Code:
http://gallery.technet.microsoft.com/ScriptCenter/en-us/d401d7d1-3805-40ef-a4a6-f3d4763380a2
1. Introduction
This script runs on the ISA server and provides quick, error-free configuration of the web publishing rule and web listener used to publish an RD Gateway server. It can also verify existing web publishing rules that publish RD Gateway; when it finds problems, it reports a list of warnings and errors to the administrator.

2. Requirements
1. ISA Server 2004 or a later version is installed on the machine.
2. ISA is being used with RD Gateway in the scenario described in the step-by-step guide http://technet.microsoft.com/en-us/library/cc731353.aspx
3. The script requires the CAPICOM SDK in order to use CryptoAPI. Download and install CAPICOM from http://msdn.microsoft.com/en-us/library/ms759176(VS.85).aspx
4. The user running the script must have administrator privileges.


3. How to use the script

The ISA configuration script for RD Gateway can be used for the following purposes:
- Create a web listener
- Create a web publishing rule
- Validate existing or newly created rules and diagnose common problems

3.1 Creating a web listener on ISA server


A web publishing rule uses a web listener to listen for incoming connections. To create a web listener through the script, use the command line switch “-createweblistener”. The following inputs are needed when creating a web listener:
a) IP address on which to listen for connections:
This is an optional parameter. If no IP address is specified, the script configures the web listener to listen on all IP addresses in the “External” network of the ISA server. Use the switch “/IPaddress” to specify the IP address.

b) SSL server authentication certificate:
The web listener expects an SSL certificate to be used for server authentication as input. This certificate can be specified either as a Personal Information Exchange (.pfx) file or as an X.509 (.cer) file. Use the command line switch “/CertPath” to specify the certificate file.
Note that the script does not import the certificate into the “Personal” certificate store of the local computer. This must be done by the user.

c) Authentication method for the incoming connection:
Although the ISA server offers multiple options for authentication, only three are supported in the RD Gateway scenario, namely “Radius OTP”, “SSL Client Certificate Authentication” and “No Authentication”. Use the command line switch “/ListenerAuthentication” to specify the authentication method: 0 for “No Authentication”, 1 for “Radius OTP” and 2 for “SSL Client Certificate”.
When “Radius OTP” is the preferred authentication scheme, the user also needs to specify the name of the RADIUS server that the ISA server will use for authentication. Use the command line switch “/RadiusServer” to specify the RADIUS server name.
Also, if the authentication mechanism is “Radius OTP”, the web listener is created with its HTTPOnly attribute set to false. This removes the need to modify the HTTPOnly attribute with the script mentioned in the RD Gateway OTP scenario step-by-step guide.


3.1.1 Passing parameters to create a Web listener:

There are two modes in which the parameters for web listener creation can be specified:

1. Command line switches
The following example creates a web listener for the RDG-ISA core scenario using the mandatory command line switches.
cscript.exe ISAConfigScript.vbs -createweblistener /wlname:RDGlistener /certpath:certificate.cer /listenerauthentication:0

2. Configuration file
The same web listener can also be created by providing the input parameters in a text file. A sample configuration file is shown below; copy it and save it as a text file.

/*
This is the configuration file for creating a web listener.
Specify the parameter values for the different switches and run the script.
*/

/* Name of the web listener to be created */
wlname:


/* Certificate file(.pfx or .cer) path */
certpath:


/* Web listener authentication: 0 for No Authentication, 1 for Radius OTP, 2 for SSL Client Certificate */
listenerauthentication:


/* Optional parameter. Specify only if listener authentication is RADIUS OTP */
RadiusServer:


/* Optional parameter. Default value is the IP address in the external network */
IPAddress:

To create the web listener using a configuration file, execute the script as follows:

cscript.exe ISAConfigScript.vbs -createweblistener /file: <filename.txt>

3.2 Create a web publishing rule on ISA server

A web publishing rule enables access to a web server placed inside the corporate network from a non-corporate site, e.g. the Internet. It uses a web listener to listen for incoming connections and then decides whether to allow or block each connection. The web publishing rule provides a host of configurable parameters that feed into this decision. In the RD Gateway scenario, the web server is the RD Gateway server.
The script can create a web publishing rule with the command line switch “-createwebpublishingrule”. Note that only the parameters relevant to the RD Gateway scenario can be specified as input when creating the web publishing rule. They are listed below:

1. Web rule name: Use the command line switch “/WRName” to specify the name of the web rule.
2. Web server’s internal name: Internal name of the RD Gateway server. The ISA server uses this to establish the connection to RD Gateway. Use the command line switch “/ServerName” to specify its value.
3. Web server’s public name: Public name of the RD Gateway server. Clients specify this as the RD Gateway server name when making a remote connection. Use the command line switch “/PublicName” to specify its value.
4. Web listener name: Name of the web listener that the web publishing rule will use to listen for incoming connections. Use the command line switch “/WLName” to specify its value.
5. Bridging type: ISA server offers the option of SSL offloading, which involves terminating the incoming SSL connection from the clients and establishing HTTP connections to the RD Gateway server. Use the command line switch “/BridgingType” to specify its value: 0 for HTTPS-HTTP bridging, 1 for HTTPS-HTTPS bridging.
6. User set: This option determines which users are allowed access to the RD Gateway server by the web publishing rule. The script offers two choices for this parameter, “All Users” and “All Authenticated Users”. Use the command line switch “/UserSet” to specify its value: 0 for “All users”, 1 for “All Authenticated users”.

Certain values are hardcoded when a web publishing rule is created using the script. They are:

1. Authentication delegation: ISA server can delegate authentication to the web server on behalf of the client. However, in the RD Gateway scenario we do not recommend delegation by the ISA server, so this value is permanently set to “No Delegation but client may authenticate directly”.
2. Rule action: A web publishing rule can be configured to either “Allow” or “Deny” a connection that satisfies all the prerequisites specified in the rule. This value is set to “Allow”, since we want the connection to go through if it passes the checks of the web publishing rule.
3. Publishing type: ISA server allows the user to publish either a single web site, a server farm of load-balanced web servers, or multiple web sites. The RD Gateway scenario is always published using the “Single Web Site” option.

3.2.1 Passing parameters to create a Web publishing rule:

There are two modes in which the parameters for creation of a web publishing rule can be specified:

a) Command line switches
The following example creates a web publishing rule for the RDG-ISA core scenario using command line switches.

cscript.exe ISAConfigScript.vbs -createwebpublishingrule /WRName:RDGrule /ServerName:rdgateway.rdg.com /PublicName:rdgateway.rdg.com /WLName:RDGlistener

b) Configuration file
As for a web listener, a web publishing rule can also be created from a configuration file containing the input parameters. A sample configuration file is shown below; copy it and save it as a text file.

/*
This is the configuration file for creating a web publishing rule.
Specify the parameter values for the different switches and run the script.
*/

/* Name of the web publishing rule to be created */
WRName:

/* Name of the server the ISA server will connect to*/
ServerName:

/* Name of the TSG server the client will connect to */
PublicName:


/* Name of the web listener to be used */
WLName:

/* Bridging type to be used: 0 for HTTPS-HTTP, 1 for HTTPS-HTTPS */
BridgingType:


/* User Sets allowed by the web publishing rule: 0 for All users, 1 for All authenticated users */
UserSet:


To create the web publishing rule using a configuration file, execute the script as follows:
cscript.exe ISAConfigScript.vbs -createwebpublishingrule /file: <filename.txt>
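As an added example (not part of the original post or of ISAConfigScript.vbs itself), here is a small Python parser and static validator for the two configuration file formats shown in 3.1.1 and 3.2.1: `/* ... */` comments followed by `switch:value` lines. The script's own parsing logic is not shown on the page, so the parsing rules below (case-insensitive switch names, blank value means "not given", a line without a colon is malformed) are an assumption. The checks are the constraints the documentation states: mandatory switches, allowed values for listenerauthentication, BridgingType and UserSet, RadiusServer required for Radius OTP, and a .pfx or .cer certificate path. Both embedded config files are constructed samples.

```python
import ipaddress
import re

# Block comments in the config files, as in the samples above: /* ... */ (may span lines)
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)

# Switches documented for each file type (compared case-insensitively)
LISTENER_KEYS = {"wlname", "certpath", "listenerauthentication", "radiusserver", "ipaddress"}
RULE_KEYS = {"wrname", "servername", "publicname", "wlname", "bridgingtype", "userset"}


def parse_config(text):
    """Return {switch (lowercased): value} from a config file body.

    Comments are stripped first, blank lines are ignored and a line without a
    colon is treated as malformed. Values are trimmed; an empty value means the
    switch was left blank in the file (assumed behaviour, see lead-in).
    """
    params = {}
    for raw in COMMENT_RE.sub("", text).splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line (expected switch:value): {line!r}")
        key, _, value = line.partition(":")
        params[key.strip().lower()] = value.strip()
    return params


def _check_common(params, known, mandatory):
    """Mandatory switches must be present and non-blank; unknown switches are flagged."""
    problems = [f"missing mandatory parameter {k}" for k in mandatory if not params.get(k)]
    problems += [f"unknown parameter {k}" for k in sorted(set(params) - known)]
    return problems


def validate_listener(params):
    """Static checks for a web listener config file (section 3.1)."""
    problems = _check_common(params, LISTENER_KEYS, ("wlname", "certpath", "listenerauthentication"))
    auth = params.get("listenerauthentication", "")
    if auth and auth not in {"0", "1", "2"}:
        problems.append("listenerauthentication must be 0 (none), 1 (Radius OTP) or 2 (SSL client certificate)")
    elif auth == "1" and not params.get("radiusserver"):
        problems.append("RadiusServer is required when listenerauthentication is 1 (Radius OTP)")
    cert = params.get("certpath", "")
    if cert and not cert.lower().endswith((".pfx", ".cer")):
        problems.append("certpath must point to a .pfx or .cer file")
    ip = params.get("ipaddress", "")
    if ip:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"IPAddress {ip!r} is not a valid IP address")
    return problems


def validate_rule(params):
    """Static checks for a web publishing rule config file (section 3.2)."""
    problems = _check_common(params, RULE_KEYS, ("wrname", "servername", "publicname", "wlname"))
    if params.get("bridgingtype", "") not in {"", "0", "1"}:
        problems.append("BridgingType must be 0 (HTTPS-HTTP) or 1 (HTTPS-HTTPS)")
    if params.get("userset", "") not in {"", "0", "1"}:
        problems.append("UserSet must be 0 (All users) or 1 (All authenticated users)")
    return problems


# Constructed sample: a listener file that selects Radius OTP but leaves RadiusServer blank
SAMPLE_LISTENER = """/*
This is the configuration file for creating a web listener.
*/
/* Name of the web listener to be created */
wlname: RDGlistener

/* Certificate file(.pfx or .cer) path */
certpath: certificate.cer

/* Web listener authentication: 0 for No Authentication, 1 for Radius OTP, 2 for SSL Client Certificate */
listenerauthentication: 1

/* Optional parameter. Specify only if listener authentication is RADIUS OTP */
RadiusServer:

/* Optional parameter. Default value is the IP address in the external network */
IPAddress:
"""

# Constructed sample: a complete web publishing rule file
SAMPLE_RULE = """/* Name of the web publishing rule to be created */
WRName: RDGrule
ServerName: rdgateway.rdg.com
PublicName: rdgateway.rdg.com
WLName: RDGlistener
BridgingType: 1
UserSet: 1
"""

if __name__ == "__main__":
    for label, text, check in (("listener", SAMPLE_LISTENER, validate_listener),
                               ("rule", SAMPLE_RULE, validate_rule)):
        found = check(parse_config(text))
        print(f"{label}: {'OK' if not found else 'problems: ' + '; '.join(found)}")
```

Running the block reports the listener sample as having one problem (Radius OTP selected without a RadiusServer) and the rule sample as OK; the same functions can be pointed at real files before passing them to the script with /file:.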

3.3 Validating the web publishing rules for RD Gateway-ISA scenario


The script offers basic diagnostic capabilities that are useful even when the wizards were used to create the web listener and web rule. It scans the specified web publishing rule and its associated web listener for erroneous configurations and reports them to the user. The checks examine the settings of the web rule and the web listener in order to identify areas that could lead to a connection problem. RD Gateway settings are outside the scope of these checks, so the troubleshooting is static in nature: the script does not make a run-time connection to the published RD Gateway server to verify the web publishing rule. The following are some of the problems that the script will not report:
1. The RD Gateway server is unavailable or unreachable.
2. The web listener is not configured with certificates matching one or more public names defined in the web rule used to publish the RD Gateway server. This can, however, be seen as a warning under the “Listener” tab of the web publishing rule in the ISA server management console.
3. The ISA server needs to trust the certificate installed on the RD Gateway server. The script does not inform the user if the certificate is not trusted.
4. RD Gateway server supports various certificate types: self-signed, public CA, private CA, wildcard certificates, and SAN certificates. However, ISA server 2004, 2006 and 2006 SP1 impose certain restrictions on the types of certificates that can be used with the RD Gateway server. The blog post mentions them under the heading “Certificates that can be used on TS Gateway”. The script does not report an issue if the RD Gateway - ISA server certificate configuration differs from what is recommended.

To validate a web publishing rule, use the “-validaterule” switch with the rule name as shown below:
cscript.exe ISAConfigScript.vbs -validaterule /wrname: <RuleName>

4. Restrictions

1. The script works for both Standard and Enterprise editions of ISA server. For the Enterprise edition, however, the user must run the script on an ISA server machine that is part of the array to be configured. The script does not work in CSS-only or management-console-only ISA server scenarios.
2. Usage on non-English ISA server: to make the script work on non-English versions of ISA server, certain strings at the start of the script need to be localized.
Code (ISAConfigScript.vbs, VBScript):
Option Explicit



'Define the constants needed

const Error_FileNotFound = &H80070002

const Error_WebListenerNotFound = &HC0040357

const Error_IncorrrectCertificatePassword = -2147024810

const Error_InvalidIpAddress = -2147024809

const Error_CAPICOMnotInstalled = 429

const Error_PropertyDoesNotExist = 438

const fpcAllow  = 0

const fpcWebServerThruHTTP = 0

const fpcWebServerThruSSL = 1

const fpcPolicyRuleWebPublishing = 2

const fpcSystemPolicyConfigGroup_CRL = 23

const GUIDforHTTPOnlyCookie = "{29022EBA-B030-4839-9CA6-DD8875BC7B47}"

const GUIDforWebRule = "{5e302ed5-f5d5-4fad-9b8a-01c72e1569f3}"



'These strings are English local only. Please localize them appropriately in case of non-English languages.

const FBAWITHRADIUSOTP = "FBA WITH RADIUS OTP"         

const ALLUSERS = "ALL USERS"

const ALLAUTHENTICATEDUSERS = "ALL AUTHENTICATED USERS"

const EXTERNAL = "EXTERNAL"



'Command line arguments

Dim ruleName           : ruleName        = NULL

Dim serverName         : serverName      = NULL

Dim publicName         : publicName      = NULL

Dim certName           : certName        = NULL

Dim certPassword       : certPassword    = ""

Dim wlName             : wlName          = NULL

Dim BridgingType       : BridgingType    = NULL

Dim weblistenerauthentication : weblistenerauthentication = NULL

Dim userset            : userset         = NULL

Dim Certificate        : Certificate     = NULL

Dim RadiusServerName   : RadiusServerName  = NULL

Dim ipaddress          : ipaddress       = NULL

Dim root               : root            = NULL  'A FPCLib.FPC root object

Dim oArray             : oArray          = NULL  'A FPCArray object 



'We Start here

Main



Sub Main()

   

    'First make sure the script is executed by CScript.exe.

    If InStr(1, UCase(Wscript.FullName), "CSCRIPT.EXE", 1) = 0 Then

       Wscript.Echo "This script can only be executed by CScript.exe."

       Exit Sub

    End If



    If not(Init)then 

       WScript.Echo "This script should only be run on an ISA server."

       WScript.Echo

       DisplayUsage

       Exit Sub

    End If   



    If (ParseCommandLine) then

        WScript.Echo "Saving data..."

        oArray.Save false,false

    End if

    

End Sub 'Main



'This function contains the main logic for the script. It decides what is to be done - create a rule , create a

'web listener or vaildate a rule. Thereafter is calls the appropriate functions to accomplish the task.

Function ParseCommandLine

  

   ParseCommandLine = false



    'If the number of arguments passed from commmand line are zero then display help

    if (Wscript.Arguments.Count = 0) then 

     DisplayUsage

     exit Function

    end if

  

   'Parse command line.



   Select Case UCase(Wscript.Arguments(0))



     case "-CREATEWEBPUBLISHINGRULE"

       

       'Parse command line arguments for web listener

       if not(ParseCommandLineForWebPublishingRule) then exit Function

       

       'Creating web publishing rule

       if not(AddWebPubRule) then exit Function



       'Adding custom Vendor Parameter Name Value pairs to the created rule which are required for RPC over HTTP traffic

       if not(CustomizeWebRulewithVPS(ruleName)) then exit Function

 

       'Checking the created web publishing rule for common misconfigurations

       if not(CheckWebPublishingRule ) then exit Function

       

       ParseCommandLine = true



     Case "-CREATEWEBLISTENER"

      

       'Parse command line arguments for web listener

       if not(ParseCommandLineForWebListener) then exit Function



       'Creating web listener

       if not(CreateWebListener) then exit Function

       

       'Set HTTPOnly Cookie value to false incase listener uses RADIUS OTP

       if not(CustomizeWebListenerWithVPS(wlName)) then exit Function



       ParseCommandLine = true

         

     Case "-VALIDATERULE"

       

       'Parse command line arguments for validating rule

       if not(ParseCommandLineForValidateRule) then exit Function

        

       'Validate the web publishing rule 

       if not(CheckWebPublishingRule) then exit Function

 

     Case Else

    

        WScript.Echo "Please specify one of the following switches: CREATEWEBPUBLISHINGRULE, CREATEWEBLISTENER, or VALIDATERULE"

        WScript.Echo

        DisplayUsage

   

   End Select

      

     

End Function ' ParseCommandLine



'This function creates the root object and gets reference to the array object for the ISA server

Function Init



	Init = false

	On Error Resume Next

	'Create the root obect.

	Set root = CreateObject("FPC.Root")

	If err.number <> 0 Then  

        WScript.Echo Err.Description

        WScript.Echo Err.number

        exit Function

    End If  

    'Get reference to the array object

	Set oArray = root.GetContainingArray

	If err.number <> 0 Then  

        WScript.Echo Err.Description

        WScript.Echo Err.number

        exit Function

    End If  

    On Error Goto 0

	Init = true



End Function 'Init





'This function creates a web publishing rule

Function AddWebPubRule()



     AddWebPubRule = false



    Dim rules        ' An FPCPolicyRules collection

    Dim rule         ' An FPCPolicyRule object

    Dim publicNames  ' An FPCPublicNames collection

    Dim path         ' An FPCPathMapping Object

    Dim retval       ' A bool variable



    Set rules = oArray.ArrayPolicy.PolicyRules



    On Error Resume Next

    Set rule = rules.Item(ruleName)

    If err.number <> 0 Then  

        If err.Number <> Error_FileNotFound Then

          WScript.Echo "An error has occurred while creating the web publishing rule."

          WScript.Echo Err.Description

          WScript.Echo Err.number

          WScript.Echo "Ending the script ..."

          exit Function

        Else

          WScript.Echo "Creating the web publishing rule ..."

          On Error Goto 0

          Set rule = rules.AddWebPublishingRule(ruleName)

         End If

    Else

        On Error Goto 0

        retval = MsgBox ("The web publishing rule """ & ruleName &  """ already exists. Do you want to recreate it?",VBYesNo)

	    If retval = vbYes Then

          rules.Remove(ruleName)

          WScript.Echo "Deleted web publishing rule """ & ruleName & """"

          Set rule = rules.AddWebPublishingRule(ruleName)

        Else

          WScript.Echo "New rule """ & ruleName & """ has not been created."

          exit Function

        End If

    End If



    'Set  general properties   

    rule.Description="Publishes TSG"

    rule.Enabled = true

    'Rule action 0 means Allow connections that match this rule

    rule.Action = fpcAllow   

    rule.WebPublishingProperties.TranslateLinks = false

        

    'Set rule properties.

    rule.WebPublishingProperties.WebSite = serverName

    Set publicNames = rule.WebPublishingProperties.PublicNames

    publicNames.Add(publicName)

    

   'Set the web listener for the web publishing rule. 

    Err.Clear

    On Error Resume Next 

    rule.WebPublishingProperties.SetWebListener(wlName)

    If err.Number = Error_WebListenerNotFound Then

        WScript.Echo "The web listener """ & wlName & """ does not exist."

        WScript.Echo "Please create the associated web listener before creating the web publishing rule."

        WScript.Echo "Ending the script ..."

        exit Function

    ElseIf err.Number <> 0 Then

        WScript.Echo Err.Description

        WScript.Echo Err.number

        WScript.Echo "Ending the script ..."

        exit Function

    End If



	On Error Goto 0

	'We need to check whether the web listener authentication is set to HTML form based using

	'RADIUS OTP as validation method. If yes, it sets the value of HTTPOnlyCookie attribute in web listener to false

	If NOT(CustomizeWebListenerWithVPS(wlName)) Then

		exit Function

	End If



	'In case the web listener uses SSL CLient Certificate authentication the system policy rule

	' "Allow all HTTP traffic from ISA Server to all networks (for CRL downloads)"

	If NOT(EnableCRLDownloads) Then exit Function

     

    If (BridgingType = 1) Then

      'For HTTPS-HTTPS briging

      rule.WebPublishingProperties.PublishedServerType = fpcWebServerThruSSL

      rule.WebPublishingProperties.SSLRedirectPort = 443

    Else

      'For HTTPS-HTTP briging

       rule.WebPublishingProperties.PublishedServerType = fpcWebServerThruHTTP

       rule.WebPublishingProperties.HTTPRedirectPort =  80

    End If



   

    'Authentication delegation property is only present in ISA Server 2006 and above 

    'we set the authentication delegation type to 0 ( No delegation but client may authenticate directly)

     Err.Clear

     On Error Resume Next

     rule.WebPublishingProperties.CredentialsDelegationType = 0

     If (err.Number <> 0) AND (err.Number <> Error_PropertyDoesNotExist) Then

        WScript.Echo Err.Description

        WScript.Echo Err.number

        WScript.Echo "Ending the script ..."

        exit Function

     End If

     On Error Goto 0



    'Associating the appropriate user set with the web publishing rule



    'Clearing any user sets already present

      If Not(rule.WebPublishingProperties.UserSets.Count = 0) then

        rule.WebPublishingProperties.UserSets.RemoveAll()

      End If

 

    Select Case userset 

     Case 0

      rule.WebPublishingProperties.UserSets.Add ALLUSERS, 0  

     Case 1

      rule.WebPublishingProperties.UserSets.Add ALLAUTHENTICATEDUSERS, 0   

    End Select  



    WScript.Echo "Web publishing rule """ & ruleName & """ has been created."



    'Printing the settings of the rule created

    PrintWebRuleSettings

       

    AddWebPubRule = true

   

End Function 'AddWebPubRule



'This function creates a web listener

Function CreateWebListener()



    CreateWebListener =false

       

    'Setting constants

    const  fpcAllIPAddresses =0

    const fpcSpecifiedIPAddresses = 2

   'Declare the other objects needed.

    Dim weblisteners  ' An FPCWebListeners collection

    Dim newlistener    ' An FPCWebListener object

    Dim SSLCertificates 'An FPCCertificates collection

    Dim server          ' An FPCServer object

    Dim SSLCertificate   ' An FPCCertificate object

    Dim retval             ' A bool variable

    Dim newWebListenerCreated   ' A bool variable

    Dim AuthenticationSchemes    'An FPCRefs object

    Dim AuthenticationScheme     'An FPCRef object

    Dim CertHash                 'Stores the hash value of the certificate

    Dim IsCertInStore            'Bool variable

    

    'Get references to the array object,and the policy rules collection, 

    Set weblisteners = oArray.RuleElements.WebListeners





    On Error Resume Next

    Set newlistener = weblisteners.Item(wlName)

    'If the web listener does not exist, create it

    If err.number <> 0 Then 

        If err.Number <> Error_FileNotFound Then

            WScript.Echo "An error has occurred while creating the web listener."

            WScript.Echo Err.Description

            WScript.Echo Err.number

            WScript.Echo "Ending the script ..."

            exit Function

        Else

            WScript.Echo "Creating the web listener ..."

            On Error GoTo 0     

            Set newlistener = weblisteners.Add(wlName)

            newWebListenerCreated = "true"

       End If

    Else

        On Error Goto 0

        retval = MsgBox ("The """ & wlName  & """ web listener already exists. Do you want to delete it and create a new one?",VBYesNo)

        If retval = vbYes Then

            'A web listener cannot be deleted if is already being used in some rule. 

            'Make sure that the web listener is not being used in some web rule before deleting it

            If NOT(CheckIfWebListenerIsBeingUsed) Then

                exit Function

            End If

                 

            'Deleting the existing web listener

             weblisteners.Remove(newlistener.Name)

             WScript.Echo "Deleted web listener """ & wlName  & """"

             Set newlistener = weblisteners.Add(wlName)

             newWebListenerCreated = "true"

        Else

             WScript.Echo "A new web listener has not been created."

             exit Function

        End If

    End If



    If  newWebListenerCreated = "true" Then

        'Load the certificate file

        If not(LoadCertificate) then exit Function

    

        'Set the ip's for web listener to listen on

        If isNull(ipaddress) Then

            'Set the web listener to listen on all ip's in external network

            newlistener.IPsOnNetworks.Add EXTERNAL,fpcAllIPAddresses,""    

        Else

            'Set the web listener to specified ip in  external network

            newlistener.IPsOnNetworks.Add EXTERNAL,fpcSpecifiedIPAddresses,ipaddress     

        End if



        'Set the web listener to listen for SSL requests on port 443

        'Setting TCP port to 0 implies that the web listener will not handle incoming HTTP requests

        newlistener.Properties.TCPPort=0

        newlistener.Properties.SSLPort=443



        'Associating SSL cert with the web listener

        Set server = root.GetContainingServer()   

        Set SSLCertificates = server.SSLServerCertificates



        'Get the hash value of the certificate given as input

        CertHash = Certificate.Thumbprint

      

        'Check if the certificate given as input is present in the store

        For Each SSLCertificate In SSLCertificates 

            If CertHash = ByteArrayToHexString(SSLCertificate.Hash) Then

                IsCertInStore  = "true"

                newlistener.Properties.AppliedSSLCertificates.Add SSLCertificate.Hash,""

            End If

        Next

         

        If IsEmpty(IsCertInStore) Then

            WScript.Echo "The certificate """ & certName & """ is not available for use by the web listener."

            WScript.Echo "Make sure the certificate has been added to the ""Personal"" store store of the computer, has an associated private key and is meant for server authentication."

            exit Function

        End If

     

        'Set the web listener authentication mode to "No authentication"

        'Default for BasicAuthentication, DigestAuthentication, Integrated Windows Authentication is false

        newlistener.Properties.BasicAuthentication = false  

        newlistener.Properties.DigestAuthentication = false

        newlistener.Properties.IntegratedWindowsAuthentication = false

        newlistener.Properties.AlwaysAuthenticate =false



        'Set SSLCertificateAuthentication (authentication method available only if SSL listening is enabled) to false

        'Default is also false

        newlistener.Properties.SSLCertificateAuthentication = false  



        'Get the authentication schemes object which contains the pre-existing schemes like Radius,Radius with OTP etc. which are used with this web listener 

        Set AuthenticationSchemes = newlistener.Properties.AuthenticationSchemes

            

        'Set authenitcation scheme on web listener as given in input   

        Select Case weblistenerauthentication

            Case 1

                On Error Resume Next

                ' Authentication scheme "FBA with RADIUS OTP" is not aviable in ISA server 2004

                Set AuthenticationScheme = AuthenticationSchemes.Add(FBAWITHRADIUSOTP,0) 

                If Err.Number <> 0 Then

                    WScript.Echo "The RADIUS OTP property is not available on ISA server 2004"

                    WScript.Echo Err.Description

                    WScript.Echo Err.number

                    WScript.Echo "Ending the script ..."

                    exit Function

                End If 

                On Error Goto 0

                ' Adding the radius client in the ISA server

                If NOT(AddRadiusServer) Then

                    exit Function

                End If

            Case 2

                newlistener.Properties.SSLCertificateAuthentication = true

        End Select  



        'Saving web listener collection

        WScript.Echo "The web listener """ & wlName & """ has been created."



        'Print the settings of the web listener created

        PrintWebListenerSettings

    End If

    

    CreateWebListener = true    

      

End Function  ' CreateWebListener



'This function checks if the web listener is associated with some web rule. 

'If it is,it specifies the web rule name and aborts the script.

Function CheckIfWebListenerIsBeingUsed()



    CheckIfWebListenerIsBeingUsed =false



    'Declare the other objects needed.

    Dim rules        ' An FPCPolicyRules collection

    Dim rule         ' An FPCPolicyRule object

    Dim publicNames  ' An FPCPublicNames collection

    Dim webListernerUsed 'A variable to store web listener names

   



    Set rules = oArray.ArrayPolicy.PolicyRules



     

    For Each rule In rules

		'Get the web listener name associated with the web rule

	    If fpcPolicyRuleWebPublishing = rule.Type Then

		    Set webListernerUsed = rule.WebPublishingProperties.WebListenerUsed

			If LCase(webListernerUsed.Name) = LCase(wlName) Then

			    WScript.Echo "The web listener """ & wlName & """ is associated with the web publishing rule """ & rule.Name & """." & VbCrLf _ 

			    & "Please delete the rule """ & rule.Name & """ and re-run the script to create the web listener."

			    exit Function

			End If

		End If

    Next

        

    CheckIfWebListenerIsBeingUsed = true   

   

End Function  'CheckIfWebListenerIsBeingUsed





'This function adds the radius server in the ISA server which the web listener will use for authentication when 

'it authenticatses using FBA with Radius OTP

Function AddRadiusServer()

  

    AddRadiusServer = false

  

    Dim RadiusServers    'An FPCRadiusServers object

    Dim RadiusServer     'An FPCRadiusServer object

    Dim retval           'A bool variable



    'Get the list of Radius servers already configured on the ISA server

    Set RadiusServers = oArray.RuleElements.RadiusServers



    On Error Resume Next

   'Check if the specified Radius server is already present

    Set RadiusServer = RadiusServers.Item(RadiusServerName)

    If Err.number <> 0 Then 

        If Err.number <> Error_FileNotFound Then 

            WScript.Echo "* An error has occurred while adding radius server"

            WScript.Echo Err.Description

            WScript.Echo Err.number

            WSript.Echo "* Ending the script ..."

            exit Function

        Else

            WScript.Echo "Adding the Radius server """ & RadiusServerName & """ to the Radius Servers list."

            On Error Goto 0

            Set RadiusServer = RadiusServers.Add(RadiusServerName)

        End If

    Else

        On Error Goto 0

        retval = MsgBox ("The Radius server """ & RadiusServerName &  """ already exists in the RADIUS Servers list. Do you want to delete the existing RADIUS server and then re-add it?",VBYesNo)

        If retval = vbYes Then

            'Deleting the existing radius server 

            RadiusServers.Remove(RadiusServerName)

            WScript.Echo "Radius server """ & RadiusServerName & """ has been deleted from the RADIUS servers list."

            'Adding the radius server

            Set RadiusServer = RadiusServers.Add(RadiusServerName)

        Else

            WScript.Echo "The existing Radius Server """ & RadiusServerName & """ will be used for authentication"

        End If

     End If



    AddRadiusServer = true 

   

End Function 'AddRadiusServer





'This function loads the .cer or .pfx certificate. It uses CAPICOM.dll which needs to be installed

Function LoadCertificate()



    LoadCertificate = false 

     

    Err.Clear

    On Error Resume Next

    Set Certificate = CreateObject("CAPICOM.Certificate")

    If Err.number <> 0 then 

        If Err.number = Error_CAPICOMnotInstalled then

            WScript.Echo Err.Description

            WScript.Echo Err.number

            WScript.Echo "Make sure CAPICOM is installed. You can install it from http://msdn.microsoft.com/en-us/library/ms759176(VS.85).aspx"

        Else

            WScript.Echo Err.Description

            WScript.Echo Err.number

        End If

        WScript.Echo "Ending the script..." 

        exit Function

    End If

   

    On Error Goto 0 

    'Checking if certificate type is .pfx or .cer

    If Right(certName,3) = "pfx" Or (Mid(certName,Len(certName)-3,3) = "pfx" And Right(certName,1)="""") Then

        'If certificate is .pfx type , get password from user

        certPassword = GetCertPassword()

    End If   

    

    Err.Clear

    On Error Resume Next



  

    Certificate.Load certName, certPassword

    If Err.number <> 0 then 

        If Err.Number = Error_IncorrrectCertificatePassword Then

            WScript.Echo "The password specified for the certificate file is incorrect."

            WScript.Echo "Please specify the correct password and then re-run the script."

            exit Function

         End If

         WScript.Echo "An error occurred while loading the certificate."

         WScript.Echo Err.Description

         WScript.Echo Err.number

         exit Function

    End If



    On Error Goto 0

    LoadCertificate = true



End Function 'LoadCertificate
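LoadCertificate above only proves that CAPICOM can parse the file and that the .pfx password is right. Before binding a certificate to the listener, a practitioner also wants to know that it can actually terminate SSL for the published name: that a .pfx carries its private key (a .cer never does), that it is inside its validity period, that it has the Server Authentication extended key usage, and that its subject matches the public name clients will type. The check below is an added example written for this page, not part of the TechNet script; it uses the same CAPICOM.Certificate object the script relies on, and the file path, password and public name at the bottom are made-up placeholders.

```vbscript
' Added example (not part of the TechNet script): confirm a loaded certificate
' is usable for an SSL web listener. Assumes CAPICOM 2.x is registered; the
' path, password and public name passed at the bottom are placeholders.
Option Explicit

Const CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME = 0
Const OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   ' id-kp-serverAuth

' Returns True when the certificate in certFile can serve the listener for
' publicName; every failed check prints its reason before the verdict.
Function CheckListenerCertificate(certFile, certPassword, publicName)
    Dim cert, eku, hasServerAuth, ok, subjectName
    CheckListenerCertificate = False
    ok = True

    Set cert = CreateObject("CAPICOM.Certificate")
    cert.Load certFile, certPassword

    ' A .pfx must carry the private key; a .cer never does, so test only .pfx.
    If LCase(Right(certFile, 4)) = ".pfx" Then
        If Not cert.HasPrivateKey() Then
            WScript.Echo "*ERROR* The .pfx file does not contain a private key."
            ok = False
        End If
    End If

    ' Validity window: an expired or not-yet-valid certificate fails every client.
    If Now < cert.ValidFromDate Or Now > cert.ValidToDate Then
        WScript.Echo "*ERROR* Certificate is outside its validity period (" & _
            cert.ValidFromDate & " to " & cert.ValidToDate & ")."
        ok = False
    End If

    ' Extended Key Usage: the listener needs Server Authentication. When the
    ' extension is absent CAPICOM reports IsPresent = False and any usage is allowed.
    hasServerAuth = Not cert.ExtendedKeyUsage.IsPresent
    For Each eku In cert.ExtendedKeyUsage.EKUs
        If eku.OID = OID_SERVER_AUTH Then hasServerAuth = True
    Next
    If Not hasServerAuth Then
        WScript.Echo "*ERROR* Certificate lacks the Server Authentication EKU (" & OID_SERVER_AUTH & ")."
        ok = False
    End If

    ' Name check: clients connect to the rule's public name, so the subject CN should match it.
    subjectName = cert.GetInfo(CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME)
    If LCase(subjectName) <> LCase(publicName) Then
        WScript.Echo "*WARNING* Subject name """ & subjectName & """ differs from the public name """ & publicName & """."
    End If

    CheckListenerCertificate = ok
End Function

' Usage with placeholder values (constructed for this example):
If CheckListenerCertificate("C:\certs\rdgateway.pfx", "p@ssw0rd", "rdg.example.com") Then
    WScript.Echo "Certificate checks passed."
End If
```

Run it under cscript on the ISA server. A load failure (missing file, wrong password) surfaces here as a runtime error rather than the friendlier messages the script prints, and the name check compares only the subject CN, so a certificate that relies on a Subject Alternative Name or a wildcard needs a manual look. Because a .cer carries no private key, the listener can only use one if the matching certificate and key are already in the Local Computer store; this check does not verify that.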





'This function checks if the certificate file exists

Function CheckIfCertificateExists()

 

    CheckIfCertificateExists = false

    Dim CertificateFile : CertificateFile = null

    Err.Clear

    On Error Resume Next

    Set CertificateFile = CreateObject("CAPICOM.Certificate")

    If Err.number <> 0 then 

        If Err.number = Error_CAPICOMnotInstalled then

            WScript.Echo Err.Description

            WScript.Echo Err.number

            WScript.Echo "Please ensure that the CAPICOM is installed. You can install it from http://msdn.microsoft.com/en-us/library/ms759176(VS.85).aspx"

        Else

            WScript.Echo Err.Description

            WScript.Echo Err.number

        End If

        WScript.Echo "Ending the script..." 

        exit Function

    End If

    

    Err.Clear

    'Load without a password: only a missing file is fatal here. Any other load error

    '(for example a password-protected .pfx) still means the file exists; LoadCertificate reports those.

    CertificateFile.Load certName, ""

    If Err.number <> 0 then 

        If err.Number = Error_FileNotFound Then

                WScript.Echo "The system cannot find the file " & certName

                WScript.Echo "Please specify the correct certificate path and then re-run the script."

                exit Function

        End If

    End If

    

    On Error Goto 0

    

    CheckIfCertificateExists = true

    

End Function

    

'This function gets the password needed for .pfx certificate file from user

Function GetCertPassword()

 

    Dim objPassword

    Set objPassword = CreateObject("ScriptPW.Password") 

    WScript.StdOut.Write "Please enter the certificate password:" 

    Wscript.Echo

    GetCertPassword = objPassword.GetPassword() 

  

End Function 'GetCertPassword





'This function parses the input parameters if a web publishing rule is being created

Function ParseCommandLineForWebPublishingRule



    ParseCommandLineForWebPublishingRule = false

  

    Dim filename: filename = null



    If WScript.Arguments.Named.Exists("?") Then

        DisplayUsage

        exit Function

    End If

  

    If Not(WScript.Arguments.Named.Exists("File")) Then

        'Read command line parameters

        If WScript.Arguments.Named.Exists("WRNAME") Then

            ruleName= WScript.Arguments.Named.Item("WRNAME")

            ruleName= IfEmptyStringAssignNull(ruleName)

        End if

        If WScript.Arguments.Named.Exists("SERVERNAME") Then

            serverName= WScript.Arguments.Named.Item("SERVERNAME")

            serverName= IfEmptyStringAssignNull(serverName)

        End if

        If WScript.Arguments.Named.Exists("PUBLICNAME") Then

            publicName= WScript.Arguments.Named.Item("PUBLICNAME")

            publicName= IfEmptyStringAssignNull(publicName)

        End if

        If WScript.Arguments.Named.Exists("WLNAME") Then

            wlName = WScript.Arguments.Named.Item("WLNAME")

            wlName= IfEmptyStringAssignNull(wlName)

        End if

        If WScript.Arguments.Named.Exists("BRIDGINGTYPE") Then

            BridgingType= WScript.Arguments.Named.Item("BRIDGINGTYPE")

            BridgingType= IfEmptyStringAssignNull(BridgingType)

        End if

        If WScript.Arguments.Named.Exists("USERSET") Then

            userset= WScript.Arguments.Named.Item("USERSET")

            userset= IfEmptyStringAssignNull(userset)

        End if

    Else

        filename = WScript.Arguments.Named.Item("File")

        filename= IfEmptyStringAssignNull(filename)

     

        If IsNull(filename) Then

            WScript.Echo "Please enter a file name and then re-run the script."

            WScript.Echo "Ending the script ..."

            exit Function

        End if 

     

        If InvalidFile(filename) Then 

            exit Function

        end if



        ruleName = ReadKeyValueFromFile ("WRNAME",filename)

        serverName = ReadKeyValueFromFile ("SERVERNAME",filename)

        publicName = ReadKeyValueFromFile ("PUBLICNAME",filename)

        wlName = ReadKeyValueFromFile ("WLNAME",filename)

        BridgingType = ReadKeyValueFromFile ("BRIDGINGTYPE",filename)

        userset = ReadKeyValueFromFile ("USERSET",filename)

    End If



 'Check the passed parameters  

   

 'Check if all mandatory parameters have been specified 

    If (IsNull(ruleName) OR IsNull(serverName) OR IsNull(publicName) OR IsNull(wlName) OR IsNull(BridgingType) or isnull(userset))  Then

        WScript.Echo "The following mandatory parameter values are missing: "

        If IsNull(ruleName) Then WScript.Echo "WRNAME"

        If IsNull(serverName) Then WScript.Echo "SERVERNAME"

        If IsNull(publicName) Then WScript.Echo "PUBLICNAME"

        If IsNull(wlName) Then WScript.Echo "WLNAME"

        If IsNull(BridgingType) Then WScript.Echo "BRIDGINGTYPE"

        If Isnull(userset) Then WScript.Echo "USERSET"

        WScript.Echo 

        DisplayUsage

        exit Function

    End If  

   

 'Check the parameter passed for bridging type 

 '(values arrive as strings from the command line or the file, so compare them numerically)

    If IsNumeric(BridgingType) = FALSE Then

        DisplayUsage 

        exit Function

    Else  

        If (CLng(BridgingType) <> 0 And CLng(BridgingType) <> 1) Then

            WScript.Echo "Please enter a valid option for bridging type (0 or 1):"

            WScript.Echo

            DisplayUsage

            exit Function

       End If

    End If 

  

'Check the parameter passed for user set

    If IsNumeric(userset) = FALSE Then

        DisplayUsage

        exit Function

    Else

        If Not(CLng(userset)=0 Or CLng(userset)=1)  then

            WScript.Echo "Please enter a valid option for user sets (0 or 1):"

            WScript.Echo

            DisplayUsage

            exit Function

         End If

     End If

   

    ParseCommandLineForWebPublishingRule = true  

  

End Function ' ParseCommandLineForWebPublishingRule



'This function parses the input parameters if a web listener is being created

Function ParseCommandLineForWebListener



  ParseCommandLineForWebListener = false 

  

  Dim filename: filename = null



  If WScript.Arguments.Named.Exists("?") Then   

  DisplayUsage

  exit Function

  End If

  

  If Not(WScript.Arguments.Named.Exists("File")) Then

  'Read command line parameters

         If WScript.Arguments.Named.Exists("CERTPATH") Then

          certName= WScript.Arguments.Named.Item("CERTPATH")

          certName= IfEmptyStringAssignNull(certName)

        End if

        If WScript.Arguments.Named.Exists("WLNAME") Then

          wlName= WScript.Arguments.Named.Item("WLNAME")

          wlName= IfEmptyStringAssignNull(wlName)

        End if

        If WScript.Arguments.Named.Exists("LISTENERAUTHENTICATION") Then

          weblistenerauthentication= WScript.Arguments.Named.Item("LISTENERAUTHENTICATION")

          weblistenerauthentication= IfEmptyStringAssignNull(weblistenerauthentication)

        End if

        If WScript.Arguments.Named.Exists("RADIUSSERVER") Then

          RadiusServerName= WScript.Arguments.Named.Item("RADIUSSERVER")

          RadiusServerName= IfEmptyStringAssignNull(RadiusServerName)

        End if

        If WScript.Arguments.Named.Exists("IPADDRESS") Then

          ipaddress= WScript.Arguments.Named.Item("IPADDRESS")

          ipaddress= IfEmptyStringAssignNull(ipaddress)

        End if

   Else

         filename = WScript.Arguments.Named.Item("File")

         filename= IfEmptyStringAssignNull(filename)

         

         if IsNull(filename) then

              WScript.Echo "Please enter a file name and then re-run the script."

              WScript.Echo "Ending the script ..."

              exit Function

         end if 

         

         if InvalidFile(filename) then 

            exit Function

         end if

         certName = ReadKeyValueFromFile ("CERTPATH",filename)

         wlName = ReadKeyValueFromFile ("WLNAME",filename)

         weblistenerauthentication = ReadKeyValueFromFile ("LISTENERAUTHENTICATION",filename)

         RadiusServerName = ReadKeyValueFromFile ("RADIUSSERVER",filename)

         ipaddress = ReadKeyValueFromFile ("IPADDRESS",filename)

   End If

    

  'Check passed parameters

    

  'Checking if all mandatory parameters have been given

  If (IsNull(certName) OR IsNull(wlName) OR IsNull(weblistenerauthentication))  Then

   WScript.Echo "The following mandatory parameter values are missing: "

   If IsNull(wlName) Then WScript.Echo "WLNAME"

   If IsNull(certName) Then WScript.Echo "CERTPATH"

   If IsNull(weblistenerauthentication) Then WScript.Echo "LISTENERAUTHENTICATION"

   WScript.Echo

   DisplayUsage

   exit Function

  End If 

    

  'Check certificate 

  If NOT(Right(certName,3) = "pfx" Or (Mid(certName,Len(certName)-3,3) = "pfx" And Right(certName,1)="""") Or Right(certName,3) = "cer" Or (Mid(certName,Len(certName)-3,3) = "cer" And Right(certName,1)="""")) Then

   WScript.Echo "Please enter a valid certificate file. It should have either a .cer or a .pfx extension."

   WScript.Echo

   DisplayUsage

   exit Function

  End If



  'Remove the quotations from the certificate path if they exist

  If Left(certName,1) = """" And Right(certName,1)="""" Then

   CertName = Mid(certName,2,Len(CertName)-2)

  End If

  

  

  'Check if certificate file exists

  If Not(CheckIfCertificateExists) Then

   WScript.Echo

   DisplayUsage

   exit Function

  End If



  'Check listener authentication value (it arrives as a string, so compare numerically)

  If Not(IsNumeric(weblistenerauthentication)) Then

    WScript.Echo "Please enter a valid option for the web listener authentication scheme ( 0, 1, or 2):"

    WScript.Echo

    DisplayUsage

    exit Function

  ElseIf Not(CLng(weblistenerauthentication)=0 Or CLng(weblistenerauthentication)=1 Or CLng(weblistenerauthentication)=2) then

    WScript.Echo "Please enter a valid option for the web listener authentication scheme ( 0, 1, or 2):"

    WScript.Echo

    DisplayUsage

    exit Function

  End If



 

  'Check that RADIUS OTP (option 1) has not been requested on ISA Server 2004, which does not support it

   If (CLng(weblistenerauthentication) = 1) and (Left(GetISAProductVersion,1)="4") Then

    WScript.Echo "The authentication scheme RADIUS OTP is not available on ISA server 2004 versions. Please install ISA server 2006 with supportability update or later to use RADIUS OTP in ISA RD Gateway scenarios."

    exit Function

   End If

  

  'Check that a RADIUS server has been specified if RADIUS OTP is being used

  If (CLng(weblistenerauthentication) = 1) and (IsNull(RadiusServerName)) then

   WScript.Echo "HTML form-based authentication(RADIUS OTP) needs a RADIUS server."

   WScript.Echo "Please specify a RADIUS server."

   WScript.Echo

   DisplayUsage

   exit Function

  End If



  'Check that the ip address specified is a valid one

  If not(IsNull(ipaddress)) then

   If NOT(CheckifValidIP) Then

   exit Function

   End If

  End if



ParseCommandLineForWebListener = true



End Function ' ParseCommandLineForWebListener'





Function IfEmptyStringAssignNull(variable)

 

  if variable = "" then

  IfEmptyStringAssignNull = null

  else

  IfEmptyStringAssignNull = variable

  end if

  

End Function 'IfEmptyStringAssignNull





'This function parses the input parameters if a rule validation is being done

Function ParseCommandLineForValidateRule



    ParseCommandLineForValidateRule = false



    If WScript.Arguments.Named.Exists("?") Then   

        DisplayUsage

        exit Function

    End If

  

    If WScript.Arguments.Named.Exists("WRNAME") Then

        ruleName= WScript.Arguments.Named.Item("WRNAME")

    End if

        

    If IsNull(ruleName ) Then

        WScript.Echo "Not all parameters have been specified."

        WScript.Echo

        DisplayUsage

        exit Function

    End If



    ParseCommandLineForValidateRule = true



End Function ' ParseCommandLine



'This function reads a key value from the configuration file

Function ReadKeyValueFromFile (key,filename)



    Dim filesystemobject

    Dim strLine

    Dim fileobject

    Dim pos



    ReadKeyValueFromFile = null



    Set filesystemobject = CreateObject( "Scripting.FileSystemObject" )



    Set fileobject = filesystemobject.OpenTextFile(filename, 1, False )

    Do While fileobject.AtEndOfStream = False

        strLine = Trim(fileobject.ReadLine)

        pos=InStr(strLine,":")

        If not(pos=0) Then

            If UCase(Mid(strLine,1,pos-1)) = UCase(key) Then

                ReadKeyValueFromFile = Trim (Right(strLine,Len(strLine) - pos))

                exit do

            End if

        End if

    Loop



    fileobject.Close



    If ReadKeyValueFromFile = "" Then

        ReadKeyValueFromFile = null

    end if



End function 'ReadKeyValueFromFile
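ReadKeyValueFromFile defines the format of the file passed with /File: one KEY: value pair per line, where the key is the text before the first colon and is matched case-insensitively, the value is everything after that colon (so a Windows path containing C: is safe), leading and trailing spaces are trimmed, lines without a colon are ignored, and the first matching line wins. Since each parser reads only its own keys, one file can feed both the web listener and the web publishing rule parameters. The sample below is added here as an illustration with made-up values; it is not from the original page, and the 0/1 options are placeholders within the ranges the parsers accept (LISTENERAUTHENTICATION 1 is the RADIUS OTP scheme, which is why a RADIUSSERVER line is present).

```text
WLNAME: RDGListener
CERTPATH: C:\certs\rdgateway.pfx
LISTENERAUTHENTICATION: 1
RADIUSSERVER: nps01.corp.example
IPADDRESS: 203.0.113.10
WRNAME: Publish RD Gateway
SERVERNAME: rdg01.corp.example
PUBLICNAME: rdg.example.com
BRIDGINGTYPE: 0
USERSET: 1
```

Note that the reader has no comment syntax: any extra line that happens to contain a colon becomes a key, harmless unless it collides with one of the names above.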



'This function checks if the configuration file exists

Function InvalidFile(filename)



    InvalidFile = true 

    Dim filesystemobject

    Set filesystemobject = CreateObject( "Scripting.FileSystemObject" )

    If NOT(filesystemobject.FileExists( filename )) Then

        WScript.Echo "Please specify a valid configuration file."

        WScript.Echo "Ending the script ..."

        exit Function

    End If

    InvalidFile = false



End function 'InvalidFile



'This function checks that the IP address supplied by the user is valid, i.e. it is an address bound to one of the NICs

'of the ISA computer and lies in its "External" network

Function CheckifValidIP()

 

    CheckifValidIP = false

 

    'The web listener should listen on an IP that is in the address set of one of the NICs

    'and belongs to the "External" network of the ISA computer



    Dim server         'An FPCServer object

    Dim adapters       'An FPCAdapters object

    Dim adapter        'An FPCAdapter object

    Dim retval         'A bool variable

    Dim internalnetwork  'An FPCNetwork object

    Dim boolval          'A bool variable

 

 

    Set server = root.GetContainingServer()

    Set adapters = server.adapters

   

  

    'Here we check if the ip address actually belongs to one of the nic's on the machine

    For Each adapter in adapters

   

        Err.Clear

        On Error Resume Next

        boolval = adapter.IsIpInAddressSet(ipaddress)  

     

        If Err.Number = Error_InvalidIpAddress Then 

            WScript.Echo "Please specify a valid IPv4 address and then re-run the script."

            exit Function

        End If

     

        If Err.number <> 0 Then

            WScript.Echo Err.Description

            WScript.Echo Err.number

            exit Function

        End If

     

        On Error goto 0

     

        If  boolval then

            retval = true

            end if

    Next



    If not(retval) Then

        WScript.Echo "The IP address """ & ipaddress & """ does not belong to any enabled network adapter of the computer." 

        Wscript.Echo "Please specify an IP address which is in the address range of the enabled network adapters of the computer and then re-run the script."

        exit Function

    End if

 



    'Check if the ip address belongs to the external network.

    'This is being done by checking if it is in the Internal network.

    Set internalnetwork = oArray.NetworkConfiguration.Networks.Item("Internal")

    

    'There is no IP range set property on the "External" network, so membership cannot be tested directly.

    'This is an inverted test: an address inside the Internal range is treated as not external.

    If internalnetwork.IPRangeSet.IsIpInSet(ipaddress) Then

        retval = MsgBox ("The IP address is not in the external network range of ISA server. Do you still want to continue?",VBYesNo)

        If retval = vbNo Then

            Wscript.Echo "Ending the script ... "

            exit Function

        End If  

    End if



    CheckifValidIP = true



End Function 'CheckifValidIP



'This function enables the system policy rule for CRL downloads, which is required when the web listener uses "SSL Client Certificate" authentication

Function  EnableCRLDownloads



    EnableCRLDownloads = false



    Dim WebListener               'An FPCWebListener object

    Dim configGroup               'An FPCSystemPolicyConfigGroup  object

  

    'Get the object containing the web listener

    Set WebListener = oArray.RuleElements.WebListeners(wlName)



    'Check if the listener authentication scheme is SSL Client Certificate authentication

    If WebListener.Properties.SSLCertificateAuthentication = true Then

        Set configGroup = oArray.SystemPolicy.CreateConfigurationGroupInstance(fpcSystemPolicyConfigGroup_CRL)

        configGroup.Enabled = True

        configGroup.Save

        WScript.Echo "Enabling the system policy rule ""Allow all HTTP traffic from ISA Server to all networks (for CRL downloads)"" is needed for authentication method ""SSL Client Certificate"" of the web listener."

    End if



    EnableCRLDownloads = true



 End Function 'EnableCRLDownloads



'This function checks that if the user set on the web publishing rule is "All Authenticated Users",

'the associated web listener authentication is not "No Authentication".

'This is one of the common misconfigurations on ISA server, and it leads to a continuous

'credentials prompt for the user.

Function CheckWebPublishingRule 

  

    CheckWebPublishingRule = false



    Dim WebListener 									

    Dim IsAlwaysAuthenticate :  IsAlwaysAuthenticate = false   				'A bool variable

    Dim IsBasicAuthentication : IsBasicAuthentication = false  				'A bool variable

    Dim IsDigestAuthentication : IsDigestAuthentication =false   				'A bool variable

    Dim IsIntegratedWindowsAuthentication : IsIntegratedWindowsAuthentication =false  	'A bool variable

    Dim IsSSLCertificateAuthentication : IsSSLCertificateAuthentication = false   	'A bool variable

    Dim IsAuthenticationFBAWithRadiusOTP : IsAuthenticationFBAWithRadiusOTP = false   	'A bool variable

    Dim AuthenticationSchemes    								

    Dim AuthenticationScheme 								

    Dim AuthenticationSchemeCount : AuthenticationSchemeCount = false                     'A bool variable

    Dim IsUserSetAllUsers :   IsUserSetAllUsers  = false                                  'A bool variable

    Dim IsUserSetAllAuthenticatedUsers : IsUserSetAllAuthenticatedUsers = false           'A bool variable

    Dim CredentialsDelegationType : CredentialsDelegationType = 0

    Dim userSets

    Dim userSet

    Dim rules

    Dim rule

    Dim PathAll : PathAll = null

    Dim PathRPC : PathRPC = null

    Dim PathRPCwithCert : PathRPCwithCert = null

    Dim PathTs : PathTs = null

    Dim PathRdWeb : PathRdWeb = null

    Dim path

    Dim pathmappings

    Dim WebListenerVps

    Dim CookieAuthVps

    Dim configGroup                                        



    Set rules = oArray.ArrayPolicy.PolicyRules

   

    Err.Clear

    On Error Resume Next

    Set rule = rules.Item(ruleName)

    If err.number <> 0 Then

        If err.Number = Error_FileNotFound Then

            WScript.Echo "The web publishing rule """ & ruleName & """ does not exist."

            WScript.Echo "Please enter a valid web publishing rule name and re-run script."

            exit Function

        Else

            WScript.Echo "An error occurred while reading the web publishing rule """ & ruleName 

            WScript.Echo Err.Description

            WScript.Echo Err.number

            WScript.Echo "Ending the script..."

            exit Function

        End If  

    End If

  

      

    If fpcPolicyRuleWebPublishing <> rule.Type Then

	    Wscript.Echo "The rule """ & ruleName & """ is not a web publishing rule."

        WScript.Echo "Please enter a valid web publishing rule name and re-run script."

        exit Function

	End If

    

    Err.Clear     

 

    Set WebListener = oArray.RuleElements.WebListeners(rule.WebPublishingProperties.WebListenerUsed.Name)

    If err.Number <> 0 Then

        WScript.Echo "An error occurred while reading the web listener."

        WScript.Echo Err.Description

        WScript.Echo Err.number

        WScript.Echo "Ending the script..."

        exit Function

    End If

    On Error goto 0 



    If WebListener.Properties.TCPPort <> 0 and WebListener.Properties.SSLPort <> 0 Then 

        WScript.Echo "*WARNING* The web listener has been configured to listen for both HTTP and SSL requests. It is recommended that it only listens for SSL requests on port 443."

        WScript.Echo 

    ElseIf WebListener.Properties.SSLPort <> 443 and WebListener.Properties.SSLPort <> 0 Then 

        WScript.Echo "*WARNING* The web listener SSL port is " & WebListener.Properties.SSLPort & ". Please configure the web listener to listen for SSL requests on port 443."

        WScript.Echo 

    ElseIf WebListener.Properties.TCPPort <> 0 Then

        WScript.Echo "*WARNING* The web listener is only listening for HTTP requests. Please disable HTTP listening and enable SSL client connections on port 443."

        WScript.Echo 

    End if

   

   'Check for authentication delegation on web publishing rule

    Err.Clear

    On Error Resume Next

    CredentialsDelegationType = rule.WebPublishingProperties.CredentialsDelegationType

    If (err.Number <> 0) AND (err.Number <> Error_PropertyDoesNotExist) Then

        WScript.Echo Err.Description

        WScript.Echo Err.number

        WScript.Echo "Ending the script ..."

    exit Function

    ElseIf  CredentialsDelegationType <> 0 then

       	WScript.Echo "*WARNING* Authentication delegation on the web publishing rule is not set to ""No delegation but client may authenticate directly"". It is recommended that you use ""No delegation but client may authenticate directly"" as the authentication delegation method for all RD Gateway ISA scenarios."

        WScript.Echo

    End If  

 

    'Check for user sets on web publishing rule

    Set UserSets = rule.WebPublishingProperties.UserSets

    For Each userSet in UserSets

        If UCase(userSet.Name) = ALLUSERS Then 

            IsUserSetAllUsers = true

        End If

        If UCase(userSet.Name) = ALLAUTHENTICATEDUSERS Then 

            IsUserSetAllAuthenticatedUsers = true

        End If

    Next

    

    'Check if authentication scheme on Web listener is always authenticate client

    If WebListener.Properties.AlwaysAuthenticate  = true then

        IsAlwaysAuthenticate = true

    End if



    'Check if authentication scheme on Web listener is set to basic authentication

    If WebListener.Properties.BasicAuthentication  = true then

    IsBasicAuthentication = true

    End if



    'Check if authentication scheme on Web listener is set to digest authentication

    If WebListener.Properties.DigestAuthentication  = true then

        IsDigestAuthentication = true

    End if



    'Check if authentication scheme on Web listener is set to integrated windows authentication

    If WebListener.Properties.IntegratedWindowsAuthentication  = true then

        IsIntegratedWindowsAuthentication = true

    End if



    'Check if authentication scheme on Web listener is SSL CLient Certificate Authentication

    If WebListener.Properties.SSLCertificateAuthentication = true then

        IsSSLCertificateAuthentication =true

    End if

    



    'If SSL Certification is used then system policy rule "Allow all HTTP traffic from ISA Server to all networks (for CRL downloads)" should be enabled

    If IsSSLCertificateAuthentication then

        Set configGroup = oArray.SystemPolicy.CreateConfigurationGroupInstance(fpcSystemPolicyConfigGroup_CRL)

        If configGroup.Enabled = False then

            WScript.Echo "*WARNING* SSL certificate authentication on the web listener requires the system policy rule ""Allow all HTTP traffic from ISA Server to all networks (for CRL downloads)"" to be enabled. It is currently disabled."

            WScript.Echo 

        End if

        WScript.Echo "*WARNING* SSL certificate authentication on the web listener can only be used when the ISA server is joined to a domain. Please make sure that it is joined to a domain."

        WScript.Echo 

   End if



    'Check if any authentication scheme is set on the  web listener 

    Set AuthenticationSchemes = WebListener.Properties.AuthenticationSchemes

    For each AuthenticationScheme in AuthenticationSchemes

        AuthenticationSchemeCount = true

        If UCase(AuthenticationScheme.Name) = FBAWITHRADIUSOTP then   

            IsAuthenticationFBAWithRadiusOTP = true

        End If

    Next

   

    'Check that "All Authenticated Users" should not be configured without an authentication scheme on web listener

    If IsUserSetAllAuthenticatedUsers Then

        If not (IsAlwaysAuthenticate or IsBasicAuthentication or IsDigestAuthentication or IsIntegratedWindowsAuthentication or IsSSLCertificateAuthentication or AuthenticationSchemeCount) then

            WScript.Echo "*WARNING* No authentication scheme has been specified on the web listener but the user set on the web publishing rule contains ""All Authenticated Users"". Please set it to one of the supported types for RD Gateway scenarios  - ""SSL Client Certificate"" or ""FBA with RADIUS OTP""."

            WScript.Echo

        ElseIf not(IsAuthenticationFBAWithRadiusOTP or IsSSLCertificateAuthentication) Then

            WScript.Echo "*WARNING* An authentication scheme not supported for RD Gateway scenarios has been specified on the web listener. Please set it to one of the supported types: ""SSL Client Certificate"" or ""FBA with RADIUS OTP""."

            WScript.Echo

        End If

    End If





 

    If IsUserSetAllUsers and not(IsUserSetAllAuthenticatedUsers)  Then

        If (IsAuthenticationFBAWithRadiusOTP or IsSSLCertificateAuthentication) Then       

            WScript.Echo "*WARNING* A supported authentication scheme has been set on the web listener but the web publishing rule contains ""All Users"" in its User Set. This is a security risk as even unauthenticated users can access RD Gateway."

            WScript.Echo

        ElseIf (IsAlwaysAuthenticate or IsBasicAuthentication or IsDigestAuthentication or IsIntegratedWindowsAuthentication or IsSSLCertificateAuthentication or AuthenticationSchemeCount) then

            WScript.Echo "*WARNING* The web publishing rule contains ""All users"" in its User Set but the web listener has an authentication method set. It is recommended that you use ""All Users"" with No Authentication method set on the web listener."

            WScript.Echo

        End If

    End If   

  

   

    Set pathmappings = rule.WebPublishingProperties.PathMappings



    For each path in pathmappings

        If (Ucase(path.InternalPath) = "/*") then 

            Set PathAll = path

        End if

 

        If (Ucase(path.InternalPath) = "/RPC/*") then 

            Set PathRPC = path

        End if



        If (Ucase(path.InternalPath) = "/RPCWITHCERT/*") then 

            Set PathRPCwithCert = path

        End if

        

        If (Ucase(path.InternalPath) = "/TS/*") then 

            Set PathTs = path

        End if

        

        If (Ucase(path.InternalPath) = "/RDWEB/*") then 

            Set PathRdWeb = path

        End if



