Configuring ISA with Powershell: more examples


Some time ago I posted a few examples of Powershell scripts to configure ISA. Now that I look back at it, I saw it was posted on April 1st. Rest assured, those examples are no joke :)

It's now about 3 weeks later and time for another update.

Before I paste the scripts, some explanation is needed.

First of all, all my scripts are processed by a template engine before they are executed. We currently have 3 domains (2 experimental and 1 production) where 2 ISA servers and CSS server need to be setup.
I want the setup to be identical, except for things like SSL certificates, IP addresses and usernames and such. All of those variables are placed in the scripts (and INIfiles not shown here) by the template engine. Such variables can be recognized by the "$$$" in front and to the back of them. For example: $$$__DOMAIN$$$ will be replaced with the name of the domain that is currently being installed in.

Next, What do these scripts do ?


access_rule_for_scom.ps1

Creates an access rule for the SCOM (MOM) monitoring server. This will allow connections from the ISA server to the SCOM server on some port.

access_rule_for_sqllogging.ps1


add_nagios_to_remote_monitoring.ps1

Adds our Nagios server to the "Remote Monitoring Computers" computerset defined in some other script.

allow_mgmt_from_css.ps1

Adds the CSS server to the Remote Management Computers computerset, because otherwise, it won't be able to keep a look on the ISA servers (when having the CSS on a different physical machine than the ISA servers)

allow_mgmt_from_subnet.ps1

Adds a specific subnet to the Remote Management Computers computerset, as to not lock us out when we install from a different location than the usual one

allow_RDP_from_kulnetnat.ps1

This one adds our NAT to the "Enterprise Remote Management Computers" computerset

configure_intra_array_addresses.ps1

Configures the intra-array IP addresses used by the ISA servers. We use a separate network for this, with their own IP addresses. Beware !! Both ISA servers need to be installed and joined in the ISA array before you can configure these IP addresses. Why ? Well because joining the ISA server in the array will create some entries in the CSS that can't be created otherwise (I think)

create_new_array.ps1

Create a fresh array. At first, I used the "InstallNewArrayAndServer.ini" configfile provided with the ISA installation files, for unattended installation. But after a while I was sick of waiting untill an ISA was installed to configure the CSS. This script takes care of that. It will create an array in the CSS and you can start configuring it, even before any ISA servers are joined.

create_weblisteners.ps1

Here, I've experimented with a powershell function. The function creates a weblistener the way we want it and it is then called for every weblistenenr we want to add. We use a separate IP per certificate, and 1 IP per weblistener. Authentication method differs depending to the weblistener.

debug_access_rule_allow_all.ps1

Creates a debug accessrule allowing all traffic from the ISA to the Internal network. It is disabled by default.

enable_ICMP_from_remote_monitoring.ps1

Adds the "Remote Monitoring Computers" computerset to the ICMP system policy rule. System policy rules are configured differently from other policy rules, so it was sortof interesting to get this working.

enable_NLB.ps1

Enable Network Load Balancing on the External network and add all the IPs we will use in the weblisteners. We're also using unicast NLB because we're too lazy to configure our network infrastructure for multicast NLB.

enable_sqllogging.ps1

Configures the Logging settings to log to an external SQL server. We also don't want ISA to stop working when SQL fails, so this script disables that.

publish_all_https.ps1

This script created all webpublishing rules, using the weblisteners created in an earlier script. Again, a function is used to keep the code short. This script also shows how to reorder rules.

publish_imaps_pops.ps1

Publish IMAPs and POPs

select_network_template_and_default_policy.ps1

Select the "Edge Firewall" network template and set the default policy to "block all"



Here they are, copied directly from my screen:

access_rule_for_scom.ps1


# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1

# we want to allow connections to SCOM from the ISA server
# First, lets define a group "Remote Monitoring Computers" that will hold all SCOM computers
$newset = $arr.RuleElements.ComputerSets.Add("Remote Monitoring Computers")

# Now we add an IP address in it, and name it "SCOM"
# We only have 1 SCOM computer at the moment.
$newset.Computers.Add("SCOM","$$$SCOM_IP_ADDRESS$$$")

# save this new computer set
$arr.save()

# create a new protocol definition
$proto = $arr.RuleElements.ProtocolDefinitions.Add("System Center Operations Manager 2007 agent")
# outbound to port 5723
$proto.PrimaryConnections.AddTCP(1, 5723, 5723)
$proto.save()

$scomrule = $arr.ArrayPolicy.PolicyRules.AddAccessRule("Outbound to SCOM")

# Allow
$scomrule.Action = 0
# only the following selected protocols ...
$scomrule.AccessProperties.ProtocolSelectionMethod = 1
# ... The SCOM 2007 protocol
$scomrule.AccessProperties.SpecifiedProtocols.Add("System Center Operations Manager 2007 agent", 0)
# From Local Host
$scomrule.SourceSelectionIPs.Networks.Add("Local Host", 0)
# To Remote Monitoring Computers
$scomrule.AccessProperties.DestinationSelectionIPs.ComputerSets.Add("Remote Monitoring Computers", 0)
# By All Users
$scomrule.AccessProperties.UserSets.Add("All Users", 0)

$scomrule.save()


access_rule_for_sqllogging.ps1


# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1


# First, create a new protocol definition
$proto = $arr.RuleElements.ProtocolDefinitions.Add("SQL Cluster")
# outbound to SQL server port
$proto.PrimaryConnections.AddTCP(1, $$$SQL_SERVER_PORT$$$, $$$SQL_SERVER_PORT$$$)
$proto.save()

# Next, create a computerset for the SQL cluster
$newset = $arr.RuleElements.ComputerSets.Add("SQL Server Cluster")
$newset.Computers.Add("SQL Server for ISA","$$$SQL_SERVER_IP_ADDRESS$$$")
$newset.save()


$sqlrule = $arr.ArrayPolicy.PolicyRules.AddAccessRule("Outbound to SQL Cluster")

# Allow
$sqlrule.Action = 0
# only the following selected protocols ...
$sqlrule.AccessProperties.ProtocolSelectionMethod = 1
# ... The SQL Cluster protocol
$sqlrule.AccessProperties.SpecifiedProtocols.Add("SQL Cluster", 0)
# From Local Host
$sqlrule.SourceSelectionIPs.Networks.Add("Local Host", 0)
# To SQL Cluster
$sqlrule.AccessProperties.DestinationSelectionIPs.ComputerSets.Add("SQL Server Cluster", 0)
# By All Users
$sqlrule.AccessProperties.UserSets.Add("All Users", 0)

$sqlrule.save()


add_nagios_to_remote_monitoring.ps1


# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1

$set = $arr.RuleElements.ComputerSets | where-object {$_.name -eq "Remote Monitoring Computers"}
$set.Computers.Add("KulNet Nagios","$$$NAGIOS_IP_ADDRESS$$$")
$set.save()


allow_mgmt_from_css.ps1


# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1


$mgmt = $arr.RuleElements.ComputerSets | where-object { $_.name -eq "Remote Management Computers" }
$mgmt.Computers.Add("CSS1","$$$STORAGESERVER_IP$$$")
$arr.save()


allow_mgmt_from_subnet.ps1


# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1


$mgmt = $arr.RuleElements.ComputerSets | where-object { $_.name -eq "Remote Management Computers" }
$mgmt.Subnets.Add("Management Subnet","$$$MANAGEMENT_SUBNET$$$", "$$$MANAGEMENT_SUBNET_MASK$$$")
$arr.save()


allow_RDP_from_kulnetnat.ps1


# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict

$remotemgmt = $root.Enterprise.RuleElements.ComputerSets | where-object { $_.name -eq "Enterprise Remote Management Computers" }

$remotemgmt.Computers.add("$$$KULNET_NAT_NAME$$$", "$$$KULNET_NAT_IP$$$")
$remotemgmt.Computers.save()


configure_intra_array_addresses.ps1


# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1

# let NLB communication go over the specialised network
$isa1 = $arr.Servers | Where-Object { $_.name -eq "$$$__HOST_ISA1_NAME$$$" }
$isa1.IntraArrayAddress = "$$$__HOST_ISA1_HB$$$"
$isa1.save()

$isa2 = $arr.Servers | Where-Object { $_.name -eq "$$$__HOST_ISA2_NAME$$$" }
$isa2.IntraArrayAddress = "$$$__HOST_ISA2_HB$$$"
$isa2.save()



create_new_array.ps1


$root = new-object -comobject "FPC.Root" -strict

$arr = $root.Arrays.add("$$$ARRAY_NAME$$$")
$internal = $arr.NetworkConfiguration.Networks | Where-Object {$_.name -eq "Internal"}
$internal.IpRangeSet.Add("$$$ARRAY_INTERNALNET_START$$$","$$$ARRAY_INTERNALNET_END$$$")

$root.save()


create_weblisteners.ps1


$fpcSpecifiedIPAddress = 2

$fpcRedirectHTTPAsHTTPSDisabled = 0
$fpcRedirectHTTPAsHTTPSIfAuthenticated = 1
$fpcRedirectHTTPAsHTTPSAlways = 2

function spawnWebListener([string]$name,
[string]$ip,
[string]$cn,
[boolean]$basicauth=$true,
[boolean]$digest=$false,
[boolean]$integrated=$false) {
$hash = (dir cert:\localmachine\my | where-object { $_.subject -like "CN=$cn*" }).getCertHash()

$nwl = $arr.RuleElements.WebListeners.add($name)

$res = $nwl.IPsOnNetworks.Add("External", $fpcSpecifiedIPAddress, $ip)
$nwl.Properties.TCPPort = 80
$nwl.Properties.RedirectHTTPAsHTTPS = $fpcRedirectHTTPAsHTTPSAlways
$nwl.Properties.SSLPort = 443
$res = $nwl.Properties.AppliedSSLCertificates.Add([byte[]]($hash))
$nwl.Properties.BasicAuthentication = $basicauth
$nwl.Properties.DigestAuthentication = $digest
$nwl.Properties.IntegratedWindowsAuthentication = $integrated
$nwl.Properties.AlwaysAuthenticate = $true
$nwl.save()

return $nwl
}


# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1


$wl = spawnWebListener "ActiveSync WebListener" "$$$ISA_EXTERNAL_NLB_ACTIVESYNC_IP$$$" "$$$ISA_EXTERNAL_NLB_ACTIVESYNC_NAME$$$" $false $true $true
$wl = spawnWebListener "Sharepoint WebListener" "$$$ISA_EXTERNAL_NLB_SHAREPOINT_IP$$$" "$$$ISA_EXTERNAL_NLB_SHAREPOINT_NAME$$$" # FIXME
$wl = spawnWebListener "OWA WebListener" "$$$ISA_EXTERNAL_NLB_OWA_IP$$$" "$$$ISA_EXTERNAL_NLB_OWA_NAME$$$" $false $false $false
$wl.Properties.AuthenticationSchemes.Add("FBA with AD", 0)
$wl.Properties.DomainForAuthentication = "$$$__DOMAIN$$$"
$wl.save()

$wl = spawnWebListener "Outlook Anywhere WebListener" "$$$ISA_EXTERNAL_NLB_OUTLOOKANYWHERE_IP$$$" "$$$ISA_EXTERNAL_NLB_OUTLOOKANYWHERE_NAME$$$" $false $true $true
$wl = spawnWebListener "Entourage WebListener" "$$$ISA_EXTERNAL_NLB_ENTOURAGE_IP$$$" "$$$ISA_EXTERNAL_NLB_ENTOURAGE_NAME$$$" $true $false $false
$wl = spawnWebListener "Evolution WebListener" "$$$ISA_EXTERNAL_NLB_EVOLUTION_IP$$$" "$$$ISA_EXTERNAL_NLB_EVOLUTION_NAME$$$" $true $false $false
$wl = spawnWebListener "Autodiscover WebListener" "$$$ISA_EXTERNAL_NLB_AUTODISCOVER_IP$$$" "$$$ISA_EXTERNAL_NLB_AUTODISCOVER_NAME$$$" # FIXME
$wl = spawnWebListener "Mailarchive WebListener" "$$$ISA_EXTERNAL_NLB_MAILARCHIVE_IP$$$" "$$$ISA_EXTERNAL_NLB_MAILARCHIVE_NAME$$$" $false $false $false
$wl.Properties.AuthenticationSchemes.Add("FBA with AD", 0)
$wl.Properties.DomainForAuthentication = "$$$__DOMAIN$$$"
$wl.save()

# $wl = spawnWebListener "FS AAI WebListener" "$$$ISA_EXTERNAL_NLB_FSAAI_IP$$$" "$$$ISA_EXTERNAL_NLB_FSAAI_NAME$$$" # FIXME



debug_access_rule_allow_all.ps1


# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1

$debug = $arr.ArrayPolicy.PolicyRules.AddAccessRule("[DEBUG] Allow all to Internal")

# Allow
$debug.Action = 0
# all traffic
$debug.AccessProperties.ProtocolSelectionMethod = 0
# From Local Host
$debug.SourceSelectionIPs.Networks.Add("Local Host", 0)
# To Internal
$debug.AccessProperties.DestinationSelectionIPs.Networks.Add("Internal", 0)
# By All Users
$debug.AccessProperties.UserSets.Add("All Users", 0)

# disable by default
$debug.Enabled = $false

$debug.save()



enable_ICMP_from_remote_monitoring.ps1


# get the ENUM value
$fpcSystemPolicyConfigGroup_RemoteMgmt_ICMP = 8

# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1


# if adding the computerset fails, that means its already added, but the policy could be disabled
# so enable it now and save it, then add the computerset
$icmp = $arr.SystemPolicy.CreateConfigurationGroupInstance($fpcSystemPolicyConfigGroup_RemoteMgmt_ICMP)
$icmp.Enabled = $true
$icmp.save()

""
"The following command may fail with a flashy red error, but that's ok"
""

$icmp = $arr.SystemPolicy.CreateConfigurationGroupInstance($fpcSystemPolicyConfigGroup_RemoteMgmt_ICMP)
$icmp.SourceSelectionIPs.ComputerSets.add("Remote Monitoring Computers",0)
$icmp.save()



enable_NLB.ps1


$fpcNLBOperationModeUnicast = 0

# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1


$arr.NetworkConfiguration.NLBConfiguration.NLBIntegrationEnabled = $true

# Get the external network
$ext = $arr.NetworkConfiguration.Networks | where-Object { $_.name -eq "External" }

# NLB settings
$ext.NLBCluster.SetVIPAndMask("$$$ISA_EXTERNAL_NLB_ACTIVESYNC_IP$$$","$$$ISA_EXTERNAL_NLB_NETMASK$$$")

# generate a list of unique IP address to add (but skip the master VIP added above)
$iplist = (("$$$ISA_EXTERNAL_NLB_ACTIVESYNC_IP$$$",
"$$$ISA_EXTERNAL_NLB_SHAREPOINT_IP$$$",
"$$$ISA_EXTERNAL_NLB_IMAPS_IP$$$",
"$$$ISA_EXTERNAL_NLB_POPS_IP$$$",
"$$$ISA_EXTERNAL_NLB_OWA_IP$$$",
"$$$ISA_EXTERNAL_NLB_OUTLOOKANYWHERE_IP$$$",
"$$$ISA_EXTERNAL_NLB_ENTOURAGE_IP$$$",
"$$$ISA_EXTERNAL_NLB_EVOLUTION_IP$$$",
"$$$ISA_EXTERNAL_NLB_AUTODISCOVER_IP$$$",
# "$$$ISA_EXTERNAL_NLB_FSAAI_IP$$$", #FIXME
"$$$ISA_EXTERNAL_NLB_MAILARCHIVE_IP$$$") | Sort-Object) | Get-Unique | where-object { $_ -ne "$$$ISA_EXTERNAL_NLB_ACTIVESYNC_IP$$$" }

foreach ($ip in $iplist) {
$ext.NLBCluster.AdditionalVIPs.Add($ip)
}

$ext.NLBCluster.OperationMode = $fpcNLBOperationModeUnicast
$ext.NLBCluster.NLBEnabled = $true

$ext.save()


enable_sqllogging.ps1


$fpcProxyWebLog = 1
$fpcProxyFwLog = 2
$fpcSQLDirectConnection = 4

# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1



$log = $arr.Logging.item($fpcProxyFwLog)

$log.SQLServerName = "$$$SQL_SERVER_NAME$$$"
$log.SQLServerPort = $$$SQL_SERVER_PORT$$$
$log.LogDBTableName = "$$$SQL_FIREWALLLOG_TABLE$$$"
$log.SQLForceEncryption = $false
$log.LogDBUserName = "$$$SQL_SERVER_USER$$$"
$log.LogType = $fpcSQLDirectConnection
$log.SQLDatabase = "$$$SQL_FIREWALLLOG_DB$$$"
$log.DropConnectionOnLogError = $false

$log.save()


$log = $arr.Logging.item($fpcProxyWebLog)

$log.SQLServerName = "$$$SQL_SERVER_NAME$$$"
$log.SQLServerPort = $$$SQL_SERVER_PORT$$$
$log.LogDBTableName = "$$$SQL_WEBPROXYLOG_TABLE$$$"
$log.SQLForceEncryption = $false
$log.LogDBUserName = "$$$SQL_SERVER_USER$$$"
$log.LogType = $fpcSQLDirectConnection
$log.SQLDatabase = "$$$SQL_WEBPROXYLOG_DB$$$"
$log.DropConnectionOnLogError = $false

$log.save()

# don't stop firewalling on Log Failure
$logfail = $arr.Alerts | Where-Object {$_.name -eq "Log Failure"}
$stopfw = $logfail.Actions.SetStopServices("StopServices", 1)
$stopfw.Enabled = $false
$stopfw.save()




publish_all_https.ps1


$fpcWebServerThruHTTP = 0
$fpcWebServerThruSSL = 1
$fpcWebServerThruBothHTTPAndSSL = 2
$fpcFTPServer = 3

$fpcSSLDontRequireSecureChannel = 0
$fpcSSLRequireSecureChannel = 1
$fpcSSLRequire128BitSecureChannel = 2
$fpcSSLRequireBoth = 3

$fpcDelegationNonePassThrough = 0
$fpcDelegationNoneBlock = 1
$fpcDelegationSecurID = 2
$fpcDelegationBasic = 3
$fpcDelegationNTLM = 4
$fpcDelegationSPNEGO = 5
$fpcDelegationKerberosConstrained = 6



# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1

function spawnWebPublishingRule([string]$name,
[string]$listener,
[string]$ip,
[string]$backend,
[int]$authtype=$fpcDelegationNonePassThrough) {

$https = $arr.ArrayPolicy.PolicyRules.AddWebPublishingRule("$name")
$res = $https.WebPublishingProperties.SetWebListener("$listener")
$https.WebPublishingProperties.WebSite = "$backend"
$https.WebPublishingProperties.PublishedServer = "$ip"
$https.WebPublishingProperties.PublishedServerType = $fpcWebServerThruSSL
$https.WebPublishingProperties.SSLRequireSecureChannel = $fpcSSLRequireBoth
$res = $https.WebPublishingProperties.PublicNames.Add("$backend")
$https.WebPublishingProperties.CredentialsDelegationType = $authtype

# remove default path mapping and add a new one, "same as internal"
$res = $https.WebPublishingProperties.PathMappings.Remove(1)
$res = $https.WebPublishingProperties.PathMappings.add("/*", $true, "/*")

$https.WebPublishingProperties.SendOriginalHostHeader = $true


if($authtype -eq $fpcDelegationKerberosConstrained) {
$https.WebPublishingProperties.ServicePrincipalName = "$$$SPN_CAS$$$"
}
$https.save()

return $https
}


###########################
###
### OWA
###
###########################
$wpr = spawnWebPublishingRule "Publish OWA" "OWA WebListener" "$$$ISA_INTERNAL_NLB_OWA_IP$$$" "$$$ISA_INTERNAL_NLB_OWA_NAME$$$" $fpcDelegationKerberosConstrained
$wpr.WebPublishingProperties.PathMappings.Remove(1)
foreach ($path in @("/UnifiedMessaging/*", "/public/*", "/OWA/*", "/OAB/*", "/Exchweb/*", "/Exchange/*", "/EWS/*")) {
$wpr.WebPublishingProperties.PathMappings.add("$path", $true, "$path")
}
$wpr.save()

###########################
###
### Redirect / to /OWA/ for OWA
###
###########################
$wpr = spawnWebPublishingRule "Redirect OWA" "OWA WebListener" "$$$ISA_INTERNAL_NLB_OWA_IP$$$" "$$$ISA_INTERNAL_NLB_OWA_NAME$$$" $fpcDelegationNonePassThrough
$wpr.Action = 1 # Deny rule
$wpr.WebPublishingProperties.RedirectUrl = "https://$$$ISA_EXTERNAL_NLB_OWA_NAME$$$/OWA/"
$wpr.WebPublishingProperties.PathMappings.Remove(1)
foreach ($path in @("/")) {
$wpr.WebPublishingProperties.PathMappings.add("$path", $true, "$path")
}
$wpr.save()

###########################
###
### Entourage
###
###########################
$wpr = spawnWebPublishingRule "Publish Entourage" "Entourage WebListener" "$$$ISA_INTERNAL_NLB_ENTOURAGE_IP$$$" "$$$ISA_INTERNAL_NLB_ENTOURAGE_NAME$$$" $fpcDelegationKerberosConstrained
$wpr.WebPublishingProperties.PathMappings.Remove(1)
foreach ($path in @("/UnifiedMessaging/*", "/public/*", "/OWA/*", "/OAB/*", "/Exchweb/*", "/Exchange/*", "/EWS/*")) {
$wpr.WebPublishingProperties.PathMappings.add("$path", $true, "$path")
}
$wpr.save()

###########################
###
### Evolution
###
###########################
$wpr = spawnWebPublishingRule "Publish Evolution" "Evolution WebListener" "$$$ISA_INTERNAL_NLB_EVOLUTION_IP$$$" "$$$ISA_INTERNAL_NLB_EVOLUTION_NAME$$$" $fpcDelegationKerberosConstrained
$wpr.WebPublishingProperties.PathMappings.Remove(1)
foreach ($path in @("/UnifiedMessaging/*", "/public/*", "/OWA/*", "/OAB/*", "/Exchweb/*", "/Exchange/*", "/EWS/*")) {
$wpr.WebPublishingProperties.PathMappings.add("$path", $true, "$path")
}
$wpr.save()

###########################
###
### Outlook Anywhere
###
###########################
$wpr = spawnWebPublishingRule "Publish Outlook Anywhere" "Outlook Anywhere WebListener" "$$$ISA_INTERNAL_NLB_OUTLOOKANYWHERE_IP$$$" "$$$ISA_INTERNAL_NLB_OUTLOOKANYWHERE_NAME$$$" $fpcDelegationKerberosConstrained
$wpr.WebPublishingProperties.PathMappings.Remove(1)
foreach ($path in @("/UnifiedMessaging/*", "/rpc/*", "/OAB/*", "/EWS/*")) {
$wpr.WebPublishingProperties.PathMappings.add("$path", $true, "$path")
}
$wpr.save()

###########################
###
### Mailarchive
###
###########################
$wpr = spawnWebPublishingRule "Publish Mailarchive" "Mailarchive WebListener" "$$$ISA_INTERNAL_NLB_MAILARCHIVE_IP$$$" "$$$ISA_INTERNAL_NLB_MAILARCHIVE_NAME$$$" $fpcDelegationKerberosConstrained
$wpr.WebPublishingProperties.PathMappings.Remove(1)
foreach ($path in @("/EnterpriseVault/*")) {
$wpr.WebPublishingProperties.PathMappings.add("$path", $true, "$path")
}
$wpr.WebPublishingProperties.ServicePrincipalName = "$$$SPN_EVAULT1$$$"
$wpr.save()

###########################
###
### Redirect / to /EnterpriseVault/ for Mailarchive
###
###########################
$wpr = spawnWebPublishingRule "Redirect Mailarchive" "Mailarchive WebListener" "$$$ISA_INTERNAL_NLB_MAILARCHIVE_IP$$$" "$$$ISA_INTERNAL_NLB_MAILARCHIVE_NAME$$$" $fpcDelegationNonePassThrough
$wpr.Action = 1 # Deny rule
$wpr.WebPublishingProperties.RedirectUrl = "https://$$$ISA_EXTERNAL_NLB_MAILARCHIVE_NAME$$$/EnterpriseVault/"
$wpr.WebPublishingProperties.PathMappings.Remove(1)
foreach ($path in @("/")) {
$wpr.WebPublishingProperties.PathMappings.add("$path", $true, "$path")
}
$wpr.save()

###########################
###
### Cold Mailarchive
###
###########################
$wpr = spawnWebPublishingRule "Publish Cold Mailarchive" "Mailarchive WebListener" "$$$ISA_INTERNAL_NLB_COLDMAILARCHIVE_IP$$$" "$$$ISA_INTERNAL_NLB_COLDMAILARCHIVE_NAME$$$" $fpcDelegationKerberosConstrained
$wpr.WebPublishingProperties.PathMappings.Remove(1)
foreach ($path in @("/EnterpriseVault/*")) {
$wpr.WebPublishingProperties.PathMappings.add("$path", $true, "$path")
}
$wpr.WebPublishingProperties.ServicePrincipalName = "$$$SPN_EVAULT2$$$"
$wpr.Enabled = $false
$wpr.save()

###########################
###
### ActiveSync
###
###########################
$wpr = spawnWebPublishingRule "Publish ActiveSync" "ActiveSync WebListener" "$$$ISA_INTERNAL_NLB_ACTIVESYNC_IP$$$" "$$$ISA_INTERNAL_NLB_ACTIVESYNC_NAME$$$" $fpcDelegationKerberosConstrained
$wpr.WebPublishingProperties.PathMappings.Remove(1)
foreach ($path in @("/Microsoft-Server-ActiveSync/*")) {
$wpr.WebPublishingProperties.PathMappings.add("$path", $true, "$path")
}
$wpr.save()

###########################
###
### AutoDiscover
###
###########################
$wpr = spawnWebPublishingRule "Publish Autodiscover" "Autodiscover WebListener" "$$$ISA_INTERNAL_NLB_AUTODISCOVER_IP$$$" "$$$ISA_INTERNAL_NLB_AUTODISCOVER_NAME$$$" $fpcDelegationKerberosConstrained
$wpr.WebPublishingProperties.TranslateLinks = $false
$wpr.WebPublishingProperties.PathMappings.Remove(1)
foreach ($path in @("/Autodiscover/*")) {
$wpr.WebPublishingProperties.PathMappings.add("$path", $true, "$path")
}
$wpr.save()


###########################
###
### move "Redirect OWA" rule to the top
###
###########################
$denyrule = $arr.ArrayPolicy.PolicyRules | where-object { $_.name -eq "Redirect OWA"}
$denyruleorder = $denyrule.Order

for ($i=$denyruleorder; $i -gt 1; $i--) {
$arr.ArrayPolicy.PolicyRules.MoveUp($i)
}
$arr.save()

###########################
###
### move "Redirect Mailarchive" rule to the top
###
###########################
$denyrule = $arr.ArrayPolicy.PolicyRules | where-object { $_.name -eq "Redirect Mailarchive"}
$denyruleorder = $denyrule.Order

for ($i=$denyruleorder; $i -gt 1; $i--) {
$arr.ArrayPolicy.PolicyRules.MoveUp($i)
}
$arr.save()



publish_imaps_pops.ps1


$fpcAllIPAddresses = 0
$fpcSpecifiedIPAddress = 2


# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1


# A new server publishing rule
$imaps = $arr.ArrayPolicy.PolicyRules.AddServerPublishingRule("Publish IMAPs","$$$ISA_INTERNAL_NLB_IMAPS_IP$$$", "IMAPS Server")

# listen on the external side
$imaps.ServerPublishingProperties.IPsOnNetworks.Add("External", $fpcSpecifiedIPAddress, "$$$ISA_EXTERNAL_NLB_IMAPS_IP$$$")

# and make connections appear to come from the ISA server
$imaps.ServerPublishingProperties.UseFirewallIPAsSource = $true
$imaps.save()

$pops = $arr.ArrayPolicy.PolicyRules.AddServerPublishingRule("Publish POPs", "$$$ISA_INTERNAL_NLB_POPS_IP$$$", "POP3S Server")
$pops.ServerPublishingProperties.IPsOnNetworks.Add("External", $fpcSpecifiedIPAddress, "$$$ISA_EXTERNAL_NLB_POPS_IP$$$")
$pops.ServerPublishingProperties.UseFirewallIPAsSource = $true
$pops.save()



select_network_template_and_default_policy.ps1


# find our little array, reference it from $arr
$root = new-object -comobject "FPC.Root" -strict
$arr = $root.Arrays | select-object -first 1

# template: Edge firewall
# default policy: block all

$arr.SelectNetworkTemplateAndPolicy("Edge Firewall", "Block all")