
Welcome to ISAserver.org


SNMP and WMI on Isa 2004 server

SNMP and WMI on Isa 2004 server - 5.Apr.2006 5:29:56 PM   
jfeghaly

 

Posts: 10
Joined: 10.Jun.2002
From: Beirut
Status: offline
I am not able to send SNMP or WMI requests to the ISA Server 2004 proxy and firewall, even when I specify to open all ports to the network management console to the ISA Server 2004 local host. Can you please help me with this issue?
Post #: 1
RE: SNMP and WMI on Isa 2004 server - 21.Jun.2006 8:14:18 PM   
astayton

 

Posts: 1
Joined: 21.Jun.2006
Status: offline
I would love to take credit for this but I can't.

http://forums.isaserver.org/m_410001100/mpage_1/key_/tm.htm#2002017878


1. First you need to make an explicit range for the DCOM high ports you can use, via the registry (see http://support.microsoft.com/?kbid=154596)

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet 
Edit the Ports multi-string to your liking. I use 5000-5100; this should be a fine amount for a non-application server (see KB above).
Ports 5000-5100 (multi-string)

2. Create two basic custom protocols for SMB and DCOM:

cust_smb
445 tcp outbound
445 udp send
(no related application filters ticked!)

cust_dcom
135 tcp outbound
5000-5100 tcp outbound
(no related application filters ticked!)

4. Create the rule: allow, source = trusted admin/monitor box(es), destination localhost, protocols: cust_smb, cust_dcom, all users

5. Edit the System Policy
Untick the 'enable' for Microsoft Management Console; you don't need it now because we have created a better rule for our trusted box(es) (note: having this ticked will create a hidden rule that can break WMI scripts and the like).
Untick the 'force strict rpc compliance' option for Active Directory

Click OK, apply the new configuration, restart the ISA server.

Now, when the ISA box has booted back up, from your monitoring box you can use MMC consoles, VBScripts, and WMI scripts to monitor/admin the ISA 2004 server. FYI, do a netstat -an and you will see the listening DCOM servers in your configured range.

This method allows for the best of both worlds: secure admin/scripting of the ISA box and a no less secure ISA box, because the RPC filter is still active and being used by the ISA server's other default/custom access or publishing rules.

(in reply to jfeghaly)
Post #: 2
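
A check for the last step of the reply above, as an added example that is not part of the original thread: it parses the RPC Ports entries and the ports of the cust_smb/cust_dcom protocols, then reads netstat -an output to confirm the listeners sit inside both. The function names and the sample netstat text are constructed for illustration, and any listener inside the registry range is assumed to be a DCOM server.

```python
import re

# Constructed sample of `netstat -an` output from the ISA box (not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5003           0.0.0.0:0              LISTENING
  TCP    10.0.0.1:8080          0.0.0.0:0              LISTENING
  TCP    10.0.0.1:3389          10.0.0.50:1042         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def parse_port_ranges(entries):
    """Turn entries such as "5000-5100" or "135" into (low, high) tuples."""
    ranges = []
    for entry in entries:
        m = re.fullmatch(r"\s*(\d+)(?:\s*-\s*(\d+))?\s*", entry)
        if not m:
            raise ValueError(f"unrecognised port entry: {entry!r}")
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 < low <= high <= 65535:
            raise ValueError(f"port range out of bounds: {entry!r}")
        ranges.append((low, high))
    return ranges

def listening_tcp_ports(netstat_text):
    """Collect local TCP ports in LISTENING state from `netstat -an` text."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports

def check_dcom_setup(rpc_ports, rule_ports, netstat_text):
    """Compare the registry range, the firewall rule ports and the live listeners."""
    rpc, rule = parse_port_ranges(rpc_ports), parse_port_ranges(rule_ports)
    listening = listening_tcp_ports(netstat_text)
    covered = lambda port, ranges: any(lo <= port <= hi for lo, hi in ranges)
    dcom = sorted(p for p in listening if covered(p, rpc))  # assumed DCOM servers
    return {
        "dcom_listeners": dcom,
        "not_in_rule": [p for p in dcom if not covered(p, rule)],
        "fixed_ports_missing": [p for p in (135, 445)
                                if p not in listening or not covered(p, rule)],
    }
```

An empty not_in_rule and fixed_ports_missing means the registry range, the custom protocol definitions and the running listeners agree; a port in not_in_rule points to a mismatch between the Ports value and the cust_dcom range.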
