The FPCPolicyRule object represents an access rule, a server publishing rule, a Web publishing rule, or a system policy rule.
An access rule defines the action that will be taken when specific users attempt to access specific sites or content by using Forefront TMG. Forefront TMG access rules allow you to define exactly which sites and content can be accessed by clients behind the Forefront TMG computer and which protocols can be used by the clients to gain access. You can specify when an access rule is in effect by applying a schedule to it.
Server publishing processes incoming requests to internal servers, such as Simple Mail Transfer Protocol (SMTP) servers, File Transfer Protocol (FTP) servers, Structured Query Language (SQL) servers, and others. Requests are forwarded downstream to an internal server, located behind the Forefront TMG computer. Server publishing rules determine how server publishing functions, essentially filtering all incoming and outgoing requests through the Forefront TMG computer.
Server publishing rules can be used when there is a network address translation (NAT) relationship defined by a network rule (FPCNetworkRule) between the network on which the clients sending requests to the published server are located (the source network) and the network on which the published server is located (the destination network). A server publishing rule uses secure network address translation (SecureNAT), which allows requests that are sent to an IP address that is valid on the source network to reach an IP address on a protected network behind the Forefront TMG computer. The server publishing rule maps a port number and an IP address (or IP addresses) on the network adapter of the Forefront TMG computer that listens for requests from the clients to a port number and an IP address on the published server. Requests that are sent to the IP address of the Forefront TMG computer and meet the conditions specified by the rule are then redirected to the IP address of the published server. However, only requests that are identified as part of the designated protocol are processed by the server publishing rule and redirected to the published server. Note that the published server must be configured to use the Forefront TMG computer as its default gateway.
If the network rule between the client network and the network where the server is located defines a routing relationship, server publishing rules can be used, but the clients must send requests directly to the IP address of the published server. With a routing relationship, an access rule can also allow the clients to send requests directly to the IP address of a server located on a network behind the Forefront TMG computer.
The definitions of the protocol (or protocols) associated with a server publishing rule or an access rule specify the application filters that are invoked for deeper inspection when the rule allows traffic. In general, application filters can process traffic allowed by a server publishing rule or an access rule, but some application filters process traffic allowed by these types of rules differently. Note that server publishing rules must use protocols defined with inbound primary connections, while access rules usually use protocols defined with outbound primary connections.
A Web publishing rule maps public DNS names and IP addresses to the name or IP address of a Web server located behind the Forefront TMG computer and maps external paths that can be used by users in incoming requests to internal paths of directories on the published Web server. A Web publishing rule also determines how Forefront TMG should handle incoming requests for HTTP objects on the internal Web server and how Forefront TMG should respond on behalf of the internal Web server. Requests are forwarded downstream to the internal Web server. If possible, the requests are serviced from the Forefront TMG cache.
A Web publishing rule defines the response to attempts by outside users to access an internal site. Possible responses include:
A system policy rule is a predefined rule that allows specific types of requests from the Local Host network (the Forefront TMG computer) to reach specified destinations, or allows specific types of requests from specified sources to reach the Local Host network. For more information about system policy rules, see System Policy Rules.
In an enterprise policy (an FPCPolicy object), the FPCPolicyRule object can represent only an access rule or a placeholder that specifies the ordinal position (Order) of the set of array policy rules within the set of enterprise policy rules when the enterprise policy is applied to an array. Server publishing rules and Web publishing rules cannot be created on the enterprise level. For more information about enterprise policies, see Enterprise Policies.
When an enterprise with central array management is deployed, the following restrictions apply to an array policy (an FPCArrayPolicy object).
Note: A computer running Forefront TMG Medium Business Edition cannot be joined to a centrally managed array.
The FPCPolicyRule object is an element of an FPCPolicyRules collection. A new FPCPolicyRule object representing an access rule can be created by calling the AddAccessRule method of this collection, a new object representing a server publishing rule can be created by calling the AddServerPublishingRule or AddServerPublishingRuleWithScopedProtocol method, and a new object representing a Web publishing rule can be created by calling the AddWebPublishingRule method.
This object inherits from the FPCPersist object, which contains methods and properties related to the persistent storage of an object's data. They include methods for exporting the object's data to and importing it from an XML document.
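An added example, not code from this page or from the SDK samples, that ties the creation methods named above to the inherited FPCPersist export: it lists the array's rules in application order, creates a disabled deny access rule with AddAccessRule, and backs the rule set up as XML. The FPC.Root ProgID, the collection path, the property names used and the numeric enumeration values are assumptions taken from the SDK's usual naming and are marked in the comments.

```powershell
# Added example, not code from the Forefront TMG SDK page: enumerate the array's
# policy rules through the FPCPolicyRule COM object, add one (disabled) deny access
# rule with AddAccessRule, and back the rule set up with the inherited ExportToFile.
# Assumptions: the FPC.Root ProgID, GetContainingArray and ArrayPolicy.PolicyRules,
# the property names Order/Name/Type/Action/Enabled/Description, the
# SourceSelectionIPs.Networks.Add, DestinationSelectionIPs and ProtocolSelectionMethod
# members, and the numeric enum values below are assumed from the SDK; check them
# against Msfpccom.idl before use. Run on the Forefront TMG computer as an administrator.
$root  = New-Object -ComObject 'FPC.Root'
$array = $root.GetContainingArray()
$rules = $array.ArrayPolicy.PolicyRules

$ActionPermit = 0   # FpcPolicyRuleActions.fpcPolicyRuleActionPermit (assumed value)
$ActionDeny   = 1   # FpcPolicyRuleActions.fpcPolicyRuleActionDeny   (assumed value)
$Include      = 0   # FpcIncludeStatus.fpcInclude                    (assumed value)
$AllProtocols = 0   # FpcProtocolSelectionType.fpcAllProtocols       (assumed value)

# 1. Audit: list rules in the order they are applied (the Order property) and flag
#    enabled permit rules, which widen access and deserve the first look in a review.
foreach ($r in ($rules | Sort-Object Order)) {
    $flag = if ($r.Enabled -and $r.Action -eq $ActionPermit) { 'PERMIT-ENABLED' } else { '' }
    '{0,3}  {1,-45} type={2} action={3} enabled={4} {5}' -f `
        $r.Order, $r.Name, $r.Type, $r.Action, $r.Enabled, $flag
}

# 2. Create a deny access rule from the Internal network to the External network for
#    all protocols. It is saved disabled so that it can be reviewed and positioned in
#    the rule order before it takes effect.
$rule = $rules.AddAccessRule('Example deny rule (constructed by script)')
$rule.Action      = $ActionDeny
$rule.Description = 'Constructed example; review, reposition and enable deliberately'
$rule.Enabled     = $false
$rule.SourceSelectionIPs.Networks.Add('Internal', $Include)
$rule.AccessProperties.DestinationSelectionIPs.Networks.Add('External', $Include)
$rule.AccessProperties.ProtocolSelectionMethod = $AllProtocols
$rule.Save()

# 3. Back up the whole rule set as XML through the FPCPersist method the object inherits.
#    ExportToFile(FileName, OptionalData, EncryptionPassword); 0 = no optional data (assumed).
$rules.ExportToFile('C:\Backups\tmg-policy-rules.xml', 0, '')
```

The export file is a plain-text copy of the policy, so store it with the same access controls as the Forefront TMG configuration itself.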
The FPCPolicyRule object defines the following methods.
Method | Description |
---|---|
| | Finds matched elements. |
| | Sets the rule to apply at all times regardless of the ScheduleUsed property. |
| | Sets the lower and upper limits of the range of source port numbers to which the rule applies. |
| | Sets the policy group for the rule. |
| | Sets the schedule for the rule. |
| | Sets the scope and name of the schedule to be used by the rule. |
The FPCPolicyRule object defines the following properties.
Property | Description |
---|---|
| | Gets an FPCAccessProperties object that specifies a set of properties of the policy rule when the rule is configured as an access rule. |
| | Gets or sets a value from the FpcPolicyRuleActions enumerated type that specifies whether the rule allows or denies requests. |
| | Gets a Boolean value that indicates whether the rule applies at all times. |
| | Gets or sets the description of the rule. |
| | Gets or sets a Boolean value that indicates whether the rule is enabled. |
| | Gets or sets a Boolean value that indicates whether the rule is enabled for logging. |
| | Gets or sets a value from the FpcPolicyRuleGroups enumerated type that specifies the group to which the policy rule belongs. |
| | Gets a Boolean value that indicates whether the rule is preinstalled and cannot be deleted or have its position changed in the rule order. |
| | Gets the upper limit of the range of source port numbers to which the rule applies. |
| | Gets the lower limit of the range of source port numbers to which the rule applies. |
| | Gets an FPCMalwareInspectionProperties object that contains the malware inspection settings for the rule. |
| | Gets or sets the name of the rule. |
| | Gets the rule's position in the list of policy rules, which corresponds to their order of application. |
| | Gets an FPCRef object that references the FPCPolicyGroup object representing the policy group to which the rule belongs. |
| | Gets an FPCRef object that references the FPCSchedule object used to define the actual times when the rule applies. |
| | Gets an FPCServerPublishingProperties object that specifies a set of properties of the policy rule when the rule is configured as a server publishing rule. |
| | Gets an FPCSelectionIPs object that specifies the complete set of source IP addresses to which the rule applies. |
| | Gets a Boolean value that indicates whether the rule is a system policy rule. |
| | Gets a value from the FpcSystemPolicyConfigGroupEnum enumerated type that identifies the system policy configuration group to which the rule belongs. |
| | Gets a value from the FpcPolicyRuleTypes enumerated type that indicates whether the policy rule is an access rule, a server publishing rule, or a Web publishing rule. |
| | Gets a Boolean value that indicates whether the rule is a system policy rule that was added by a vendor or a third-party filter. |
| | Gets an FPCWebPublishingProperties object that specifies a set of properties of the policy rule when the rule is configured as a Web publishing rule. |
The following methods are inherited from the FPCPersist object.
Name | Description |
---|---|
CancelWaitForChanges | Cancels the registration established by the WaitForChanges method (for use in C and C++ programming only). |
CanImport | Returns a Boolean value that indicates whether the object's properties can be imported from the specified XML document. |
Export | Recursively writes the stored values of all the properties of the object and its subobjects to the specified XML document. |
ExportToFile | Recursively writes the stored values of all the properties of the object and its subobjects to the specified XML file. |
GetServiceRestartMask | Retrieves a 32-bit bitmask of the FpcServices enumerated type that specifies which services need to be restarted for currently unsaved changes to take effect. |
Import | Recursively copies the values of all the properties of the object and of its subobjects from the specified XML document to persistent storage. |
ImportFromFile | Recursively copies the values of all the properties of the object and of its subobjects from the specified XML file to persistent storage. |
LoadDocProperties | Provides the XML document's properties so that you can know what information can be imported from the document. |
Refresh | Recursively reads the values of all the properties of the object and of its subobjects from persistent storage, overwriting any changes that have not been saved. |
Save | Recursively writes the current values of all the properties of the object and its subobjects to persistent storage. |
WaitForChanges | Registers to wait for an event indicating that the contents of the object have changed (for use in C and C++ programming only). |
The following properties are inherited from the FPCPersist object.
Name | Description |
---|---|
PersistentName | Gets the persistent name of the object. The persistent name of an object is a name that is unique for the object at the respective level of the COM object hierarchy. |
VendorParameterSets | Gets an FPCVendorParametersSets collection that can hold sets of custom data for extending the object. |
This object implements the IFPCPolicyRule, IFPCEEPolicyRule, IFPCPolicyRule2, and IFPCPolicyRule3 interfaces.
Requirement | Value |
---|---|
Client | Requires Windows Vista or Windows XP. |
Server | Requires Windows Server 2008. |
Version | Requires Forefront Threat Management Gateway (TMG). |
IDL | Declared in Msfpccom.idl. |
Build date: 11/30/2009
© 2008 Microsoft Corporation. All rights reserved.