Administering Forefront TMG 2010 Server Remotely Using RDP (Remote Desktop Protocol) from Internal and External Network / Locations
Remotely administering Forefront TMG 2010 is confusing for firewall admins who are used to, and comfortable with, third-party firewalls. Forefront TMG has no web interface for managing the TMG Server and no command-line support, whereas these features are built into other third-party firewalls. For security reasons, we will not perform Forefront TMG 2010 Server administration directly from the TMG Server console. The TMG Server should be located in a physically secure room with locks and tracking devices. In this session, we will learn how to administer the TMG Server remotely from client computers.
Microsoft has come up with two options for remotely administering Forefront TMG 2010 Server.
- Remote Desktop connection to administer the TMG Server
- Install the TMG Server Management Console on a remote host and use it to manage the TMG Server.
In the next version of Forefront TMG, Microsoft will probably add a built-in web interface for managing the TMG Server, if the need is felt. But TMG 2010 does not have a web interface for management.
Of the two options, I recommend using an RDP connection to administer the TMG Server. The advantage of using RDP is that we can manage virtually all the settings on the server, not just Forefront TMG. By default, the Remote Desktop Protocol (RDP) uses only a single TCP port, 3389, which we can also change. RDP traffic is encrypted.
On the other hand, to administer the Forefront TMG 2010 server using the TMG Server Management Console, we first need to install the TMG Management Console from the TMG installation CD on the remote host. MMC traffic is not encrypted, which needs to be taken into account. We must enable File and Printer Sharing on the Forefront TMG 2010 Server, which is not recommended when using the TMG Server as an Edge firewall or Front-End firewall. Apart from this, we have to allow multiple protocols from the Remote Management Computers to the TMG Server. The protocols allowed are MS Firewall Control, NetBIOS Datagram, NetBIOS Name Service, NetBIOS Session and RPC (all interfaces). In order to use this feature, we will have to allow these multiple protocols from Remote Management Computers to TMG (seen as localhost in the example diagram). Administrators struggle to choose the better of the two methods of managing the TMG 2010 server. We are using the TMG Server as a dedicated Edge firewall, which is our replacement for the other third-party firewall. Hopefully Microsoft will fix this issue in the next release of TMG Server.
RDP uses only one port, 3389, whereas console management makes use of multiple protocols. Therefore, where security is sought or needed, using RDP alone to manage TMG is highly recommended.

Using Remote Desktop for Remote Administration:
1. In the Forefront TMG Management Console, click the Firewall Policy node. In the right pane, click the Tasks tab. In the Tasks pane, click Edit System Policy.
2. On the System Policy Editor page, click Terminal Server and then, on the From tab in the right pane, click Remote Management Computers and click Edit.
3. On the Remote Management Computers Properties dialog box, click Add, then Computer.
4. On the New Computer Rule Element dialog box, enter a name for the remote computer, its host name or IP address, and a description, and click OK.
5. Click OK, OK, Apply, Apply and OK to save the changes.
Now we will be able to access the TMG Server remotely using an RDP connection from the Remote Management Computers. This method works only from the Internal network.

Second Method: RDP Connection from the Internal Network with a Specific IP Address:
1. In the Forefront TMG Management Console, click the Firewall Policy node. In the right pane, click the Tasks tab. In the Tasks pane, click Create Access Rule.
2. On the Welcome to the New Access Rule Wizard page, type RDP From TMG Admin (192.168.10.10) To TMG Server as the name of the rule, and then click Next.
3. On the Rule Action page, click Allow and then click Next.
4. On the Protocols page, add the RDP (Terminal Services) protocol and click Next.
5. On the Access Rule Sources page, add TMG Admin (192.168.10.10) and click Next.
6. On the Access Rule Destinations page, add Local Host and click Next.
7. On the User Sets page, click Next.
8. On the Completing the New Access Rule Wizard page, click Finish.
9. Click Apply twice and click OK.

To manage the TMG Server remotely from the Internet, we have to use Publish Non-Web Server Protocols in the Firewall Policy Tasks:
1. In the Forefront TMG Management Console, click the Firewall Policy node. In the right pane, click the Tasks tab. In the Tasks pane, click Publish Non-Web Server Protocols.
2. On the Welcome to the New Server Publishing Rule Wizard page, type Publish RDP Access From External to TMG Server as the name of the rule, and then click Next.
3. On the Select Server page, type 192.168.10.1 in the Server IP Address box (this is the internal IP address of the TMG Server), and then click Next.
4. On the Protocol page, click the down-arrow for the Selected Protocol list, select RDP (Terminal Services) Server and click Next. We can also change the Firewall Ports and Published Server Ports here; to do so, click Ports.
5. On the Network Listener IP Addresses page, select External and click Next. This is where we allow RDP access from the External network (Internet).
6. On the Completing the New Server Publishing Rule Wizard page, review the configuration and click Finish.
7. Click Apply to save the changes and update the configuration.
8. On the Configuration Change Description dialog box, click Apply.
9. On the Saving Configuration Changes dialog box, click OK.
10. Double-click the Publish RDP Access From External to TMG Server rule, click the From tab, remove Anywhere from "This rule applies to traffic from these sources", click Add, expand Computer Sets under Network Entities, double-click Remote Management Computers, click Close, click Apply and click OK. Until this step is done, the published rule accepts RDP connections from any source on the Internet.
11. Click Apply twice and click OK on the Saving Configuration Changes dialog box.
Now we will be able to access the TMG Server remotely using an RDP connection from the Remote Management Computers on the Internet.

Note: Remote Management Computers must be fully compliant with the network and security policies of the individual organization, for example free of viruses and other malicious software. During an RDP connection to the TMG Server, drive mapping should be disabled to protect the TMG Server.

Summary:
Although Microsoft provides two options for managing the TMG 2010 server, we have looked at why it is more secure to use the RDP option instead of console management. We live in an era of computing in which it is difficult to keep systems secure from intruders and hackers. Using the Console Management option opens up multiple doors, with multiple protocols in use, to unauthorized users. Why use the Console option when the same management can be done using RDP with only a single protocol in use? Maybe Microsoft will come up with secure web management features, much better than the current two options, in the next release.
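The procedures above rely on RDP listening on a single encrypted port, and the Note asks that drive mapping be disabled during RDP sessions to the TMG Server. The following PowerShell audit is an added example, not part of the original article, that checks those settings on the TMG server's own RDP listener; the registry keys are the standard Windows Terminal Services locations, and the expected port 3389 is an assumption you adjust if you changed it in the Ports dialog and the TMG rule.

```powershell
# Added example (not from the original article): audit the RDP listener on a Windows
# Server host such as the TMG 2010 server for the settings the article relies on:
# one listening port, authenticated and encrypted sessions, and no client drive mapping.
# $ExpectedPort is an assumption; change it if RDP was moved off 3389.
$ExpectedPort = 3389

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value missing: treated as "not configured"
}

# Drive redirection can be disabled by policy or on the listener itself; accept either.
$cdm = Get-RegValue $polKey 'fDisableCdm'
if ($null -eq $cdm) { $cdm = Get-RegValue $rdpTcp 'fDisableCdm' }

$checks = @(
    @{ Name='RDP enabled';        Actual=(Get-RegValue $tsKey  'fDenyTSConnections'); Expected=0 }
    @{ Name='Listening port';     Actual=(Get-RegValue $rdpTcp 'PortNumber');         Expected=$ExpectedPort }
    @{ Name='NLA required';       Actual=(Get-RegValue $rdpTcp 'UserAuthentication'); Expected=1 }
    @{ Name='Security layer TLS'; Actual=(Get-RegValue $rdpTcp 'SecurityLayer');      Expected=2 }
    @{ Name='Encryption >= High'; Actual=(Get-RegValue $rdpTcp 'MinEncryptionLevel'); Expected=3; AtLeast=$true }
    @{ Name='Drive mapping off';  Actual=$cdm;                                         Expected=1 }
)

$failed = 0
foreach ($c in $checks) {
    $ok = $false
    if ($null -ne $c.Actual) {
        $ok = if ($c.AtLeast) { $c.Actual -ge $c.Expected } else { $c.Actual -eq $c.Expected }
    }
    if (-not $ok) { $failed++ }
    $status = if ($ok) { 'PASS' } else { 'FAIL' }
    $shown  = if ($null -eq $c.Actual) { 'unset' } else { $c.Actual }
    '{0} {1,-18} actual={2,-5} expected={3}' -f $status, $c.Name, $shown, $c.Expected
}

# List current sessions: only the admins defined in the TMG Remote Management
# Computers set should be connected to this server over RDP.
qwinsta 2>$null
exit $failed   # non-zero when any check fails, so the script can run from a scheduled task
```

Run it in an elevated PowerShell session on the TMG server; a non-zero exit code means at least one hardening setting differs from what the RDP-only management approach assumes.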