Keith Combs' Blahg

Ramblings from another nerd on the grid

January, 2005

  • Blocking Peer File Sharing and Chat Clients Using ISA Server 2004

    As usual, the TechNet ISA Server 2004 webcast generated a huge number of great questions.  I’ll be reviewing many of those and will post a few good ones here over time.


    One question that comes up every time we deliver this content is how to block the various chat and peer file sharing programs.  It’s really very easy with ISA 2004.  The trick is to look inside the HTTP stream with an HTTP signature attached to a firewall policy rule.  Here are the steps:

    1. Create a new Firewall Policy access rule allowing the internal network (and the users you choose) access to the External network (the Internet).
    2. Go to the Firewall Policy container and right-click the rule you created.
    3. Select the Configure HTTP menu item (see screenshot below).
    4. Click the Signatures property page.
    5. Click the Add button.
    6. Fill out the dialog box with the appropriate information.  In the example screenshot below, we are blocking MSN Messenger.  A number of other common applications are listed in the table at the bottom of this article.
    7. Click the OK button to save the new signature.
    8. Repeat for any other applications you want to block.
    9. Apply the changes to ISA Server 2004.

    Common Application HTTP Signatures

    | Application       | Search in        | HTTP header      | Signature     |
    |-------------------|------------------|------------------|---------------|
    | MSN Messenger     | Request headers  | User-Agent:      | MSN Messenger |
    | Windows Messenger | Request headers  | User-Agent:      | MSMSGS        |
    | AOL Messenger     | Request headers  | User-Agent:      | Gecko/        |
    | Yahoo Messenger   | Request headers  | Host             | msg.yahoo.com |
    | Kazaa             | Request headers  | P2P-Agent        | Kazaa         |
    | Kazaa             | Request headers  | User-Agent:      | KazaaClient   |
    | Kazaa             | Request headers  | X-Kazaa-Network: | KaZaA         |
    | Gnutella          | Request headers  | User-Agent:      | Gnutella      |
    | Gnutella          | Request headers  | User-Agent:      | Gnucleus      |
    | Edonkey           | Request headers  | User-Agent:      | e2dk          |
    | Morpheus          | Response headers | Server           | Morpheus      |
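    The signature table above, applied to raw HTTP headers as an added example (my code, not from the post and not ISA Server code): it parses the header block of a request or response and reports which application each table row would flag, assuming a case-insensitive substring match on the named header.

```python
# Added example (not from the post, not ISA Server code): evaluate the
# signature table against raw HTTP headers. The case-insensitive substring
# test on the named header is an assumption about how ISA matches.

# (application, search in, header, signature) copied from the table
SIGNATURES = [
    ("MSN Messenger", "request", "User-Agent", "MSN Messenger"),
    ("Windows Messenger", "request", "User-Agent", "MSMSGS"),
    ("AOL Messenger", "request", "User-Agent", "Gecko/"),
    ("Yahoo Messenger", "request", "Host", "msg.yahoo.com"),
    ("Kazaa", "request", "P2P-Agent", "Kazaa"),
    ("Kazaa", "request", "User-Agent", "KazaaClient"),
    ("Kazaa", "request", "X-Kazaa-Network", "KaZaA"),
    ("Gnutella", "request", "User-Agent", "Gnutella"),
    ("Gnutella", "request", "User-Agent", "Gnucleus"),
    ("Edonkey", "request", "User-Agent", "e2dk"),
    ("Morpheus", "response", "Server", "Morpheus"),
]


def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values; skips the start line and
    stops at the blank line that ends the header block."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def match_signatures(raw: str, direction: str) -> list:
    """Applications whose signature matches; direction is 'request' or
    'response', mirroring the table's 'Search in' column."""
    headers = parse_headers(raw)
    hits = []
    for app, where, header, needle in SIGNATURES:
        value = headers.get(header.lower(), "")
        if where == direction and needle.lower() in value.lower() and app not in hits:
            hits.append(app)
    return hits


# Constructed sample messages, not captured traffic.
SAMPLE_REQUEST = ("GET /gateway.dll HTTP/1.1\r\nHost: example.net\r\n"
                  "User-Agent: MSN Messenger 6.2\r\n\r\n")
SAMPLE_RESPONSE = "HTTP/1.1 200 OK\r\nServer: Morpheus 4.0\r\n\r\n"
```

    A signature catches only the literal header string, and only in traffic ISA is parsing as HTTP, so treat the table as a starting point for detection rather than a complete control.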


    Enjoy!

  • Blocking Websites - Creating A Firewall Access Rule Using Scripting

    Many of you have asked for a script we use in the TechNet ISA Server 2004 Technical Overview (TNT1–111) webcast.  The blockwebsites.vbs script creates an ISA firewall access rule and builds a list of websites that will be blocked.

    This script is useful for a couple of reasons.  First, it can be used right away to block websites you deem inappropriate to your company's day-to-day business.  Second, it is a good example of how to use a script to create a rule inside ISA Server 2004.

    The following code is very similar to the script we run in the demos you saw during my webcast.  This sample is taken directly from the ISA Server 2004 CD, so I would recommend reviewing the other samples that are there.  Enjoy!!!

    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' Copyright (c) Microsoft Corporation. All rights reserved.
    ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
    ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
    ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
    ' HEREBY PERMITTED.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' This script creates a new URL set in the URLSets collection of the firewall,
    ' adds sites to the URL set, creates a new access rule, and adds the new URL set
    ' to the objects referenced in the URLSets property of the access rule.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

    Sub AddRuleAndUrlSet()

        ' Define enumeration values.
        const fpcInclude = 0
        const fpcSpecifiedProtocols = 1

        ' Create the root object.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")

        'Declare the other objects needed.
        Dim firewall    ' An FPCArray object
        Dim policyrules ' An FPCPolicyRules collection
        Dim urlsets     ' An FPCURLSets collection
        Dim urlset      ' An FPCURLSet object
        Dim newrule     ' An FPCPolicyRule object

        ' Get references to the array object (firewall), the policy rules collection,
        ' and the URL sets collection.
        Set firewall = root.GetContainingArray
        Set policyrules = firewall.ArrayPolicy.PolicyRules
        Set urlsets = firewall.RuleElements.URLSets


        WScript.Echo "Creating a new URL set containing sites to be blocked ..."

        Set urlset = urlsets.Add("Blocked Web Sites")
        urlset.Add "http://www.northwindtraders.com"
        urlset.Add "http://www.widgets.com"
        urlset.Save

        WScript.Echo "Creating a new access rule ..."
        Set newrule = policyrules.AddAccessRule("Deny Access to Some Web Sites")

        ' Define the source for the new access rule.
        newrule.SourceSelectionIPs.Networks.Add "External", fpcInclude

        ' Add the new destination URL set to the objects referenced by the URLSets property
        ' of the new access rule.
        newrule.AccessProperties.URLSets.Add "Blocked Web Sites", fpcInclude

        'Set the protocols to HTTP and HTTPS.
        newrule.AccessProperties.SpecifiedProtocols.Add "HTTP", fpcInclude
        newrule.AccessProperties.SpecifiedProtocols.Add "HTTPS", fpcInclude 
        newrule.AccessProperties.ProtocolSelectionMethod =  fpcSpecifiedProtocols

        ' Set the user set to which the rule applies.
        newrule.AccessProperties.UserSets.Add "All Users", fpcInclude

        'Save the changes to the new access rule.
        policyrules.Save
        WScript.Echo "Done!"

    End Sub

    AddRuleAndUrlSet

  • ADUC Exchange Tasks - move mailbox error

    You may encounter a move error when migrating Exchange 5.5 mailboxes to an Exchange Server 2003 storage group.  In fact, several presenters on my team hit this error in front of live audiences last week.  Considering the session we were delivering was an Exchange 5.5 to Exchange Server 2003 migration seminar, this could be pretty embarrassing.

    So what happened and how do you fix it?  Fortunately, the problem we encountered in our content was documented nicely in KB article 886700.  Since our content is in a mixed Exchange environment, we hit the MAPI logon failure.

    There are two methods suggested as fixes in the KB article.  The first is to perform the move from an administrative workstation that is not the Exchange server.  Having a workstation on the network with the server admin tools is a likely scenario for most organizations.

    For our content, we simply applied Exchange Server 2003 SP1 immediately after the install of Exchange Server 2003.  That fixed the problem, too.  We liked the SP1 fix because it meant we didn’t need to build another Virtual PC VM with the admin tools for NT4, Exchange 5.5, Windows Server 2003 and Exchange Server 2003.  I’ll probably do it anyway in my spare time... :)