How to use the push installation method to install a MOM 2005 agent on an ISA Server 2004 computer

This article describes how to use the push installation method to install the Microsoft Operations Manager (MOM) 2005 agent on a Microsoft Internet Security and Acceleration (ISA) Server 2004 computer. To do this, you must configure ISA Server system policy.

How to use a push installation to install the MOM agent on an ISA Server computer

Note You must be running ISA Server 2004 Service Pack 1 (SP1) or ISA Server 2004 Service Pack 2 (SP2). Windows Server 2003 SP1 introduces some changes to the RPC protocol that the ISA Server RPC filters do not detect if ISA Server 2004 Service Pack 1 or a later version is not installed.

Step 1: Enable the MOM management protocol in ISA Server system policy

1. Click Start, point to All Programs, click Microsoft ISA Server, and then click ISA Server Management.
2. In the navigation pane, right-click Firewall Policy, and then click Edit System Policy in System Policy Tasks.
3. Click Microsoft Operations Manager, click the Enable check box, and then click OK.

Step 2: Disable strict RPC compliance in ISA Server system policy

1. Right-click Firewall Policy, and then click Edit System Policy.
2. Under Authentication Services, click Active Directory, click to clear the Enforce strict RPC compliance check box, and then click OK.

The MOM management server tries to contact the ISA Server computer during network discovery if the Contact each computer option is selected. After the MOM agent is installed, the MOM management server contacts the ISA Server computer if it does not receive a heartbeat from the MOM agent that is running on the ISA Server computer.

Step 3: Enable Internet Control Message Protocol (ICMP) traffic from the MOM 2005 management server to the ISA Server computer's internal network interface

1. In the task pane, click Create New Access Rule under Firewall Policy Tasks.
2. On the Welcome to the New Access Rule Wizard page, type a descriptive name for the new rule. For example, type Allow Ping to ISA Server Internal NIC, and then click Next.
3. On the Rule Action page, click Allow, and then click Next.
4. On the Protocols page, select Selected Protocols under This rule applies to.
5. In the Add Protocols dialog box, click Add.
6. Expand Common Protocols, click Ping, click Add, click Close, and then click Next.
7. On the Access Rule Sources page, click Add.
8. On the Add Network Entities page, expand Networks, and then click Internal, or expand Computers.
9. Click to select the MOM management server. If the MOM management server is not listed as a policy element under Computers, click New, click Computer, and then add the IP address of the MOM management server. If there is more than one MOM management server in the Management group, you can add each server individually as separate policy elements. Or, you can create a single policy element by clicking New, clicking Computer Set, and then adding the IP addresses of all the MOM management servers to this set.
10. On the Access Rule Destination page, click Add, expand Networks, click Local Host, click Add, click Close, and then click Next.
11. On the User Sets page, accept the default setting of All Users, and then click Next.
12. Click Finish.
13. In the Firewall Policy window, click Apply to enable the new rule.

Step 4: Create an access rule for RPC traffic between the MOM management server and the ISA Server computer

1. In the task pane, click Create New Access Rule under Firewall Policy Tasks.
2. Type Allow RPC to ISA Server from MOM, and then click Next.
3. On the Rule Action page, select Allow, and then click Next.
4. On the Protocols page, click Selected Protocols under This rule applies to.
5. In the Add Protocols dialog box, click Add, expand Server protocols, click RPC Server, click Add, click Close, and then click Next.
6. On the Access Rule Sources page, click Add.
7. On the Add Network Entities page, expand Networks, click either Internal or expand Computers, and then click the MOM Management server. If the MOM Management server is not listed as a policy element under Computers, click New, click Computer, and then add the IP address of the MOM management server. If there is more than one MOM Management server in the Management group, you can add each of them individually as separate policy elements, or you can create a single policy element when you click New, and then click Computer Set, and then add the IP addresses of all the MOM Management servers to this set.
8. On the Access Rule Destination page, click Add, expand Networks, select Local Host, click Add, click Close, and then click Next.
9. On the User Sets page, accept the default setting of All Users, and then click Next.
10. Click Finish.
11. In the Firewall Policy window, click Apply to enable the new rule, select the new rule, and then click Edit Selected Rule in the task pane.
12. Click the Protocols tab, click Filtering, and then click Configure RPC Protocol.
13. Click to clear the Enforce Strict RPC compliance check box, and then click OK two times.
14. In the Firewall Policy window, click Apply to apply the changes.

Step 5: Turn on Path Maximum Transmission Unit (PMTU) discovery

If mutual authentication is enabled, you must turn on PMTU discovery on the ISA Server computer and on the MOM management server. For more information about turning on PMTU discovery, click the following article number to view the article in the Microsoft Knowledge Base:
Note When the ISA 2004 computer has other server roles, management packs that monitor these roles may contain rules that require the management server or other MOM agents to communicate with ISA Server on additional ports. Failed attempts to monitor services or roles on the ISA Server computer by the MOM management server or by the MOM agent are displayed in the MOM Operator Console and in ISA Server Monitoring.