To create an alert event
| Microsoft Internet Security and Acceleration Server 2000 |
To inform the system administrator that it found a message containing a string it was seeking, the filter must use an event-raising mechanism. This requires the filter to define an event and make the event available to the administrator through the filter registration process. This event should not be confused with a firewall event. For information on alerts, see Adding a Custom Event and Alert.
The filter must define an alert event, which it will signal whenever a string is found.
Definition of the event should take place during registration of the filter with the Firewall service because you want the administrator to be able to define alerts using this event. When the filter is unregistered, it should remove this event definition. However, the alert for the event should be removed first, or the event removal will fail. If the event is not removed, then when the filter is re-registered, you will receive an error for attempting to create a file that already exists.
To create an alert event
#define FILTER_EVENT_NAME_STRING "SMTP Filter Event" #define FILTER_EVENT_DESCRIPTION_STRING "SMTP Filter Event"
Add the code shown in bold to the function RegisterFWXFilter in SMTPFLTR.cpp:
MSFPCCOM::IFPCFilterProtocolPtr comptrIFPCFilterProtocol; MSFPCCOM::IFPCPtr comptrIFPC; MSFPCCOM::IFPCEventDefinitionPtr comptrIFPCEventDefinition; //Create an instance of ISA admin object comptrIFPC.CreateInstance(MSFPCCOM::CLSID_FPC); CComPtr<IFWXFilterAdmin> pIFWXFilterAdmin; hr = CoCreateInstance (CLSID_FWXFilterAdmin, NULL, CLSCTX_SERVER, IID_IFWXFilterAdmin, (LPVOID *) &pIFWXFilterAdmin); if (FAILED(hr)) return hr; //Create an instance of the ISA admin object. The Scope parameter is used to select the right object: //For enterprise scope, use CLSID_FPCDS; otherwise use CLSID_FPC. hr = comptrIFPC.CreateInstance((Scope == fwx_EnterpriseScope) ? MSFPCCOM::CLSID_FPCDS : MSFPCCOM::CLSID_FPC); if (FAILED(hr)) return hr;
The following code shown in bold should be added to the registration code in the try-catch block:
try
{
//Create a new event for this filter. The reason this
//code is inside a try-catch block is that if this event
//already exists, an exception will be raised
comptrIFPCEventDefinition =
comptrIFPC->Arrays->GetContainingArray()->PolicyElements->EventDefinitions->Add(FILTER_EVENT_DESCRIPTION_STRING,_bstr_t(FILTER_GUID_STRING),NULL);
comptrIFPCEventDefinition->Description = FILTER_EVENT_DESCRIPTION_STRING;
comptrIFPCEventDefinition->Name = FILTER_EVENT_NAME_STRING;
comptrIFPCEventDefinition->Save();
}
catch(_com_error& err)
{
//If the event already exists, it is not considered an error
if(err.Error() != HRESULT_FROM_WIN32(ERROR_ALREADY_EXISTS))
return err.Error();
}
The following should be added to the unregistration code of the RegisterFWXFilter function:
//Remove the event comptrIFPC->Arrays->GetContainingArray()->PolicyElements->EventDefinitions->Remove(FILTER_GUID_STRING); //Save the change comptrIFPC->Arrays->GetContainingArray()->PolicyElements->EventDefinitions->Save();
See the ISA product documentation for help in creating a new alert.
To raise an event the filter must use the alert service API.
#import "alertsrv.tlb" rename_namespace("ALERTSRVLib") named_guids
ALERTSRVLib::IFpcAlertNotificationPtr m_comptrIFPCAlertNotification;
hr=m_comptrIFPCAlertNotification.CreateInstance(ALERTSRVLib::CLSID_FpcAlertNotification);
Now the filter can call the IFPCAlertNotification::SignalEvent method of this object to signal when the event occurs.