Remote WMI to the ISA server (Full Version)

All Forums >> [ISA Server 2004 Misc.] >> Tips and Tricks



Message


Guest -> Remote WMI to the ISA server (23.Feb.2005 1:31:00 PM)

I had a problem, reaching ISA from my monitoring computer with Remote WMI, for mangagement purposes.
I didn't see a solution anywhere, but finally I found one using trial and error.

1) de client pc may not exist in the group Remote management computers. because the existing filter uses strict RPC compliance.
2) Add a new group "RemoteEx Management Computers"
3) Add new user define protocol (name it "wmi-extra" or something like that)
tcp outbound port 1026-1026

3)new access rule (named WMI)
protocols
1) RPC all interface ( filtering : in configure rpc: clear the check box Enforce strict rpc compliance.. )
2) Wmi-extra
From "RemoteEx Management Computers"
To "Local Host"



I'm not an article writer, maybe someone can publish this tip ? I'm sure some people are waiting for it.



regards,
L Vandenbroucke




tshinder -> RE: Remote WMI to the ISA server (28.Feb.2005 1:02:00 PM)

Hi Luc,

Great tip! I'll include it in the next ISAserver.org newsletter and give you credit.

Thanks!
Tom

[ February 28, 2005, 01:03 PM: Message edited by: tshinder ]




SteveMoffat -> RE: Remote WMI to the ISA server (1.Apr.2005 4:30:00 AM)

Very good tip, although you need tcp 1354 outbound there too.

S




greygoose -> RE: Remote WMI to the ISA server (5.Apr.2006 10:10:58 PM)

This does not work.  I have tried all of the WMI access methods mentioned on these forums and none of them work.




j -> RE: Remote WMI to the ISA server (29.May2006 7:19:22 AM)

Hi,

heres how i do it, but you must trust the souce, ie. the monitoring box(es). this method your scripts will work and not time-out and use can use mmc properly aswell, while the rpc/dcom publising on isa 2004 is awesome for rpc stuff like outlook, its not so fun for remote scripting/required mmc usage from trusted internal hosts to the isa box itself.

1.First you need to make explicict range form dcom high ports you can use via in the registry (see http://support.microsoft.com/?kbid=154596)

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet 
Edit the Ports multi-string to your liking. I use 5000-5100, this should be fine amount for a non application server.(see kb above)
Ports 5000-5100 (multi-string)

2. create two basic custom protocols for SMB and dcom,

cust_smb
445 tcp outbound
445 udp send
(no related application filters ticked!)

cust_dcom
135 tcp outbound
5000-5100 tcp outbound
(no related application filters ticked!)

4. create the rule, allow, source = trusted admin/monitor box(es), destination localhost, protocols: cust_smb, cust_dcom, all users

5. Edit the System policy
Untick the 'enable' for Microsoct Management Console, you don't need it now because we have created a better rule for our trusted box(es) ( note having this ticked will create a hidden rule that can break wmi scripts and alike).
Untick the 'force strict rpc compliance' option for Active Dicrectory

Click ok, apply new configuration, restart the isa server

now when the isa box has booted back up, from your monitoring box. you can use mmc consoles, vbscripts, wmi scripts to monitor/admin the isa 2004 server. fyi do a netstat -an and you wil se the listening dcom servers in your configured range.

This methods allows for the best of both worlds, secure admin/scripting of the the isa box and no less secure isa box because the rpc filter is still active and being used by isa server other default/custom access or publishing rules.

cheers j




jvt -> RE: Remote WMI to the ISA server (9.Nov.2010 5:12:46 AM)

Works perfectly on an ISA 2007 aswell. Thanks for the guide J




SmallBiz -> RE: Remote WMI to the ISA server (19.Jan.2012 1:19:16 PM)

quote:

ORIGINAL: j

Hi,

heres how i do it, but you must trust the souce, ie. the monitoring box(es). this method your scripts will work and not time-out and use can use mmc properly aswell, while the rpc/dcom publising on isa 2004 is awesome for rpc stuff like outlook, its not so fun for remote scripting/required mmc usage from trusted internal hosts to the isa box itself.

1.First you need to make explicict range form dcom high ports you can use via in the registry (see http://support.microsoft.com/?kbid=154596)

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet 
Edit the Ports multi-string to your liking. I use 5000-5100, this should be fine amount for a non application server.(see kb above)
Ports 5000-5100 (multi-string)
cheers j


Do not use that Registry entry on SBS2003 with ISA installed. Will cause ISA services to fail which in turn crashes most of SBS.




michael george -> RE: Remote WMI to the ISA server (12.Mar.2013 4:53:17 AM)

Thanks for sharing very nice information..






UK business Database




Page: [1]