Running a script to manage IPv6 in Forefront TMG

Updated: February 1, 2011

Applies To: Unified Access Gateway

Forefront Threat Management Gateway (TMG) system policy rules contain a set of predefined access rules that control access between the local host network (the Forefront TMG server) and other networks. Forefront TMG does not automatically grant access for certain protocols contained in rules using domain name sets. By running the ConfigureLocalhostToIPv6Policy script, you can make changes to policy rules to enable these protocols, or to restrict access from the local host for security reasons. This topic describes how to make the required changes to Forefront TMG rules that allow or deny outbound IPv6 traffic to your corpnet.

By default, Forefront TMG allows access to all corpnet-bound IPv6 traffic, with the exception of the following protocols contained in rules using domain name sets:

Protocol                                             Port
HTTP                                                 80
HTTPS                                                443
Microsoft Operations Manager Agent                   1270
System Center Operation Manager 2007 Agent           5723
System Center Operation Manager Agent Installation   5724
MS Firewall Control                                  3847
MS Firewall Storage                                  2171, 2174
Forefront Protection Manager WS                      1961

Using the ConfigureLocalhostToIPv6Policy script, you can make changes to:

  • Enable all IPv6 traffic from local host to the corpnet.

  • Enable or disable specific protocols and their destinations.

The following procedure describes how to use the ConfigureLocalhostToIPv6Policy script to make changes to Forefront TMG policy rules.

To use the ConfigureLocalhostToIPv6Policy script

  1. On the taskbar, click Start, click All Programs, click Accessories, click Windows PowerShell, right-click Windows PowerShell, and then click Run as administrator.

  2. From the command prompt, run the ConfigureLocalhostToIPv6Policy script with the required usage.

    Note

    The script is located in the \Program Files\Microsoft Forefront Unified Access Gateway\utils\TMGIPv6Policy folder.

    1. Type ConfigureLocalhostToIPv6Policy.vbs AllowAllLocalhostToIPv6 to allow all IPv6 traffic from the local host to the corpnet. This script usage:

      1. Enables the DirectAccess mode: Allow IPv6 traffic from Local Host rule by adding the Anywhere IPv6 range to the destination range.

      2. Adds the Anywhere IPv6 destination range to the IPv6 Computer Set for rules using domain name sets.

    2. Type ConfigureLocalhostToIPv6Policy.vbs DisableAllLocalhostToIPv6 to disable IPv6 traffic from the local host to the corpnet. This script usage:

      1. Disables the DirectAccess mode: Allow IPv6 traffic from Local Host system rule.

      2. Clears the computer set used as the destination in rules using domain name sets.

      3. Deletes all user rules created by the script.

    3. Type ConfigureLocalhostToIPv6Policy.vbs add <"protocol"> <from IP> <to IP> to add a protocol applied to a specific IPv6 range.

      Note

      When specifying the protocol, you must use the full Forefront TMG protocol name.

      This script usage:

      1. Disables the DirectAccess mode: Allow IPv6 traffic from Local Host system rule by clearing the destination range.

      2. Creates a new system rule DirectAccess mode: Allow IPv6 traffic from Forefront TMG to IPv6 networks for the outbound IPv6 infrastructure protocols, if the rule does not already exist.

      3. Creates an empty computer set to be used by rules using domain name sets.

      Note

      • If a protocol is defined in rules using domain name sets, the script adds a destination range to the computer sets used by all rules using domain name sets.

      • If the protocol is not defined in the rules using domain name sets, the script creates a user rule with the protocol and destination range. The rule's name is in the format: "DirectAccess mode: Allow IPv6 traffic from Forefront TMG IPv6 range <From IP>-<To IP> for protocol <ProtocolName> <Current time>".

        For example, if the script is run as: ConfigureLocalhostToIPv6Policy.vbs add smtp :: ffff.ffff.ffff.ffff::ffff, the rule name that is created is: DirectAccess mode: Allow IPv6 traffic from Forefront TMG IPv6 range :: ffff.ffff.ffff.ffff::ffff for protocol smtp.

    4. Type ConfigureLocalhostToIPv6Policy.vbs delete <"protocol"> <from IP> <to IP> to delete a protocol applied to a specific IPv6 range. This script usage:

      1. Disables the DirectAccess mode: Allow IPv6 traffic from Local Host system rule by clearing the destination range.

      2. Creates a new system rule DirectAccess mode: Allow IPv6 traffic from Forefront TMG to IPv6 networks for the outbound IPv6 infrastructure protocols, if the rule does not already exist.

      3. Creates a computer set to be used by rules using domain name sets, if one does not already exist.

        Note

        • If a protocol is defined in the rules using domain name sets, the script removes all exact ranges from the computer set used by rules using domain name sets.

        • If the protocol is not defined in the rules using domain name sets, the script deletes all user rules with the protocol and exact destination range.
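The add usage from step 3, wrapped so that only named protocols are opened to one checked IPv6 range instead of allowing all IPv6 traffic from the local host. This is an added example, not part of the original topic or of Microsoft's script. Assumptions: the product is installed under $env:ProgramFiles, the .vbs file is run through cscript.exe, the function names are hypothetical, and the 2001:db8 range is a constructed documentation range.

```powershell
# Added example (not Microsoft's code). Run from the elevated PowerShell window in step 1.
# Assumption: the folder named in the Note sits under $env:ProgramFiles.
$PolicyDir    = Join-Path $env:ProgramFiles 'Microsoft Forefront Unified Access Gateway\utils\TMGIPv6Policy'
$PolicyScript = Join-Path $PolicyDir 'ConfigureLocalhostToIPv6Policy.vbs'

function ConvertTo-IPv6Bytes([string]$Text) {
    # Reject anything that does not parse as an IPv6 address before it reaches the script.
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Text, [ref]$ip) -or
        $ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "Not an IPv6 address: $Text"
    }
    return ,$ip.GetAddressBytes()
}

function Test-IPv6Range([string]$From, [string]$To) {
    # True when From <= To, compared byte by byte in network order.
    $a = ConvertTo-IPv6Bytes $From
    $b = ConvertTo-IPv6Bytes $To
    for ($i = 0; $i -lt 16; $i++) {
        if ($a[$i] -lt $b[$i]) { return $true }
        if ($a[$i] -gt $b[$i]) { return $false }
    }
    return $true   # identical addresses: a single-address range
}

function Add-LocalhostIPv6Protocol {
    param([string[]]$Protocol, [string]$From, [string]$To, [switch]$DryRun)
    if (-not (Test-IPv6Range $From $To)) { throw "Range start $From is above range end $To" }
    if (-not $DryRun -and -not (Test-Path -LiteralPath $PolicyScript)) {
        throw "Script not found: $PolicyScript"
    }
    foreach ($p in $Protocol) {
        # Each element is passed as one argument, so names containing spaces stay intact.
        $cscriptArgs = @('//nologo', $PolicyScript, 'add', $p, $From, $To)
        if ($DryRun) { 'cscript.exe ' + ($cscriptArgs -join ' '); continue }   # display only
        & cscript.exe @cscriptArgs
        if ($LASTEXITCODE -ne 0) { Write-Warning "cscript exited with code $LASTEXITCODE for protocol '$p'" }
    }
}

# Protocol names are taken from the table above; the range is constructed.
Add-LocalhostIPv6Protocol -Protocol 'HTTPS', 'MS Firewall Control' `
    -From '2001:db8:0:1::' -To '2001:db8:0:1:ffff:ffff:ffff:ffff' -DryRun
```

Remove -DryRun to apply the change, and pass the same protocol and range to the delete usage to revert it.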