Option Explicit
'---------------------------------------------------------------------------
'Creates and validates ISA Server web publishing rules and web listeners for a
'TS/RD Gateway publishing scenario, driving the FPC (ISA administration) COM
'objects. Must be run with cscript.exe on the ISA server itself (see Main).
'---------------------------------------------------------------------------
'Error codes that the script compares Err.Number against.
'Raised by the FPC collections' Item() when no element of that name exists
'(policy rules, web listeners, RADIUS servers) - the normal "create it" path.
const Error_FileNotFound = &H80070002
'Raised by SetWebListener when the named listener does not exist.
const Error_WebListenerNotFound = &HC0040357
'Raised by CAPICOM Certificate.Load for a .pfx with the wrong password
'(-2147024810 is the signed 32-bit form of &H80070056). The triple "r" in the
'name is historical; it is referenced as-is further down.
const Error_IncorrrectCertificatePassword = -2147024810
'Raised by FPCAdapter.IsIpInAddressSet for a malformed address
'(-2147024809 is the signed 32-bit form of &H80070057, E_INVALIDARG).
const Error_InvalidIpAddress = -2147024809
'VBScript runtime errors: 429 "ActiveX component can't create object" (CAPICOM
'not registered), 438 "Object doesn't support this property or method"
'(property absent on older ISA versions).
const Error_CAPICOMnotInstalled = 429
const Error_PropertyDoesNotExist = 438
'FPC enumeration values.
'FPCPolicyRule.Action: allow matching connections.
const fpcAllow = 0
'PublishedServerType: HTTPS-to-HTTP bridging - ISA talks to the backend in clear text.
const fpcWebServerThruHTTP = 0
'PublishedServerType: HTTPS-to-HTTPS bridging.
const fpcWebServerThruSSL = 1
'FPCPolicyRule.Type of a web publishing rule.
const fpcPolicyRuleWebPublishing = 2
'System policy configuration group that permits CRL downloads from the ISA server.
const fpcSystemPolicyConfigGroup_CRL = 23
'Vendor parameter set GUIDs used by CustomizeWebListenerWithVPS and
'CustomizeWebRulewithVPS (both defined outside this excerpt).
const GUIDforHTTPOnlyCookie = "{29022EBA-B030-4839-9CA6-DD8875BC7B47}"
const GUIDforWebRule = "{5e302ed5-f5d5-4fad-9b8a-01c72e1569f3}"
'Display names of built-in ISA objects that are looked up by name (an
'authentication scheme, two user sets and a network). These are the English
'names only; localize them for a non-English ISA installation.
const FBAWITHRADIUSOTP = "FBA WITH RADIUS OTP"
const ALLUSERS = "ALL USERS"
const ALLAUTHENTICATEDUSERS = "ALL AUTHENTICATED USERS"
const EXTERNAL = "EXTERNAL"
'Command line arguments. Filled in by the ParseCommandLineFor* functions
'(from named arguments or a /File configuration file) and read by the
'create/validate functions. Null means "not supplied".
Dim ruleName : ruleName = NULL
Dim serverName : serverName = NULL
Dim publicName : publicName = NULL
Dim certName : certName = NULL
'Password of a .pfx file, prompted for in LoadCertificate. Note it is kept in
'clear in this global once entered.
Dim certPassword : certPassword = ""
Dim wlName : wlName = NULL
Dim BridgingType : BridgingType = NULL
Dim weblistenerauthentication : weblistenerauthentication = NULL
Dim userset : userset = NULL
'CAPICOM.Certificate object loaded from certName (LoadCertificate).
Dim Certificate : Certificate = NULL
Dim RadiusServerName : RadiusServerName = NULL
Dim ipaddress : ipaddress = NULL
Dim root : root = NULL 'A FPCLib.FPC root object
Dim oArray : oArray = NULL 'A FPCArray object
'Script entry point.
Main
Sub Main()
    'Entry point. Refuses to run under wscript.exe, loads the ISA root/array
    'objects, then dispatches on the command line. The array configuration is
    'written back only when ParseCommandLine reports success, so a failed run
    'leaves the stored policy untouched.
    Dim hostIsConsole
    hostIsConsole = (InStr(1, UCase(Wscript.FullName), "CSCRIPT.EXE", 1) <> 0)
    If Not hostIsConsole Then
        Wscript.Echo "This script can only be executed by CScript.exe."
    ElseIf Not Init Then
        WScript.Echo "This script should only be run on an ISA server."
        WScript.Echo
        DisplayUsage
    ElseIf ParseCommandLine Then
        WScript.Echo "Saving data..."
        oArray.Save false,false
    End If
End Sub 'Main
'Dispatches on the first positional switch and runs the matching workflow:
'create a rule, create a web listener or validate a rule. Returns True only
'when the array configuration has been changed and should be saved by the
'caller; the validate workflow never returns True, so it never triggers a save.
Function ParseCommandLine
    Dim switch
    ParseCommandLine = False
    'No arguments at all: show help
    If Wscript.Arguments.Count = 0 Then
        DisplayUsage
        Exit Function
    End If
    switch = UCase(Wscript.Arguments(0))
    If switch = "-CREATEWEBPUBLISHINGRULE" Then
        If Not ParseCommandLineForWebPublishingRule Then Exit Function
        If Not AddWebPubRule Then Exit Function
        'Vendor parameter set entries the rule needs for RPC over HTTP traffic
        If Not CustomizeWebRulewithVPS(ruleName) Then Exit Function
        'A rule that fails the misconfiguration check is reported and not saved
        If Not CheckWebPublishingRule Then Exit Function
        ParseCommandLine = True
    ElseIf switch = "-CREATEWEBLISTENER" Then
        If Not ParseCommandLineForWebListener Then Exit Function
        If Not CreateWebListener Then Exit Function
        'Clears the HTTPOnly cookie flag when the listener uses RADIUS OTP
        If Not CustomizeWebListenerWithVPS(wlName) Then Exit Function
        ParseCommandLine = True
    ElseIf switch = "-VALIDATERULE" Then
        If Not ParseCommandLineForValidateRule Then Exit Function
        'Read-only check; deliberately leaves ParseCommandLine False
        If Not CheckWebPublishingRule Then Exit Function
    Else
        WScript.Echo "Please specify one of the following switches: CREATEWEBPUBLISHINGRULE, CREATEWEBLISTENER, or VALIDATERULE"
        WScript.Echo
        DisplayUsage
    End If
End Function ' ParseCommandLine
'Creates the FPC.Root COM object and resolves the array this server belongs
'to, storing both in the globals root and oArray. Returns False (after echoing
'the error) when the ISA administration objects are not available, which is
'how the script detects that it is not running on an ISA server.
Function Init
    Dim failed
    Init = False
    On Error Resume Next
    Set root = CreateObject("FPC.Root")
    failed = (Err.Number <> 0)
    If Not failed Then
        Set oArray = root.GetContainingArray
        failed = (Err.Number <> 0)
    End If
    If failed Then
        WScript.Echo Err.Description
        WScript.Echo Err.Number
        Exit Function
    End If
    On Error Goto 0
    Init = True
End Function 'Init
'Creates the web publishing rule named ruleName (or, after a Yes/No prompt, deletes and
'recreates an existing one) and configures it from the parsed globals serverName,
'publicName, wlName, BridgingType and userset. Returns False after echoing a message on
'any failure. Nothing is persisted here: Main saves the array only when the whole
'workflow succeeds, so a rule abandoned half-way is discarded (the one exception is the
'system policy change made by EnableCRLDownloads, which saves itself).
Function AddWebPubRule()
AddWebPubRule = false
Dim rules ' An FPCPolicyRules collection
Dim rule ' An FPCPolicyRule object
Dim publicNames ' An FPCPublicNames collection
Dim path ' An FPCPathMapping Object (declared but not used in this function)
Dim retval ' Result of the MsgBox prompt
Set rules = oArray.ArrayPolicy.PolicyRules
'Look the rule up by name. Item() raising Error_FileNotFound is the normal
'"does not exist yet" path; any other error aborts.
On Error Resume Next
Set rule = rules.Item(ruleName)
If err.number <> 0 Then
If err.Number <> Error_FileNotFound Then
WScript.Echo "An error has occurred while creating the web publishing rule."
WScript.Echo Err.Description
WScript.Echo Err.number
WScript.Echo "Ending the script ..."
exit Function
Else
WScript.Echo "Creating the web publishing rule ..."
On Error Goto 0
Set rule = rules.AddWebPublishingRule(ruleName)
End If
Else
On Error Goto 0
'An existing rule is replaced only with the operator's consent (GUI prompt).
retval = MsgBox ("The web publishing rule """ & ruleName & """ already exists. Do you want to recreate it?",VBYesNo)
If retval = vbYes Then
rules.Remove(ruleName)
WScript.Echo "Deleted web publishing rule """ & ruleName & """"
Set rule = rules.AddWebPublishingRule(ruleName)
Else
WScript.Echo "New rule """ & ruleName & """ has not been created."
exit Function
End If
End If
'General properties: an enabled allow rule without link translation.
rule.Description="Publishes TSG"
rule.Enabled = true
'Rule action 0 means Allow connections that match this rule
rule.Action = fpcAllow
rule.WebPublishingProperties.TranslateLinks = false
'Published (internal) server and the public host name clients connect to.
rule.WebPublishingProperties.WebSite = serverName
Set publicNames = rule.WebPublishingProperties.PublicNames
publicNames.Add(publicName)
'Bind the web listener. It must already exist (created by -CREATEWEBLISTENER);
'SetWebListener raises Error_WebListenerNotFound otherwise.
Err.Clear
On Error Resume Next
rule.WebPublishingProperties.SetWebListener(wlName)
If err.Number = Error_WebListenerNotFound Then
WScript.Echo "The web listener """ & wlName & """ does not exist."
WScript.Echo "Please create the associated web listener before creating the web publishing rule."
WScript.Echo "Ending the script ..."
exit Function
ElseIf err.Number <> 0 Then
WScript.Echo Err.Description
WScript.Echo Err.number
WScript.Echo "Ending the script ..."
exit Function
End If
On Error Goto 0
'CustomizeWebListenerWithVPS is defined outside this excerpt; per the comments at its
'call sites it sets the HTTPOnlyCookie attribute of the listener to false when the
'listener uses HTML form based authentication with RADIUS OTP.
'NOTE(review): a session cookie without HTTPOnly is readable by script in the
'browser - presumably required by the OTP form flow; confirm before reusing elsewhere.
If NOT(CustomizeWebListenerWithVPS(wlName)) Then
exit Function
End If
'If the listener uses SSL client certificate authentication, enable the system policy
'rule "Allow all HTTP traffic from ISA Server to all networks (for CRL downloads)".
'EnableCRLDownloads saves that change to the stored configuration immediately.
If NOT(EnableCRLDownloads) Then exit Function
If (BridgingType = 1) Then
'HTTPS-to-HTTPS bridging: the published server is reached over SSL on port 443.
rule.WebPublishingProperties.PublishedServerType = fpcWebServerThruSSL
rule.WebPublishingProperties.SSLRedirectPort = 443
Else
'HTTPS-to-HTTP bridging: the published server is reached in clear text on port 80,
'so the ISA-to-backend network path must be trusted.
rule.WebPublishingProperties.PublishedServerType = fpcWebServerThruHTTP
rule.WebPublishingProperties.HTTPRedirectPort = 80
End If
'CredentialsDelegationType exists only on ISA Server 2006 and later. 0 means no
'delegation: the client may authenticate directly against the published server.
'Error 438 (property missing) is tolerated so the script still works on older versions.
Err.Clear
On Error Resume Next
rule.WebPublishingProperties.CredentialsDelegationType = 0
If (err.Number <> 0) AND (err.Number <> Error_PropertyDoesNotExist) Then
WScript.Echo Err.Description
WScript.Echo Err.number
WScript.Echo "Ending the script ..."
exit Function
End If
On Error Goto 0
'Replace whatever user sets the rule has with the selected one:
'0 = All Users, 1 = All Authenticated Users. With 1 the listener must actually
'authenticate, otherwise users get a continuous credential prompt (see
'CheckWebPublishingRule). With 0 and no delegation, requests reach the published
'server unauthenticated by ISA - intended for a gateway that authenticates itself.
If Not(rule.WebPublishingProperties.UserSets.Count = 0) then
rule.WebPublishingProperties.UserSets.RemoveAll()
End If
Select Case userset
Case 0
rule.WebPublishingProperties.UserSets.Add ALLUSERS, 0
Case 1
rule.WebPublishingProperties.UserSets.Add ALLAUTHENTICATEDUSERS, 0
End Select
WScript.Echo "Web publishing rule """ & ruleName & """ has been created."
'Print the settings of the rule just created (defined outside this excerpt)
PrintWebRuleSettings
AddWebPubRule = true
End Function 'AddWebPubRule
'Creates the web listener named wlName (or, after a Yes/No prompt, deletes and
'recreates an existing one that no rule references) and configures it from the parsed
'globals certName, ipaddress, weblistenerauthentication and RadiusServerName:
'SSL only on port 443, on all External-network addresses or the one given, with the
'server certificate that matches the loaded certificate file, and one of three
'authentication modes (0 none, 1 HTML form with RADIUS OTP, 2 SSL client certificate).
'Returns False after echoing a message on any failure. Nothing is saved here; Main
'saves the array only when the whole workflow succeeds.
Function CreateWebListener()
CreateWebListener =false
'FPCIPsOnNetworks selection types: listen on every address of the network, or on the listed ones
const fpcAllIPAddresses =0
const fpcSpecifiedIPAddresses = 2
'Declare the other objects needed.
Dim weblisteners ' An FPCWebListeners collection
Dim newlistener ' An FPCWebListener object
Dim SSLCertificates 'An FPCCertificates collection
Dim server ' An FPCServer object
Dim SSLCertificate ' An FPCCertificate object
Dim retval ' Result of the MsgBox prompt
Dim newWebListenerCreated ' Flag, compared as the string "true" below
Dim AuthenticationSchemes 'An FPCRefs object
Dim AuthenticationScheme 'An FPCRef object
Dim CertHash 'Thumbprint of the certificate loaded from the file
Dim IsCertInStore 'Set to "true" once a matching server certificate is found
'Look the listener up by name. Item() raising Error_FileNotFound is the normal
'"does not exist yet" path; any other error aborts.
Set weblisteners = oArray.RuleElements.WebListeners
On Error Resume Next
Set newlistener = weblisteners.Item(wlName)
'If the web listener does not exist, create it
If err.number <> 0 Then
If err.Number <> Error_FileNotFound Then
WScript.Echo "An error has occurred while creating the web listener."
WScript.Echo Err.Description
WScript.Echo Err.number
WScript.Echo "Ending the script ..."
exit Function
Else
WScript.Echo "Creating the web listener ..."
On Error GoTo 0
Set newlistener = weblisteners.Add(wlName)
newWebListenerCreated = "true"
End If
Else
On Error Goto 0
'An existing listener is replaced only with the operator's consent (GUI prompt).
retval = MsgBox ("The """ & wlName & """ web listener already exists. Do you want to delete it and create a new one?",VBYesNo)
If retval = vbYes Then
'A web listener cannot be deleted while a web publishing rule references it;
'CheckIfWebListenerIsBeingUsed names the offending rule and fails in that case.
If NOT(CheckIfWebListenerIsBeingUsed) Then
exit Function
End If
'Deleting the existing web listener
weblisteners.Remove(newlistener.Name)
WScript.Echo "Deleted web listener """ & wlName & """"
Set newlistener = weblisteners.Add(wlName)
newWebListenerCreated = "true"
Else
WScript.Echo "A new web listener has not been created."
exit Function
End If
End If
If newWebListenerCreated = "true" Then
'Load the certificate file into the global Certificate object (prompts for a .pfx password)
If not(LoadCertificate) then exit Function
'Addresses to listen on, always within the External network
If isNull(ipaddress) Then
'No IPADDRESS given: listen on every address of the External network
newlistener.IPsOnNetworks.Add EXTERNAL,fpcAllIPAddresses,""
Else
'Listen only on the address validated earlier by CheckifValidIP
newlistener.IPsOnNetworks.Add EXTERNAL,fpcSpecifiedIPAddresses,ipaddress
End if
'SSL only: TCP port 0 disables plain HTTP on this listener, SSL on 443
newlistener.Properties.TCPPort=0
newlistener.Properties.SSLPort=443
'Pick the server certificate from this server's store that matches the file.
'The file itself is not imported: it is only used to identify the installed one.
Set server = root.GetContainingServer()
Set SSLCertificates = server.SSLServerCertificates
'CAPICOM thumbprint of the certificate loaded from the file
CertHash = Certificate.Thumbprint
'ByteArrayToHexString is defined outside this excerpt; the comparison is a
'case-sensitive string match, so its output casing must agree with Thumbprint's.
For Each SSLCertificate In SSLCertificates
If CertHash = ByteArrayToHexString(SSLCertificate.Hash) Then
IsCertInStore = "true"
newlistener.Properties.AppliedSSLCertificates.Add SSLCertificate.Hash,""
End If
Next
If IsEmpty(IsCertInStore) Then
WScript.Echo "The certificate """ & certName & """ is not available for use by the web listener."
WScript.Echo "Make sure the certificate has been added to the ""Personal"" store store of the computer, has an associated private key and is meant for server authentication."
exit Function
End If
'Start from "No authentication": every built-in scheme off, no forced authentication.
'Unless weblistenerauthentication is 1 or 2 below, the listener stays unauthenticated
'and the published server has to authenticate clients itself.
newlistener.Properties.BasicAuthentication = false
newlistener.Properties.DigestAuthentication = false
newlistener.Properties.IntegratedWindowsAuthentication = false
newlistener.Properties.AlwaysAuthenticate =false
'SSL client certificate authentication (only meaningful with SSL listening) off by default
newlistener.Properties.SSLCertificateAuthentication = false
'Collection of the authentication schemes (RADIUS, RADIUS OTP, ...) attached to this listener
Set AuthenticationSchemes = newlistener.Properties.AuthenticationSchemes
'Apply the requested authentication mode
Select Case weblistenerauthentication
Case 1
On Error Resume Next
'The "FBA with RADIUS OTP" scheme does not exist on ISA Server 2004; Add() fails there
Set AuthenticationScheme = AuthenticationSchemes.Add(FBAWITHRADIUSOTP,0)
If Err.Number <> 0 Then
WScript.Echo "The RADIUS OTP property is not available on ISA server 2004"
WScript.Echo Err.Description
WScript.Echo Err.number
WScript.Echo "Ending the script ..."
exit Function
End If
On Error Goto 0
'Register the RADIUS server the listener will validate one-time passwords against
If NOT(AddRadiusServer) Then
exit Function
End If
Case 2
newlistener.Properties.SSLCertificateAuthentication = true
End Select
'Note: nothing is saved at this point; Main saves the array once the workflow succeeds.
WScript.Echo "The web listener """ & wlName & """ has been created."
'Print the settings of the listener just created (defined outside this excerpt)
PrintWebListenerSettings
End If
CreateWebListener = true
End Function ' CreateWebListener
'Returns True when no web publishing rule in the array references the listener
'named wlName (so it may be deleted). Otherwise names the first rule found,
'tells the user to delete it, and returns False. Names are compared
'case-insensitively.
Function CheckIfWebListenerIsBeingUsed()
    Dim policyRules  'FPCPolicyRules collection
    Dim candidate    'FPCPolicyRule being inspected
    Dim listenerRef  'FPCWebListener bound to the candidate rule
    CheckIfWebListenerIsBeingUsed = False
    Set policyRules = oArray.ArrayPolicy.PolicyRules
    For Each candidate In policyRules
        'Only web publishing rules carry a web listener
        If candidate.Type = fpcPolicyRuleWebPublishing Then
            Set listenerRef = candidate.WebPublishingProperties.WebListenerUsed
            If LCase(listenerRef.Name) = LCase(wlName) Then
                WScript.Echo "The web listener """ & wlName & """ is associated with the web publishing rule """ & candidate.Name & """." & VbCrLf _
                    & "Please delete the rule """ & candidate.Name & """ and re-run the script to create the web listener."
                Exit Function
            End If
        End If
    Next
    CheckIfWebListenerIsBeingUsed = True
End Function 'CheckIfWebListenerIsBeingUsed
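'Adds the RADIUS server named RadiusServerName to the array's RADIUS servers list, for
'use by a web listener that authenticates with HTML form based RADIUS OTP. If an entry
'of that name already exists the user is asked whether to delete and re-add it;
'declining keeps the existing entry. Returns False after echoing the error when the
'lookup fails for any reason other than "not found".
'NOTE(review): only the server *name* is set here - RadiusServers.Add(name) is the sole
'configuration call. The shared secret and port are not set anywhere in the visible
'part of the script, so confirm they are configured (e.g. in the ISA console) before
'relying on this listener for authentication.
Function AddRadiusServer()
    Dim radiusList   'An FPCRadiusServers collection
    Dim radiusEntry  'An FPCRadiusServer object
    Dim answer       'Result of the MsgBox prompt
    AddRadiusServer = False
    Set radiusList = oArray.RuleElements.RadiusServers
    'Item() raising Error_FileNotFound is the normal "not there yet" path
    On Error Resume Next
    Set radiusEntry = radiusList.Item(RadiusServerName)
    If Err.Number <> 0 Then
        If Err.Number <> Error_FileNotFound Then
            WScript.Echo "* An error has occurred while adding radius server"
            WScript.Echo Err.Description
            WScript.Echo Err.Number
            'Fix: this was "WSript.Echo". Under Option Explicit that undefined name
            'raised its own error, which On Error Resume Next swallowed, so the
            'line never printed.
            WScript.Echo "* Ending the script ..."
            Exit Function
        End If
        WScript.Echo "Adding the Radius server """ & RadiusServerName & """ to the Radius Servers list."
        On Error Goto 0
        Set radiusEntry = radiusList.Add(RadiusServerName)
    Else
        On Error Goto 0
        answer = MsgBox("The Radius server """ & RadiusServerName & """ already exists in the RADIUS Servers list. Do you want to delete the existing RADIUS server and then re-add it?", vbYesNo)
        If answer = vbYes Then
            'Replace the existing entry
            radiusList.Remove RadiusServerName
            WScript.Echo "Radius server """ & RadiusServerName & """ has been deleted from the RADIUS servers list."
            Set radiusEntry = radiusList.Add(RadiusServerName)
        Else
            WScript.Echo "The existing Radius Server """ & RadiusServerName & """ will be used for authentication"
        End If
    End If
    AddRadiusServer = True
End Function 'AddRadiusServer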
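'Loads the certificate file named by certName into the global CAPICOM Certificate
'object. A .pfx (PKCS#12) file is password protected, so the password is prompted for
'first; a .cer needs none. Returns False after echoing a message when CAPICOM is not
'registered, the password is wrong, or the file cannot be loaded.
'Changes: the .pfx detection is case-insensitive (".PFX" is the same format), it no
'longer faults on a name shorter than four characters, and the password is cleared
'from the global as soon as the load has been attempted.
Function LoadCertificate()
    Dim isPfx
    LoadCertificate = False
    Err.Clear
    On Error Resume Next
    Set Certificate = CreateObject("CAPICOM.Certificate")
    If Err.Number <> 0 Then
        WScript.Echo Err.Description
        WScript.Echo Err.Number
        If Err.Number = Error_CAPICOMnotInstalled Then
            WScript.Echo "Make sure CAPICOM is installed. You can install it from http://msdn.microsoft.com/en-us/library/ms759176(VS.85).aspx"
        End If
        WScript.Echo "Ending the script..."
        Exit Function
    End If
    On Error Goto 0
    'Detect a PKCS#12 file by extension, tolerating a trailing quote left over from
    'a quoted command-line value.
    isPfx = False
    If Len(certName) >= 3 Then
        isPfx = (LCase(Right(certName, 3)) = "pfx")
    End If
    If (Not isPfx) And Len(certName) >= 4 Then
        isPfx = (LCase(Mid(certName, Len(certName) - 3, 3)) = "pfx" And Right(certName, 1) = """")
    End If
    'A .pfx needs its password; read it masked from the console
    If isPfx Then certPassword = GetCertPassword()
    Err.Clear
    On Error Resume Next
    Certificate.Load certName, certPassword
    'The password has served its purpose: do not keep it in a global for the
    'rest of the run (nothing else reads certPassword).
    certPassword = ""
    If Err.Number <> 0 Then
        If Err.Number = Error_IncorrrectCertificatePassword Then
            WScript.Echo "The password specified for the certificate file is incorrect."
            WScript.Echo "Please specify the correct password and then re-run the script."
            Exit Function
        End If
        WScript.Echo "An error occurred while loading the certificate."
        WScript.Echo Err.Description
        WScript.Echo Err.Number
        Exit Function
    End If
    On Error Goto 0
    LoadCertificate = True
End Function 'LoadCertificate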
'Probes whether the certificate file at certName can be opened by CAPICOM. Only a
'file-not-found error is reported and returns False; any other load error - for
'instance a password-protected .pfx rejecting the empty password used here - is
'deliberately ignored, because the real load happens later in LoadCertificate.
'A missing CAPICOM component is reported and also returns False.
Function CheckIfCertificateExists()
    Dim probe 'Throw-away CAPICOM.Certificate used only for the existence test
    CheckIfCertificateExists = False
    Err.Clear
    On Error Resume Next
    Set probe = CreateObject("CAPICOM.Certificate")
    If Err.Number <> 0 Then
        WScript.Echo Err.Description
        WScript.Echo Err.Number
        If Err.Number = Error_CAPICOMnotInstalled Then
            WScript.Echo "Please ensure that the CAPICOM is installed. You can install it from http://msdn.microsoft.com/en-us/library/ms759176(VS.85).aspx"
        End If
        WScript.Echo "Ending the script..."
        Exit Function
    End If
    Err.Clear
    probe.Load certName, ""
    If Err.Number = Error_FileNotFound Then
        WScript.Echo "The system cannot find the file " & certName
        WScript.Echo "Please specify the correct certificate path and then re-run the script."
        Exit Function
    End If
    On Error Goto 0
    CheckIfCertificateExists = True
End Function
'Prompts for the .pfx password and returns it. Uses the ScriptPW.Password
'component (intended to read the password without echoing it); the component
'must be registered on the machine - if it is not, CreateObject raises and the
'script stops. Confirm its availability on the target Windows version.
Function GetCertPassword()
    Dim reader
    Set reader = CreateObject("ScriptPW.Password")
    WScript.StdOut.Write "Please enter the certificate password:"
    Wscript.Echo
    GetCertPassword = reader.GetPassword()
End Function 'GetCertPassword
'Reads the parameters for -CREATEWEBPUBLISHINGRULE either from named command-line
'arguments or, when /File is given, from a "KEY:value" configuration file, then checks
'that every mandatory value is present and that BRIDGINGTYPE and USERSET are 0 or 1.
'Returns False (after printing what is wrong and the usage text) on any problem.
Function ParseCommandLineForWebPublishingRule
    Dim configFile
    ParseCommandLineForWebPublishingRule = False
    If WScript.Arguments.Named.Exists("?") Then
        DisplayUsage
        Exit Function
    End If
    If WScript.Arguments.Named.Exists("File") Then
        'Configuration file mode: every value comes from the file
        configFile = IfEmptyStringAssignNull(WScript.Arguments.Named.Item("File"))
        If IsNull(configFile) Then
            WScript.Echo "Please enter a file name and then re-run the script."
            WScript.Echo "Ending the script ..."
            Exit Function
        End If
        If InvalidFile(configFile) Then Exit Function
        ruleName = ReadKeyValueFromFile("WRNAME", configFile)
        serverName = ReadKeyValueFromFile("SERVERNAME", configFile)
        publicName = ReadKeyValueFromFile("PUBLICNAME", configFile)
        wlName = ReadKeyValueFromFile("WLNAME", configFile)
        BridgingType = ReadKeyValueFromFile("BRIDGINGTYPE", configFile)
        userset = ReadKeyValueFromFile("USERSET", configFile)
    Else
        'Named-argument mode: an absent argument leaves the global untouched
        ruleName = RuleArgOrCurrent("WRNAME", ruleName)
        serverName = RuleArgOrCurrent("SERVERNAME", serverName)
        publicName = RuleArgOrCurrent("PUBLICNAME", publicName)
        wlName = RuleArgOrCurrent("WLNAME", wlName)
        BridgingType = RuleArgOrCurrent("BRIDGINGTYPE", BridgingType)
        userset = RuleArgOrCurrent("USERSET", userset)
    End If
    'All six parameters are mandatory
    If IsNull(ruleName) Or IsNull(serverName) Or IsNull(publicName) Or IsNull(wlName) Or IsNull(BridgingType) Or IsNull(userset) Then
        WScript.Echo "The following mandatory parameter values are missing: "
        If IsNull(ruleName) Then WScript.Echo "WRNAME"
        If IsNull(serverName) Then WScript.Echo "SERVERNAME"
        If IsNull(publicName) Then WScript.Echo "PUBLICNAME"
        If IsNull(wlName) Then WScript.Echo "WLNAME"
        If IsNull(BridgingType) Then WScript.Echo "BRIDGINGTYPE"
        If IsNull(userset) Then WScript.Echo "USERSET"
        WScript.Echo
        DisplayUsage
        Exit Function
    End If
    'BRIDGINGTYPE: 0 = HTTPS-to-HTTP, 1 = HTTPS-to-HTTPS
    If Not IsNumeric(BridgingType) Then
        DisplayUsage
        Exit Function
    End If
    If BridgingType <> 0 And BridgingType <> 1 Then
        WScript.Echo "Please enter a valid option for bridging type (0 or 1):"
        WScript.Echo
        DisplayUsage
        Exit Function
    End If
    'USERSET: 0 = All Users, 1 = All Authenticated Users
    If Not IsNumeric(userset) Then
        DisplayUsage
        Exit Function
    End If
    If Not (userset = 0 Or userset = 1) Then
        WScript.Echo "Please enter a valid option for user sets (0 or 1):"
        WScript.Echo
        DisplayUsage
        Exit Function
    End If
    ParseCommandLineForWebPublishingRule = True
End Function ' ParseCommandLineForWebPublishingRule

'Value of the named argument (Null when it is present but empty); the given
'current value when the argument is absent.
Function RuleArgOrCurrent(argName, current)
    RuleArgOrCurrent = current
    If WScript.Arguments.Named.Exists(argName) Then
        RuleArgOrCurrent = IfEmptyStringAssignNull(WScript.Arguments.Named.Item(argName))
    End If
End Function 'RuleArgOrCurrent
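'Reads the parameters for -CREATEWEBLISTENER either from named command-line arguments
'or, when /File is given, from a "KEY:value" configuration file, and validates them:
'CERTPATH, WLNAME and LISTENERAUTHENTICATION are mandatory; the certificate must be an
'existing .cer or .pfx file; LISTENERAUTHENTICATION must be 0 (none), 1 (RADIUS OTP)
'or 2 (SSL client certificate); RADIUS OTP needs a RADIUSSERVER and is refused on ISA
'Server 2004; an optional IPADDRESS must belong to this server (CheckifValidIP).
'Returns False after explaining the problem.
'Change: the extension check is case-insensitive, so "GW.PFX" is accepted like "gw.pfx",
'and a value shorter than four characters no longer faults inside Mid().
Function ParseCommandLineForWebListener
    Dim configFile, certExt
    ParseCommandLineForWebListener = False
    If WScript.Arguments.Named.Exists("?") Then
        DisplayUsage
        Exit Function
    End If
    If WScript.Arguments.Named.Exists("File") Then
        'Configuration file mode: every value comes from the file
        configFile = IfEmptyStringAssignNull(WScript.Arguments.Named.Item("File"))
        If IsNull(configFile) Then
            WScript.Echo "Please enter a file name and then re-run the script."
            WScript.Echo "Ending the script ..."
            Exit Function
        End If
        If InvalidFile(configFile) Then Exit Function
        certName = ReadKeyValueFromFile("CERTPATH", configFile)
        wlName = ReadKeyValueFromFile("WLNAME", configFile)
        weblistenerauthentication = ReadKeyValueFromFile("LISTENERAUTHENTICATION", configFile)
        RadiusServerName = ReadKeyValueFromFile("RADIUSSERVER", configFile)
        ipaddress = ReadKeyValueFromFile("IPADDRESS", configFile)
    Else
        'Named-argument mode: an absent argument leaves the global untouched
        certName = ListenerArgOrCurrent("CERTPATH", certName)
        wlName = ListenerArgOrCurrent("WLNAME", wlName)
        weblistenerauthentication = ListenerArgOrCurrent("LISTENERAUTHENTICATION", weblistenerauthentication)
        RadiusServerName = ListenerArgOrCurrent("RADIUSSERVER", RadiusServerName)
        ipaddress = ListenerArgOrCurrent("IPADDRESS", ipaddress)
    End If
    'Mandatory parameters
    If IsNull(certName) Or IsNull(wlName) Or IsNull(weblistenerauthentication) Then
        WScript.Echo "The following mandatory parameter values are missing: "
        If IsNull(wlName) Then WScript.Echo "WLNAME"
        If IsNull(certName) Then WScript.Echo "CERTPATH"
        If IsNull(weblistenerauthentication) Then WScript.Echo "LISTENERAUTHENTICATION"
        WScript.Echo
        DisplayUsage
        Exit Function
    End If
    'Certificate file type, by extension (case-insensitive, trailing quote tolerated)
    certExt = ListenerCertExtension(certName)
    If certExt <> "pfx" And certExt <> "cer" Then
        WScript.Echo "Please enter a valid certificate file. It should have either a .cer or a .pfx extension."
        WScript.Echo
        DisplayUsage
        Exit Function
    End If
    'Remove surrounding quotes left by a quoted command-line value
    If Left(certName, 1) = """" And Right(certName, 1) = """" Then
        certName = Mid(certName, 2, Len(certName) - 2)
    End If
    'The file must exist (the real load happens in LoadCertificate)
    If Not CheckIfCertificateExists Then
        WScript.Echo
        DisplayUsage
        Exit Function
    End If
    'Authentication mode
    If Not (weblistenerauthentication = 0 Or weblistenerauthentication = 1 Or weblistenerauthentication = 2) Then
        WScript.Echo "Please enter a valid option for the web listener authentication scheme ( 0, 1, or 2):"
        WScript.Echo
        DisplayUsage
        Exit Function
    End If
    'RADIUS OTP does not exist on ISA Server 2004 (major version 4)
    If weblistenerauthentication = 1 And Left(GetISAProductVersion, 1) = "4" Then
        WScript.Echo "The authentication scheme RADIUS OTP is not available on ISA server 2004 versions. Please install ISA server 2006 with supportability update or later to use RADIUS OTP in ISA RD Gateway scenarios."
        Exit Function
    End If
    'RADIUS OTP needs a RADIUS server to validate against
    If weblistenerauthentication = 1 And IsNull(RadiusServerName) Then
        WScript.Echo "HTML form-based authentication(RADIUS OTP) needs a RADIUS server."
        WScript.Echo "Please specify a RADIUS server."
        WScript.Echo
        DisplayUsage
        Exit Function
    End If
    'Optional listening address must be one of this server's External addresses
    If Not IsNull(ipaddress) Then
        If Not CheckifValidIP Then Exit Function
    End If
    ParseCommandLineForWebListener = True
End Function ' ParseCommandLineForWebListener'

'Value of the named argument (Null when it is present but empty); the given
'current value when the argument is absent.
Function ListenerArgOrCurrent(argName, current)
    ListenerArgOrCurrent = current
    If WScript.Arguments.Named.Exists(argName) Then
        ListenerArgOrCurrent = IfEmptyStringAssignNull(WScript.Arguments.Named.Item(argName))
    End If
End Function 'ListenerArgOrCurrent

'Lower-cased last three characters of path, ignoring one trailing double quote
'left by a quoted command-line value. Returns "" for values too short to carry
'an extension.
Function ListenerCertExtension(path)
    Dim bare
    bare = path
    If Right(bare, 1) = """" Then bare = Left(bare, Len(bare) - 1)
    ListenerCertExtension = ""
    If Len(bare) >= 3 Then ListenerCertExtension = LCase(Right(bare, 3))
End Function 'ListenerCertExtension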
'Maps the empty string to Null so that "/NAME:" (supplied but blank) is treated
'the same as an omitted argument; any other value is returned unchanged.
Function IfEmptyStringAssignNull(variable)
    IfEmptyStringAssignNull = variable
    If variable = "" Then IfEmptyStringAssignNull = Null
End Function 'IfEmptyStringAssignNull
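'Parses the arguments for the -VALIDATERULE switch. Only /WRNAME is needed; an empty
'value is treated as missing, in line with the other parsers. Returns False after
'showing the usage text when the rule name is absent.
Function ParseCommandLineForValidateRule
    ParseCommandLineForValidateRule = False
    If WScript.Arguments.Named.Exists("?") Then
        DisplayUsage
        Exit Function
    End If
    If WScript.Arguments.Named.Exists("WRNAME") Then
        'Normalise "/WRNAME:" (present but empty) to Null so it is reported as
        'missing here instead of failing later with a "rule does not exist" lookup.
        ruleName = IfEmptyStringAssignNull(WScript.Arguments.Named.Item("WRNAME"))
    End If
    If IsNull(ruleName) Then
        WScript.Echo "Not all parameters have been specified."
        WScript.Echo
        DisplayUsage
        Exit Function
    End If
    ParseCommandLineForValidateRule = True
End Function ' ParseCommandLineForValidateRule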
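'Reads the value for key from a "KEY:value" configuration file: the first line whose
'text before the first ":" equals key (case-insensitively, surrounding blanks ignored)
'wins. Everything after that first ":" is the value, so values that themselves contain
'":" - a drive letter in CERTPATH, for instance - survive intact. Returns Null when the
'key is absent or its value is blank. The file is opened read-only; one that cannot be
'opened raises a runtime error (callers check existence with InvalidFile first).
'Change: blanks around the key are ignored, so "WRNAME : x" matches like "WRNAME:x".
Function ReadKeyValueFromFile (key,filename)
    Dim fso, stream, line, colonAt, keyPart
    ReadKeyValueFromFile = Null
    Set fso = CreateObject( "Scripting.FileSystemObject" )
    Set stream = fso.OpenTextFile(filename, 1, False )
    Do Until stream.AtEndOfStream
        line = Trim(stream.ReadLine)
        colonAt = InStr(line, ":")
        If colonAt > 0 Then
            keyPart = Trim(Left(line, colonAt - 1))
            If UCase(keyPart) = UCase(key) Then
                'Value is everything after the first colon
                ReadKeyValueFromFile = Trim(Mid(line, colonAt + 1))
                Exit Do
            End If
        End If
    Loop
    stream.Close
    'A present-but-blank value counts as not supplied
    If ReadKeyValueFromFile = "" Then ReadKeyValueFromFile = Null
End Function 'ReadKeyValueFromFile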
'Returns True (after telling the user) when filename does not name an existing
'file, False when it does. Only existence is checked, not readability.
Function InvalidFile(filename)
    Dim fso
    Set fso = CreateObject( "Scripting.FileSystemObject" )
    InvalidFile = Not fso.FileExists( filename )
    If InvalidFile Then
        WScript.Echo "Please specify a valid configuration file."
        WScript.Echo "Ending the script ..."
    End If
End Function 'InvalidFile
'Validates the global ipaddress as a listener address: it must be in the address
'set of one of this server's network adapters, and the user is asked to confirm
'if it falls inside the "Internal" network range (the External network has no
'range set of its own, so membership is inferred by the inverse test). Returns
'False on a malformed address, an address no adapter owns, an adapter query
'error, or when the user declines the prompt.
Function CheckifValidIP()
    Dim thisServer      'FPCServer
    Dim nic             'FPCAdapter
    Dim inSet           'Result of IsIpInAddressSet for one adapter
    Dim ownedByAdapter  'True once any adapter owns the address
    Dim internalNet     'FPCNetwork "Internal"
    Dim answer          'Result of the MsgBox prompt
    CheckifValidIP = False
    ownedByAdapter = False
    Set thisServer = root.GetContainingServer()
    For Each nic In thisServer.adapters
        Err.Clear
        On Error Resume Next
        inSet = nic.IsIpInAddressSet(ipaddress)
        'E_INVALIDARG from the adapter means the address itself is malformed
        If Err.Number = Error_InvalidIpAddress Then
            WScript.Echo "Please specify a valid IPv4 address and then re-run the script."
            Exit Function
        End If
        If Err.Number <> 0 Then
            WScript.Echo Err.Description
            WScript.Echo Err.Number
            Exit Function
        End If
        On Error Goto 0
        If inSet Then ownedByAdapter = True
    Next
    If Not ownedByAdapter Then
        WScript.Echo "The IP address """ & ipaddress & """ does not belong to any enabled network adapter of the computer."
        Wscript.Echo "Please specify an IP address which is in the address range of the enabled network adapters of the computer and then re-run the script."
        Exit Function
    End If
    'Inverted test: an address inside the Internal range is not an External one
    Set internalNet = oArray.NetworkConfiguration.Networks.Item("Internal")
    If internalNet.IPRangeSet.IsIpInSet(ipaddress) Then
        answer = MsgBox("The IP address is not in the external network range of ISA server. Do you still want to continue?", vbYesNo)
        If answer = vbNo Then
            Wscript.Echo "Ending the script ... "
            Exit Function
        End If
    End If
    CheckifValidIP = True
End Function 'CheckifValidIP
'When the listener bound to wlName uses SSL client certificate authentication,
'enables the system policy configuration group for CRL downloads and saves it.
'NOTE(review): that group is the rule "Allow all HTTP traffic from ISA Server to
'all networks (for CRL downloads)" - a broad outbound allow from the firewall
'itself. It is written to the stored configuration right here (configGroup.Save),
'independently of whether the rest of the rule creation succeeds and is saved
'by Main. Returns True unless the listener lookup raises.
Function EnableCRLDownloads
    Dim boundListener 'FPCWebListener named wlName
    Dim crlGroup      'FPCSystemPolicyConfigGroup for CRL downloads
    EnableCRLDownloads = False
    Set boundListener = oArray.RuleElements.WebListeners(wlName)
    If boundListener.Properties.SSLCertificateAuthentication = True Then
        Set crlGroup = oArray.SystemPolicy.CreateConfigurationGroupInstance(fpcSystemPolicyConfigGroup_CRL)
        crlGroup.Enabled = True
        crlGroup.Save
        WScript.Echo "Enabling the system policy rule ""Allow all HTTP traffic from ISA Server to all networks (for CRL downloads)"" is needed for authentication method ""SSL Client Certificate"" of the web listener."
    End If
    EnableCRLDownloads = True
End Function 'EnableCRLDownloads
'This function checks that, if the user set of the web publishing rule is "All Authenticated Users",
'the authentication method of the associated web listener is not "No Authentication".
'That combination is one of the common misconfigurations on ISA Server and results in a continuous
'credentials prompt for the user.
Function CheckWebPublishingRule
CheckWebPublishingRule = false
Dim WebListener
Dim IsAlwaysAuthenticate : IsAlwaysAuthenticate = false 'A bool variable
Dim IsBasicAuthentication : IsBasicAuthentication = false 'A bool variable
Dim IsDigestAuthentication : IsDigestAuthentication =false 'A bool variable
Dim IsIntegratedWindowsAuthentication : IsIntegratedWindowsAuthentication =false 'A bool variable
Dim IsSSLCertificateAuthentication : IsSSLCertificateAuthentication = false 'A bool variable
Dim IsAuthenticationFBAWithRadiusOTP : IsAuthenticationFBAWithRadiusOTP = false 'A bool variable
Dim AuthenticationSchemes
Dim AuthenticationScheme
Dim AuthenticationSchemeCount : AuthenticationSchemeCount = false 'A bool variable
Dim IsUserSetAllUsers : IsUserSetAllUsers = false 'A bool variable
Dim IsUserSetAllAuthenticatedUsers : IsUserSetAllAuthenticatedUsers = false 'A bool variable
Dim CredentialsDelegationType : CredentialsDelegationType = 0
Dim userSets
Dim userSet
Dim rules
Dim rule
Dim PathAll : PathAll = null
Dim PathRPC : PathRPC = null
Dim PathRPCwithCert : PathRPCwithCert = null
Dim PathTs : PathTs = null
Dim PathRdWeb : PathRdWeb = null
Dim path
Dim pathmappings
Dim WebListenerVps
Dim CookieAuthVps
Dim configGroup
Set rules = oArray.ArrayPolicy.PolicyRules
Err.Clear
On Error Resume Next
Set rule = rules.Item(ruleName)
If err.number <> 0 Then
If err.Number = Error_FileNotFound Then
WScript.Echo "The web publishing rule """ & ruleName & """ does not exist."
WScript.Echo "Please enter a valid web publishing rule name and re-run script."
exit Function
Else
WScript.Echo "An error occurred while reading the web publishing rule """ & ruleName
WScript.Echo Err.Description
WScript.Echo Err.number
WScript.Echo "Ending the script..."
exit Function
End If
End If
If fpcPolicyRuleWebPublishing <> rule.Type Then
Wscript.Echo "The rule """ & ruleName & """ is not a web publishing rule."
WScript.Echo "Please enter a valid web publishing rule name and re-run script."
exit Function
End If
Err.Clear
Set WebListener = oArray.RuleElements.WebListeners(rule.WebPublishingProperties.WebListenerUsed.Name)
If err.Number <> 0 Then
WScript.Echo "An error occurred while reading the web listener."
WScript.Echo Err.Description
WScript.Echo Err.number
WScript.Echo "Ending the script..."
exit Function
End If
On Error goto 0
If WebListener.Properties.TCPPort <> 0 and WebListener.Properties.SSLPort <> 0 Then
WScript.Echo "*WARNING* The web listener has been configured to listen for both HTTP and SSL requests. It is recommended that it only listens for SSL requests on port 443."
WScript.Echo
Else
If WebListener.Properties.SSLPort <> 443 and WebListener.Properties.SSLPort <> 0 Then
WScript.Echo "*WARNING* The web listener SSL port is " & WebListener.Properties.SSLPort & ". Please configure the web listener to listen for SSL requests on port 443."
WScript.Echo
Else
If WebListener.Properties.TCPPort <> 0 Then
WScript.Echo "*WARNING* The web listener is only listening for HTTP requests. Please disable HTTP listening and enable SSL client connections on port 443."
WScript.Echo
End if
End if
End if
'Check for authentication delegation on web publishing rule
Err.Clear
On Error Resume Next
CredentialsDelegationType = rule.WebPublishingProperties.CredentialsDelegationType
If (err.Number <> 0) AND (err.Number <> Error_PropertyDoesNotExist) Then
WScript.Echo Err.Description
WScript.Echo Err.number
WScript.Echo "Ending the script ..."
exit Function
ElseIf CredentialsDelegationType <> 0 then
WScript.Echo "*WARNING* Authentication delegation on the web publishing rule is not set to ""No delegation but client may authenticate directly"". It is recommended that you use ""No delegation but client may authenticate directly"" as the authentication delegation method for all RD Gateway ISA scenarios."
WScript.Echo
End If
'Check for user sets on web publishing rule
Set UserSets = rule.WebPublishingProperties.UserSets
For Each userSet in UserSets
If UCase(userSet.Name) = ALLUSERS Then
IsUserSetAllUsers = true
End If
If UCase(userSet.Name) = ALLAUTHENTICATEDUSERS Then
IsUserSetAllAuthenticatedUsers = true
End If
Next
'Check if authentication scheme on Web listener is always authenticate client
If WebListener.Properties.AlwaysAuthenticate = true then
IsAlwaysAuthenticate = true
End if
'Check if authentication scheme on Web listener is set to basic authentication
If WebListener.Properties.BasicAuthentication = true then
IsBasicAuthentication = true
End if
'Check if authentication scheme on Web listener is set to digest authentication
If WebListener.Properties.DigestAuthentication = true then
IsDigestAuthentication = true
End if
'Check if authentication scheme on Web listener is set to integrated windows authentication
If WebListener.Properties.IntegratedWindowsAuthentication = true then
IsIntegratedWindowsAuthentication = true
End if
'Check if authentication scheme on Web listener is SSL CLient Certificate Authentication
If WebListener.Properties.SSLCertificateAuthentication = true then
IsSSLCertificateAuthentication =true
End if
'If SSL Certification is used then system policy rule "Allow all HTTP traffic from ISA Server to all networks (for CRL downloads)" should be enabled
If IsSSLCertificateAuthentication then
Set configGroup = oArray.SystemPolicy.CreateConfigurationGroupInstance(fpcSystemPolicyConfigGroup_CRL)
If configGroup.Enabled = False then
WScript.Echo "*WARNING* SSL certificate authentication on the web listener requires the system policy rule ""Allow all HTTP traffic from ISA Server to all networks (for CRL downloads)"" to be enabled. It is currently disabled."
WScript.Echo
End if
WScript.Echo "*WARNING* SSL certificate authentication on the web listener can only be used when the ISA server is joined to a domain. Please make sure that it is joined to a domain."
WScript.Echo
End if
'Check if any authentication scheme is set on the web listener
Set AuthenticationSchemes = WebListener.Properties.AuthenticationSchemes
For each AuthenticationScheme in AuthenticationSchemes
AuthenticationSchemeCount = true
If UCase(AuthenticationScheme.Name) = FBAWITHRADIUSOTP then
IsAuthenticationFBAWithRadiusOTP = true
End If
Next
'Check that "All Authenticated Users" should not be configured without an authentication scheme on web listener
If IsUserSetAllAuthenticatedUsers Then
If not (IsAlwaysAuthenticate or IsBasicAuthentication or IsDigestAuthentication or IsIntegratedWindowsAuthentication or IsSSLCertificateAuthentication or AuthenticationSchemeCount) then
WScript.Echo "*WARNING* No authentication scheme has been specified on the web listener but the user set on the web publishing rule contains ""All Authenticated Users"". Please set it to one of the supported types for RD Gateway scenarios - ""SSL Client Certificate"" or ""FBA with RADIUS OTP""."
WScript.Echo
Else
If not(IsAuthenticationFBAWithRadiusOTP or IsSSLCertificateAuthentication) Then
WScript.Echo "*WARNING* An authentication scheme not supported for RD Gateway scenarios has been specified on the web listener. Please set it to one of the supported types: ""SSL Client Certificate"" or ""FBA with RADIUS OTP""."
WScript.Echo
End If
End If
End If
If IsUserSetAllUsers and not(IsUserSetAllAuthenticatedUsers) Then
If (IsAuthenticationFBAWithRadiusOTP or IsSSLCertificateAuthentication) Then
WScript.Echo "*WARNING* A supported authenticaion scheme has been set on the web listener but the web publishing rule contains ""All Users"" in its User Set. This is a security risk as even unauthenticated users can access RD Gateway."
WScript.Echo
Else
If (IsAlwaysAuthenticate or IsBasicAuthentication or IsDigestAuthentication or IsIntegratedWindowsAuthentication or IsSSLCertificateAuthentication or AuthenticationSchemeCount) then
WScript.Echo "*WARNING* The web publishing rule contains ""All users"" in its User Set but the web listener has an authentication method set. It is recommended that you use ""All Users"" with No Authentication method set on the web listener."
WScript.Echo
End If
End If
End If
Set pathmappings = rule.WebPublishingProperties.PathMappings
For each path in pathmappings
If (Ucase(path.InternalPath) = "/*") then
Set PathAll = path
End if
If (Ucase(path.InternalPath) = "/RPC/*") then
Set PathRPC = path
End if
If (Ucase(path.InternalPath) = "/RPCWITHCERT/*") then
Set PathRPCwithCert = path
End if
If (Ucase(path.InternalPath) = "/TS/*") then
Set PathTs = path
End if
If (Ucase(path.InternalPath) = "/RDWEB/*") then
Set PathRdWeb = path
End if