Using Protocol Groups

Access rules can be configured to apply to all IP traffic, only to certain protocols, or to all IP traffic except certain protocols. If you want several access rules to apply to the same set of protocols, you can maintain a protocol group in the form of a list of protocols (names of FPCProtocolDefinition objects) in a text file and then configure each rule to apply to the protocol group by setting the rule’s ProtocolSelectionMethod property to fpcSpecifiedProtocols, reading the names of the protocols from the file, and adding them to the collection of specified protocols to which the rule applies.

The Microsoft Visual Basic Scripting Edition (VBScript) code in AddProtocolsToRule.vbs (listed later in this Web page) configures the specified access rule to apply to the group of protocols listed in a text file specified by the user. This script must be run on an ISA Server computer with the Microsoft Firewall service installed, but it can be modified to run on a remote management computer.

Usage: CScript AddProtocolsToRule.vbs FileName RuleName

FileName specifies the name of the text file containing the protocol group.

RuleName specifies the name of the access rule to which the protocols will apply.

To configure an access rule to apply to a protocol group stored in a text file

  1. Retrieve the name of the text file containing the protocol group and the name of the access rule that is to apply to the protocols listed in the file from the command-line arguments.

  2. Create an instance of the FPC COM object, which is known as the root object and provides access to the other ISA Server administration COM objects.

  3. Declare an FPCArray object, an FPCPolicyRules collection, an FPCPolicyRule object, an FPCProtocolDefinitions collection, an FPCRefs collection, a FileSystem object, and a TextStream object.

  4. Get references to the array object, the policy rules collection, and the protocol definitions collection.

  5. Try to retrieve the specified rule from the policy rules collection.

  6. Verify that the specified rule is an access rule by checking that its Type property is set to fpcPolicyRuleAccess.

  7. Set the rule’s ProtocolSelectionMethod property to fpcSpecifiedProtocols, if this property is not set to this value.

  8. Retrieve the FPCRefs collection for storing references to the specified protocols from the SpecifiedProtocols property of the access rule and remove any references found in it.

  9. Create an instance of the FileSystem object, and get a reference to the TextStream object for reading the text file containing the protocol group.

  10. In a Do While loop, read each line of the text file into a string and then call the Add method of the FPCRefs collection retrieved from the SpecifiedProtocols property of the access rule to add a reference to the FPCProtocolDefinition object specified by the string to the collection.

  11. Call the Save method on the access rule to write the changes to persistent storage.

Script Listing: AddProtocolsToRule.vbs

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script configures the specified access rule to apply to the group of
' protocols listed in a text file specified by the user.
' This script has minimal error checking.
' Note that the text file must contain a list of protocols with the name of
' each protocol on a separate line.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Option Explicit

' Define the constants needed.
Const Error_FileNotFound = &H80070002
Const fpcPolicyRuleAccess = 0       ' FpcPolicyRuleTypes: access rule
Const fpcSpecifiedProtocols = 1     ' FpcProtocolSelectionType: listed protocols only
Const ForReading = 1                ' FileSystemObject open mode
Const fpcInclude = 0                ' FpcIncludeExcludeFlag: include the reference

Main(WScript.Arguments)

Sub Main(args)
    If (2 <> args.Count) Then
        Usage()
    End If
    AddProtocolsToRule args(0), args(1)
End Sub

Sub AddProtocolsToRule(fileName, ruleName)
    ' Create the root object.
    Dim root ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim isaArray            ' An FPCArray object
    Dim rules               ' An FPCPolicyRules collection
    Dim rule                ' An FPCPolicyRule object
    Dim protocols           ' An FPCProtocolDefinitions collection
    Dim specifiedProtocols  ' An FPCRefs collection
    Dim fso                 ' A FileSystem object
    Dim fileStream          ' A TextStream object
    Dim textRead            ' A String

    ' Get references to the array object, the policy rules collection,
    ' and the protocol definitions collection.
    Set isaArray = root.GetContainingArray()
    Set rules = isaArray.ArrayPolicy.PolicyRules
    Set protocols = isaArray.RuleElements.ProtocolDefinitions

    ' Retrieve the specified policy rule.
    On Error Resume Next
    Set rule = rules(ruleName)
    If Err.Number = Error_FileNotFound Then
        WScript.Echo "The access rule " & ruleName & " could not be found."
        WScript.Quit
    End If
    Err.Clear
    On Error GoTo 0

    ' Verify that the specified rule is an access rule.
    If rule.Type <> fpcPolicyRuleAccess Then
        WScript.Echo "The " & ruleName & " policy rule is not an access rule."
        WScript.Quit
    End If

    WScript.Echo "Configuring the rule to apply to a group of protocols ..."
    ' Make the rule apply only to the protocols listed in SpecifiedProtocols,
    ' if it is not already configured that way.
    If rule.AccessProperties.ProtocolSelectionMethod <> fpcSpecifiedProtocols Then
        rule.AccessProperties.ProtocolSelectionMethod = fpcSpecifiedProtocols
    End If

    ' Retrieve the collection for storing references to the specified protocols
    ' and remove any references found in it.
    Set specifiedProtocols = rule.AccessProperties.SpecifiedProtocols
    If specifiedProtocols.Count > 0 Then
        specifiedProtocols.RemoveAll
    End If

    ' Read the protocol group, one protocol name per line.
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set fileStream = fso.OpenTextFile(fileName, ForReading)
    Do While fileStream.AtEndOfStream <> True
        textRead = Trim(fileStream.ReadLine)
        If textRead <> "" Then
            ' Look the name up in the protocol definitions. An undefined name
            ' raises an error; report it and skip the line. Err is cleared
            ' before the lookup so a stale error cannot leak into this check.
            On Error Resume Next
            Err.Clear
            protocols.Item textRead
            If Err.Number <> 0 Then
                WScript.Echo "The " & textRead & " protocol is not" & _
                             " defined in ISA Server."
                Err.Clear
            Else
                specifiedProtocols.Add textRead, fpcInclude
            End If
            On Error GoTo 0
        End If
    Loop
    fileStream.Close

    ' Save the changes to the access rule.
    rule.Save
    WScript.Echo "Done!"
End Sub

Sub Usage()
    WScript.Echo "Usage:" & VbCrLf _
        & " " & WScript.ScriptName & " FileName RuleName" & VbCrLf _
        & "" & VbCrLf _
        & " FileName - Text file containing the list of protocols" & VbCrLf _
        & " RuleName - Access rule to which the protocols are to apply"
    WScript.Quit
End Sub
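The listing above reports a protocol name it cannot find but still saves the rule, so a misspelled line in the group file silently narrows the rule: for a deny rule that means the misspelled protocol is no longer blocked. The following read-only companion script is an added example (it is not part of the ISA Server SDK or of the page's listing) that audits an access rule against its protocol group file: it validates every name in the file and then reports protocols missing from or extra in the rule's SpecifiedProtocols collection. It uses the same COM objects as AddProtocolsToRule.vbs and, like it, must run on an ISA Server computer with the Firewall service installed. Two points are assumptions of this example rather than facts from the page: that each FPCRef in the collection exposes the referenced protocol's name through a Name property, and that lines starting with '#' in the group file are comments.

```vbscript
' CheckProtocolGroupRule.vbs (added example; not part of the ISA Server SDK)
' Read-only check: compares the protocols an access rule currently applies to
' against the protocol group in a text file and reports any drift, including
' names in the file that AddProtocolsToRule.vbs would silently skip.
' Usage: CScript CheckProtocolGroupRule.vbs FileName RuleName
' Exit code: 0 = rule matches the file, 1 = drift found, 2 = usage/lookup error.
Option Explicit

Const fpcPolicyRuleAccess = 0      ' FpcPolicyRuleTypes: access rule
Const fpcSpecifiedProtocols = 1    ' FpcProtocolSelectionType: listed protocols only
Const ForReading = 1

Main WScript.Arguments

Sub Main(args)
    If args.Count <> 2 Then
        WScript.Echo "Usage: " & WScript.ScriptName & " FileName RuleName"
        WScript.Quit 2
    End If
    WScript.Quit CheckProtocolGroupRule(args(0), args(1))
End Sub

Function CheckProtocolGroupRule(fileName, ruleName)
    Dim root, isaArray, rule, protocols, ref, key, wanted, actual, drift
    Set root = CreateObject("FPC.Root")
    Set isaArray = root.GetContainingArray()
    Set protocols = isaArray.RuleElements.ProtocolDefinitions

    On Error Resume Next
    Set rule = isaArray.ArrayPolicy.PolicyRules(ruleName)
    If Err.Number <> 0 Then
        WScript.Echo "The access rule " & ruleName & " could not be found."
        WScript.Quit 2
    End If
    On Error GoTo 0
    If rule.Type <> fpcPolicyRuleAccess Then
        WScript.Echo "The " & ruleName & " policy rule is not an access rule."
        WScript.Quit 2
    End If

    ' Expected set: the protocol group file. Undefined names count as drift.
    drift = 0
    Set wanted = LoadProtocolGroup(fileName, protocols, drift)

    ' Actual set: a rule applying to all IP traffic (or all except some
    ' protocols) never matches a group, so report that and stop.
    If rule.AccessProperties.ProtocolSelectionMethod <> fpcSpecifiedProtocols Then
        WScript.Echo "DRIFT: " & ruleName & " is not restricted to a protocol list."
        CheckProtocolGroupRule = 1
        Exit Function
    End If
    Set actual = CreateObject("Scripting.Dictionary")
    actual.CompareMode = vbTextCompare       ' protocol names are case-insensitive
    For Each ref In rule.AccessProperties.SpecifiedProtocols
        ' Assumption: FPCRef.Name is the name of the referenced protocol.
        If Not actual.Exists(ref.Name) Then actual.Add ref.Name, True
    Next

    For Each key In wanted.Keys
        If Not actual.Exists(key) Then
            WScript.Echo "MISSING from rule: " & key
            drift = drift + 1
        End If
    Next
    For Each key In actual.Keys
        If Not wanted.Exists(key) Then
            WScript.Echo "EXTRA in rule: " & key
            drift = drift + 1
        End If
    Next

    WScript.Echo drift & " difference(s) found for rule " & ruleName & "."
    If drift = 0 Then CheckProtocolGroupRule = 0 Else CheckProtocolGroupRule = 1
End Function

' Reads one protocol name per line (blank lines and '#' comments ignored) into
' a case-insensitive Dictionary, validating each name against the array's
' protocol definitions. drift is passed ByRef and incremented per bad name.
Function LoadProtocolGroup(fileName, protocols, drift)
    Dim fso, stream, line, names
    Set names = CreateObject("Scripting.Dictionary")
    names.CompareMode = vbTextCompare
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set stream = fso.OpenTextFile(fileName, ForReading)
    Do While Not stream.AtEndOfStream
        line = Trim(stream.ReadLine)
        If line <> "" And Left(line, 1) <> "#" Then
            On Error Resume Next
            Err.Clear
            protocols.Item line                ' raises if the name is undefined
            If Err.Number <> 0 Then
                WScript.Echo "UNDEFINED in file: " & line & " (would be skipped)"
                drift = drift + 1
            ElseIf Not names.Exists(line) Then
                names.Add line, True
            End If
            On Error GoTo 0
        End If
    Loop
    stream.Close
    Set LoadProtocolGroup = names
End Function
```

Running this check after AddProtocolsToRule.vbs, or on a schedule against every rule bound to a group file, catches both a typo in the file and a later change made to the rule in the management console. The non-zero exit code makes it easy to wire into a scheduled task that alerts on drift.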