Configuring Add-ins

Forefront TMG can be extended by add-ins, whose configuration settings can be accessed through the FPCExtensions object. Forefront TMG add-ins include application filters, which are represented by elements of the FPCApplicationFilters collection, and Web filters, which are represented by elements of the FPCWebFilters collection.

Each FPCApplicationFilter object or FPCWebFilter object representing an add-in is associated with a globally unique identifier (GUID) that identifies the add-in. An object representing an add-in, and other policy-defining objects such as policy rules, can provide access to a collection of vendor parameters sets (FPCVendorParametersSets) that contain configuration settings for add-ins. Each vendor parameters set is itself named by a GUID, and its settings are stored as named string values.

This topic describes some details of configuring the following three add-ins:

  • DNS Filter
  • FTP Access Filter
  • HTTP Filter

DNS Filter

DNS Filter is an application filter that is installed with Forefront TMG. It intercepts and analyzes DNS traffic destined for the Internal network and is the backbone of the Forefront TMG intrusion detection mechanism. Intrusion detection identifies attempted attacks against your network and, when an attack is detected, performs the set of configured actions defined by alerts. To detect intruders, Forefront TMG compares network traffic and log entries with well-known attack methods; suspicious activity triggers an alert. Actions include connection termination, service termination, sending e-mail messages, and logging.

The following VBScript code example configures DNS Filter by setting values in the vendor parameters set associated with the filter, creating that set if necessary in the collection of vendor parameters sets accessed through the object representing DNS Filter. In this set the value "1" turns a detection on and "0" turns it off. The example leaves zone-transfer detection off; turn it on unless a DNS server in the Internal network must accept zone-transfer requests from other networks.

Option Explicit

Const DnsFilterGUID = "{49FE2B2F-3BB4-495C-87C8-3890C3C35756}"
Const DnsVpSetGUID  = "{D96C5E7F-5B13-4E1A-94A1-36CA7B54604E}"

Dim root, isaArray, dnsFilter, vpSets, vpSet

Set root = CreateObject("FPC.Root")
Set isaArray = root.GetContainingArray()
' Get the administration object for DNS Filter and make sure the filter is enabled.
Set dnsFilter = isaArray.Extensions.ApplicationFilters.Item(DnsFilterGUID)
dnsFilter.Enabled = True
Set vpSets = dnsFilter.VendorParametersSets
' Create the filter's vendor parameters set. Add fails if the set already
' exists, so that error is ignored and the existing set is used.
On Error Resume Next
vpSets.Add DnsVpSetGUID, False
On Error GoTo 0
Set vpSet = vpSets.Item(DnsVpSetGUID)
' "1" turns a detection on, "0" turns it off.
vpSet.Value("DNS_Intrusion_detection") = "1"
vpSet.Value("DNS_Hostname_Overflow") = "1"
vpSet.Value("DNS_Length_Overflow") = "1"
vpSet.Value("DNS_Zone_Transfer") = "0"
vpSets.Save

FTP Access Filter

FTP Access Filter is an application filter that is installed with Forefront TMG. It enables the FTP protocols. When running in read-only mode, FTP Access Filter blocks all commands in the control channel except the following: ABOR, ACCT, CDUP, CWD, FEAT, HELP, LANG, LIST, MODE, NLST, NOOP, PASS, PASV, PORT, PWD, QUIT, REIN, REST, RETR, SITE, STRU, SYST, TYPE, USER, XDUP, XCWD, XPWD, SMNT. This blocks the commands that write to the server, such as STOR, APPE, DELE, MKD, RMD, RNFR and RNTO. Note that SITE remains in the list; what a SITE subcommand does is server-specific, so a stricter custom list may be warranted. The default list of allowed commands can be replaced by a customized, space-separated list that is written to the collection of vendor parameters sets (FPCVendorParametersSets) associated with the filter. The Firewall service (fwsrv) must be restarted for the new settings to take effect.

The following VBScript code example configures FTP Access Filter to allow only the USER and PASS commands by setting values in the vendor parameters set associated with the filter in the collection of vendor parameters sets accessed through the object representing FTP Access Filter:

Option Explicit

' FTP Access Filter and its vendor parameters set share this GUID.
Const FtpFilterGUID = "{680A928F-22B3-11D1-B026-0000F87750CB}"

Dim root, ftpFilter, vpSet

Set ftpFilter = Nothing
Set vpSet = Nothing
On Error Resume Next
Err.Clear
Set root = CreateObject("FPC.Root")
' Get the filter's administration object. Item raises an error if the filter
' is not installed, in which case ftpFilter stays Nothing.
Set ftpFilter = root.GetContainingArray.Extensions.ApplicationFilters.Item(FtpFilterGUID)
If ftpFilter Is Nothing Then
    WScript.Echo "FTP Access Filter (" & FtpFilterGUID & ") is not installed in the array."
    WScript.Quit
End If
' Get the vendor parameters set containing the filter's configuration.
Err.Clear
Set vpSet = ftpFilter.VendorParametersSets.Item(FtpFilterGUID)
' If this vendor parameters set does not exist, create it.
If vpSet Is Nothing Then
    WScript.Echo "Adding a vendor parameters set (" & FtpFilterGUID & ")"
    Err.Clear
    Set vpSet = ftpFilter.VendorParametersSets.Add(FtpFilterGUID, False)
    ftpFilter.VendorParametersSets.Save
End If
On Error GoTo 0
' Replace the default read-only command list. Commands are separated by
' spaces; any control-channel command not listed here is blocked.
vpSet.Value("AllowReadCommands") = "USER PASS"
vpSet.Save
' The new list is read only when the Firewall service starts.
WScript.Echo "AllowReadCommands set; restart the Firewall service (fwsrv) to apply it."
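The following script is an added example for this topic, not code from the Forefront TMG SDK. It reads back the settings written by the DNS Filter and FTP Access Filter examples above so that you can verify what an array actually runs, and it checks a custom FTP command list against the read-only set documented above. It relies only on the objects, GUIDs and parameter names shown on this page; the helper names GetAddInParameter and CheckFtpReadOnlyList, and the treatment of a missing set or parameter as "add-in default", are assumptions of this example.

```vbscript
' Added example: audit DNS Filter and FTP Access Filter settings.
' Not from the Forefront TMG SDK; helper names are this example's own.
Option Explicit

Const DnsFilterGUID = "{49FE2B2F-3BB4-495C-87C8-3890C3C35756}"
Const DnsVpSetGUID  = "{D96C5E7F-5B13-4E1A-94A1-36CA7B54604E}"
Const FtpFilterGUID = "{680A928F-22B3-11D1-B026-0000F87750CB}"

' Returns the value of paramName in vendor parameters set setGuid of the
' application filter filterGuid, or Empty when the filter, the set or the
' parameter does not exist (assumption: the add-in then runs on its built-in
' defaults, which are not visible through the vendor parameters set).
Function GetAddInParameter(filters, filterGuid, setGuid, paramName)
    Dim addIn, vpSet
    GetAddInParameter = Empty
    On Error Resume Next
    Err.Clear
    Set addIn = filters.Item(filterGuid)
    If Err.Number <> 0 Then Exit Function
    Set vpSet = addIn.VendorParametersSets.Item(setGuid)
    If Err.Number <> 0 Then Exit Function
    GetAddInParameter = vpSet.Value(paramName)
    If Err.Number <> 0 Then GetAddInParameter = Empty
    On Error GoTo 0
End Function

' Splits a space-separated FTP command list and reports every command that is
' not in the read-only set documented for FTP Access Filter. Returns the number
' of such commands so a caller can fail a compliance check on it.
Function CheckFtpReadOnlyList(commandList)
    Dim readOnlySet, cmd, count
    readOnlySet = " ABOR ACCT CDUP CWD FEAT HELP LANG LIST MODE NLST NOOP PASS " & _
                  "PASV PORT PWD QUIT REIN REST RETR SITE STRU SYST TYPE USER " & _
                  "XDUP XCWD XPWD SMNT "
    count = 0
    For Each cmd In Split(Trim(commandList), " ")
        If Len(cmd) > 0 Then
            If InStr(readOnlySet, " " & UCase(cmd) & " ") = 0 Then
                WScript.Echo "WARNING: " & UCase(cmd) & " is outside the read-only command set"
                count = count + 1
            End If
        End If
    Next
    CheckFtpReadOnlyList = count
End Function

Dim root, filters, paramName, value, ftpList
Set root = CreateObject("FPC.Root")
Set filters = root.GetContainingArray.Extensions.ApplicationFilters

' DNS Filter: "1" enables a detection, "0" disables it.
WScript.Echo "DNS Filter enabled: " & filters.Item(DnsFilterGUID).Enabled
For Each paramName In Array("DNS_Intrusion_detection", "DNS_Hostname_Overflow", _
                            "DNS_Length_Overflow", "DNS_Zone_Transfer")
    value = GetAddInParameter(filters, DnsFilterGUID, DnsVpSetGUID, paramName)
    If IsEmpty(value) Then
        WScript.Echo paramName & " = (not set; add-in default applies)"
    Else
        WScript.Echo paramName & " = " & value
    End If
Next

' FTP Access Filter: its vendor parameters set shares the filter's GUID.
ftpList = GetAddInParameter(filters, FtpFilterGUID, FtpFilterGUID, "AllowReadCommands")
If IsEmpty(ftpList) Then
    WScript.Echo "AllowReadCommands is not set; the default read-only list is in effect."
ElseIf CheckFtpReadOnlyList(ftpList) > 0 Then
    WScript.Echo "AllowReadCommands permits commands that can modify the server; review it."
Else
    WScript.Echo "AllowReadCommands = " & ftpList & " (a read-only subset)"
End If
```

Run it with cscript on an array member before and after applying changes. Because the FTP list is read from the stored configuration, a nonzero warning count tells you that a client will be able to modify the server once the Firewall service has been restarted with that list.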

HTTP Filter

HTTP Filter is a Web filter that is installed with Forefront TMG. It can be configured on a per-rule basis to block HTTP requests based on the following:

  • Request payload length.
  • URL length.
  • HTTP request method, such as the POST, GET, or HEAD request method.
  • HTTP request file name extension, such as .exe, .asp, or .dll.
  • HTTP request or response header.
  • Signature or pattern in the request or response header or body.

New Web publishing rules and access rules that allow HTTP traffic use a default HTTP filtering configuration, which is not defined in a vendor parameters set and cannot be exported to an XML file. In Forefront TMG Management, you can right-click the name of a Web publishing rule or an access rule that allows HTTP traffic and then click Configure HTTP to open the Configure HTTP policy for rule dialog box. After you click OK in this dialog box and click the Apply button, a new vendor parameters set containing the configuration for the HTTP Filter Web filter is created for the rule. This configuration can be exported from the vendor parameters set of the rule to an XML file and then imported from the XML file to other rules.

The following VBScript subprocedure, which is adapted from the HttpFilterConfig.vbs sample in the Forefront TMG Software Development Kit (SDK), exports the configuration for the HTTP Filter Web filter from the corresponding vendor parameters set of the specified policy rule to the specified file.

Sub ExportConfiguration(ruleName, fileName)
    Const FilterGUID = "{f1076e51-bbaf-48ba-a2d7-b0875211e80d}"
    Const Error_FileNotFound = &H80070002
    Const ConfigParamName = "XML_POLICY"
    Const ForWriting = 2              ' FileSystemObject IOMode constant
    Dim root, rules, rule, vpSets, vpSet
    Dim errorCode, errorDescript
    Dim xmlText
    Dim fso
    Dim file
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set root = CreateObject("FPC.Root")
    Set rules = root.GetContainingArray.ArrayPolicy.PolicyRules
    ' Item raises ERROR_FILE_NOT_FOUND (0x80070002) when no rule has this name.
    On Error Resume Next
    Err.Clear
    Set rule = rules.Item(ruleName)
    errorCode = Err.Number
    errorDescript = Err.Description
    On Error GoTo 0
    Select Case errorCode
        Case 0
        Case Error_FileNotFound
            WScript.Echo "The policy rule " & ruleName & " could not be found."
            WScript.Quit
        Case Else
            Err.Raise errorCode, , errorDescript
    End Select
    Set vpSets = rule.VendorParametersSets
    ' A rule's HTTP Filter settings live in a vendor parameters set named by
    ' the filter's GUID; a rule on the default configuration has no such set.
    On Error Resume Next
    Set vpSet = vpSets.Item(FilterGUID)
    errorCode = Err.Number
    errorDescript = Err.Description
    On Error GoTo 0
    Select Case errorCode
        Case 0
        Case Error_FileNotFound
            WScript.Echo "The rule is using the default HTTP Filter configuration, which is not" & vbCrLf _
                       & "defined in a vendor parameters set and cannot be exported to an XML" & vbCrLf _
                       & "file."
            WScript.Quit
        Case Else
            Err.Raise errorCode, , errorDescript
    End Select
    xmlText = vpSet.Value(ConfigParamName)
    Set file = fso.OpenTextFile(fileName, ForWriting, True)
    file.WriteLine xmlText
    file.Close
    WScript.Echo "The configuration was exported successfully."
End Sub

The following VBScript subprocedure, which is also adapted from the HttpFilterConfig.vbs sample in the Forefront TMG SDK, imports the configuration for the HTTP Filter Web filter from the specified file to a new vendor parameters set of the specified policy rule, or to the rule's existing set if it already has one. The file contents are written to the rule as they are, without validation, so import only a configuration exported from a rule that is known to be correct.

Sub ImportConfiguration(ruleName, fileName)
    Const FilterGUID = "{f1076e51-bbaf-48ba-a2d7-b0875211e80d}"
    Const Error_FileNotFound = &H80070002
    Const Error_FileAlreadyExists = &H800700B7
    Const ConfigParamName = "XML_POLICY"
    Dim root, rules, rule, vpSets, vpSet
    Dim errorCode, errorDescript
    Dim xmlText
    Dim fso
    Dim file

    Set fso = CreateObject("Scripting.FileSystemObject")
    Set root = CreateObject("FPC.Root")
    Set rules = root.GetContainingArray.ArrayPolicy.PolicyRules
    On Error Resume Next
    Err.Clear
    Set rule = rules.Item(ruleName)
    errorCode = Err.Number
    errorDescript = Err.Description
    On Error GoTo 0
    Select Case errorCode
        Case 0
        Case Error_FileNotFound
            WScript.Echo "The policy rule " & ruleName & " could not be found."
            WScript.Quit
        Case Else
            Err.Raise errorCode, , errorDescript
    End Select
    Set vpSets = rule.VendorParametersSets
    On Error Resume Next
    ' Create a vendor parameters set for the HTTP Filter Web filter
    ' in the vendor parameters sets collection of the specified rule.
    ' Add raises ERROR_ALREADY_EXISTS (0x800700B7) if the rule already has one,
    ' in which case the existing set is overwritten.
    Set vpSet = vpSets.Add(FilterGUID, False)
    errorCode = Err.Number
    errorDescript = Err.Description
    On Error GoTo 0
    Select Case errorCode
        Case 0
        Case Error_FileAlreadyExists
            Set vpSet = vpSets.Item(FilterGUID)
        Case Else
            Err.Raise errorCode, , errorDescript
    End Select
    Set file = fso.OpenTextFile(fileName)
    xmlText = file.ReadAll
    file.Close
    vpSet.Value(ConfigParamName) = xmlText

    rule.Save
    WScript.Echo "The configuration was imported successfully."
End Sub
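Because a rule on the default HTTP filtering configuration has no vendor parameters set for HTTP Filter, the only way to see which rules carry their own, exportable configuration is to look for that set on every rule. The following script does that; it is an added example for this topic, not code from the HttpFilterConfig.vbs sample or the Forefront TMG SDK. It uses only the FilterGUID, the XML_POLICY parameter and the ERROR_FILE_NOT_FOUND handling shown above; the function name CountRulesOnDefaultHttpPolicy and the CUSTOM/DEFAULT labels are this example's own.

```vbscript
' Added example: list which policy rules have their own HTTP Filter
' configuration. Not from the Forefront TMG SDK.
Option Explicit

Const FilterGUID = "{f1076e51-bbaf-48ba-a2d7-b0875211e80d}"
Const Error_FileNotFound = &H80070002
Const ConfigParamName = "XML_POLICY"

' Walks every rule in the array policy and reports it as CUSTOM (the rule has
' its own HTTP Filter vendor parameters set, so its settings can be exported
' with ExportConfiguration) or DEFAULT (no set; the rule runs on the default
' HTTP filtering configuration). Returns the number of DEFAULT rules.
' Rules that do not allow HTTP, such as server publishing rules, have no set
' either and are therefore also reported as DEFAULT; this example does not
' filter by rule type.
Function CountRulesOnDefaultHttpPolicy()
    Dim root, rules, rule, vpSet
    Dim errorCode, errorDescript, defaultCount, xmlText, state

    Set root = CreateObject("FPC.Root")
    Set rules = root.GetContainingArray.ArrayPolicy.PolicyRules
    defaultCount = 0

    For Each rule In rules
        state = ""
        If Not rule.Enabled Then state = "  [disabled]"

        ' Item raises ERROR_FILE_NOT_FOUND (0x80070002) when the rule has no
        ' vendor parameters set for HTTP Filter.
        On Error Resume Next
        Err.Clear
        Set vpSet = rule.VendorParametersSets.Item(FilterGUID)
        errorCode = Err.Number
        errorDescript = Err.Description
        On Error GoTo 0

        Select Case errorCode
            Case 0
                xmlText = vpSet.Value(ConfigParamName)
                WScript.Echo "CUSTOM   " & rule.Name & state & _
                             "  (XML_POLICY: " & Len(xmlText) & " characters)"
            Case Error_FileNotFound
                defaultCount = defaultCount + 1
                WScript.Echo "DEFAULT  " & rule.Name & state
            Case Else
                Err.Raise errorCode, , errorDescript
        End Select
    Next

    CountRulesOnDefaultHttpPolicy = defaultCount
End Function

Dim remaining
remaining = CountRulesOnDefaultHttpPolicy()
WScript.Echo remaining & " rule(s) are on the default HTTP Filter configuration."
```

Run it with cscript before rolling a hardened configuration out with ImportConfiguration: every rule listed as CUSTOM is one whose settings you can export and compare, and every HTTP-allowing rule listed as DEFAULT is one that the import has not reached yet.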

Unlike the per-rule settings above, the maximum length of HTTP request headers is a global setting that resides in the vendor parameters set of HTTP Filter itself and applies to all Web publishing rules and access rules that allow HTTP traffic. The Configure HTTP policy for rule dialog box shows it as Maximum headers length, with a default of 32768 bytes. Lowering it limits how much header data a client can push through the filter, but a limit below what your clients actually send (large cookies, or Kerberos tokens carried in Authorization headers) causes legitimate requests to be rejected on every rule at once, so measure real header sizes before tightening it.

The following VBScript subprocedure configures this setting using the value passed to it.

Sub SetNewSize(newLimit)
    Const FilterGUID = "{f1076e51-bbaf-48ba-a2d7-b0875211e80d}"
    Const ConfigParamName = "XML_POLICY"
    Const Error_FileAlreadyExists = &H800700B7
    Dim httpFilter, vpSets, vpSet, newVal
    Dim errorCode, errorDescript
    Dim root

    ' Accept only a positive whole number of bytes; anything else would write
    ' an invalid XML_POLICY value that affects every HTTP rule in the array.
    If Not IsNumeric(newLimit) Then Err.Raise 5, , "newLimit must be a number of bytes"
    If CLng(newLimit) <= 0 Or CDbl(newLimit) <> CLng(newLimit) Then
        Err.Raise 5, , "newLimit must be a positive integer"
    End If

    Set root = WScript.CreateObject("FPC.Root")
    ' The global HTTP Filter settings live in the filter's own vendor
    ' parameters set, not in a rule's.
    Set httpFilter = root.GetContainingArray.Extensions.WebFilters.Item(FilterGUID)
    Set vpSets = httpFilter.VendorParametersSets
    On Error Resume Next
    Set vpSet = vpSets.Add(FilterGUID, False)
    errorCode = Err.Number
    errorDescript = Err.Description
    On Error GoTo 0
    Select Case errorCode
        Case 0
        Case Error_FileAlreadyExists
            Set vpSet = vpSets.Item(FilterGUID)
        Case Else
            Err.Raise errorCode, , errorDescript
    End Select
    ' Produces <Configuration MaxRequestHeadersLen="nnn"/> with no stray
    ' spaces inside the attribute value. This replaces the whole XML_POLICY
    ' value of the filter's set.
    newVal = "<Configuration MaxRequestHeadersLen=""" & CLng(newLimit) & """/>"
    vpSet.Value(ConfigParamName) = newVal
    httpFilter.Save
    WScript.Echo "The maximum header length was set successfully."
End Sub

See Also

Forefront TMG Administration Script Samples

Build date: 6/30/2010