How To: Setup Replication for WebFilter ISA/TMG
Configure replication among multiple ISA/TMG servers
Step 1: Setting up the Source ISA/TMG Server and WebFilter Machine
- Launch the ISA/TMG Server console
- Right click on Firewall Policy and select Edit System Policy (for TMG, right click on Firewall Policy and select ‘All Tasks’ | ‘System Policy’ | ‘Edit System Policy’)
- Click the Authentication Services folder
- Un-check the Enforce strict RPC compliance item
- Click OK (there will be a delay of 5-30 seconds before ISA/TMG becomes responsive)
- Click the Apply button to apply the changes
Step 2: Setting up ISA/TMG to Allow Connections on the Static Port and the RPC All Interfaces Port
- Launch the Microsoft ISA/TMG Management Console
- In the left hand pane select “Firewall Policy”, then click the “Tasks” tab in the right hand pane
- Click “Create Access Rule”, type in a name for the access rule, and then click Next
- Select “Allow” for the rule action and then click Next
- In the Protocols page, open the “This rule applies to” drop-down menu and select the Selected Protocols option
- Click the Add button to add a protocol and then select New -> Protocol
- Type in a name for the protocol, then click the Next button
- Click the New button, then select TCP for the protocol type and Outbound for the direction
- Enter the static port number that you want to use for replication
- Click OK, and then click Next
- Select No to using secondary connections -> Next -> Finish
- You should now be returned to the Add Protocols window
- Click the “+” next to the User-Defined folder, select the protocol that you just created and click Add
- Click the “+” next to the All Protocols folder, select RPC (all interfaces) and click Add
- Click Close -> Next
- In the Access Rule Sources screen (From Source), click the Add button
- Click the “+” next to the Networks folder and select Local Host -> Add -> Close -> Next
- In the Access Rule Destinations screen (Applies to), click the Add button
- Click the “+” next to the Networks folder and select Internal
- Click Add -> Close -> Next
- In the User Sets screen, click the Next button
- Click Finish
- Right click the newly created access rule, then click ‘Configure RPC protocol’
- Uncheck the box labeled ‘Enforce strict RPC compliance’
- Click Apply for the changes you made in ISA/TMG for the rule to take effect
Step 3: Entering a Domain Administrator Account into the FStorageSrv Service
- Click Start -> Control Panel -> Administrative Tools -> Services
- Locate the FStorageSrv service, right click on it and select Properties
- Click the Log On tab, and click the This Account button
- Enter a Domain Administrator account with access privileges for the machine you will be replicating to
- Click Apply -> OK
- Restart the service to apply the changes
Step 4: Repeat Step 3 From Above and Enter the Same Domain Admin Account into the FStorageSrv Service on the Destination Server
We are now finished with the replication server. All of the following instructions will take place on the destination server (the ISA/TMG server you will be replicating to).
Step 5: Setting up a Static Port for Replication on the Destination Server
- Click Start -> Run and type dcomcnfg
- Click OK
- Click the “+” sign next to Component Services -> Computers -> My Computer
- Select My Computer and double click on the DCOM Config folder
- Right click on the FStorageSrv item -> Properties
- Click the Endpoints tab -> Add -> Connection-oriented TCP/IP
- Select the Use Static Endpoint button and enter the port number you selected for replication (you previously set this port in Step 2)
- Click OK -> Apply -> OK
- Close the Component Services console
Step 6: Repeat Step 1 From Above to Remove Strict RPC Compliance From the Destination ISA/TMG Server
Step 7: Setting up ISA/TMG to Allow Connections on the Static Port and the RPC All Interfaces Port on the Destination Server
- Launch the Microsoft ISA/TMG Management Console
- In the left hand pane select “Firewall Policy”, then click the “Tasks” tab in the right hand pane
- Click “Create Access Rule”, type in a name for the access rule, and then click Next
- Select “Allow” for the rule action and then click Next
- In the Protocols page, open the “This rule applies to” drop-down menu and select the Selected Protocols option
- Click the Add button to add a protocol and then select New -> Protocol
- Type in a name for the protocol, then click the Next button
- Click the New button, then select TCP for the protocol type and Outbound for the direction
- Enter the static port number that you want to use for replication (use the same port that you set previously on the replication server)
- Click OK, and then click Next
- Select No to using secondary connections -> Next -> Finish
- You should now be returned to the Add Protocols window
- Click the “+” next to the User-Defined folder, select the protocol that you just created and click Add
- Click the “+” next to the All Protocols folder, select RPC (all interfaces) and click Add
- Click Close -> Next
- In the Access Rule Sources screen (From Source), click the Add button
- Click the “+” next to the Networks folder and select Internal -> Add -> Close -> Next
- In the Access Rule Destinations screen (Applies to), click the Add button
- Click the “+” next to the Networks folder and select Local Host
- Click Add -> Close -> Next
- In the User Sets screen, click the Next button
- Click Finish
- Right click the newly created access rule, then click ‘Configure RPC protocol’
- Uncheck the box labeled ‘Enforce strict RPC compliance’
- Click Apply for the changes you made in ISA/TMG for the rule to take effect
Note: For TMG servers, a local Windows Firewall inbound rule allowing the custom RPC port from the replication server must be configured as well. To do this:
- Click Start -> Control Panel -> Administrative Tools -> Windows Firewall with Advanced Security
- Navigate to the ‘Inbound Rules’ section and create a new rule that allows the desired TCP port, restricted to the address of the replication server
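As an added PowerShell example (not part of the original article or the product's own tooling), the destination-server pieces of this procedure that can be done without the GUI: the DCOM static endpoint for FStorageSrv (Step 5), the Windows Firewall inbound rule scoped to the replication server only (the note above), and a check of the service logon account (Step 3). The port, replication server address, AppID GUID and service name are placeholders you take from your own environment; the AppID is shown on the General tab of the FStorageSrv DCOM properties dialog.

```powershell
# Added example; run in an elevated PowerShell on the DESTINATION ISA/TMG server.
# Placeholders (assumptions, not values from the article): replace before running.
$ReplPort    = 5000                                     # static port chosen in Step 2
$ReplServer  = '10.0.0.10'                              # address of the source (replication) server
$AppId       = '{00000000-0000-0000-0000-000000000000}' # FStorageSrv AppID from dcomcnfg (General tab)
$ServiceName = 'FStorageSrv'                            # assumed service name; confirm with Get-Service

# 1. DCOM static endpoint: the same value the Endpoints tab in dcomcnfg writes.
#    Format is "<protocol sequence>,<flags>,<endpoint>"; flags 0 = use static endpoint.
$key = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
if (-not (Test-Path $key)) { throw "AppID $AppId not found; copy it from the DCOM properties dialog" }
Set-ItemProperty -Path $key -Name 'Endpoints' -Type MultiString -Value @("ncacn_ip_tcp,0,$ReplPort")

# 2. Windows Firewall inbound rule limited to the replication server's address, so the
#    static RPC port is not open to the whole network. netsh is used because the
#    NetSecurity cmdlets (New-NetFirewallRule) are not available on Server 2008 R2.
$ruleName = "WebFilter replication TCP $ReplPort from $ReplServer"
netsh advfirewall firewall delete rule name="$ruleName" | Out-Null   # makes a re-run idempotent
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow protocol=TCP `
    localport=$ReplPort remoteip=$ReplServer profile=domain
if ($LASTEXITCODE -ne 0) { throw 'netsh failed to add the inbound rule' }

# 3. Verify the service runs as the domain account entered on the Log On tab, then
#    restart it so the endpoint and logon changes are picked up.
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found" }
"$ServiceName runs as $($svc.StartName)"
if ($svc.StartName -match 'LocalSystem|LocalService|NetworkService') {
    Write-Warning 'Service still runs as a built-in account; set the domain account on the Log On tab first'
}
Restart-Service -Name $ServiceName

# 4. Confirm something is actually listening on the chosen port after the restart.
$listening = netstat -ano -p TCP | Select-String ":$ReplPort\s+.*LISTENING"
if ($listening) { "Port $ReplPort is listening: $listening" }
else { Write-Warning "Nothing is listening on TCP $ReplPort yet; re-check the DCOM endpoint" }
```

The ISA/TMG access rules themselves (Steps 2 and 7) still have to be created in the management console as described above.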