Administrating ISA Server 2006 Remotely Using MMC and Remote Desktop Connection
[LEFT][CODE]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection.aspx[/CODE]
[B]Configuration[/B]
[SIZE=2]ISA Server 2006 comes with a predefined set of rules called System Policy. Click [URL="http://www.isaserver.org/tutorials/Editing-ISA-2004-system-policy-Part1.html"][B]here[/B][/URL] to read more about System Policy.
In this article we will configure some of the System Policy rules to enable remote administration of ISA Server 2006.[/SIZE]
[LIST=1][*][SIZE=2]Open the [B]ISA Server Management[/B] console: click [B]Start[/B] > [B]All Programs[/B] > [B]Microsoft ISA Server[/B] > [B]ISA Server Management[/B]
[IMG]http://www.elmajdal.net/ISAServer/Installing_ISA_Server_2006_Remotely/ISA_Page_15_Open_ISA.jpg[/IMG][/SIZE][*]Click the [B]Firewall Policy[/B] node. As you can see, this is a fresh install of ISA Server 2006 and it still has its [B]default Deny rule[/B]. As I said previously, we are going to work with the System Policy and are not going to create any new rule to allow remote administration.
[B][SIZE=2]
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/Remote_administration_isa_2.gif[/IMG][/SIZE][/B][*][SIZE=2]From the right side panel, under the [B]Tasks[/B] tab, click on [B]Edit System Policy
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/Remote_administration_isa_2006.JPG[/IMG] [IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/Remote_administration_isa_2006_2.JPG[/IMG][/B][/SIZE][*][SIZE=2]The [B]System Policy Editor[/B] will open. For the purpose of this article we will work with the [B]Remote Management[/B] configuration group. Clicking any System Policy configuration group in the left panel (marked with a [B]red arrow[/B]) opens its configuration page on the right side.
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/Remote_administration_isa_2006_system_policy.JPG[/IMG]
To connect to ISA Server remotely, the System Policy offers you three options:
[B]Microsoft Management:[/B] using the MMC
[B]Terminal Server:[/B] using Remote Desktop Connection
[B]Web Management:[/B] I will not be discussing Web Management, as I do not have any web application that can remotely manage ISA Server. Later on, if I get my hands on any application that does this, I will demonstrate it.[/SIZE][/LIST]
[LIST][*][B][SIZE=2]Microsoft Management[/SIZE][/B][SIZE=2] allows you to connect to ISA Server using the Microsoft Management Console, which you can install on a remote machine and use to connect to your ISA Server.
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/Remote_administration_isa_2006_management.JPG[/IMG]
[/SIZE][/LIST]
[LIST=1][*][SIZE=2]By default Microsoft Management is [B]Enabled[/B], but you need to specify which machines you are going to connect to your ISA Server from. This is configured on the [B]From[/B] tab. By default, [B]Remote Management Computers[/B] is included as the From source, but it is empty and you will need to populate it.
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/Remote_management_computers.JPG[/IMG][/SIZE][*][SIZE=2]Click [B]Remote Management Computers[/B] and then click the [B]Edit[/B] button. The [B]Remote Management Computers Properties[/B] page will open; here you can add a single computer, an address range, or a complete subnet to the remote management computers. In this article, I am the only administrator of ISA Server, and I will only install the MMC on my Vista laptop, so I will add a computer: click the [B]Add[/B] button, then click [B]Computer
[/B] [IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/remote_management_computers_add.JPG[/IMG][/SIZE][*][SIZE=2]Browse to the remote computer by clicking the [B]Browse[/B] button, or fill in its name, IP address and, if you want, a brief description. Once it's set, click the [B]OK[/B] button
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/remote_management_computers_add_laptop.JPG[/IMG]
The computer will be listed as shown below. Click the [B]OK[/B] button
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/remote_management_computers_added.JPG[/IMG][/SIZE][*][SIZE=2]Click the [B]Apply[/B] button so the changes take effect
[IMG]http://www.elmajdal.net/ISAServer/Allowing_FTP_Uploads_Through_ISA_Server_2004_2006/Apply_button.JPG[/IMG]
We are now ready to install the MMC on my Vista laptop to connect to ISA Server. Let's do that.[/SIZE][/LIST]
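Because the Remote Management Computers set accepts single computers, address ranges and whole subnets, it is worth checking how many source addresses each entry actually admits. The following is an added example, not part of the original article: a Python sketch that audits a hand-copied list of entries. The entry names, addresses and the `max_addresses` threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample: entries as they might be typed into the Remote
# Management Computers Properties page (names and addresses are made up).
SAMPLE_ENTRIES = [
    ("computer", "admin-laptop", "192.0.2.25"),
    ("range", "helpdesk", "192.0.2.100-192.0.2.103"),
    ("subnet", "branch-office", "10.20.0.0/16"),
]


def entry_networks(kind, value):
    """Return the ip_network objects covered by one entry."""
    if kind == "computer":
        return [ipaddress.ip_network(value)]  # a single host (/32)
    if kind == "range":
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        return list(ipaddress.summarize_address_range(first, last))
    if kind == "subnet":
        return [ipaddress.ip_network(value, strict=False)]
    raise ValueError(f"unknown entry type: {kind}")


def audit(entries, max_addresses=8):
    """Flag entries that admit more source addresses than max_addresses."""
    findings = []
    for kind, name, value in entries:
        size = sum(n.num_addresses for n in entry_networks(kind, value))
        if size > max_addresses:
            findings.append((name, kind, size))
    return findings


def is_allowed(entries, client_ip):
    """True if client_ip falls inside any entry of the set."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net
               for kind, _, value in entries
               for net in entry_networks(kind, value))


if __name__ == "__main__":
    for name, kind, size in audit(SAMPLE_ENTRIES):
        print(f"REVIEW {name}: {kind} entry admits {size} addresses")
    print("192.0.2.25 allowed:", is_allowed(SAMPLE_ENTRIES, "192.0.2.25"))
```

Both the MMC rule and the Terminal Server rule use this same set as their source, so one broad entry widens both management paths.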
[LIST][*] [B]Installing MMC on Windows Vista[/B][/LIST]
[LIST=1][*][SIZE=2]Run ISA[/SIZE][SIZE=2] Server Setup, click on [B]Install ISA Server 2006
[/B][/SIZE] [SIZE=2] [IMG]http://www.elmajdal.net/ISAServer/Installing_ISA_Server_2006_Remotely/Launch_ISA_2006.jpg[/IMG][/SIZE][*]You will get the [B]Welcome to the Installation Wizard for Microsoft ISA Server 2006[/B] page, click on [B]Next[/B][*][SIZE=2]Accept the [B]Terms[/B] and click [B]Next[/B]
[IMG]http://www.elmajdal.net/ISAServer/Installing_ISA_Server_2006_Remotely/ISA_Page_3_Accept_Terms.jpg[/IMG][/SIZE][*][SIZE=2]Enter the required information and click on [B]Next[/B]
[IMG]http://www.elmajdal.net/ISAServer/Installing_ISA_Server_2006_Remotely/ISA_Page_4_Enter_Key.jpg[/IMG][/SIZE][*][SIZE=2]From the [B]Setup Type[/B] page, Choose [B]Typical[/B], click [B]Next[/B]
[IMG]http://www.elmajdal.net/ISAServer/Installing_ISA_Server_2006_Remotely/ISA_Page_5_Choose_Installation_Type.jpg[/IMG]
If you choose [B]Custom[/B] instead, you will notice that only [B]ISA Server Management[/B] will be installed, as this is a client operating system
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/Install_MMC_on_Vista/Custom_Installation.jpg[/IMG][/SIZE][*][SIZE=2]In the [B]Ready to Install the Program[/B] page, click on the [B]Install[/B] button
[IMG]http://www.elmajdal.net/ISAServer/Installing_ISA_Server_2006_Remotely/Ready_To_Install.JPG[/IMG][/SIZE][*][SIZE=2]When the installation completes, select the checkbox beside [B]Invoke ISA Server Management when the wizard closes[/B], so that the ISA Server MMC opens once I click the [B]Finish[/B] button.
[IMG]http://www.elmajdal.net/ISAServer/Installing_ISA_Server_2006_Remotely/ISA_Page_12_Page_Blinks_Disconnect_Then_Connect_Again_Finish.jpg[/IMG][/SIZE][*][SIZE=2]The ISA Server MMC will open
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/Install_MMC_on_Vista/mmc_4.gif[/IMG]
As you can see, on the right side panel, under the [B]Tasks[/B] tab, there is an option to [B]Connect to a Local or Remote ISA Server[/B]
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/Install_MMC_on_Vista/mmc_4_1.jpg[/IMG][/SIZE][*][SIZE=2]Click on it and the [B]Connect To[/B] page will open. Fill in the name of the ISA Server machine you want to connect to, or click the [B]Browse[/B] button to select it from your network. I am using my laptop, and my laptop is not part of the domain that ISA Server is joined to, so I will need to select the second option, [B]Connect using other user credentials[/B]. If my laptop were joined to the domain and I were logging on to it with a domain user account, I would have left the first option, [B]Connect using the credentials of the logged-on user[/B]. Once all the information is filled in, click [B]OK[/B]
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/Install_MMC_on_Vista/mmc_5.jpg[/IMG]
You will then be connected to ISA Server, and you can start working with it as if you were sitting in front of it.
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/Install_MMC_on_Vista/mmc_7_2.gif[/IMG][/SIZE] [*][SIZE=2]To Disconnect from ISA Server Management, from the right panel under the Tasks tab, click on the [B]Disconnect From ISA Server Management[/B]
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/Install_MMC_on_Vista/mmc_8.jpg[/IMG]
With this, we have concluded the part concerning the Management Console and will now start with the Terminal Server policy.[/SIZE][/LIST]
[LIST][*][B][SIZE=2]Terminal Server[/SIZE][/B] [SIZE=2]is also enabled by default. What you have to do is populate the Remote Management Computers under the From tab, which we have already done with the Microsoft Management rule.[/SIZE][/LIST]
[LIST=1][*][SIZE=2]To edit the System Policy (if you have closed it by now), click the [B]Firewall Policy[/B] node, then from the right side panel, under the [B]Tasks[/B] tab, click [B]Edit System Policy
[/B] [IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/Remote_administration_isa_2006_terminal_server.JPG[/IMG]
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/Remote_management_termincal_server_from_tab.JPG[/IMG]
If you select [B]Remote Management Computers[/B] and click the [B]Edit[/B] button, you will see the name of the machine I added previously when I was configuring the Microsoft Management rule.
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/Remote_management_termincal_server_from_tab_2.JPG[/IMG]
With this we are done configuring the System Policy. Two remaining settings must be configured to enable RDP to ISA Server, as follows:[/SIZE][*][SIZE=2]On the ISA Server itself, go to [B]Terminal Services Configuration[/B] and make sure that the RDP-TCP connection is bound only to the ISA internal interface (Properties -> Network Adapter).
To do this, click [B]Start[/B] > [B]Administrative Tools[/B] > [B]Terminal Services Configuration[/B]. From the left panel click the [B]Connection[/B] node, then in the right pane right-click [B]RDP-TCP[/B] and click [B]Properties[/B]. Click the [B]Network Adapters[/B] tab and choose the internal NIC from the drop-down list.[/SIZE][*][SIZE=2]Enable Remote Desktop: right-click [B]My Computer[/B] > [B]Properties[/B], click the [B]Remote[/B] tab, then make sure the checkbox beside [B]Enable Remote Desktop on this computer[/B] is selected.
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/System_Properties_Enable_RDC.jpg[/IMG][/SIZE][/LIST]
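One way to confirm the RDP-TCP binding after these two steps is to look at which local address the RDP port (TCP 3389) is listening on in `netstat -an` output saved from the ISA Server. The following is an added example, not part of the original article: a Python sketch run over constructed netstat excerpts. It assumes that a listener bound to one adapter shows that adapter's address as its local address, while a listener bound to all adapters shows 0.0.0.0; the IP addresses are made up.

```python
# Constructed `netstat -an` excerpts (addresses are made up): the ISA Server's
# internal NIC is 10.0.0.1, its external NIC is 203.0.113.10.
NETSTAT_BOUND = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:3389          0.0.0.0:0              LISTENING
  TCP    10.0.0.1:3389          10.0.0.50:49212        ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""
NETSTAT_ALL_ADAPTERS = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
"""


def listeners(netstat_text, port=3389):
    """Local addresses that have a TCP socket in LISTENING state on `port`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        address, _, local_port = fields[1].rpartition(":")
        if local_port == str(port):
            found.append(address)
    return found


def check_rdp_binding(netstat_text, internal_ip):
    """Return (ok, offending); ok only if RDP listens solely on internal_ip."""
    addresses = listeners(netstat_text)
    offending = [a for a in addresses if a != internal_ip]
    # No listener at all means Remote Desktop is not enabled: not ok either.
    return bool(addresses) and not offending, offending


if __name__ == "__main__":
    for label, text in (("bound", NETSTAT_BOUND), ("all", NETSTAT_ALL_ADAPTERS)):
        ok, offending = check_rdp_binding(text, "10.0.0.1")
        print(label, "OK" if ok else f"REVIEW, also listening on {offending}")
```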
[B]Establishing RDP Connection from Windows Vista[/B]
[LIST=1][*][SIZE=2]Now, from my Vista machine, let's open Remote Desktop Connection to connect to ISA Server. Click [B]Start[/B] > [B]All Programs[/B] > [B]Accessories[/B] > [B]Remote Desktop Connection
[/B] [IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/MSTC.gif[/IMG][/SIZE][*][SIZE=2]Enter the computer name and click [B]Connect[/B]. You will be asked for the credentials to connect to the remote ISA Server
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/mstsc_1.jpg[/IMG]
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/mstsc_2.JPG[/IMG][/SIZE][/LIST]
[LIST][*][SIZE=2]Before I conclude, I want to show the details of both rules for allowing remote management through MMC and Terminal Server. From the left side panel, click Firewall Policy, then below the menu bar, click the [B]Show/Hide System Policy Rules[/B] button, shown below in the red rectangle
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/Show_hide_system_policy.JPG[/IMG]
All the System Policy rules will be displayed in detail.
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/All_System_policy_rules_2.gif[/IMG]
As you can see, the two System Policy rules that we worked with are rules number 2 & 3.
[IMG]http://www.elmajdal.net/ISAServer/Administrating_ISA_Server_2006_Remotely_Using_MMC_and_Remote_Desktop_Connection/Allow_mmc_rdc_rule_details.gif[/IMG][/SIZE][*][SIZE=2]To summarize what we have done, check the following:
[B]Rule Name:[/B] Allow Remote Management from selected computers using MMC
[B]Status:[/B] Enabled by default
[B]Configuration Needed on ISA Server:[/B] Populate Source (From). By default Remote Management Computers is listed but empty
[B]Configuration Needed on Client Machine:[/B] Install ISA Server Management Console

[B]Rule Name:[/B] Allow Remote management from selected computers using Terminal Server
[B]Status:[/B] Enabled by default
[B]Configuration Needed on ISA Server:[/B]
1- Populate Source (From). By default Remote Management Computers is listed but empty
2- Make sure RDP-TCP connection in Terminal Service Configuration is only bound to ISA Internal Interface
3- Make sure Remote Desktop is enabled in System Properties
[B]Configuration Needed on Client Machine:[/B] Remote Desktop Connection[/SIZE][/LIST]
[FONT=Arial] [B]Summary[/B]
Administrating ISA Server remotely is possible, and you do not need to create any extra rule to allow connections through MMC or RDC: ISA Server 2006 comes with a predefined set of rules called System Policy, which offers you multiple ways to connect to ISA Server remotely. In this article, I showed in detail what configuration needs to be set on the ISA Server, and what you need to do on the client machine to establish the remote connection.[/FONT]
[/LEFT]