Ramblings from another nerd on the grid
Many of you have asked for a script we use in the TechNet ISA Server 2004 Technical Overview (TNT1–111) webcast. The blockwebsites.vbs script creates an ISA firewall access rule and builds a list of websites that will be blocked.
This script is obviously useful for a number of reasons. First, it could be used immediately to block websites you deem inappropriate to your company's day-to-day business. Second, it is a good example of how to use a script to create a rule inside ISA Server 2004.
The following set of code is very similar to the script we run in the demos you saw during my webcast. This sample is taken directly from the ISA Server 2004 CD so I would recommend reviewing the other samples that are there. Enjoy!!!
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script creates a new URL set in the URLSets collection of the firewall,
' adds sites to the URL set, creates a new access rule, and adds the new URL set
' to the objects referenced in the URLSets property of the access rule.
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Sub AddRuleAndUrlSet()

    ' Define enumeration values.
    Const fpcInclude = 0
    Const fpcSpecifiedProtocols = 1

    ' Create the root object.
    Dim root    ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim firewall     ' An FPCArray object
    Dim policyrules  ' An FPCPolicyRules collection
    Dim urlsets      ' An FPCURLSets collection
    Dim urlset       ' An FPCURLSet object
    Dim newrule      ' An FPCPolicyRule object

    ' Get references to the array object (firewall), the policy rules collection,
    ' and the URL sets collection.
    Set firewall = root.GetContainingArray
    Set policyrules = firewall.ArrayPolicy.PolicyRules
    Set urlsets = firewall.RuleElements.URLSets

    WScript.Echo "Creating a new URL set containing sites to be blocked ..."
    Set urlset = urlsets.Add("Blocked Web Sites")
    urlset.Add "http://www.northwindtraders.com"
    urlset.Add "http://www.widgets.com"
    urlset.Save

    WScript.Echo "Creating a new access rule ..."
    Set newrule = policyrules.AddAccessRule("Deny Access to Some Web Sites")

    ' Define the source for the new access rule.
    newrule.SourceSelectionIPs.Networks.Add "External", fpcInclude

    ' Add the new destination URL set to the objects referenced by the URLSets property
    ' of the new access rule.
    newrule.AccessProperties.URLSets.Add "Blocked Web Sites", fpcInclude

    ' Set the protocols to HTTP and HTTPS.
    newrule.AccessProperties.SpecifiedProtocols.Add "HTTP", fpcInclude
    newrule.AccessProperties.SpecifiedProtocols.Add "HTTPS", fpcInclude
    newrule.AccessProperties.ProtocolSelectionMethod = fpcSpecifiedProtocols

    ' Set the user set to which the rule applies.
    newrule.AccessProperties.UserSets.Add "All Users", fpcInclude

    ' Save the changes to the new access rule.
    policyrules.Save
    WScript.Echo "Done!"

End Sub

AddRuleAndUrlSet
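A re-runnable variant of that script, added here as an example and not one of the ISA Server 2004 SDK samples: it reuses the URL set and the rule when they already exist (the sample above errors on a second run because the names are duplicated), sets the rule action to Deny explicitly, uses the built-in Internal network as the source so the rule applies to your own clients, and prints the policy in evaluation order so you can confirm the deny rule sits above any allow rule that would otherwise match first. The Action value 1 for Deny and the network name "Internal" are assumptions; the site list is constructed.

```vbscript
' Enumeration values used by the ISA Server 2004 COM API.
Const fpcInclude = 0
Const fpcSpecifiedProtocols = 1
Const fpcPolicyRuleActionDeny = 1   ' FPCPolicyRule.Action value for "Deny" (assumed)

' Find an item by Name in an FPC collection (URL sets, policy rules); Nothing if absent.
Function FindByName(coll, name)
    Dim item
    Set FindByName = Nothing
    For Each item In coll
        If StrComp(item.Name, name, vbTextCompare) = 0 Then Set FindByName = item
    Next
End Function

Dim root, firewall, policyrules, urlsets, urlset, rule, site, existing, found, pos
Set root = CreateObject("FPC.Root")
Set firewall = root.GetContainingArray
Set policyrules = firewall.ArrayPolicy.PolicyRules
Set urlsets = firewall.RuleElements.URLSets

' Reuse the URL set when it exists; urlsets.Add raises an error on a duplicate name.
Set urlset = FindByName(urlsets, "Blocked Web Sites")
If urlset Is Nothing Then Set urlset = urlsets.Add("Blocked Web Sites")

' Constructed site list; add only the entries that are not already in the set.
For Each site In Array("http://www.northwindtraders.com", "http://www.widgets.com")
    found = False
    For Each existing In urlset
        If StrComp(existing, site, vbTextCompare) = 0 Then found = True
    Next
    If Not found Then urlset.Add site
Next
urlset.Save

' Create the deny rule only if it is missing; source is the Internal network (assumed name).
Set rule = FindByName(policyrules, "Deny Access to Some Web Sites")
If rule Is Nothing Then
    Set rule = policyrules.AddAccessRule("Deny Access to Some Web Sites")
    rule.Action = fpcPolicyRuleActionDeny
    rule.SourceSelectionIPs.Networks.Add "Internal", fpcInclude
    rule.AccessProperties.URLSets.Add urlset.Name, fpcInclude
    rule.AccessProperties.SpecifiedProtocols.Add "HTTP", fpcInclude
    rule.AccessProperties.SpecifiedProtocols.Add "HTTPS", fpcInclude
    rule.AccessProperties.ProtocolSelectionMethod = fpcSpecifiedProtocols
    rule.AccessProperties.UserSets.Add "All Users", fpcInclude
    policyrules.Save
End If

' Rules are evaluated top to bottom; a deny rule appended at the bottom has no effect
' if an earlier rule already allows the traffic. List the policy in evaluation order.
pos = 0
For Each rule In policyrules
    pos = pos + 1
    WScript.Echo pos & ". " & rule.Name & "  enabled=" & rule.Enabled & "  action=" & rule.Action
Next
```

If the deny rule is listed below an allow rule for the same sources and protocols, move it up in the ISA Server Management console before relying on it.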
As usual, the TechNet ISA Server 2004 webcast generated a huge number of great questions. I’ll be reviewing many of those and will post a few good ones here over time.
One question that comes up every time we deliver this content is how to block the various chat and peer file sharing programs. It’s really very easy with ISA 2004. The trick is to look inside the HTTP stream with a firewall policy rule. Here are some steps:
Common Application HTTP Signatures

| Application       | Search in       | HTTP header      | Signature     |
|-------------------|-----------------|------------------|---------------|
| MSN Messenger     | Request headers | User-Agent:      | MSN Messenger |
| Windows Messenger | Request headers | User-Agent:      | MSMSGS        |
| AOL Messenger     | Request headers | User-Agent:      | Gecko/        |
| Yahoo Messenger   | Request headers | Host             | msg.yahoo.com |
| Kazaa             | Request headers | P2P-Agent        | KazaaClient   |
| Kazaa             | Request headers | X-Kazaa-Network: | KaZaA         |
| Gnutella          | Request headers | User-Agent:      | Gnucleus      |
| Edonkey           | Request headers | User-Agent:      | e2dk          |
| Morpheus          | Response header | Server           | Morpheus      |
Enjoy!
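To see what those signatures would catch before turning them on in the HTTP filter, here is an added example (not from the webcast or the ISA SDK) that applies the table above to a captured request or response header block; the sample headers are constructed.

```vbscript
' Signature table from the post: where to look, header name, substring, application.
Function Signatures()
    Signatures = Array( _
        Array("request",  "User-Agent",      "MSN Messenger", "MSN Messenger"), _
        Array("request",  "User-Agent",      "MSMSGS",        "Windows Messenger"), _
        Array("request",  "User-Agent",      "Gecko/",        "AOL Messenger"), _
        Array("request",  "Host",            "msg.yahoo.com", "Yahoo Messenger"), _
        Array("request",  "P2P-Agent",       "KazaaClient",   "Kazaa"), _
        Array("request",  "X-Kazaa-Network", "KaZaA",         "Kazaa"), _
        Array("request",  "User-Agent",      "Gnucleus",      "Gnutella"), _
        Array("request",  "User-Agent",      "e2dk",          "Edonkey"), _
        Array("response", "Server",          "Morpheus",      "Morpheus"))
End Function

' Returns the applications whose signature matches a header block (direction is
' "request" or "response"), comma separated; "" when nothing matches. Header names
' are compared case-insensitively and the signature is a case-insensitive substring.
Function MatchHeaders(direction, headerBlock)
    Dim line, sig, name, value, colon, hits
    hits = ""
    For Each line In Split(headerBlock, vbCrLf)
        colon = InStr(line, ":")
        If colon > 0 Then
            name = Trim(Left(line, colon - 1))
            value = Trim(Mid(line, colon + 1))
            For Each sig In Signatures()
                If sig(0) = direction And StrComp(sig(1), name, vbTextCompare) = 0 Then
                    If InStr(1, value, sig(2), vbTextCompare) > 0 Then
                        If InStr(hits, sig(3)) = 0 Then hits = hits & sig(3) & ","
                    End If
                End If
            Next
        End If
    Next
    If Len(hits) > 0 Then hits = Left(hits, Len(hits) - 1)
    MatchHeaders = hits
End Function

' Constructed samples: a chat client request, a Gecko-based browser request, a P2P response.
Dim reqA, reqB
reqA = "GET / HTTP/1.1" & vbCrLf & "Host: msg.yahoo.com" & vbCrLf & "User-Agent: MSMSGS"
reqB = "GET / HTTP/1.1" & vbCrLf & "Host: www.example.com" & vbCrLf & _
       "User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:1.7) Gecko/20040803 Firefox/0.9.3"
WScript.Echo "A: " & MatchHeaders("request", reqA)
WScript.Echo "B: " & MatchHeaders("request", reqB)
WScript.Echo "C: " & MatchHeaders("response", "HTTP/1.1 200 OK" & vbCrLf & "Server: Morpheus")
```

Sample B shows the caveat with the "Gecko/" entry: it also appears in the User-Agent of Mozilla-based browsers, so that signature blocks ordinary browsing from those clients as well; run headers captured from your own network through this before deploying it.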
It’s possible you may encounter a move error when migrating Exchange 5.5 mailboxes to an Exchange Server 2003 storage group. In fact, several presenters on my team hit this error in front of live audiences last week. Considering the session we were delivering is an Exchange 5.5 to Exchange Server 2003 Migration seminar, this could be pretty embarrassing.
So what happened and how do you fix it? Fortunately, the problem we encountered in our content was documented nicely in KB article 886700. Since our content is in a Mixed Exchange environment we hit the MAPI logon failure.
There are two methods suggested as fixes in the KB article. The first is to perform the move from an administrative workstation that is not the Exchange server. Having a workstation on the network with the server admin tools is a likely scenario for most organizations.
For our content, we simply applied Exchange Server 2003 SP1 immediately after the install of Exchange Server 2003. That fixed the problem, too. We liked the SP1 fix because it meant we didn’t need to build another Virtual PC VM with the admin tools for NT4, Exchange 5.5, Windows Server 2003 and Exchange Server 2003. I’ll probably do it anyway in my spare time... :)