Using Remote Control Applications to Support ISA Server Troubleshooting: RapidAssist Comes to the Rescue

I spend a lot of time helping people figure out what’s wrong with their ISA Server setups. Many of the problems I encounter are very easy to solve. There’s a checkbox on the OWA Web Publishing rule that wasn’t selected, or perhaps an Incoming Web Requests listener wasn’t set up correctly. Over the last several years I’ve been able to discern typical patterns and create a quick assessment and solution to many ISA Server 2000 problems.

Sometimes the problems aren’t so easy to solve. For example, the person has a complex or unusual setup requiring multiple DMZs and remote access configurations. There are also situations where everything seems to have been configured perfectly, but this still fail to work correctly. The ISA Server 2000 firewall continues to not work correctly In spite of multiple email exchanges or phone calls.

These scenarios indicate a need to get deeper into the ISA Server 2000 firewall configuration. There are several ways to do this:

The best method is to go to the customer site. There you can interact with the firewall and networking team and get their insights into the problem before even sitting in front of the firewall. Often the problem isn’t with the ISA Server firewall configuration. More often it’s related to the current network infrastructure. For example, the front end firewall isn’t configured correctly, or the VLAN configuration on one of the switches is messed up. The on-site visit is often the quickest and most reliable way to get to the heart of the problem.

Jim Harrison’s isainfo script (which you can obtain at www.isatools.org) provides you with a comprehensive text printout of just about every piece of information regarding the ISA Server firewall configuration you can imagine. In addition, this script provides information on how the Windows operating system is configured.

The isainfo script print out includes all the information you need to solve ISA firewall or Windows specific issues. The problem with the isainfo script printout is that is a text only document. It’s very easy to get lost in the voluminous information it provides. Most of us (including myself) are not accustomed to working with ISA and Windows in this fashion. The end result is that it can take a lot of time to filter out unimportant information and hone in on the information you need to get to solve what might be a simple problem.

Most of us are accustomed to working with ISA Server firewalls and Windows using the graphical interface. We see it everyday, make changes to the ISA firewall and Windows components using this interface everyday, and have developed a mental picture of what a proper configuration should look like. The graphical interface makes it easy to quickly and easily determine the current configuration and assess how it deviates from a correct configuration.

This is where remote control applications find their best use. Remote control applications allow you to view the actual desktop and management consoles on the ISA Server firewall machine. There are a number of remote control options out there:

Remote control applications such as pcAnywhere, RAdmin and VNC require that you install their software on the ISA firewall. I am always very hesitant to install applications on the ISA firewall because you never know if there are compatibility issues with those applications and if those applications install components that could be leveraged by an attacker.

Terminal services (remote desktop/RDP) is available on all ISA firewalls. RDP is quite secure when you enforce 128-bit encryption. The problem with Terminal services is that there are some well-known exploits that can be run against an RDP server and that the person at the ISA Server firewall console cannot see what you’re doing. The latter problem is often a major concern. Firewall administrators want total control over the configuration and understand what the problems are and how to fix them. When you use a remote desktop session to configure the firewall for the firewall administrator, he does not know exactly what you’ve done because he cannot see the actions you’ve performed.

A problem all of these remote control applications share is that special provisions need to be made on the ISA firewall and any front end firewalls to allow the special inbound and outbound protocols required for access.

For example, pcAnywhere requires that you allow multiple inbound and outbound primary connections. This requires multiple Protocol Definitions to be created before you can create a Server Publishing Rule to allow access. In addition, it may require that you create multiple packet filters on the ISA Server firewall. You may also need to create multiple packet filters on any traditional packet filtering firewall located in front of the ISA Server firewall. In many cases someone else manages the front end firewall and you’ll need to cajole the front-end firewall administrator to create the appropriate packet filters. This is often easier said than done.

The ideal remote control solution would be one that did not require client software installation and did not require any special protocols to be configured on the ISA Server firewall or a front end firewall. Almost all firewalls allow outbound access to HTTP and HTTPS (SSL), so if the remote control application would work using either of these protocols, it would not require any special firewall configuration. In addition, the ideal remote control solution would allow you remote access to the ISA Server firewall console and at the same time allow the firewall administrator at the remote site to see what you are doing.

The remote control solution I use meets all of these requirements. RapidAssist from nTeras allows remote control of the ISA Server firewall via HTTP or SSL, allows the firewall administrator to view what you’re doing, and does not require software installation on this machine controlled from a remote location.

RapidAssist includes client and server components. The server piece can be installed on almost any version of Windows. The client piece is installed automatically when the person receiving help clicks on a link you provide for him. A browser add-in in automatically installed when the remote user clicks the link. Then the client connects to the RapidAssist server at your site or one hosted by nTeras. The connection is made via HTTP or SSL. An SSL connection is negotiated first, and if a secure SSL connection cannot be established (because the remote user’s firewall doesn’t allow outbound SSL), then an HTTP connection is established.

The remote user controls the level of access. Only after you are given explicit permission to control the remote computer by the user will you have the ability to control the system. If the remote user does not want to give you control, you can still see the remote system and guide the remote user to perform steps you tell him to perform either via a chat interface, or via an out-of- band telephone conversation.

I personally believe that you should never use the browser on the firewall and that you should never browse any Web site from the ISA Server firewall. For this reason, I prefer to have the remote user who is receiving assistance to go to another machine on his network and establish a Terminal Services connection to the internal interface of the ISA Server firewall. After he establishes the Terminal Services connection to the ISA Server firewall, then he clicks the help link I provide and the RapidAssist session begins. When the remote user grants me control, I can then troubleshoot and manage the ISA Server firewall through the Terminal Services session.

If you’re looking for a remote control solution that allows you full control of a client or server desktop, then you should look into RapidAssist. It’s very competitively priced, and you’ll find it very easy to install and use. If you’re thinking of getting into the remote support business, then this is the ideal solution! Let me know what you think of it, and if you want to try it out, let me know. I’ll set up a RapidAssist session with you and troubleshoot your ISA Server firewall at the same time.

If you’re interested in a RapidAssist Session with me, write to [email protected] and we’ll set something up.