Remote Administration

Our final topic for this chapter is using a standard Web browser like Microsoft Internet Explorer for remote administration of IIS sites, servers, and services. Until now we've used only the IIS console for IIS administration. However, the IIS console requires a remote procedure call (RPC)-based connection and is thus intended primarily for administration on the internal network of a company. By using ISM (HTML), however, administrators can manage most (but not all) aspects of IIS from remote locations, even over a nonsecure connection on the Internet and through a proxy server or firewall (if configured properly). This section looks briefly at ISM (HTML) and how to use it.

Using a Web browser to administer IIS is considerably less secure than using either the IIS console or Terminal Services over an RPC-based connection, so it's best to disable the Web browser capability. If you want to perform remote administration over the Internet, consider establishing a VPN connection to your network and then using the IIS console or Terminal Services.

The Administration Web Site

ISM (HTML) is an optional component of IIS that is installed by default when you install Windows 2000 Server. (It's disabled by default when using the IIS Lockdown tool to secure IIS, as discussed in Chapter 28.) Once this component is installed, a new Web site appears in the console tree of the IIS console window. This new Web site is called the Administration Web Site and is basically an ASP application that allows administrators to manage IIS using any Web browser that supports JavaScript.

Enabling Remote Administration

To be able to use ISM (HTML), administrators need only to be able to connect to the Administration Web Site. To make this possible, you need to perform this procedure first:

  1. Open the Properties dialog box for the Administration Web Site in the IIS console.
  2. In the Web Site tab, find the TCP port number assigned to this site and write it down. (A random port number between 2000 and 9999 is assigned to the site during installation of the component, and you need to know this number to be able to connect to the site using a Web browser.)
  3. Click the Directory Security tab and open the IP Address And Domain Name Restrictions dialog box. By default, only the local host computer (127.0.0.1) is allowed access to the Administration Web Site; all other IP addresses are denied.
  4. Add to the Granted list the IP address of any machines from which you want to be able to remotely administer the server. (Remote clients need to have static IP addresses.)
  5. Apply the changes by closing the Properties dialog box for the Administration Web Site. You're ready to go.

You won't be able to remotely administer IIS using the Administration Web Site if you let the IIS Lockdown tool remove the Administration Web Site. Use the IIS console or Terminal Services instead of the Administration Web Site when security is important.
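The following sketch is an added example, not code from the book or from IIS: it models the default-deny restriction from steps 3 and 4 and reviews a Granted list for entries that open the Administration Web Site wider than individual admin machines. The dictionary field names, the sample addresses and port, and the choice of RFC 1918 ranges as "internal" are assumptions made for illustration.

```python
import ipaddress

# Constructed sample settings (not from the book); field names are hypothetical
# and mirror the dialog-box settings touched in steps 1-5.
SAMPLE = {
    "port": 4721,             # constructed value in the 2000-9999 range
    "default_grant": False,   # False = every address denied unless listed
    "granted": ["127.0.0.1", "192.168.10.25", "10.0.0.0/8", "203.0.113.40"],
    "ssl": False,             # SSL not configured on the site
}

# Assumption: "internal" means loopback or an RFC 1918 range.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_allowed(client_ip, cfg):
    """Return True if client_ip would pass the IP address restriction."""
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr in ipaddress.ip_network(e, strict=False)
                 for e in cfg["granted"])
    return listed or cfg["default_grant"]

def audit(cfg):
    """Return findings for settings that widen access beyond named machines."""
    findings = []
    if cfg["default_grant"]:
        findings.append("default action grants access to every address")
    for entry in cfg["granted"]:
        net = ipaddress.ip_network(entry, strict=False)
        internal = any(net.network_address in n for n in INTERNAL)
        if net.num_addresses > 1:
            findings.append(f"{entry}: grants {net.num_addresses} addresses, "
                            "not one machine")
        elif not internal and not cfg["ssl"]:
            findings.append(f"{entry}: client outside the internal ranges "
                            "over a nonsecure connection")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("FINDING:", line)
    for ip in ("192.168.10.25", "192.168.10.26", "10.4.4.4"):
        print(ip, "allowed" if is_allowed(ip, SAMPLE) else "denied")
```

With the sample settings, the /8 entry and the external address are reported, and 10.4.4.4 is allowed even though nobody listed that machine by name.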

Testing Remote Administration

To test your configuration of the Administration Web Site, start Internet Explorer on the machine whose IP address you have granted access and open the URL http://Server_Name:Admin_Port, where Server_Name is the IP address or DNS name of the IIS server, and Admin_Port is the TCP port number you noted for remote administration.

A dialog box appears requesting your credentials (user name, password, and Windows 2000 domain), after which you are informed that you are using a nonsecure connection for performing remote administration. (You can configure SSL on the Administration Web Site just as on any other Web site if you prefer more security.)

At this point (if you've done everything correctly), ISM (HTML) should be functional and you should be connected to the Administration Web Site with your browser (Figure 29-29). You can perform most administration tasks using ISM (HTML), but not all. For example, you can't configure certificate mapping using ISM (HTML) because to do so requires coordination with other Windows 2000 services that aren't accessible from a Web browser.

Figure 29-29. The opening page of ISM (HTML) as seen in Internet Explorer 5.



Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
Year: 2003
Pages: 320
