Controlling Access by a Schedule and a User Set

This VBScript example creates the user set, URL set, and access rules needed to allow a specific group of workers in an organization restricted access to the Internet. The group is allowed to access only the sites listed in the URL set and only during the hours specified in the Work hours schedule supplied with Forefront TMG. All other workers using computers that belong to the Internal network are granted unlimited access to the Internet. The script includes three subroutines:

This example is included as the ControlAccessByScheduleAndUserSet.vbs script in the Samples\Admin folder of the Forefront TMG Software Development Kit (SDK).

The following procedure lists the steps used to create a user set, a URL set, and two access rules in the code example that follows.

To control access by a schedule and a user set

  1. Define values from the FpcPolicyRuleActions, FpcIncludeStatus, FpcProtocolSelectionType, and FpcAppliesToContentMethodType enumerations. For more information about using values defined in Forefront TMG enumerated types in scripts, see Using Enumerated Types in Scripts.
  2. Create an instance of the FPC COM object, which provides access to the other Forefront TMG administration COM objects.
  3. Declare an FPCArray object, an FPCPolicyRules collection, two FPCPolicyRule objects, an FPCUserSets collection, an FPCUserSet object, an FPCURLSets collection, and an FPCURLSet object.
  4. Get references to the existing FPCArray object, FPCPolicyRules collection, FPCUserSets collection, and FPCURLSets collection.
  5. Call the RemoveExistingItem subroutine to remove an access rule (an FPCPolicyRule object) named Allow All to Internet Rule if it already exists.
  6. Call the RemoveExistingItem subroutine to remove an access rule named Internal Network Internet Access Deny Rule if it already exists.
  7. Call the RemoveExistingItem subroutine to remove a user set named Staff if it already exists.
  8. Call the Add method of the user sets collection to create a new user set named Staff that will have restricted access to the Internet.
  9. Call the RemoveExistingItem subroutine to remove a URL set named Allowed Web Sites if it already exists.
  10. Call the Add method of the URL sets collection to create a new set of URLs named Allowed Web Sites that will be allowed for users belonging to the Staff users group.
  11. Call the AddAccessRule method of the policy rules collection to create a new access rule named Allow All to Internet Rule that will allow unrestricted access to the Internet to users in the organization.
  12. Configure the Allow All to Internet Rule access rule to apply to the HTTP, HTTPS, and FTP protocols, to the Internal network as the source, to the External network (the Internet) as the destination, to the predefined All Users user set, and to all content types.
  13. Call the AddAccessRule method of the policy rules collection to create a new access rule named Internal Network Internet Access Deny Rule that will deny access to the Internet from the Internal network, except for specific sites, by users belonging to the Staff user set.
  14. Configure the Internal Network Internet Access Deny Rule access rule to apply to the HTTP, HTTPS, and FTP protocols, to the Internal network as the source, to the External network as the destination, to the Allowed Web Sites URL set, to the Staff user set, to the Work hours schedule, and to all content types.
  15. Call the Save method on the policy rules collection to write the changes to the new cache rules to persistent storage.

The following code can be saved to a .vbs file and run from a command prompt on a computer running Forefront TMG with the Microsoft Firewall service installed.

Sub ControlAccessByScheduleAndUserSet()
	' Define users. Replace these fictitious user account names by real
	' user accounts in your organization.
	user1 = "Corporate\Mike"
	user2 = "Coporate\Stephanie"
	' Define enumeration values.
	Const fpcPolicyRuleActionAllow = 0
	Const fpcPolicyRuleActionDeny = 1
	Const fpcInclude = 0
	Const fpcExclude = 1
	Const fpcSpecifiedProtocols = 1
	Const fpcAppliesToAllContent = 0
	' Create the root object.
	Dim root  ' The FPCLib.FPC root object
	Set root = CreateObject("FPC.Root")
	'Declare the other objects needed.
	Dim isaArray	 ' An FPCArray object
	Dim policyrules  ' An FPCPolicyRules collection
	Dim denyrule	 ' An FPCPolicyRule object
	Dim allowrule	' An FPCPolicyRule object
	Dim usersets	 ' An FPCUserSets colection
	Dim userset	' An FPCUserSet object
	Dim urlsets	' An FPCURLSets colection
	Dim urlset	 ' An FPCURLSet object
	' Get references to the array object, the policy rules collection, 
	' the user sets collection, and the URL sets collection.
	Set isaArray = root.GetContainingArray()
	Set policyrules = isaArray.ArrayPolicy.PolicyRules
	Set usersets = isaArray.RuleElements.UserSets
	Set urlsets = isaArray.RuleElements.URLSets
	' If an access rule named "Allow All to Internet Rule" already exists,
	' remove it.
	RemoveExistingItem policyrules, "Allow All to Internet Rule"
	' If an access rule named "Internal Network Internet Access Deny Rule" already exists,
	' remove it.
	RemoveExistingItem policyrules, "Internal Network Internet Access Deny Rule"
	' If a user set named "Staff" already exists, remove it.
	RemoveExistingItem usersets, "Staff"
																																																																																																																																																																																																																																																																																																																																																					
	WScript.Echo "Creating a new user set, Staff, containing the users who are considered staff ..."
	On Error Resume Next
	Set userset = usersets.Add("Staff")
	userset.Accounts.Add user1
	CheckError
	userset.Accounts.Add user2
	CheckError
	usersets.Save
	CheckError
	' If a URL set named "Allowed Web Sites" already exists, remove it.
	Err.Clear
	RemoveExistingItem urlsets, "Allowed Web Sites"
	WScript.Echo "Creating a new URL set containing sites to be allowed ..."
	Set urlset = urlsets.Add("Allowed Web Sites")
	urlset.Add "http://www.northwindtraders.com"
	CheckError
	urlset.Add "http://www.widgets.com"
	CheckError
	urlsets.Save
	CheckError
	WScript.Echo "Creating an allow access rule ..."
	Set allowrule = policyrules.AddAccessRule("Allow All to Internet Rule")
	allowrule.Description = "Allows unrestricted Internet access to all users on break room computers"
	allowrule.Enabled = True
	allowrule.Action = fpcPolicyRuleActionAllow
	'Set the protocols to HTTP, HTTPS, and FTP.
	allowrule.AccessProperties.SpecifiedProtocols.Add "HTTP", fpcInclude
	allowrule.AccessProperties.SpecifiedProtocols.Add "HTTPS", fpcInclude  
	allowrule.AccessProperties.SpecifiedProtocols.Add "FTP", fpcInclude  
	allowrule.AccessProperties.ProtocolSelectionMethod = fpcSpecifiedProtocols
	' Add the Internal network to the objects referenced by the Networks property
	' of the FPCSelectionIPs object accessed through the SourceSelectionIPs property
	' of the access rule.
	allowrule.SourceSelectionIPs.Networks.Add "Internal", fpcInclude
	' Add the External network (the Internet) to the objects referenced by the Networks 
	' property of the FPCSelectionIPs object accessed through the DestinationSelectionIPs
	' property of the access rule.
	allowrule.AccessProperties.DestinationSelectionIPs.Networks.Add "External", fpcInclude
	' Add the All Users user set to the user sets to which the rule applies.
	allowrule.AccessProperties.UserSets.Add "All Users", fpcInclude
	' Configure the rule to apply to all content types. 
	allowrule.AccessProperties.AppliesToContentMethod = fpcAppliesToAllContent 'Default setting
	WScript.Echo "Creating a deny access rule ..."
	Set denyrule = policyrules.AddAccessRule("Internal Network Internet Access Deny Rule")
	denyrule.Description = "Denies access to the Internet from the Internal network, except for specific sites"
	denyrule.Enabled = True
	denyrule.Action = fpcPolicyRuleActionDeny

	'Set the protocols to HTTP, HTTPS, and FTP.
	denyrule.AccessProperties.SpecifiedProtocols.Add "HTTP", fpcInclude
	denyrule.AccessProperties.SpecifiedProtocols.Add "HTTPS", fpcInclude  
	denyrule.AccessProperties.SpecifiedProtocols.Add "FTP", fpcInclude  
	denyrule.AccessProperties.ProtocolSelectionMethod = fpcSpecifiedProtocols
	' Add the Internal network to the objects referenced by the Networks property
	' of the FPCSelectionIPs object accessed through the SourceSelectionIPs property
	' of the access rule.
	denyrule.SourceSelectionIPs.Networks.Add "Internal", fpcInclude
	' Add the External network (the Internet) to the objects referenced by the Networks 
	' property of the FPCSelectionIPs object accessed through the DestinationSelectionIPs
	' property of the access rule.
	denyrule.AccessProperties.DestinationSelectionIPs.Networks.Add "External", fpcInclude
	' Add the Allowed Web Sites URL set to the objects that are referenced by the URLSets 
	' property of the access rule and are excluded from the rule.
	denyrule.AccessProperties.URLSets.Add "Allowed Web Sites", fpcExclude
	' Add the Staff user set to the user sets to which the rule applies.
	denyrule.AccessProperties.UserSets.Add "Staff", fpcInclude
	' Set the Work hours schedule as the schedule applying to the rule.
	denyrule.SetSchedule "Work hours"
	' Configure the rule to apply to all content types.
	denyrule.AccessProperties.AppliesToContentMethod = fpcAppliesToAllContent
	'Save the changes to the new access rules.
	policyrules.Save
	CheckError
	WScript.Echo "Done!"
End Sub 
Sub CheckError()
	If Err.Number <> 0 Then
		WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
		Err.Clear
	End If
End Sub
Sub RemoveExistingItem(collection, name)
	Dim member	 ' Object in the collection
	Err.Clear
	On Error Resume Next
	Set member = collection.Item(name)
	If Err.Number = 0 Then
		WScript.Echo name & " exists. Removing it ..."
		collection.Remove name
		CheckError
		collection.Save
		CheckError
	End If
End Sub
ControlAccessByScheduleAndUserSet

Send comments about this topic to Microsoft

Build date: 11/30/2009

© 2008 Microsoft Corporation. All rights reserved.