Remote WMI to the ISA server - 23.Feb.2005 1:31:00 PM
Guest
I had a problem, reaching ISA from my monitoring computer with Remote WMI, for mangagement purposes. I didn't see a solution anywhere, but finally I found one using trial and error.
1) de client pc may not exist in the group Remote management computers. because the existing filter uses strict RPC compliance. 2) Add a new group "RemoteEx Management Computers" 3) Add new user define protocol (name it "wmi-extra" or something like that) tcp outbound port 1026-1026
3)new access rule (named WMI) protocols 1) RPC all interface ( filtering : in configure rpc: clear the check box Enforce strict rpc compliance.. ) 2) Wmi-extra From "RemoteEx Management Computers" To "Local Host"
I'm not an article writer, maybe someone can publish this tip ? I'm sure some people are waiting for it.
heres how i do it, but you must trust the souce, ie. the monitoring box(es). this method your scripts will work and not time-out and use can use mmc properly aswell, while the rpc/dcom publising on isa 2004 is awesome for rpc stuff like outlook, its not so fun for remote scripting/required mmc usage from trusted internal hosts to the isa box itself.
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet Edit the Ports multi-string to your liking. I use 5000-5100, this should be fine amount for a non application server.(see kb above) Ports 5000-5100 (multi-string)
2. create two basic custom protocols for SMB and dcom,
cust_smb 445 tcp outbound 445 udp send (no related application filters ticked!)
cust_dcom 135 tcp outbound 5000-5100 tcp outbound (no related application filters ticked!)
4. create the rule, allow, source = trusted admin/monitor box(es), destination localhost, protocols: cust_smb, cust_dcom, all users
5. Edit the System policy Untick the 'enable' for Microsoct Management Console, you don't need it now because we have created a better rule for our trusted box(es) ( note having this ticked will create a hidden rule that can break wmi scripts and alike). Untick the 'force strict rpc compliance' option for Active Dicrectory
Click ok, apply new configuration, restart the isa server
now when the isa box has booted back up, from your monitoring box. you can use mmc consoles, vbscripts, wmi scripts to monitor/admin the isa 2004 server. fyi do a netstat -an and you wil se the listening dcom servers in your configured range.
This methods allows for the best of both worlds, secure admin/scripting of the the isa box and no less secure isa box because the rpc filter is still active and being used by isa server other default/custom access or publishing rules.
heres how i do it, but you must trust the souce, ie. the monitoring box(es). this method your scripts will work and not time-out and use can use mmc properly aswell, while the rpc/dcom publising on isa 2004 is awesome for rpc stuff like outlook, its not so fun for remote scripting/required mmc usage from trusted internal hosts to the isa box itself.
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet Edit the Ports multi-string to your liking. I use 5000-5100, this should be fine amount for a non application server.(see kb above) Ports 5000-5100 (multi-string) cheers j
Do not use that Registry entry on SBS2003 with ISA installed. Will cause ISA services to fail which in turn crashes most of SBS.