The FPCNetworkRule object represents a single Forefront TMG network rule. Network rules define routing or network address translation (NAT) relationships between specific network entities.
A network entity can represent a single IP address or multiple IP addresses. The sets of all the source and destination IP addresses in the network entities to which a network rule applies are specified through FPCSelectionIPs objects. The following table lists the network entities that can be referenced in the source and destination FPCSelectionIPs objects of a network rule and the objects that represent a single instance of each network entity.
A routing relationship indicates that traffic allowed by policy rules is routed through the Forefront TMG computer without any address translation. Routing relationships are bidirectional. If a routing relationship is defined from network A to network B, a routing relationship also exists from network B to network A.
A NAT relationship indicates that IP addresses from the source network are always translated when passing through the Forefront TMG computer on the way to the destination network. NAT relationships apply in only one direction. If a NAT relationship is defined from source network A to destination network B, the IP addresses of client computers on network A are replaced with an IP address of the network adapter on the Forefront TMG computer that is connected to network B before requests are passed to a computer on network B. On the other hand, when a packet from network B is returned to a client computer on network A, the address of the computer on network B is not translated. In other words, clients on network A can see the addresses of computers on network B, but computers on network B see only the Forefront TMG computer's address.
If there is a NAT relationship between source network A and destination network B, a server on network B can be published by a server publishing rule. Such a rule maps a port number and an IP address (or IP addresses) on the network adapter of the Forefront TMG computer that listens for requests from clients in network A to a port number and an IP address on the published server, and requests that meet all the conditions specified by the server publishing rule are redirected to the IP address of the published server. If there is a routing relationship between these networks, the clients must send requests directly to the IP address of the published server.
When an HTTP or FTP request (or response) is handled by the Forefront TMG Web proxy, address translation is always performed, and the host receiving the request (or response) sees the packets as having come from the Forefront TMG computer even if the network rule defines a routing relationship between the source and destination IP addresses.
When there is no network rule defining a network relationship between two IP addresses, Forefront TMG drops all traffic that is sent from one of these IP addresses to the other and is not handled by the Web proxy.
When an enterprise with central array management is deployed, network rules can also be defined on the enterprise level. If an enterprise-level network rule and an array-level network rule define different relationships between the same pair of IP addresses, the array-level network rule takes precedence.
Note: Enterprise-level network rules are available only in Forefront TMG Enterprise Edition.
The FPCNetworkRule object is an element of an FPCNetworkRules collection.
This object inherits from the FPCPersist object, which contains methods and properties related to the persistent storage of an object's data. They include methods for exporting the object's data to and importing it from an XML document.
The FPCNetworkRule object does not define any methods.
The FPCNetworkRule object defines the following properties.

| Property | Description |
|---|---|
| Description | Gets or sets the description of the rule. |
| Destination | Gets an FPCSelectionIPs object that specifies the complete set of destination IP addresses to which the rule applies. |
| Enabled | Gets or sets a Boolean value that indicates whether the rule is enabled. |
| Name | Gets or sets the name of the rule. |
| Order | Gets the position of the rule in the list of network rules corresponding to their order of application. |
| Predefined | Gets a Boolean value that indicates whether the network rule is a preinstalled rule that cannot be deleted and whose position in the list of network rules corresponding to their order of application cannot be changed. |
| RoutingType | Gets or sets a value from the FpcNetworkRoutingTypes enumerated type that specifies the type of relationship between the source and destination network entities to which the rule applies. |
| Source | Gets an FPCSelectionIPs object that specifies the complete set of source IP addresses to which the rule applies. |
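The following audit script is an added example and is not part of the TMG SDK documentation. It walks the array-level network rules through the FPC COM root, reports each rule's relationship type and network entities using the properties listed above, and flags enabled routing relationships towards the External network, since a routing relationship passes source addresses through untranslated in both directions while NAT hides them. It assumes it runs on the Forefront TMG computer with administrative rights, that FPC.Root, GetContainingArray(), NetworkConfiguration.NetworkRules and the FPCSelectionIPs sub-collections are used as named in the SDK, that FpcNetworkRoutingTypes is fpcRoute = 0 and fpcNat = 1, and that the default external network is named "External".

```powershell
# Added example (not TMG SDK code): audit array-level network rules.
# Assumptions: FPC.Root COM object available on the TMG computer;
# FpcNetworkRoutingTypes assumed to be fpcRoute = 0, fpcNat = 1;
# the built-in external network is assumed to be named "External".
$fpcRoute = 0
$fpcNat   = 1

function Get-EntityNames($selection) {
    # Collect the names of every network entity referenced by an FPCSelectionIPs
    # object: networks, network sets, computers, computer sets, ranges, subnets.
    $names = foreach ($coll in 'Networks','NetworkSets','Computers','ComputerSets','AddressRanges','Subnets') {
        foreach ($ref in $selection.$coll) { $ref.Name }
    }
    if (-not $names) { return '(none)' }
    return ($names -join ', ')
}

function Get-RelationshipName($routingType) {
    # Map the RoutingType value to a label (assumed enumeration values above).
    switch ($routingType) {
        $fpcRoute { 'Route' }
        $fpcNat   { 'NAT' }
        default   { "Unknown($routingType)" }
    }
}

$root  = New-Object -ComObject FPC.Root
$rules = $root.GetContainingArray().NetworkConfiguration.NetworkRules

$report = foreach ($rule in $rules) {
    $dst = Get-EntityNames $rule.Destination
    [pscustomobject]@{
        Order        = $rule.Order
        Name         = $rule.Name
        Enabled      = $rule.Enabled
        Predefined   = $rule.Predefined
        Relationship = Get-RelationshipName $rule.RoutingType
        Source       = Get-EntityNames $rule.Source
        Destination  = $dst
        # An enabled Route relationship towards External lets the destination
        # side see the untranslated addresses of the source hosts.
        Review       = [bool]($rule.Enabled -and $rule.RoutingType -eq $fpcRoute -and $dst -match '\bExternal\b')
    }
}

# Rules are applied in Order; list them that way, then warn on flagged ones.
$report | Sort-Object Order | Format-Table -AutoSize
$report | Where-Object Review | ForEach-Object { Write-Warning "Rule '$($_.Name)' routes to External without NAT" }
```

Destination entities named through a network set are reported by the set's name only, so a set containing External is not matched by the warning filter and still needs a manual look.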
Methods Inherited from FPCPersist

| Method | Description |
|---|---|
| CancelWaitForChanges | Cancels the registration established by the WaitForChanges method (for use in C and C++ programming only). |
| CanImport | Returns a Boolean value that indicates whether the object's properties can be imported from the specified XML document. |
| Export | Recursively writes the stored values of all the properties of the object and its subobjects to the specified XML document. |
| ExportToFile | Recursively writes the stored values of all the properties of the object and its subobjects to the specified XML file. |
| GetServiceRestartMask | Retrieves a 32-bit bitmask of the FpcServices enumerated type that specifies which services need to be restarted for currently unsaved changes to take effect. |
| Import | Recursively copies the values of all the properties of the object and of its subobjects from the specified XML document to persistent storage. |
| ImportFromFile | Recursively copies the values of all the properties of the object and of its subobjects from the specified XML file to persistent storage. |
| LoadDocProperties | Provides the XML document's properties so that you can know what information can be imported from the document. |
| Refresh | Recursively reads the values of all the properties of the object and of its subobjects from persistent storage, overwriting any changes that have not been saved. |
| Save | Recursively writes the current values of all the properties of the object and its subobjects to persistent storage. |
| WaitForChanges | Registers to wait for an event indicating that the contents of the object have changed (for use in C and C++ programming only). |
Properties Inherited from FPCPersist

| Property | Description |
|---|---|
| PersistentName | Gets the persistent name of the object. The persistent name of an object is a name that is unique for the object at the respective level of the COM object hierarchy. |
| VendorParametersSets | Gets an FPCVendorParametersSets collection that can hold sets of custom data for extending the object. |
Interfaces for C++ Programming
This object implements the IFPCNetworkRule and IFPCNetworkRule2 interfaces.
| Requirements | |
|---|---|
| Client | Requires Windows 7 or Windows Vista. |
| Server | Requires Windows Server 2008 R2 or Windows Server 2008 x64 Edition with SP2. |
| Version | Requires Forefront Threat Management Gateway (TMG) 2010. |
Declared in Msfpccom.idl.
Build date: 6/30/2010