15 September 2010

TMG Delegated Aministration

I have been running ISA deployments for years without ever needing to delegate administration to anyone.  I now have a requirement to allow this sort of thing and was very happy to find that it is very easy to deploy.

There are three roles to choose from:
Role Permissions
Forefront TMG Array Monitoring AuditorMonitor basic server and network activity across a Forefront TMG array. Cannot view the Forefront TMG configuration.
Forefront TMG Array AuditorPerform all monitoring tasks across a Forefront TMG array, including most log configuration and alert definition configuration, with the following exceptions:
  • Cannot configure a different user account when publishing reports.
  • Cannot customize report contents.
In addition, Forefront TMG array auditors can view the Forefront TMG configuration.
Forefront TMG Array AdministratorPerform any administrative task across a Forefront TMG array, including rule configuration, applying of network templates, and monitoring, as well as running highly privileged processes on the Forefront TMG server

Te following matrix gives you a breakdown of the functions the various roles can perform:
 
Action Monitoring Auditor Auditor Administrator
View Dashboard, alerts, connectivity, sessions, servicesAllowedAllowedAllowed
Acknowledge and reset alertsAllowedAllowedAllowed
View log informationNot allowedAllowedAllowed
Create alert definitionsNot allowedNot allowedAllowed
Create reportsNot allowedAllowedAllowed
Stop and start sessions and servicesNot allowedAllowedAllowed
View firewall policyNot allowedAllowedAllowed
Configure firewall policyNot allowedNot allowedAllowed
Configure cacheNot allowedNot allowedAllowed
Configure a virtual private network (VPN)Not allowedNot allowedAllowed
Drain and stop network load balanced (NLB) firewall or Web Proxy load balanced serverNot allowedAllowedAllowed
View local configuration (in Active Directory Lightweight Directory Services on array member)Not allowedAllowedAllowed
Change local configuration (in Active Directory Lightweight Directory Services on array member)Not allowedNot allowedAllowed

Setting this up is pretty straight forward. 
  • Open the TMG management console
  • Right click your array and select properties
  • Select the Assign Roles tab.
  • Add your user and select the Role you want them to have.
So this is part one sorted.  Nice and neat, quick and easy. But how are your users going to gain access to your TMG array to administer it?

The two methods normally being used is to allow your administrators to RDP to the TMG server.  The other preferred method is to allow MMC access to the TMG server. One small catch to both these methods.  You need to configure the system policy to grant access to this.

  • Open the TMG management console
  • Click Firewall Policy
  • On the right hand side click Edit system policy
  • Under the remote management section you will see Microsoft Management Console and Terminal Server
  • To enable this access check Enable this configuration group.
  • In the From tab you need to specify your "trusted network or computers or computer group"
Typically an administrator might have access from his laptop to administer and application.  But with TMG you can only specify a network or a computer group.  These have to be tied to and IP.  If the client laptop is a DHCP client this is not going to work if the ip changes.

I suggest having a "Management server" that your administrators can connect to and that only that server has access to manage your TMG environment. This allows you to restrict access to a single IP that you can manage properly with AV etc.

When I build my multi array enterprise configuration I will update this article on how to best administer an enterprise deployment.
For more info you can always check out the MS articles http://technet.microsoft.com/en-us/library/dd441007.aspx

No comments:

Post a Comment