Controlling Access by a Schedule and a User Set
This VBScript example creates the user set, URL set, and access rules needed to give a specific group of workers in an organization restricted access to the Internet. During the hours specified in the Work hours schedule supplied with Forefront TMG, the group is denied access to every Internet site except those listed in the URL set; outside those hours the deny rule does not match, and the group gets the same unrestricted access as everyone else. All other workers using computers that belong to the Internal network are granted unlimited access to the Internet at all times. The script includes three subroutines:
- ControlAccessByScheduleAndUserSet
- RemoveExistingItem
- CheckError
This example is included as the ControlAccessByScheduleAndUserSet.vbs script in the Samples\Admin folder of the Forefront TMG Software Development Kit (SDK).
The following procedure lists the steps used to create a user set, a URL set, and two access rules in the code example that follows.
To control access by a schedule and a user set
- Define values from the FpcPolicyRuleActions, FpcIncludeStatus, FpcProtocolSelectionType, and FpcAppliesToContentMethodType enumerations. For more information about using values defined in Forefront TMG enumerated types in scripts, see Using Enumerated Types in Scripts.
- Create an instance of the FPC COM object, which provides access to the other Forefront TMG administration COM objects.
- Declare an FPCArray object, an FPCPolicyRules collection, two FPCPolicyRule objects, an FPCUserSets collection, an FPCUserSet object, an FPCURLSets collection, and an FPCURLSet object.
- Get references to the existing FPCArray object, FPCPolicyRules collection, FPCUserSets collection, and FPCURLSets collection.
- Call the RemoveExistingItem subroutine to remove an access rule (an FPCPolicyRule object) named Allow All to Internet Rule if it already exists.
- Call the RemoveExistingItem subroutine to remove an access rule named Internal Network Internet Access Deny Rule if it already exists.
- Call the RemoveExistingItem subroutine to remove a user set named Staff if it already exists.
- Call the Add method of the user sets collection to create a new user set named Staff that will have restricted access to the Internet.
- Call the RemoveExistingItem subroutine to remove a URL set named Allowed Web Sites if it already exists.
- Call the Add method of the URL sets collection to create a new set of URLs named Allowed Web Sites that will be allowed for users belonging to the Staff users group.
- Call the AddAccessRule method of the policy rules collection to create a new access rule named Allow All to Internet Rule that will allow unrestricted access to the Internet to users in the organization.
- Configure the Allow All to Internet Rule access rule to apply to the HTTP, HTTPS, and FTP protocols, to the Internal network as the source, to the External network (the Internet) as the destination, to the predefined All Users user set, and to all content types.
- Call the AddAccessRule method of the policy rules collection to create a new access rule named Internal Network Internet Access Deny Rule that will deny access to the Internet from the Internal network, except for specific sites, by users belonging to the Staff user set.
- Configure the Internal Network Internet Access Deny Rule access rule to apply to the HTTP, HTTPS, and FTP protocols, to the Internal network as the source, to the External network as the destination (excluding the sites in the Allowed Web Sites URL set, so that requests for those sites fall through to the allow rule), to the Staff user set, to the Work hours schedule, and to all content types.
- Call the Save method on the policy rules collection to write the changes to the new access rules to persistent storage.
The following code can be saved to a .vbs file and run from a command prompt on a computer running Forefront TMG with the Microsoft Firewall service installed. Forefront TMG applies the first firewall policy rule that matches a request, so after running the script confirm in the Firewall Policy node that the deny rule is ordered above the allow rule; if the allow rule comes first, requests from Staff members match it (the All Users set includes them) and the deny rule is never applied.
Sub ControlAccessByScheduleAndUserSet()
    ' Define users. Replace these fictitious user account names with real
    ' user accounts in your organization.
    user1 = "Corporate\Mike"
    user2 = "Corporate\Stephanie"

    ' Define enumeration values.
    Const fpcPolicyRuleActionAllow = 0   ' FpcPolicyRuleActions
    Const fpcPolicyRuleActionDeny = 1
    Const fpcInclude = 0                 ' FpcIncludeStatus
    Const fpcExclude = 1
    Const fpcSpecifiedProtocols = 1      ' FpcProtocolSelectionType
    Const fpcAppliesToAllContent = 0     ' FpcAppliesToContentMethodType

    ' Create the root object.
    Dim root ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim isaArray    ' An FPCArray object
    Dim policyrules ' An FPCPolicyRules collection
    Dim denyrule    ' An FPCPolicyRule object
    Dim allowrule   ' An FPCPolicyRule object
    Dim usersets    ' An FPCUserSets collection
    Dim userset     ' An FPCUserSet object
    Dim urlsets     ' An FPCURLSets collection
    Dim urlset      ' An FPCURLSet object

    ' Get references to the array object, the policy rules collection,
    ' the user sets collection, and the URL sets collection.
    Set isaArray = root.GetContainingArray()
    Set policyrules = isaArray.ArrayPolicy.PolicyRules
    Set usersets = isaArray.RuleElements.UserSets
    Set urlsets = isaArray.RuleElements.URLSets

    ' If an access rule named "Allow All to Internet Rule" already exists,
    ' remove it.
    RemoveExistingItem policyrules, "Allow All to Internet Rule"
    ' If an access rule named "Internal Network Internet Access Deny Rule"
    ' already exists, remove it.
    RemoveExistingItem policyrules, "Internal Network Internet Access Deny Rule"
    ' If a user set named "Staff" already exists, remove it.
    RemoveExistingItem usersets, "Staff"

    WScript.Echo "Creating a new user set, Staff, containing the users who are considered staff ..."
    On Error Resume Next
    Set userset = usersets.Add("Staff")
    CheckError
    userset.Accounts.Add user1
    CheckError
    userset.Accounts.Add user2
    CheckError
    usersets.Save
    CheckError

    ' If a URL set named "Allowed Web Sites" already exists, remove it.
    Err.Clear
    RemoveExistingItem urlsets, "Allowed Web Sites"
    WScript.Echo "Creating a new URL set containing sites to be allowed ..."
    Set urlset = urlsets.Add("Allowed Web Sites")
    CheckError
    urlset.Add "http://www.northwindtraders.com"
    CheckError
    urlset.Add "http://www.widgets.com"
    CheckError
    urlsets.Save
    CheckError

    WScript.Echo "Creating an allow access rule ..."
    Set allowrule = policyrules.AddAccessRule("Allow All to Internet Rule")
    CheckError
    allowrule.Description = "Allows unrestricted Internet access to all users on the Internal network"
    allowrule.Enabled = True
    allowrule.Action = fpcPolicyRuleActionAllow
    ' Set the protocols to HTTP, HTTPS, and FTP.
    allowrule.AccessProperties.SpecifiedProtocols.Add "HTTP", fpcInclude
    allowrule.AccessProperties.SpecifiedProtocols.Add "HTTPS", fpcInclude
    allowrule.AccessProperties.SpecifiedProtocols.Add "FTP", fpcInclude
    allowrule.AccessProperties.ProtocolSelectionMethod = fpcSpecifiedProtocols
    ' Add the Internal network as the source: the Networks property of the
    ' FPCSelectionIPs object accessed through the rule's SourceSelectionIPs property.
    allowrule.SourceSelectionIPs.Networks.Add "Internal", fpcInclude
    ' Add the External network (the Internet) as the destination: the Networks
    ' property of the FPCSelectionIPs object accessed through the
    ' AccessProperties.DestinationSelectionIPs property of the rule.
    allowrule.AccessProperties.DestinationSelectionIPs.Networks.Add "External", fpcInclude
    ' Add the All Users user set to the user sets to which the rule applies.
    allowrule.AccessProperties.UserSets.Add "All Users", fpcInclude
    ' Configure the rule to apply to all content types.
    allowrule.AccessProperties.AppliesToContentMethod = fpcAppliesToAllContent ' Default setting
    CheckError

    WScript.Echo "Creating a deny access rule ..."
    Set denyrule = policyrules.AddAccessRule("Internal Network Internet Access Deny Rule")
    CheckError
    denyrule.Description = "Denies access to the Internet from the Internal network, except for specific sites"
    denyrule.Enabled = True
    denyrule.Action = fpcPolicyRuleActionDeny
    ' Set the protocols to HTTP, HTTPS, and FTP.
    denyrule.AccessProperties.SpecifiedProtocols.Add "HTTP", fpcInclude
    denyrule.AccessProperties.SpecifiedProtocols.Add "HTTPS", fpcInclude
    denyrule.AccessProperties.SpecifiedProtocols.Add "FTP", fpcInclude
    denyrule.AccessProperties.ProtocolSelectionMethod = fpcSpecifiedProtocols
    ' Add the Internal network as the source (SourceSelectionIPs.Networks).
    denyrule.SourceSelectionIPs.Networks.Add "Internal", fpcInclude
    ' Add the External network (the Internet) as the destination
    ' (AccessProperties.DestinationSelectionIPs.Networks).
    denyrule.AccessProperties.DestinationSelectionIPs.Networks.Add "External", fpcInclude
    ' Exclude the Allowed Web Sites URL set from the destinations the rule covers,
    ' so requests for those sites are not denied here and fall through to the allow rule.
    denyrule.AccessProperties.URLSets.Add "Allowed Web Sites", fpcExclude
    ' Add the Staff user set to the user sets to which the rule applies.
    denyrule.AccessProperties.UserSets.Add "Staff", fpcInclude
    ' Apply the rule only during the Work hours schedule.
    denyrule.SetSchedule "Work hours"
    CheckError
    ' Configure the rule to apply to all content types.
    denyrule.AccessProperties.AppliesToContentMethod = fpcAppliesToAllContent

    ' Save the changes to the new access rules. Forefront TMG applies the first
    ' rule that matches a request, so after saving, confirm that this deny rule
    ' is ordered above "Allow All to Internet Rule"; otherwise Staff requests
    ' match the allow rule (All Users includes them) and are never denied.
    policyrules.Save
    CheckError
    WScript.Echo "Done!"
End Sub

Sub CheckError()
    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If
End Sub

Sub RemoveExistingItem(collection, name)
    Dim member ' Object in the collection
    Err.Clear
    On Error Resume Next
    Set member = collection.Item(name)
    If Err.Number = 0 Then
        WScript.Echo name & " exists. Removing it ..."
        collection.Remove name
        CheckError
        collection.Save
        CheckError
    End If
End Sub
ControlAccessByScheduleAndUserSet
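As an added check that is not part of the SDK sample: the two rules only produce the intended result if Forefront TMG evaluates the deny rule before the allow rule, because firewall policy is applied top-down and the first matching rule wins (the All Users set also matches Staff members). The script below audits the rule order after the sample has run and, when asked to, moves the deny rule up until it precedes the allow rule. It assumes the rule names used by the sample, that the FPCPolicyRule.Order property reports the rule's position in the firewall policy (1 is evaluated first), and that the FPCPolicyRules.MoveUp(Name) method moves a rule one position up as described in the Forefront TMG SDK reference; verify both against the SDK for your build before relying on the automatic fix.

```vbscript
' Added example, not part of the Forefront TMG SDK sample: verify that
' "Internal Network Internet Access Deny Rule" is evaluated before
' "Allow All to Internet Rule". Assumptions: FPCPolicyRule.Order gives the
' rule's position (1 = first) and FPCPolicyRules.MoveUp(Name) moves a rule
' up one position, as in the SDK reference.
Option Explicit

Const fpcPolicyRuleActionDeny = 1 ' FpcPolicyRuleActions

Function ActionName(action)
    If action = fpcPolicyRuleActionDeny Then
        ActionName = "Deny"
    Else
        ActionName = "Allow"
    End If
End Function

' Returns True when denyName is ordered before allowName (after moving it,
' if fixOrder is True), False otherwise.
Function EnsureDenyBeforeAllow(policyrules, denyName, allowName, fixOrder)
    Dim rule, denyrule, allowrule, guard
    EnsureDenyBeforeAllow = False

    On Error Resume Next
    Set denyrule = policyrules.Item(denyName)
    Set allowrule = policyrules.Item(allowName)
    If Err.Number <> 0 Then
        WScript.Echo "Rule lookup failed: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0

    ' List the firewall policy in evaluation order so the operator can see
    ' every rule that sits between the two rules of interest.
    WScript.Echo "Firewall policy (lower Order is evaluated first):"
    For Each rule In policyrules
        WScript.Echo "  " & rule.Order & ". " & rule.Name & " [" & _
                     ActionName(rule.Action) & ", enabled=" & rule.Enabled & "]"
    Next

    If denyrule.Order < allowrule.Order Then
        EnsureDenyBeforeAllow = True
        Exit Function
    End If

    WScript.Echo "WARNING: '" & denyName & "' is ordered after '" & allowName & _
                 "'; Staff requests would match the allow rule first."
    If Not fixOrder Then Exit Function

    ' Move the deny rule up one position at a time. The guard bounds the loop
    ' in case Order does not change after MoveUp on this build.
    guard = policyrules.Count
    On Error Resume Next
    Do While denyrule.Order > allowrule.Order And guard > 0
        policyrules.MoveUp denyName
        If Err.Number <> 0 Then
            WScript.Echo "MoveUp failed: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
            Exit Function
        End If
        guard = guard - 1
    Loop
    policyrules.Save
    If Err.Number <> 0 Then
        WScript.Echo "Save failed: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0
    EnsureDenyBeforeAllow = (denyrule.Order < allowrule.Order)
End Function

Dim root, isaArray
Set root = CreateObject("FPC.Root")
Set isaArray = root.GetContainingArray()
If EnsureDenyBeforeAllow(isaArray.ArrayPolicy.PolicyRules, _
        "Internal Network Internet Access Deny Rule", _
        "Allow All to Internet Rule", True) Then
    WScript.Echo "Rule order is correct: the deny rule precedes the allow rule."
Else
    WScript.Echo "Rule order is NOT correct; reorder the rules in the Forefront TMG Management console."
End If
```

Run it with cscript on the TMG computer after ControlAccessByScheduleAndUserSet.vbs. Pass False as the last argument to report only, which is the safer choice on a production array; the ordering can then be corrected by hand in the Firewall Policy node and the audit re-run.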
Build date: 7/12/2010