Microsoft Internet Security and Acceleration Server 2000

Configuring the ISA Server policy for the organization

After setting up the server, the administrator considers the organization's business needs: who requires access to the Internet, and to what. These needs are mapped to an ISA Server policy, which the administrator configures either by scripting or by using ISA Management. For this example, assume that the corporation includes three departments: Sales, Research and Development, and Human Resources. The organization stipulates that Sales and Research and Development be allowed unlimited HTTP access, but only to a specific list of Web sites. The Human Resources department is allowed HTTP access after hours. In addition, all employees can access Windows Media applications after hours, but at a lower bandwidth priority.

The administrator configures an array policy, creating a set of access policy rules that allow or limit access, in accordance with the scenario described above. The administrator follows the steps shown below to implement the policy.

Note: The relevant portion of the administrator's script is shown for each step. Each portion could be run as an independent script because it creates the root object by using the code:

Set objFPC = CreateObject("FPC.root")

Each script also includes definitions of enumerated values. Where appropriate, each script creates an object "objMyArray" that is equal to the array on which the script is run:

Set objMyArray = objFPC.Arrays.GetContainingArray

If the script were to be run as a single script, you would only have to create the root object once, define each enumerated value once, and create the array object once. The complete firewall policy script is shown at the end of this topic.

  1. Set the enterprise policy default settings to Use array policy.
    Sub SetMyPolicy()
    'fpcArrayPolicyUsed is an FPC enumerated value; when this step runs as a
    'stand-alone script, define it as a Const with the value from the ISA Server SDK
    'Create the root object
    Set objFPC = CreateObject("FPC.root")
    objFPC.Enterprise.SetPolicy fpcArrayPolicyUsed
    'Save your changes
    objFPC.Enterprise.Save
    End Sub
    SetMyPolicy
    
  2. Create a dial-up entry called Dial to My ISP, and make it the active entry.
    Sub NewDialUpEntry()
    Set objFPC = CreateObject("FPC.root")
    'Get the current array
    Set objMyArray = objFPC.Arrays.GetContainingArray
    'Add the dialup entry
    Set objDialUpEntry = objMyArray.PolicyElements.DialupEntries.Add("Dial to My ISP", "Dialup Network Connection")
    'Set the credentials for the dialup entry (placeholder values; do not leave a
    'real ISP password in clear text in a script that is stored or shared)
    Set objCredentials = objDialUpEntry.Credentials
    objCredentials.UserName = "User Name"
    objCredentials.Password = "Password"
    'Set this entry as the active entry
    objMyArray.PolicyElements.DialupEntries.ActiveEntry = "Dial to My ISP"
    'Save the changes
    objMyArray.Save
    End Sub
    NewDialUpEntry
    
  3. Create a routing rule with the following parameters:
    Sub RoutingRule()
    const fpcAllDestinations = 0
    const fpcPrimaryRouteDirect = 0
    const fpcServeFromCacheIfValidObjectExists = 0
    Set objFPC = CreateObject("FPC.Root")
    Set objMyArray = objFPC.Arrays.GetContainingArray
    'Get the routing rules collection
    Set objRoutingRules = objMyArray.NetworkConfiguration.RoutingRules
    'Add the new routing rule
    Set objRoutingRule = objRoutingRules.Add("New Rule")
    'Configure the new routing rule: all destinations, routed directly,
    'served from the cache when a valid cached object exists
    objRoutingRule.SetDestination fpcAllDestinations
    objRoutingRule.PrimaryRoute.RouteType = fpcPrimaryRouteDirect
    objRoutingRule.UseCacheCondition = fpcServeFromCacheIfValidObjectExists
    'Save the new rule
    objRoutingRule.Save
    
    End Sub
    RoutingRule
    
  4. Configure Firewall chaining as follows:
    Sub FWChaining()
    
    const fpcPrimaryConnection = 0
    Set objFPC = CreateObject("FPC.Root")
    Set objMyArray = objFPC.Arrays.GetContainingArray
    'Create and configure the firewall chaining object
    Set objFirewallChaining = objMyArray.NetworkConfiguration.FirewallChaining
    objFirewallChaining.ForwardType = fpcPrimaryConnection
    objFirewallChaining.ChainingAutoDialOut.EnableAutoDial = True
    'Save the change
    objFirewallChaining.Save
    
    End Sub
    FWChaining
    
  5. Create three client address sets, one for each of the departments. Each set should include the users or IP addresses for the department. Example ranges are used here.
    Sub ClientSets()
    
    Set objFPC = CreateObject("FPC.Root")
    Set MyClientSets = objFPC.Arrays.GetContainingArray.PolicyElements.ClientAddressSets
    'Add the client address set for Sales
    Set MyClientSet = MyClientSets.Add("Sales")
    'Add a range of IP addresses to the client address set (example range)
    MyClientSet.Add "111.111.111.111", "111.111.111.115"
    'Add the client address set for Research and Development
    Set MyClientSet = MyClientSets.Add("Research and Development")
    'Add a range of IP addresses to the client address set (example range)
    MyClientSet.Add "111.111.111.121", "111.111.111.125"
    'Add the client address set for HR
    Set MyClientSet = MyClientSets.Add("HR")
    'Add a range of IP addresses to the client address set (example range)
    MyClientSet.Add "111.111.111.131", "111.111.111.135"
    'Save your changes
    MyClientSets.Save
    End Sub
    ClientSets
    
  6. Create a schedule called After Hours.
    Sub NewSchedule()
    Set objFPC = CreateObject("FPC.Root")
    'Get the schedule collection of the current array
    Set MySchedules = objFPC.Arrays.GetContainingArray.PolicyElements.Schedules
    'Add the new schedule
    Set objNewSchedule = MySchedules.Add("After Hours")
    'Set the schedule times to all week, after normal work hours (5 P.M. to 6 A.M.)
    'fpcALL_WEEK, fpcPM_5 and fpcAM_6 are FPC enumerated values; define them as
    'Consts with the values from the ISA Server SDK when this step runs stand-alone
    objNewSchedule.Set fpcALL_WEEK, fpcPM_5, fpcAM_6
    'Save your changes
    MySchedules.Save
    
    End Sub
    NewSchedule
    
  7. Create a bandwidth priority called Windows Media Bandwidth, with the outbound bandwidth and the inbound bandwidth set to 10.
    Sub BWPriority()
    
    Set objFPC  = CreateObject ("FPC.Root")
    'Get the bandwidth priority collection
    Set BandwidthPriorities = objFPC.Arrays.GetContainingArray.PolicyElements.BandwidthPriorities
    ' Add new bandwidth priority
    Set objNewBandwidthPriority = BandwidthPriorities.Add("Windows Media Bandwidth", 10, 10)
    'Save your changes
    BandwidthPriorities.Save
    
    End Sub
    BWPriority
    
  8. Create a protocol rule with the following settings:
    Sub ProtocolRule1()
    
    Set objFPC  = CreateObject ("FPC.Root")
    const fpcActionAllow = 0
    const fpcAppliesToClientSets = 2
    const fpcSpecifiedProtocols = 1
    const fpcArrayScope = 0
    
    Set objMyArray = objFPC.Arrays.GetContainingArray
    'Get the protocol rules collection
    Set ProtocolRules = objMyArray.ArrayPolicy.ProtocolRules
    'Add a new protocol rule
    Set ProtocolRule = ProtocolRules.Add ("HTTP Rule 1")
    'Configure the rule
    ProtocolRule.Action = fpcActionAllow
    ProtocolRule.AppliesToMethod = fpcAppliesToClientSets
    ProtocolRule.Enabled = True
    ProtocolRule.ProtocolSelectionMethod = fpcSpecifiedProtocols
    ProtocolRule.SpecifiedProtocols.Add ("HTTP")
    ProtocolRule.SetAppliesAlways()
    Set MyClientSets = ProtocolRule.ClientAddressSetsUsed
    MyClientSets.Add "Sales", "", fpcArrayScope
    MyClientSets.Add "Research and Development", "", fpcArrayScope
    'Save the change
    ProtocolRule.Save
    
    End Sub
    ProtocolRule1
    
  9. Create a protocol rule with the following settings:
    Sub ProtocolRule2()
    
    Set objFPC  = CreateObject ("FPC.Root")
    const fpcActionAllow = 0
    const fpcAppliesToClientSets = 2
    const fpcSpecifiedProtocols = 1
    const fpcArrayScope = 0
    
    Set objMyArray = objFPC.Arrays.GetContainingArray
    'Get the protocol rules collection
    Set ProtocolRules = objMyArray.ArrayPolicy.ProtocolRules
    'Add a new protocol rule
    Set ProtocolRule = ProtocolRules.Add ("HTTP Rule 2")
    'Configure the rule
    ProtocolRule.Action = fpcActionAllow
    ProtocolRule.AppliesToMethod = fpcAppliesToClientSets
    ProtocolRule.Enabled = True
    ProtocolRule.ProtocolSelectionMethod = fpcSpecifiedProtocols
    ProtocolRule.SpecifiedProtocols.Add ("HTTP")
    ProtocolRule.SetSchedule( "After Hours")
    Set MyClientSets = ProtocolRule.ClientAddressSetsUsed
    MyClientSets.Add "HR", "", fpcArrayScope
    'Save the change
    ProtocolRule.Save
    
    End Sub
    ProtocolRule2
    
  10. Create a protocol rule with the following settings:
    Sub ProtocolRule3()
    
    Set objFPC  = CreateObject ("FPC.Root")
    const fpcActionAllow = 0
    const fpcAppliesToAll = 0
    const fpcSpecifiedProtocols = 1
    const fpcArrayScope = 0
    
    Set objMyArray = objFPC.Arrays.GetContainingArray
    'Get the protocol rules collection
    Set ProtocolRules = objMyArray.ArrayPolicy.ProtocolRules
    'Add a new protocol rule
    Set ProtocolRule = ProtocolRules.Add ("Windows Media Rule 2")
    'Configure the rule
    ProtocolRule.Action = fpcActionAllow
    ProtocolRule.AppliesToMethod = fpcAppliesToAll 
    ProtocolRule.Enabled = True
    ProtocolRule.ProtocolSelectionMethod = fpcSpecifiedProtocols
    'To specify the Windows Media protocol, you need the GUID of the Streaming Media Filter
    ProtocolRule.SpecifiedProtocols.Add "MMS - Windows Media","{473ED0E1-6371-4ED2-9F95-A676B66659A2}",fpcArrayScope
    ProtocolRule.SetSchedule( "After Hours")
    'Save the change
    ProtocolRule.Save
    
    End Sub
    ProtocolRule3
    
  11. Create a site and content rule with the following settings:
    Sub DestinationSet()
    'First create the destination set if it doesn't exist already
    'This example includes a single site, so this rule could be very restrictive!
    Set objFPC = CreateObject("FPC.Root")
    'Get the destination sets collection
    Set MyFPCDestinationSets = objFPC.Arrays.GetContainingArray.PolicyElements.DestinationSets
    'Add a new set to the collection
    Set MyFPCDestinationSet = MyFPCDestinationSets.Add("Approved Sites")
    'Add a new destination to the set
    Set MyFPCDestination = MyFPCDestinationSet.Add("www.sports.microsoft.com")
    'Save your changes
    MyFPCDestinationSets.Save
    
    End Sub
    DestinationSet
    
    Sub SiteAndContent()
    'Now create the site and content rule
    const fpcSpecifiedDestinationSet = 3
    const fpcRuleActionPermit = 0
    const fpcAppliesToClientSets = 2
    const fpcArrayScope = 0
    
    Set objFPC = CreateObject("FPC.Root")
    Set objMyArray = objFPC.Arrays.GetContainingArray
    'Get the site and content rules collection
    Set MySiteAndContentRules = objMyArray.ArrayPolicy.SiteAndContentRules
    
    'Add new rule object
    Set NewSiteAndContentRule = MySiteAndContentRules.Add("Site Restriction Rule")
    'Configure the site and content rule
    NewSiteAndContentRule.Description = "Allow only corporate-approved sites"
    NewSiteAndContentRule.SetDestination fpcSpecifiedDestinationSet, "Approved Sites"
    NewSiteAndContentRule.SetAppliesAlways
    NewSiteAndContentRule.Action = fpcRuleActionPermit
    NewSiteAndContentRule.AppliesToMethod = fpcAppliesToClientSets
    
    'The rule applies only to the Sales and Research and Development client sets
    Set MyClientSets = NewSiteAndContentRule.ClientAddressSetsUsed
    MyClientSets.Add "Sales", "", fpcArrayScope
    MyClientSets.Add "Research and Development", "", fpcArrayScope
    'Save your changes
    MySiteAndContentRules.Save
    
    End Sub
    SiteAndContent
    
  12. Create a bandwidth rule with the following settings:
    Sub BWRule()
    
    const fpcSpecifiedProtocols = 1
    const fpcAllDestinations = 0
    const fpcAppliesToAll = 0
    const fpcAppliesToAllContent = 0
    const fpcArrayScope = 0
    
    Set objFPC = CreateObject("FPC.Root")
    Set objMyArray = objFPC.Arrays.GetContainingArray
    'Get the bandwidth rules collection
    Set BandwidthRules = objMyArray.BandwidthRules
    'Add a rule
    Set BandwidthRule = BandwidthRules.Add("Bandwidth Rule 1")
    'The following seven lines define the bandwidth rule
    BandwidthRule.ProtocolSelectionMethod = fpcSpecifiedProtocols
    'To specify the Windows Media protocol, you need the GUID of the Streaming Media Filter
    BandwidthRule.SpecifiedProtocols.Add "MMS - Windows Media", "{473ED0E1-6371-4ED2-9F95-A676B66659A2}", fpcArrayScope
    BandwidthRule.SetSchedule "After Hours"
    BandwidthRule.SetDestination fpcAllDestinations
    BandwidthRule.AppliesToMethod = fpcAppliesToAll
    BandwidthRule.AppliesToContentMethod = fpcAppliesToAllContent
    BandwidthRule.SetBandwidthPriority False, "Windows Media Bandwidth"
    'Save the rule
    BandwidthRule.Save
    
    End Sub
    BWRule
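As an added illustration (not ISA Server code and not part of the original topic), the following Python model evaluates the access policy the steps above create in the way ISA Server 2000 combines rule types: an outgoing Web request passes only when some protocol rule and some site and content rule both allow it. It assumes the Site Restriction Rule from step 11 is the array's only site and content rule (the default Allow rule has been removed), the example IP ranges from step 5, and the After Hours schedule of 5 P.M. to 6 A.M. every day.

```python
from ipaddress import ip_address

# Policy elements from the scripts above (constructed example ranges and site).
CLIENT_SETS = {
    "Sales": ("111.111.111.111", "111.111.111.115"),
    "Research and Development": ("111.111.111.121", "111.111.111.125"),
    "HR": ("111.111.111.131", "111.111.111.135"),
}
DESTINATION_SETS = {"Approved Sites": {"www.sports.microsoft.com"}}

def after_hours(hour):
    """The 'After Hours' schedule: 5 P.M. to 6 A.M., every day of the week."""
    return hour >= 17 or hour < 6

# Protocol rules: (protocol, client sets the rule applies to or None for all, schedule)
PROTOCOL_RULES = [
    ("HTTP", ["Sales", "Research and Development"], lambda hour: True),  # HTTP Rule 1
    ("HTTP", ["HR"], after_hours),                                       # HTTP Rule 2
    ("MMS - Windows Media", None, after_hours),                          # Windows Media Rule 2
]
# Site and content rules: (destination set, client sets the rule applies to)
SITE_RULES = [("Approved Sites", ["Sales", "Research and Development"])]

def in_client_set(name, ip):
    low, high = CLIENT_SETS[name]
    return ip_address(low) <= ip_address(ip) <= ip_address(high)

def rule_applies(client_sets, ip):
    return client_sets is None or any(in_client_set(s, ip) for s in client_sets)

def protocol_allowed(ip, protocol, hour):
    """True when some protocol rule allows this protocol for this client at this hour."""
    return any(proto == protocol and rule_applies(sets, ip) and schedule(hour)
               for proto, sets, schedule in PROTOCOL_RULES)

def site_allowed(ip, host):
    """True when some site and content rule permits this client to reach this host."""
    return any(host in DESTINATION_SETS[dest] and rule_applies(sets, ip)
               for dest, sets in SITE_RULES)

def web_request_allowed(ip, host, hour):
    """ISA Server passes an HTTP request only when both rule types allow it."""
    return protocol_allowed(ip, "HTTP", hour) and site_allowed(ip, host)

if __name__ == "__main__":  # constructed sample requests: Sales at 10:00, HR at 20:00
    for ip, host, hour in [("111.111.111.112", "www.example.com", 10),
                           ("111.111.111.132", "www.sports.microsoft.com", 20)]:
        print(ip, host, hour, "allowed" if web_request_allowed(ip, host, hour) else "denied")
```

Under that assumption an HR client never passes the site and content check, even after hours, because the rule from step 11 applies only to the Sales and Research and Development client sets.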