Documenting the ISA Server 2004 Design


The process of designing an ISA Server environment can include multiple design decisions, various decision rationales, and specific implementation settings. It is often difficult, after the design is complete, to retain the knowledge of why particular decisions were made during the design process. Subsequently, one of the first and most important sets of documentation for an ISA environment relates to the design of the environment itself.

This type of documentation can take many forms, but typically involves a formal design document, a server as-built document, and specific information on configured rules and settings, which can be ascertained through the creation of a custom script. An example of this type of script, which can be extremely valuable in the documentation of ISA settings, is provided in this section of the chapter.

For more information on designing an ISA Server environment, refer to Chapter 4, "Designing an ISA Server 2004 Environment."

Documenting the ISA Design Process

The first step in the implementation of an ISA Server 2004 environment is the development and approval of a design. Documenting this design contributes to the success of the project. The design document records the decisions made during the design process and provides a reference for testing, implementation, and support. The key components of a design document include the following:

  • The goals and objectives of the project

  • The background or what led up to the design

  • The approach that will be used to implement the solution

  • The details of the end state of the project

Goals and objectives can be surprisingly hard to pin down. They need to be detailed and concrete enough to define the results that you want while staying at a high level. For instance, "reduce downtime" is too vague to be considered a functional goal, whereas "implement Network Load Balancing with ISA Server 2004 Enterprise Edition to reduce downtime to less than one minute in the case of single server failure" is much more specific.

Including the background of meetings and brainstorming sessions that led up to the decisions for the end state of the project provides the groundwork for the detailed designs provided later in the document. For example, a decision may have been made "because the CEO wants it that way," which affects the post-migration environment. Other decisions may have come about after many hours of debates over the particulars and required technical research to come up with the "right" answer. Recording this level of information can be extremely useful in the future if performance issues are encountered or additional changes to the network are being considered.

The description of the end state to be implemented can be very high level or can drill down to more specific configurations of each server, depending on the document's audience. However, it is recommended that the design document not include step-by-step procedures or other details of how the process is to be accomplished. This level of detail is better handled, in most cases, in dedicated configuration or training documents as discussed later in this chapter.

Formalizing ISA Server Configuration with As-Built Documentation

The configuration document, often referred to as an as-built, details a snapshot configuration of the ISA Server 2004 system as it is built. This document contains essential information required to rebuild a server.

One way to create an as-built document is to export settings on a server using tools such as the script illustrated in the next section of this chapter and with built-in Windows utilities such as WinMSD. WinMSD is a simple export utility that is included in the base Windows operating system, and exports server-specific settings to a text file. This data can then be imported into formal documentation easily.

To export the configuration of an ISA Server using WinMSD, perform the following steps:

1. Log in to the ISA Server as a local administrator.

2. Go to Start, Run, and type winmsd and click Run.

3. From the System Information dialog box, shown in Figure 20.1, go to File, Export.

Figure 20.1. Using WinMSD to export Windows settings for ISA documentation.

4. Enter a name and a location for the exported text file and click Save.

After the specific settings on an ISA server have been acquired, they can be formalized into as-built documentation. The following is an example of an ISA Server 2004 as-built document template:

Introduction

The purpose of this ISA Server 2004 as-built document is to assist an experienced network administrator or engineer in restoring the server in the event of a hardware failure. This document contains screen shots and configuration settings for the server at the time it was built. If settings are not implicitly defined in this document, they are assumed to be set to defaults. It is not intended to be a comprehensive disaster recovery plan with step-by-step procedures for rebuilding the server. For this document to remain useful as a recovery aid, it must be updated as configuration settings change.

System Configuration
    Hardware Summary
    Disk Configuration
        Physical Disk Configuration
        Logical Disk Configuration
    System Summary
    Device Manager
    RAID Configuration
    TCP/IP Configuration

ISA Configuration
    Networks
    Network Rules
    Firewall Policy Rules
    VPN Configuration
    Antivirus Configuration Add-Ons

Documenting Specific ISA Configuration with Custom Scripting

The ISA Server Console provides a convenient view of firewall policy rules, network rules, VPN configuration, and other ISA settings. Although individual elements and entire configurations can be exported for backup or migration purposes, there is no built-in way to export these settings to a simple text format for documentation purposes.

Fortunately, the ISA Server development team included a relatively straightforward scripting mechanism called the FPC object that allows for the export of ISA settings to text, CSV, or other formats. This enables administrators with scripting knowledge to generate documentation from an ISA server easily, without having to decipher the XML export files. For more information about the FPC object, reference the following Microsoft website:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/isa/isaobj1_97lg.asp

The following custom script illustrates the capabilities that the FPC object gives an administrator who is tasked with documenting ISA rules. It exports the ISA Firewall Policy rules on the local server on which it is run. All the rule information is exported to a CSV file, such as the one shown in Figure 20.2.

Figure 20.2. Examining the CSV file that the ISA documentation custom script generates.


NOTE

The isaconfig.wsf script, along with others referenced in this book, can be downloaded from the Sams Publishing website.


This particular script can be run by executing the following command from the directory where the script is located:

 Cscript isaconfig.wsf /path:C:\ 

Listing 20.1 shows the code for the custom documentation script.

Listing 20.1. Examining the isaconfig.wsf Documentation Script


<?xml version="1.0" ?>
<package>
  <job>
    <runtime>
      <description>
************************************************************
ISA Configuration Report Job
************************************************************
      </description>
      <named name="path" helpstring="The UNC or file path you want to export the configuration report to." type="string" required="1" />
      <named name="silent" helpstring="Runs script in silent mode." type="simple" required="0" />
      <example>
Example:
cscript isaconfig.wsf /path:"\\remoteserver\sharename"
cscript isaconfig.wsf /path:"c:\isainfo"
      </example>
    </runtime>
    <script language="VBScript">
<![CDATA[
'===================================================================
' Comments about the script
'===================================================================
' This script uses the FPC object to produce a report of the policies in an
' ISA configuration. As currently written, this script can be run only on the
' local ISA server that you are trying to export the configuration from. In
' conjunction with the FPCArray object the script can be modified to produce
' a centralized report of all ISA servers in an organization.
'
' It is also important to note that this script was developed in an effort to
' try to give a visual representation of the policy configuration that is
' present on an ISA server. Not all the elements that are in a policy are
' represented in the report. The report is therefore not a complete
' configuration and should be used only to document the current policies that
' are in place.
'
' To expand upon the script and for more information about the FPC object
' please see the following URL:
'
' http://msdn.microsoft.com/library/default.asp?url=/library/en-us/isasdk/isa/fpc_object.asp
'
' Please note that in all cases usage of the FPC object is limited to a
' server that has ISA 2004 or greater installed on it.
'
'===================================================================
' Check args
'===================================================================
If WScript.Arguments.Named.Exists("path") = False Then
  WScript.Arguments.ShowUsage()
  WScript.Quit
End If

Const ForWriting = 2

Dim FSO, WSHNetwork
Dim objLogFile
Dim strPath
Dim strFileName
Dim dtmThisMinute, dtmThisHour
Dim dtmThisDay, dtmThisMonth, dtmThisYear
Dim Policy, strPolicyAction, strPolicyType
Dim strProtoSelectMethod, strWebPubType, strField

Set WSHNetwork = CreateObject("WScript.Network")
strPath = WScript.Arguments.Named("path")
Set FSO = CreateObject("Scripting.FileSystemObject")

' The report is named COMPUTERNAME-YYYY-MM-DD-HH-MM.csv so that successive
' exports of the same server can be kept side by side.
dtmThisMinute = PadDigits(Minute(Now), 2)
dtmThisHour = PadDigits(Hour(Now), 2)
dtmThisDay = PadDigits(Day(Now), 2)
dtmThisMonth = PadDigits(Month(Now), 2)
dtmThisYear = Year(Now)
strFileName = WSHNetwork.ComputerName & "-" & dtmThisYear & "-" & dtmThisMonth & "-" & _
              dtmThisDay & "-" & dtmThisHour & "-" & dtmThisMinute & ".csv"
Set objLogFile = FSO.OpenTextFile(strPath & "\" & strFileName, ForWriting, True)

Dim objRoot   ' The FPCLib.FPC root object
Dim isaArray  ' An FPCArray object
Set objRoot = CreateObject("FPC.Root")
Set isaArray = objRoot.GetContainingArray()

'--------------------
' Write Headers
'--------------------
objLogFile.Write("Order")
objLogFile.Write(",")
objLogFile.Write("Name")
objLogFile.Write(",")
objLogFile.Write("Action")
objLogFile.Write(",")
objLogFile.Write("Type")
objLogFile.Write(",")
objLogFile.Write("Protocols")
objLogFile.Write(",")
objLogFile.Write("From/Listener")
objLogFile.Write(",")
objLogFile.Write("To")
objLogFile.Write(",")
objLogFile.Write("Condition")
objLogFile.WriteLine()

For Each Policy In isaArray.ArrayPolicy.PolicyRules
  objLogFile.Write(Policy.Order)
  objLogFile.Write(",")
  objLogFile.Write(CsvField(Policy.Name))
  objLogFile.Write(",")
  strPolicyAction = Policy.Action
  If strPolicyAction = 0 Then
    objLogFile.Write("Allow")
  Else
    objLogFile.Write("Deny")
  End If
  objLogFile.Write(",")
  strPolicyType = Policy.Type
  '--------------------
  ' Policy Type Cases
  '--------------------
  ' There are three basic ISA Policy Types (Access Rule, Server Publishing Rule,
  ' Web Publishing Rule). Policy.Type is a number, so the Case values must be
  ' numeric: VBScript never treats the number 0 as equal to the string "0".
  Select Case strPolicyType
    Case 0
      objLogFile.Write("Access Rule")
      objLogFile.Write(",")
      '--------------------
      ' Get Protocol Information
      '--------------------
      strField = ""
      strProtoSelectMethod = Policy.AccessProperties.ProtocolSelectionMethod
      If strProtoSelectMethod = 0 Then
        strField = "All Outbound Traffic"
      ElseIf strProtoSelectMethod = 2 Then
        strField = "All Except:"
      End If
      strField = strField & JoinRefs(Policy.AccessProperties.SpecifiedProtocols)
      objLogFile.Write(CsvField(strField))
      objLogFile.Write(",")
      '--------------------
      ' Get Source Network Information
      '--------------------
      GetNet(Policy.SourceSelectionIPs)
      '--------------------
      ' Get Destination Network Information
      '--------------------
      GetNet(Policy.AccessProperties.DestinationSelectionIPs)
      '--------------------
      ' Get Conditions
      '--------------------
      GetConditions(Policy.AccessProperties.UserSets)
    Case 1
      objLogFile.Write("Server Publishing Rule")
      objLogFile.Write(",")
      '--------------------
      ' Get Published Protocol
      '--------------------
      objLogFile.Write(CsvField(Policy.ServerPublishingProperties.PublishedProtocol))
      objLogFile.Write(",")
      '--------------------
      ' Get Source Network Information
      '--------------------
      GetNet(Policy.SourceSelectionIPs)
      '--------------------
      ' Get Published Server
      '--------------------
      objLogFile.Write(Policy.ServerPublishingProperties.PublishedServerIP)
      ' Server publishing rules carry no user-set condition; keep the column count.
      objLogFile.Write(",")
    Case 2
      objLogFile.Write("Web Publishing Rule")
      objLogFile.Write(",")
      '--------------------
      ' Get Web Server Type
      '--------------------
      strWebPubType = Policy.WebPublishingProperties.PublishedServerType
      If strWebPubType = 0 Then
        objLogFile.Write("HTTP")
      ElseIf strWebPubType = 1 Then
        objLogFile.Write("HTTPS")
      ElseIf strWebPubType = 2 Then
        objLogFile.Write("HTTP & HTTPS")
      ElseIf strWebPubType = 3 Then
        objLogFile.Write("FTP")
      End If
      objLogFile.Write(",")
      '--------------------
      ' Get Web Listener
      '--------------------
      objLogFile.Write(CsvField(Policy.WebPublishingProperties.WebListenerUsed))
      objLogFile.Write(",")
      '--------------------
      ' Get Published Web Site Name
      '--------------------
      objLogFile.Write(CsvField(Policy.WebPublishingProperties.WebSite))
      objLogFile.Write(",")
      '--------------------
      ' Get Conditions
      '--------------------
      GetConditions(Policy.WebPublishingProperties.UserSets)
    Case Else
      ' Unknown rule type: leave the remaining four columns empty.
      objLogFile.Write(",,,")
  End Select
  objLogFile.WriteLine()
Next

objLogFile.Close
If WScript.Arguments.Named.Exists("silent") = False Then
  WScript.Echo("Finished export to " & strPath & "\" & strFileName)
End If

'===================================================================
' Functions
'===================================================================
'--------------------
' Pad Digits
'--------------------
' This function is used to pad date variables that contain only one digit.
Function PadDigits(n, totalDigits)
  If totalDigits > Len(n) Then
    PadDigits = String(totalDigits - Len(n), "0") & n
  Else
    PadDigits = n
  End If
End Function

'--------------------
' CSV Field
'--------------------
' Quote a value that contains a comma or a double quote so the column layout
' survives rule, network, or user-set names that include either character.
Function CsvField(v)
  Dim s
  s = CStr(v)
  If InStr(s, ",") > 0 Or InStr(s, """") > 0 Then
    CsvField = """" & Replace(s, """", """""") & """"
  Else
    CsvField = s
  End If
End Function

'--------------------
' Join Parts
'--------------------
' Join two list fragments with "; ", skipping whichever side is empty.
Function JoinParts(a, b)
  If a = "" Then
    JoinParts = b
  ElseIf b = "" Then
    JoinParts = a
  Else
    JoinParts = a & "; " & b
  End If
End Function

'--------------------
' Join Refs
'--------------------
' Join the members of an FPC collection with "; ". CStr converts each member
' through the object's default property.
Function JoinRefs(objCollection)
  Dim Item, strResult
  strResult = ""
  For Each Item In objCollection
    strResult = JoinParts(strResult, CStr(Item))
  Next
  JoinRefs = strResult
End Function

'--------------------
' Get Conditions
'--------------------
' This procedure writes the user sets that condition a rule as one field.
Sub GetConditions(ObjectPath)
  objLogFile.Write(CsvField(JoinRefs(ObjectPath)))
End Sub

'--------------------
' Get Network Information
'--------------------
' This procedure writes the network information for a rule as one field:
' address ranges, computers, computer sets, networks, network sets, and subnets.
Sub GetNet(ObjectPath)
  Dim strNets
  strNets = JoinRefs(ObjectPath.AddressRanges)
  strNets = JoinParts(strNets, JoinRefs(ObjectPath.Computers))
  strNets = JoinParts(strNets, JoinRefs(ObjectPath.ComputerSets))
  strNets = JoinParts(strNets, JoinRefs(ObjectPath.Networks))
  strNets = JoinParts(strNets, JoinRefs(ObjectPath.NetworkSets))
  strNets = JoinParts(strNets, JoinRefs(ObjectPath.Subnets))
  objLogFile.Write(CsvField(strNets))
  objLogFile.Write(",")
End Sub
]]>
    </script>
  </job>
</package>
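An as-built document is only useful while it matches the server, so a practical follow-up to the export is comparing two snapshots. The following Python script is an added example, not part of the book or of isaconfig.wsf: it reads two CSV exports in the eight-column layout that Listing 20.1 writes (Order, Name, Action, Type, Protocols, From/Listener, To, Condition), reports rules that were added, removed, reordered, or changed, and separately lists any rule whose action flipped from Deny to Allow, the change most worth a second look. The two exports are constructed sample data, and the script assumes rule names are unique within an export, since it keys on the Name column.

```python
"""Compare two isaconfig.wsf CSV exports and report firewall-policy drift.

Added example; not part of the book or of isaconfig.wsf. It assumes the
eight-column layout that Listing 20.1 writes and that rule names are unique
within an export (the Name column is used as the key).
"""
import csv
import io

# Column headers exactly as isaconfig.wsf writes them.
FIELDS = ["Order", "Name", "Action", "Type", "Protocols",
          "From/Listener", "To", "Condition"]

# Constructed sample exports: a baseline taken when the as-built document was
# written, and a later export of the same server.
OLD_EXPORT = """Order,Name,Action,Type,Protocols,From/Listener,To,Condition
1,Allow DNS,Allow,Access Rule,DNS,Internal,External,All Users
2,Block Telnet,Deny,Access Rule,Telnet,Internal,External,All Users
3,Allow Web,Allow,Access Rule,HTTP; HTTPS,Internal,External,All Authenticated Users
4,Publish OWA,Allow,Web Publishing Rule,HTTPS,OWA Listener,owa.example.com,All Authenticated Users
"""

NEW_EXPORT = """Order,Name,Action,Type,Protocols,From/Listener,To,Condition
1,Allow DNS,Allow,Access Rule,DNS,Internal,External,All Users
2,Allow Web,Allow,Access Rule,All Outbound Traffic,Internal,External,All Users
3,Block Telnet,Allow,Access Rule,Telnet,Internal,External,All Users
4,Publish OWA,Allow,Web Publishing Rule,HTTPS,OWA Listener,owa.example.com,All Authenticated Users
5,Allow RDP,Allow,Access Rule,RDP (Terminal Services),Internal,External,All Users
"""


def load_rules(csv_text):
    """Parse one export into {rule name: row dict}; reject unexpected layouts."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames != FIELDS:
        raise ValueError("unexpected header: %r" % (reader.fieldnames,))
    rules = {}
    for row in reader:
        if row["Name"] in rules:
            raise ValueError("duplicate rule name: %s" % row["Name"])
        rules[row["Name"]] = row
    return rules


def diff_rules(old_text, new_text):
    """Return a dict describing added/removed/changed/reordered rules.

    'deny_to_allow' lists rules whose Action changed from Deny to Allow: that
    opens traffic the documented design blocked, so it deserves review.
    """
    old, new = load_rules(old_text), load_rules(new_text)
    report = {"added": [], "removed": [], "changed": [],
              "reordered": [], "deny_to_allow": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            report["added"].append(name)
            continue
        if name not in new:
            report["removed"].append(name)
            continue
        before, after = old[name], new[name]
        # Order is reported separately so a pure re-sort is not a "change".
        changes = [(f, before[f], after[f])
                   for f in FIELDS if f != "Order" and before[f] != after[f]]
        if changes:
            report["changed"].append((name, changes))
        if before["Order"] != after["Order"]:
            report["reordered"].append((name, before["Order"], after["Order"]))
        if before["Action"] == "Deny" and after["Action"] == "Allow":
            report["deny_to_allow"].append(name)
    return report


def format_report(report):
    """Render the diff as plain text lines suitable for a change log."""
    lines = []
    for name in report["added"]:
        lines.append("ADDED     %s" % name)
    for name in report["removed"]:
        lines.append("REMOVED   %s" % name)
    for name, changes in report["changed"]:
        for field, before, after in changes:
            lines.append("CHANGED   %s: %s %r -> %r" % (name, field, before, after))
    for name, before, after in report["reordered"]:
        lines.append("REORDERED %s: order %s -> %s" % (name, before, after))
    for name in report["deny_to_allow"]:
        lines.append("REVIEW    %s now allows traffic the baseline denied" % name)
    return lines


REPORT = diff_rules(OLD_EXPORT, NEW_EXPORT)

if __name__ == "__main__":
    print("\n".join(format_report(REPORT)))
```

Run against the sample data, the report shows one new rule, two rules that swapped positions, a web rule widened to all outbound traffic for all users, and the Telnet block turned into an allow. To use it on real exports, replace the two embedded strings with the contents of two files written by isaconfig.wsf for the same server.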



    Microsoft Internet Security and Acceleration ISA Server 2004 Unleashed
    ISBN: 067232718X
    Year: 2005
    Pages: 216
    Authors: Michael Noel
