ISA Firewall Quick Tip : Administrating ISA Server 2006 Remotely Using MMC and Remote Desktop Connection

ISA Firewall Quick Tip : Administrating ISA Server 2006 Remotely Using MMC and Remote Desktop Connection



January 10, 2008
Last Updated : January 10, 2008

Most of the time, servers are located inside a dedicated room, and we as an ISA Administrators are not available in that room all the time. What if ISA Server was located in another floor, or it is in a different building ? how about if we were in another country ! We can control ISA Server remotely through different ways. In this article, I will demonstrate to you how to enable remote administration of ISA Server, what rules to enable, and how to control it from a remote machine.


ISA Server 2006 comes with a predefined rules called System Policy. Click here to read more about System Policy.
In this
article we will be configuring some rules of the System Policy to enable Remote administration for ISA Server 2006.

  1. Open ISA Server Management Console, Click on Start > All Programs > Microsoft ISA Server > ISA Server Management

  2. Click on the Firewall Policy node, as you can see, this is a fresh install of ISA Server 2006,and it still has its default Deny rule, and as I said previously we are going to work with the System Policy ,and not going to create any new rule to allow remote administration

  3. From the right side panel, under the Tasks tab, click on Edit System Policy


  4. The System Policy Editor will open, for the purpose of this article we will work with the Remote Management configuration group. Clicking on any System Policy configuration group from the left panel ( will be marked with a red arrow ), will open its configuration page on the right side.

    To connect to ISA Server remotely, the System Policy offers you three options :

    Microsoft Management : using the MMC
    Terminal Server : using Remote Desktop Connection
    Web Management : I will not be discussing Web Management, as I do not have any Web Application that can remotely manage ISA Server, later on if my hands fall on any application that does this, I will be demonstrating it

  • Microsoft Management allows you to connect to ISA Server using the Microsoft Management Console, which you can install it on a remote machine, and from it you can connect to your ISA Server.

  1. By default Microsoft Management is Enabled, but you will need to specify from which machines you are going to connect to your ISA Server, this can be configure by clicking on the From Tab, by default the Remote Management Computers is included under the From source, and by default , the Remote Management Computers is empty and you will need to populate it.

  2. Click on the Remote Management Computers and then click on the Edit Button, the Remote Management Computers Properties page will open, here you can add a single Computer, an address range, or a complete subnet to the remote management computers, in this article, I am the only administrator of ISA Server, and I will only install the MMC on my Vista Laptop, so I will add a Computer, click the Add button , then click on Computer

  3. Browse to the remote computer by clicking on the Browse button, or start filling its name, IP address and a brief description if you want, once its set, click on the OK Button

    The Computer will be listed as shown below, Click on the OK button

  4. Click the Apply button so the changes take effect

    We are ready now to install the MMC on my Vista Laptop to connect to ISA Server, lets do that.

  • Installing MMC on Windows Vista

  1. Run ISA Server Setup, click on Install ISA Server 2006

  2. You will get the Welcome to the Installation Wizard for Microsoft ISA Server 2006  page, click on Next

  3. Accept the Terms and click Next

  4. Enter the required information and click on Next

  5. From the Setup Type page, Choose Typical, click Next

    If you decided to choose Custom, you will notice that only ISA Server Management will be installed as this is a Client Operating System

  6. In the Ready to Install the Program page, click on the Install button

  7. Installation will be completed, enable the checkbox beside the Invoke ISA Server Management when the wizard closes, so that ISA Server MMC would be opened once I click the Finish button.

  8. ISA Server MMC will be opened

    as u can see, on the right side panel, under the Tasks Tab, there is an option to Connect to a Local or Remote ISA Server

  9. Click on it, the Connect To page will open, fill in the ISA Server machine name you wan to connect , or click on the Browse button to select it from your Network. I am using my laptop , and my laptop is not part of the domain that ISA Server is joined to, so I will need to select the 2nd option where it says: Connect using other user credentials, if my laptop was joined to the domain and I am logging to it with a domain user account, I would have left the first option where it says : Connect using the credentials of the logged-on user ,once all info is filed, click on OK

    You will the be connected to ISA Server, and you can start working with it as if you were setting in front of it.

  10. To Disconnect from ISA Server Management, from the right panel under the Tasks tab, click on the Disconnect From ISA Server Management

    With this, we have concluded the part concerning the Management Console and now will start will the Terminal Server policy.

  • Terminal Server is also by default enabled, what you have to do is to fill the Remote management Computers under the From Tab, which we already have done it with the Microsoft Management rule.

  1. To Edit the System Policy ( if you have it closed by now ), Click on the Firewall Policy node From the right side panel, under the Tasks tab, click on Edit System Policy

    If you chose the Remote Management Computer and clicked on the Edit button, you would see the name of the machine I added previously when I was configuring the Microsoft Management rule.

    With this we are done configuring the System Policy. Two remaining configuration should be set to enable RDP to ISA Server, and they are as follow:

  2. On ISA itself, go to the Terminal Services Configuration and make sure that the RDP-TCP connection is only bound to the ISA Internal interface (Properties -> Network Adapter).

    To do this, click on Start > Administrative Tools > Terminal Services Configuration,
    from the left panel click the Connection node > then on the right page, right click the RDP-TCP  then click on properties  > click on the Network Adapters Tab and then from the drop down list , choose the Internal NIC

  3. Enable Remote Desktop, this is done by right clicking on My Computer > Properties > click on the Remote tab > then make sure the checkbox beside Enable Remote Desktop on this computer is enabled.

Establishing RDP Connection from Windows Vista

  1. Now from my Vista machine, lets open Remote Desktop Connection to connect to ISA Server. Click on Start > All Programs > Accessories > Remote Desktop Connection

  2. Enter the computer name and click on Connect, you will be asked for the credentials to connect to the remote ISA Server

  • Before I conclude , I want to show the details of both rules for Allowing Remote Management through MMC and Terminal Server. From the left side panel, click on Firewall Policy, then below the menu bar, click on the Show/Hide System Policy Rules button shown below in the red rectangle

    All the System Policy rules will be displayed in details.

    As you can see, the two System Policy rules that we worked with are rules number 2 & 3.

  • To summarize what we have done , check the following table :

    Rule Name Status Configuration Needed on ISA Server Configuration Needed on Client Machine

    Allow Remote Management from selected computers
    using MMC

    Enabled by default

    Populate Source (From) . By default Remote Management Computers is listed but empty

    Install ISA Server Management Console

    Allow Remote management from selected computers using Terminal Server

    Enabled by default

    1- Populate Source (From) . By default Remote Management Computers is listed but empty

    2- Make sure RDP-TCP connection in Terminal Service Configuration is only bound to ISA Internal Interface

    3- Make sure Remote Desktop is enabled in System Properties

    Remote Desktop Connection
Administrating ISA Server remotely is possible, and you do not need to create any extra rule to allow connection through MMC or RDC, ISA Server 2006 comes with a predefined set of rules called System Policy. System Policy offers you multiple ways to connect to ISA Server remotely. In this article, I showed you in details what are the configuration needed to be set on the ISA Server, and what you need to do on the client machine as well to establish the remote connection.