
Remote WMI to the ISA server

Remote WMI to the ISA server - 23.Feb.2005 1:31:00 PM   
Guest
I had a problem reaching ISA from my monitoring computer with Remote WMI, for management purposes.
I didn't see a solution anywhere, but finally I found one using trial and error.

1) The client PC may not exist in the group Remote Management Computers, because the existing filter uses strict RPC compliance.
2) Add a new group "RemoteEx Management Computers"
3) Add a new user-defined protocol (name it "wmi-extra" or something like that)
tcp outbound port 1026-1026

3) New access rule (named WMI)
protocols
1) RPC all interface (filtering: in configure RPC: clear the check box Enforce strict RPC compliance..)
2) Wmi-extra
From "RemoteEx Management Computers"
To "Local Host"



I'm not an article writer; maybe someone can publish this tip? I'm sure some people are waiting for it.



regards,
L Vandenbroucke
  Post #: 1
RE: Remote WMI to the ISA server - 28.Feb.2005 1:02:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Luc,

Great tip! I'll include it in the next ISAserver.org newsletter and give you credit.

Thanks!
Tom

[ February 28, 2005, 01:03 PM: Message edited by: tshinder ]

(in reply to Guest)
Post #: 2
RE: Remote WMI to the ISA server - 1.Apr.2005 4:30:00 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Very good tip, although you need tcp 1354 outbound there too.

S

(in reply to Guest)
Post #: 3
RE: Remote WMI to the ISA server - 5.Apr.2006 10:10:58 PM   
greygoose

 

Posts: 9
Joined: 4.Jan.2006
Status: offline
This does not work.  I have tried all of the WMI access methods mentioned on these forums and none of them work.

(in reply to SteveMoffat)
Post #: 4
RE: Remote WMI to the ISA server - 29.May2006 7:19:22 AM   
j

 

Posts: 15
Joined: 19.Nov.2005
Status: offline
Hi,

Here's how I do it, but you must trust the source, i.e. the monitoring box(es). With this method your scripts will work and not time out, and you can use MMC properly as well. While the RPC/DCOM publishing on ISA 2004 is awesome for RPC stuff like Outlook, it's not so fun for remote scripting/required MMC usage from trusted internal hosts to the ISA box itself.

1. First you need to make an explicit range for the DCOM high ports you can use, via the registry (see http://support.microsoft.com/?kbid=154596)

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet 
Edit the Ports multi-string to your liking. I use 5000-5100; this should be a fine amount for a non-application server (see KB above).
Ports 5000-5100 (multi-string)

2. create two basic custom protocols for SMB and dcom,

cust_smb
445 tcp outbound
445 udp send
(no related application filters ticked!)

cust_dcom
135 tcp outbound
5000-5100 tcp outbound
(no related application filters ticked!)

4. create the rule, allow, source = trusted admin/monitor box(es), destination localhost, protocols: cust_smb, cust_dcom, all users

5. Edit the System policy
Untick the 'enable' for Microsoft Management Console; you don't need it now because we have created a better rule for our trusted box(es) (note: having this ticked will create a hidden rule that can break WMI scripts and the like).
Untick the 'force strict rpc compliance' option for Active Directory

Click ok, apply new configuration, restart the isa server

Now when the ISA box has booted back up, from your monitoring box you can use MMC consoles, VBScripts, WMI scripts to monitor/admin the ISA 2004 server. FYI, do a netstat -an and you will see the listening DCOM servers in your configured range.

This method allows for the best of both worlds: secure admin/scripting of the ISA box and no less secure ISA box, because the RPC filter is still active and being used by the ISA server's other default/custom access or publishing rules.

cheers j

< Message edited by j -- 29.May2006 7:25:39 AM >

(in reply to greygoose)
Post #: 5
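
The netstat check at the end of the post above can be scripted. This is an added example, not part of j's post: it parses the `Ports` multi-string from step 1 and `netstat -an` output, then reports which TCP listeners fall inside the configured DCOM range and which are not reachable through the cust_smb/cust_dcom rule. The function names are hypothetical and the netstat sample is constructed.

```python
import re

# TCP ports opened by cust_smb (445) and cust_dcom (135) besides the DCOM range.
RULE_STATIC_PORTS = {135, 445}


def parse_port_ranges(multi_string):
    """Parse the entries of the Rpc\\Internet 'Ports' multi-string, e.g. ['5000-5100']."""
    ranges = []
    for entry in filter(str.strip, multi_string):  # skip empty entries
        low, _, high = entry.strip().partition("-")
        low, high = int(low), int(high or low)     # a single port is a 1-port range
        if not (0 < low <= high <= 65535):
            raise ValueError(f"bad port range: {entry!r}")
        ranges.append((low, high))
    return ranges


def listening_tcp_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state from 'netstat -an' output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def audit(netstat_text, ports_value):
    """Classify listeners against the rule: static ports plus the configured range."""
    ranges = parse_port_ranges(ports_value)
    listeners = listening_tcp_ports(netstat_text)
    in_range = {p for p in listeners if any(lo <= p <= hi for lo, hi in ranges)}
    return {
        "dcom_in_range": sorted(in_range),
        "uncovered": sorted(listeners - in_range - RULE_STATIC_PORTS),
        "static_not_listening": sorted(RULE_STATIC_PORTS - listeners),
    }


# Constructed sample of 'netstat -an' output, not captured from a real server.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5003           0.0.0.0:0              LISTENING
  TCP    10.0.0.1:5003          10.0.0.50:49152        ESTABLISHED
"""
```

A listener reported under `uncovered` (1026 in the sample) is still bound outside the configured range, so the rule's 5000-5100 protocol definition does not reach it.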
RE: Remote WMI to the ISA server - 9.Nov.2010 5:12:46 AM   
jvt

 

Posts: 5
Joined: 22.Apr.2009
From: Denmark
Status: offline
Works perfectly on an ISA 2007 as well. Thanks for the guide J

(in reply to j)
Post #: 6
RE: Remote WMI to the ISA server - 19.Jan.2012 1:19:16 PM   
SmallBiz

 

Posts: 2
Joined: 19.Jan.2012
Status: offline
quote:

ORIGINAL: j

Hi,

Here's how I do it, but you must trust the source, i.e. the monitoring box(es). With this method your scripts will work and not time out, and you can use MMC properly as well. While the RPC/DCOM publishing on ISA 2004 is awesome for RPC stuff like Outlook, it's not so fun for remote scripting/required MMC usage from trusted internal hosts to the ISA box itself.

1. First you need to make an explicit range for the DCOM high ports you can use, via the registry (see http://support.microsoft.com/?kbid=154596)

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet
Edit the Ports multi-string to your liking. I use 5000-5100; this should be a fine amount for a non-application server (see KB above).
Ports 5000-5100 (multi-string)
cheers j


Do not use that Registry entry on SBS2003 with ISA installed. Will cause ISA services to fail which in turn crashes most of SBS.

(in reply to j)
Post #: 7
RE: Remote WMI to the ISA server - 12.Mar.2013 4:53:17 AM   
michael george

 

Posts: 3
Joined: 11.Mar.2013
Status: offline
Thanks for sharing very nice information..







(in reply to SmallBiz)
Post #: 8
