Delegating and Customizing Administrative Access to the ISA Console


After a best practice model is developed for controlling access to an ISA server through role-based access control, those groups can then be created and delegated access to an ISA server.

Creating Active Directory Groups for Admin Access

If an Active Directory environment is utilized, creation of the Access Groups for delegation of ISA administration is straightforward. It is recommended to create the three groups to correspond with the three levels of ISA Administration. To create a group, do the following:

NOTE

The following procedure illustrates the creation of AD groups in a Windows Server 2003 environment. The procedure is slightly different on a Windows 2000 server.


1.

On an Active Directory domain controller, open Active Directory Users and Computers (ADUC) by clicking Start, All Programs, Administrative Tools, Active Directory Users and Computers.

2.

In ADUC, drill down through the console tree and locate the Organizational Unit where the group is to be created. Right-click that OU (the default is the Users container, if no other OU has been specified) and select New, Group.

3.

Enter a descriptive group name (with the same name entered into the preWindows 2000 field) and enter the group scope and type, similar to what is shown in Figure 16.1. For an access group, select Domain Local and Security and click Next.

Figure 16.1. Creating an AD group for ISA administration.


4.

Do not check to create an Exchange email address if prompted, and click Next.

5.

Click Finish to create the group.

6.

Add groups as necessary, using the concepts illustrated in the previous sections of this chapter as a guide.

Creating Local Server Users and Groups for Admin Access

On an ISA Server that is not a domain member, users and groups can be created to serve the same purpose. To create local user accounts on the ISA server, do the following:

1.

On the ISA Server, click on Start, All Programs, Administrative Tools, Computer Management.

2.

In the Computer Management console tree, click on Local Users and Groups and expand to the Users folder.

3.

Right-click the Users folder and select New User.

4.

Enter a username, full name, description, and password, as shown in Figure 16.2. Do not select to change password at next logon, and click Create to continue.

Figure 16.2. Creating a local user account for ISA administration.


5.

Enter any other users as necessary, using the same process.

After the user accounts have been created, groups can be created to control access to the ISA console. To create local groups on an ISA server, do the following:

1.

On the ISA Server, click on Start, All Programs, Administrative Tools, Computer Management.

2.

In the Computer Management console tree, click on Local Users and Groups and expand to the Groups folder.

3.

Right-click the Groups folder and select New Group.

4.

Enter a descriptive name for the Group and a description. Click Add to add the local user or users created in the earlier steps as shown in Figure 16.3.

Figure 16.3. Adding a local ISA Group for Administrative access.


5.

Add members and click Create when finished.

6.

Repeat as necessary to create additional local groups.

Delegating Admin Access to ISA Server

After the proper groups have been created, they can be granted to proper administrative rights in ISA Server. To start this process, perform the following steps:

1.

From the ISA Management Console, right-click the Server name in the console tree and choose Administration Delegation.

2.

Click Next at the wizard's welcome screen.

3.

At the Delegate Control screen, click the Add button.

4.

Use the Browse button to locate the group created earlier, such as COMPANYABC\AG-ISA-FullAdmins, select the role that matches the group, such as what is shown in Figure 16.4, and click OK.

Figure 16.4. Delegating administrative roles in ISA.


5.

Click Add again and follow the same process for any other groups that will be delegated access to the ISA Server. Eventually, after the proper groups have been added, the Delegate Control dialog box will look similar to Figure 16.5. Click Next to continue.

Figure 16.5. Reviewing newly added administrative delegation roles.


6.

Click Finish to end the wizard.

7.

Click Apply and then click OK to save the changes to ISA.

After these procedures are complete, granting administrative access to an ISA Server is as straightforward as adding the proper user account into the appropriate group.



    Microsoft Internet Security and Acceleration ISA Server 2004 Unleashed
    Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed
    ISBN: 067232718X
    EAN: 2147483647
    Year: 2005
    Pages: 216
    Authors: Michael Noel

    Similar book on Amazon

    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net