other components are not selected by clicking them and selecting This Feature Will Not Be Available. Click Next to continue.

Figure 16.6. Installing the ISA Server Management console.

7. Click Install to begin the installation process.

8. Click Finish to end the process.

After installation, the ISA Server Console should be brought to the same service pack level as the ISA Server itself.

After it is installed, the ISA Server System Policy must be modified to allow the MMC Console access from the particular workstation. To do this, perform the following steps:

1. From the physical ISA Server Console, expand the Console tree to show SERVERNAME, Firewall Policy.

2. Under the Tasks tab in the Tasks pane, click on Edit System Policy.

3. Scroll down to Remote Management, Microsoft Management Console and click on the text.

4. Ensure that the box for Enable is checked and select the From tab.

5. Double-click on Remote Management Computers in the dialog box shown in Figure 16.7.

Figure 16.7. Allowing ISA Server management from a remote machine.

6. Click Add, Computer.

7. Enter a name for the remote console machine, an IP address, and a description, as shown in Figure 16.8, and click OK.

Figure 16.8. Creating a Computer object from which to allow remote access.

8. Click OK, OK, Apply, and OK to save the changes.

The final step is to configure the remote console to connect to a specific ISA Server. To do this, perform the following steps on the remote console machine.

1. Open the newly installed ISA Management Console (Start, All Programs, ISA Server Management).

2. From the console tree, right-click on Microsoft Internet Security and Acceleration Server 2004 and click Connect To.

3. In the Connect To dialog box, shown in Figure 16.9, select to connect to Another Computer, enter the computer name, and select either to use the local credentials or another set of credentials. Click OK.

Figure 16.9. Configuring the remote console to connect to an ISA Server.

4. Navigate and administer the ISA Server as needed.

Configuring an ISA Server for Remote Desktop Protocol Access

The preferred ISA Administration route is through the use of the Remote Desktop Protocol (RDP), which provides for thin-client access to the desktop of an ISA Server. By default, this type of administration is installed on any Windows Server 2003 system, but it needs to be enabled to function properly. RDP allows for up to two thin-client sessions and one console session to operate simultaneously, which enables multiple administrators to access and administer ISA simultaneously.

To enable RDP functionality on an ISA Server, perform the following tasks:

1. On the ISA Server, click Start, Control Panel, System.

2. Select the Remote tab.

3. Check the box for Enable Remote Desktop on this computer, as shown in Figure 16.10.

Figure 16.10. Enabling RDP on an ISA Server.

4. Click OK when warned about local accounts not having passwords.

5. Click OK to save the changes.

After it is enabled, RDP also has to be allowed via System Policy rules, in a similar fashion to the MMC Console System Policy rules. To set this up, do the following:

CAUTION

It is not common to allow RDP directly to the ISA Server from an untrusted network such as the Internet. This opens ISA to attacks and password cracking attempts.

1. From the physical ISA Server Console, expand the Console tree to show SERVERNAME, Firewall Policy.

2. Under the Tasks tab in the Tasks pane, click on Edit System Policy.

3. Scroll down to Remote Management, Terminal Server and click on the text.

4. Make sure the Enable box is selected, as shown in Figure 16.11, and click the From tab.

Figure 16.11. Enabling RDP access to an ISA Server.

5. Under the From tab, double-click on Remote Management Computers.

6. If the remote console was already added in the previous steps on allowing MMC access, it will already be in this list. If not, it can be added by clicking Add, Computer and adding the name and IP address of the remote computer. Click OK, OK, Apply, and OK to save the changes.
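Both system policy procedures above (MMC access and Terminal Server access) come down to the same two facts: Remote Desktop is switched on, and the remote console is a member of the predefined Remote Management Computers set. The following PowerShell script, an added example and not code from the book or from Microsoft, checks both on the ISA Server itself and adds the console host only if it is missing. It assumes the ISA 2004 administration COM model (FPC.Root, GetContainingArray, RuleElements.ComputerSets, FPCComputers.Add with Name, IPAddress and Description), and the console name and address are placeholders.

```powershell
# Added example, not from the book. Run on the ISA Server, where the ISA
# administration COM objects (ProgID "FPC.Root") are registered.
# Assumptions: FPC.Root, GetContainingArray(), RuleElements.ComputerSets and
# Computers.Add(Name, IPAddress, Description) behave as in the ISA 2004 SDK.
param(
    [string]$ConsoleName = "ADMIN-WS01",   # placeholder name for the remote console
    [string]$ConsoleIp   = "10.0.0.25"     # placeholder address for the remote console
)

# 1. Confirm Remote Desktop is enabled. The Remote tab of Control Panel, System
#    writes this value: 0 = connections allowed, 1 = connections denied.
$ts = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
if ($ts.fDenyTSConnections -ne 0) {
    Write-Warning "Remote Desktop is not enabled on this ISA Server (step 3 of the RDP procedure)."
}

# 2. Open the ISA configuration and the predefined computer set referenced by both
#    the 'Microsoft Management Console' and 'Terminal Server' system policy rules.
$root  = New-Object -ComObject FPC.Root
$array = $root.GetContainingArray()
$set   = $array.RuleElements.ComputerSets.Item("Remote Management Computers")

# 3. List the current members so that any address outside the management
#    network (for example an Internet-facing one) is easy to spot during review.
"Current members of 'Remote Management Computers':"
foreach ($c in $set.Computers) { "  {0,-20} {1}" -f $c.Name, $c.IPAddress }

# 4. Add the remote console only when it is not already present (the book notes
#    the MMC step may already have added it), then save, which is the same as Apply.
$present = @($set.Computers | Where-Object { $_.IPAddress -eq $ConsoleIp }).Count -gt 0
if (-not $present) {
    $set.Computers.Add($ConsoleName, $ConsoleIp, "Remote ISA console") | Out-Null
    $set.Save()
    "Added $ConsoleName ($ConsoleIp) to Remote Management Computers."
} else {
    "$ConsoleName ($ConsoleIp) is already a member; nothing changed."
}
```

The script does not enable the Terminal Server or Microsoft Management Console system policy rules themselves; those remain steps 3 and 4 of the console procedures above.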
