
Microsoft System Center Essentials on ISA 2004/2006

Step 1: Configure System Center Essentials 2007 settings for manual installation of agents
Step 2: Manually install System Center Essentials 2007 agents on the computer that is running ISA Server
Step 3: In ISA Server, create a new access rule for the Microsoft System Center Essentials 2007 agent

INTRODUCTION

This article describes how to install a Microsoft System Center Essentials 2007 agent on a computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2006 or Microsoft Internet Security and Acceleration (ISA) Server 2004.

MORE INFORMATION

To minimize the ISA firewall configuration that is required to support a System Center Essentials 2007 agent, you must manually install System Center Essentials 2007 agents. Then, you must create access rules for the System Center Essentials 2007 agents in ISA Server.


Step 1: Configure System Center Essentials 2007 settings for manual installation of agents

1. Start the System Center Essentials 2007 console.
2. In the navigation pane, click Administration.
3. Expand Administration, and then click Settings.
4. Expand Type: Server, right-click Security, and then click Properties.
5. In the Global Management Server Settings - Security dialog box, click the General tab, click Review new manual agent installations in pending management view, and then click OK.

Note After you install System Center Essentials 2007 agents and configure access rules in ISA Server, you must approve the agent for installation in the Administration console's Pending Actions view.


Step 2: Manually install System Center Essentials 2007 agents on the computer that is running ISA Server

1. On the computer that is running ISA Server, run the SetupSCE.exe file from the System Center Essentials 2007 Setup media.
2. Click Agent to install an agent.
3. In the Agent Setup Wizard, click to select the Specify Management Group Information check box.
4. On the Management Group Configuration page, type Management Server netbios name_MG in the Management Group Name box.
5. In the Management Server netbios name box, type the fully qualified domain name (FQDN) of the Essentials 2007 Management Server.

   Note In this step, Management Server netbios name is a placeholder. Use the appropriate value.

6. Click Local System. Or, type a domain user account for the agent action account.
7. Follow the instructions on the screen to complete the Setup Wizard.
8. If you are using local policy to configure managed computers, follow these steps:
   a. Create a new directory under the System Center Essentials 2007 agent installation directory.
   b. Copy the WSUSCodeSigningCert.cer file and the WSUSSSLCert.cer file from the ProgramFiles\System Center Essentials 2007\Certificates folder on the Essentials 2007 Management Server to the new directory that you created in step a.
   c. Run SCECertPolicyConfigUtil.exe. Use the same settings that you used in the Feature Configuration Wizard on the Essentials 2007 Management Server. The syntax and options that you use to run the utility are as follows:

      SCECertPolicyConfigUtil.exe /PolicyType local /ManagementGroup [Essentials Management Server netbios name]_MG /SCEServer [SCEServer.FQDN] /AEMFileShare \\[Essentials Management Server FQDN]\[AEMPATH] /AEMPort [port] /ConfigureRemoteControl [true/false] /ConfigureAEM [true/false]

      Notes
      • You must run the utility from the System Center Essentials 2007 directory.
      • Replace the placeholders in the brackets with appropriate values.


Step 3: In ISA Server, create a new access rule for the Microsoft System Center Essentials 2007 agent

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. In the navigation pane, expand ServerName.

   Notes
   • In this step, ServerName is a placeholder for the name of the computer that is running ISA Server.
   • If you are running ISA Server 2004 Enterprise Edition, expand Arrays in the navigation pane, and then expand ServerName.

3. Click Firewall Policy.
4. Click the Tasks tab in the task pane, and then click Create New Access Rule.
5. On the Welcome to the New Access Rule Wizard page, type Essentials Agent in the Access Rule name box, and then click Next.
6. On the Rule Action page, click Allow, and then click Next.
7. On the Protocols page, click Selected protocols in the This rule applies to list, and then click Add.
8. In the Add Protocols dialog box, click New, and then click Protocol.
9. In the New Protocol Definition Wizard, type TCP 5723 (HealthService) in the Protocol definition name box, and then click Next.
10. On the Primary Connection Information page, click New.
11. In the New/Edit Protocol Connection dialog box, type 5723 in the From and To boxes, click OK, and then click Next.
12. On the Secondary Connections page, click Next, and then click Finish.
13. In the Add Protocols dialog box, click New, and then click Protocol.
14. In the New Protocol Definition Wizard, type TCP 8530 (UpdateServices) in the Protocol definition name box, and then click Next.
15. On the Primary Connection Information page, click New.
16. In the New/Edit Protocol Connection dialog box, type 8530 in the From and To boxes, click OK, and then click Next.
17. On the Secondary Connections page, click Next, and then click Finish.
18. In the Add Protocols dialog box, click New, and then click Protocol.
19. In the New Protocol Definition Wizard, type TCP 8531 (UpdateServices) in the Protocol definition name box, and then click Next.
20. On the Primary Connection Information page, click New.
21. In the New/Edit Protocol Connection dialog box, type 8531 in the From and To boxes, click OK, and then click Next.
22. On the Secondary Connections page, click Next, and then click Finish.
23. In the Add Protocols dialog box, click New, and then click Protocol.
24. In the New Protocol Definition Wizard, type TCP 51906 (AEM) in the Protocol definition name box, and then click Next.

Note By default, Agentless Error Monitoring (AEM) uses TCP port 51906 in System Center Essentials 2007. If you have changed this default port, you must use the changed port number in this protocol definition.

25. On the Primary Connection Information page, click New.
26. In the New/Edit Protocol Connection dialog box, type 51906 in the From and To boxes, click OK, and then click Next.
27. On the Secondary Connections page, click Next, and then click Finish.
28. In the Add Protocols dialog box, double-click User-Defined, click TCP 5723 (HealthService), and then click Add.
29. In the Add Protocols dialog box, click TCP 8530 (UpdateServices), and then click Add.
30. In the Add Protocols dialog box, click TCP 8531 (UpdateServices), and then click Add.
31. In the Add Protocols dialog box, click TCP 51906 (AEM), and then click Add.
32. Click Close to close the Add Protocols dialog box.
33. On the Protocols page of the New Access Rule Wizard, click Next.
34. In the Access Rule Sources dialog box, click Add.
35. In the Add Network Entities dialog box, double-click Networks, click Local Host, click Add, click Close, and then click Next.
36. On the Access Rule Destinations page, click Add.
37. In the Add Network Entities dialog box, double-click Networks, click Internal, click Add, click Close, and then click Next.
38. In the User Sets dialog box, click Next.
39. On the Completing the New Access Rule Wizard page, click Finish.
40. Click Apply to save changes and update the configuration, and then click OK.
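
The following check is an added example, not part of the original article: run on the ISA Server computer, it tests the outbound TCP connections that the Essentials Agent rule allows from Local Host to the Management Server on the Internal network. The server name sce-mgmt.example.local is a placeholder and Test-TcpPort is a helper defined here; only the .NET TcpClient class is used, so no newer networking cmdlets are required.

```powershell
# Added example: run on the ISA Server computer after applying the access rule.
param(
    [string]$ManagementServer = 'sce-mgmt.example.local', # placeholder FQDN (assumption)
    [int]$AemPort   = 51906,  # default AEM port; pass your own value if you changed it
    [int]$TimeoutMs = 3000
)

# Ports from the four protocol definitions in the "Essentials Agent" rule.
$checks = @(
    @{ Port = 5723;     Protocol = 'TCP 5723 (HealthService)' },
    @{ Port = 8530;     Protocol = 'TCP 8530 (UpdateServices)' },
    @{ Port = 8531;     Protocol = 'TCP 8531 (UpdateServices)' },
    @{ Port = $AemPort; Protocol = "TCP $AemPort (AEM)" }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silently dropped packet cannot hang the script.
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'TIMEOUT'
        }
        $client.EndConnect($pending)   # throws if the connection failed
        return 'OPEN'
    } catch {
        return 'ERROR: ' + $_.Exception.Message
    } finally {
        $client.Close()
    }
}

$results = foreach ($check in $checks) {
    New-Object PSObject -Property @{
        Protocol = $check.Protocol
        Target   = "${ManagementServer}:$($check.Port)"
        Result   = (Test-TcpPort $ManagementServer $check.Port $TimeoutMs)
    }
}
$results | Format-Table Protocol, Target, Result -AutoSize

# Non-zero exit code when any port is not reachable, for use in scheduled checks.
if ($results | Where-Object { $_.Result -ne 'OPEN' }) { exit 1 }
```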