Configuring ISA through Powershell: some examples
01 Apr 2008 I have been working on automating the unattended installation of ISA last week. The installation itself can be done by using the Appendix C: Unattended Setup section of the ISA 2006 EE installation guide.Configuring ISA can be done using Microsoft Powershell. There are really not much examples out there on how this is accomplished, so I will provide some here.
Selecting a network template and default policy
# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1
# template: Edge firewall
# default policy: block all
$arr.SelectNetworkTemplateAndPolicy("Edge Firewall", "Block all")
Enabling NLB on the External network and using a dedicated heartbeat network
$fpcNLBOperationModeUnicast = 0
# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1
$arr.NetworkConfiguration.NLBConfiguration.NLBIntegrationEnabled = $true
# Get the external network
$ext = $arr.NetworkConfiguration.Networks | where-Object { $_.name -eq "External" }
# NLB settings
$ext.NLBCluster.SetVIPAndMask("10.33.113.108","255.255.255.0")
$ext.NLBCluster.OperationMode = $fpcNLBOperationModeUnicast
$ext.NLBCluster.NLBEnabled = $true
$ext.save()
# let NLB communication go over the specialised network
# FIXME: one for each ISA
$isa = $arr.Servers | Select-Object -first 1
$isa.IntraArrayAddress = "192.168.51.138"
$isa.save()
Enabling SCOM Monitoring
# get the ENUM value for the MOM group
$fpcSystemPolicyConfigGroup_MOM = 18
# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1
# we want to allow connections to SCOM from the ISA server
# First, lets define a group "Remote Monitoring Computers" that will hold all SCOM computers
$newset = $arr.RuleElements.ComputerSets.Add("Remote Monitoring Computers")
# Now we add an IP address in it, and name it "SCOM"
# We only have 1 SCOM computer at the moment.
$newset.Computers.Add("SCOM","10.32.6.11")
# save this new computer set
$arr.save()
# To enable the MOM System Policy, we need to do something counter intuitive
# We can't modify the System Policy directly (stored in $arr.SystemPolicy),
# so we create a new instance of the configgroup we would like to change.
# In our case, the MOM group. Store it in $mom
$mom = $arr.SystemPolicy.CreateConfigurationGroupInstance($fpcSystemPolicyConfigGroup_MOM)
# This instance, we can modify. First, enable the configgroup
$mom.Enabled = $true
# And now, add the "Remote Monitoring Computers" as destination for this config group
# The 0 means we allow connections, 1 would be "Exclude"
$mom.DestinationSelectionIPs.ComputerSets.add("Remote Monitoring Computers",0)
# saving this instance will make the changes in the System Policy
$mom.save()
Enabling ICMP from Remote Monitoring Computers
# get the ENUM value
$fpcSystemPolicyConfigGroup_RemoteMgmt_ICMP = 8
# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1
# if adding the computerset fails, that means its already added, but the policy could be disabled
# so enable it now and save it, then add the computerset
$icmp = $arr.SystemPolicy.CreateConfigurationGroupInstance($fpcSystemPolicyConfigGroup_RemoteMgmt_ICMP)
$icmp.Enabled = $true
$icmp.save()
""
"The following command may fail with a flashy red error, but that's ok"
""
$icmp = $arr.SystemPolicy.CreateConfigurationGroupInstance($fpcSystemPolicyConfigGroup_RemoteMgmt_ICMP)
$icmp.SourceSelectionIPs.ComputerSets.add("Remote Monitoring Computers",0)
$icmp.save()
Creating an access rule for outgoing SCOM 2007 traffic
# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1
# First, create a new protocol definition
$proto = $arr.RuleElements.ProtocolDefinitions.Add("System Center Operations Manager 2007 agent")
# outbound to port 5723
$proto.PrimaryConnections.AddTCP(1, 5723, 5723)
$proto.save()
$scomrule = $arr.ArrayPolicy.PolicyRules.AddAccessRule("Outbound to SCOM")
# Allow
$scomrule.Action = 0
# only the following selected protocols ...
$scomrule.AccessProperties.ProtocolSelectionMethod = 1
# ... The SCOM 2007 protocol
$scomrule.AccessProperties.SpecifiedProtocols.Add("System Center Operations Manager 2007 agent", 0)
# From Local Host
$scomrule.SourceSelectionIPs.Networks.Add("Local Host", 0)
# To Remote Monitoring Computers
$scomrule.AccessProperties.DestinationSelectionIPs.ComputerSets.Add("Remote Monitoring Computers", 0)
# By All Users
$scomrule.AccessProperties.UserSets.Add("All Users", 0)
$scomrule.save()
Creating an access rule for SQL logging
# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1
# First, create a new protocol definition
$proto = $arr.RuleElements.ProtocolDefinitions.Add("SQL Cluster")
# outbound to port 3572
$proto.PrimaryConnections.AddTCP(1, 3572, 3572)
$proto.save()
# Next, create a computerset for the SQL cluster
$newset = $arr.RuleElements.ComputerSets.Add("SQL Server Cluster")
$newset.Computers.Add("SQL Server for ISA","10.32.6.45")
$newset.save()
$scomrule = $arr.ArrayPolicy.PolicyRules.AddAccessRule("Outbound to SQL Cluster")
# Allow
$scomrule.Action = 0
# only the following selected protocols ...
$scomrule.AccessProperties.ProtocolSelectionMethod = 1
# ... The SQL Cluster protocol
$scomrule.AccessProperties.SpecifiedProtocols.Add("SQL Cluster", 0)
# From Local Host
$scomrule.SourceSelectionIPs.Networks.Add("Local Host", 0)
# To SQL Cluster
$scomrule.AccessProperties.DestinationSelectionIPs.ComputerSets.Add("SQL Server Cluster", 0)
# By All Users
$scomrule.AccessProperties.UserSets.Add("All Users", 0)
$scomrule.save()
Enabling SQL Logging and setting the parameters
$fpcProxyWebLog = 1
$fpcProxyFwLog = 2
$fpcSQLDirectConnection = 4
# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1
$log = $arr.Logging.item($fpcProxyFwLog)
$log.SQLServerName = "sqlsrviisa.pad.kuleuven.be"
$log.SQLServerPort = 3572
$log.LogDBTableName = "FirewallLog"
$log.SQLForceEncryption = $false
$log.LogDBUserName = "PAD\ICTS_ISA_SQL"
$log.LogType = $fpcSQLDirectConnection
$log.SQLDatabase = "db_isa_firewall"
$log.save()
$log = $arr.Logging.item($fpcProxyWebLog)
$log.SQLServerName = "sqlsrviisa.pad.kuleuven.be"
$log.SQLServerPort = 3572
$log.LogDBTableName = "WebProxyLog"
$log.SQLForceEncryption = $false
$log.LogDBUserName = "PAD\ICTS_ISA_SQL"
$log.LogType = $fpcSQLDirectConnection
$log.SQLDatabase = "db_isa_proxy"
$log.save()
Publishing IMAPs and POPs
$fpcAllIPAddresses = 0
$fpcSpecifiedIPAddress = 2
# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1
# A new server publishing rule
$imaps = $arr.ArrayPolicy.PolicyRules.AddServerPublishingRule("Publish IMAPs","10.32.6.6", "IMAPS Server")
# listen on the external side
$imaps.ServerPublishingProperties.IPsOnNetworks.Add("External", $fpcSpecifiedIPAddress, "10.33.113.108")
# and make connections appear to come from the ISA server
$imaps.ServerPublishingProperties.UseFirewallIPAsSource = $true
$imaps.save()
$pops = $arr.ArrayPolicy.PolicyRules.AddServerPublishingRule("Publish POPs", "10.32.6.6", "POP3S Server")
$pops.ServerPublishingProperties.IPsOnNetworks.Add("External", $fpcSpecifiedIPAddress, "10.33.113.108")
$pops.ServerPublishingProperties.UseFirewallIPAsSource = $true
$pops.save()