Friday, 20 March 2009

Firewall/System Policy Documentation Tool for ISA Server 2004/2006 (ISAInfo2XLS Viewer)

An often dreaded part of any ISA Server installation is documenting the final solution, especially if this involves a complex firewall policy. After trying to document a few Enterprise Edition customer installations which contained several hundred firewall policy rules, it became apparent that we could do with some form of documentation utility or tool. This tool would aim to capture the key rule information and output it in a presentable format and/or allow it to be stored electronically for future support purposes.

Rather than create an application from scratch, it made sense to start with the ISAInfo tool, as this provides an XML output which contains all of the raw ISA Server configuration information, including firewall and system policy rules.

After a bit of internal brainstorming, we realised that developing a completely new application to translate data from the ISAInfo XML file into an appropriate format was going to take quite some time. Hence, we decided it would make more sense to modify the display format that is provided with the original ISAInfo Viewer (ISAInfo.hta) in order to manipulate the output. I say “we” here, but I really mean “he”, as full kudos for the actual development work goes to one of my esteemed Silversands colleagues, David Hughes. I was merely responsible for the inspiration, testing and tea making :)

With this approach in mind, David looked at the default ISAInfo.hta viewer in order to understand what changes would be necessary. The ‘problem’ with the default ISAInfo viewer is that the results are formatted for readable screen output. Hence, if you copy and paste the data, it is not really in an ideal format and requires quite a bit of manipulation to achieve something satisfactory (if you paste it directly into Word for example).

Therefore, by modifying the display format into data that is more copy and paste friendly, like comma separated values (CSV), we greatly improve our chances of obtaining the information in a much more suitable form. CSV is also an ideal data format for importing into Excel, and Excel provides an excellent document format for the firewall/system policy rules data.

So after amending the ISAInfo.hta as necessary, we now have a new ISAInfo viewer called ISAInfo2XLS.hta which outputs firewall and system policy information into an onscreen CSV format. Well, to be precise it’s actually a pipe character “|” separated value format (PSV), but close enough! A copy of the customised viewer can be downloaded from here.

Please Note: The original ISAInfo.hta file is based upon version 1.0.2161.23 dated 19/07/2007 which is available as part of the archive available from Jim Harrison’s website here.

In order to understand the entire process of using the customised viewer, I have put together the following procedure with some sample screenshots and a quick walkthrough.

Generate the ISAInfo XML Output

Let’s start with an example firewall policy as shown below. This contains a web publishing rule, a server publishing rule and an access rule:


In order to dump the configuration information, we need to run the ISAInfo.js utility as shown below:


Once this has completed, we have an XML output file which can be opened in the ISAInfo Viewer:


After opening this XML file in the default ISAInfo viewer, we can see the example firewall policy rule details are shown in the right hand pane of the viewer:


So, this is how things work with the default ISAInfo viewer.

Using the ISAInfo2XLS Viewer

Now, let’s look at the display format when we use the ISAInfo2XLS viewer:


As can be seen, the rule information is now provided onscreen in PSV format. If we highlight this text and copy and paste the data into a Notepad text file, we get the following:


If we now save this text file to a temporary location, we can open it using Excel. Excel will then automatically recognise the text file format and will run the Text Import Wizard.

Please Note: I am using Excel 2007 in my examples, but it should be a similar process with previous versions of Excel.

On Step 1 of the wizard, select the Delimited radio button as our data is in a separated, or delimited, format. Then click Next to continue to Step 2.


On Step 2 of the wizard, select the Other tick box and enter a pipe character (the vertical line ‘|’ key to the left of the ‘z’ key on UK QWERTY keyboards). Then click Next to continue to Step 3.


On Step 3 of the wizard, accept the defaults and select Finish.


You should then see the imported firewall policy rules, as shown below:


After a bit of basic formatting we get the following result, which looks great!


Repeating the above process with a set of System Policy rules results in a more complex, but equally impressive, spreadsheet:
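As an added example (not part of the original post or the ISAInfo2XLS tool itself), the following Python script takes the pipe-separated listing that the customised viewer shows on screen and re-emits it as properly quoted CSV, so Excel can open the file directly without the Text Import Wizard. The column headings and the three rules are a constructed sample, not the tool’s real output; the check on field count is there because a stray pipe inside a rule name would otherwise silently shift every column to its right in the spreadsheet.

```python
import csv
import io

# Constructed sample of the on-screen PSV listing. The column names are an
# assumption for illustration only, not the viewer's actual headings.
SAMPLE_PSV = """\
Order|Name|Action|Protocols|From|To|Condition
1|Publish OWA|Allow|HTTPS|Anywhere|Exchange Server|All Users
2|SMTP Server Publishing|Allow|SMTP Server|External|Mail Server|All Users
3|Internal to Internet, Proxy|Allow|HTTP, HTTPS|Internal|External|All Authenticated Users
"""


def parse_psv(text, delimiter="|"):
    """Split the listing into a header and rows, refusing any row whose field
    count differs from the header so a delimiter inside a rule name cannot
    misalign the columns once the data reaches Excel."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(delimiter)
    rows = []
    for n, ln in enumerate(lines[1:], start=2):
        fields = ln.split(delimiter)
        if len(fields) != len(header):
            raise ValueError(
                f"line {n}: expected {len(header)} fields, got {len(fields)}")
        rows.append(dict(zip(header, fields)))
    return header, rows


def psv_to_csv(text):
    """Re-emit the rules as CSV; the csv module quotes any field that itself
    contains a comma (e.g. 'HTTP, HTTPS'), which is exactly the case the
    pipe delimiter was chosen to avoid."""
    header, rows = parse_psv(text)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(psv_to_csv(SAMPLE_PSV))
```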


So, there you go! You now have an Excel spreadsheet that contains all firewall or system policy rules, and the key top-level information for each rule.

I will be the first to admit that it’s not the slickest or most elegant tool in the world, but hopefully some of you will find it as useful as I have when it comes to documenting firewall and system policies – Enjoy!


Based upon popular demand, please find an updated version of ISAInfo2XLS.hta now called ISAInfo2XLSv2.hta from here which has been tested with Windows 7, IE9 and Forefront TMG. Many thanks to Richard Knight for his efforts with this update!

Tuesday, 3 March 2009

A day in the life of a Forefront MVP…

So, I’m here in Seattle at the Microsoft MVP Summit to meet with the Forefront product group and other similar MVPs. This is a bit of an unusual post, as for a change this is not an article, or best practice discussion, just a simple brain dump of my current mindset.

There are some pretty smart people here who really seem keen to understand and learn what customers want from the Forefront product suite. A lot of the information provided is under NDA, which makes it hard for me to share it with the ISA community at large, but there is some interesting stuff in the pipeline to put Microsoft in a very strong, if not unique, position within the IT security marketplace. It also reinforces my view that I need to expand my current ‘Edge’ skill set to include more of the Forefront products, especially the Microsoft “Stirling” offering.

This is my first time at the Summit, as I was only awarded my MVP in October, and this is the first chance I have had to meet with some of the other MVPs and community guys whom I have come to know based upon their ‘online personalities’. This is both an exciting and humbling experience for me and the first real opportunity I have had to interact with Microsoft and other MVPs at this level…the experience has been very positive so far and I have tried to ask as many questions as possible to fuel future blog posts and articles.

I am still kind of jet lagged coming from the UK (an eight hour time zone difference to here) to Seattle. However, I am trying to think coherently and formulate questions to make the best of my time here. ‘Sleepless in Seattle’ is no longer just a film for me, but more of what happens when you keep waking up at 3am when your body clock is still on GMT time :)

So, enough rambling, the key question I ask is this: if you were to meet with the Forefront product group, what questions would you ask? I cannot guarantee to get answers (or provide them due to NDA restrictions) but I am curious to know how people perceive Microsoft in the Forefront area and also to determine which messages are getting through to the community and which are not.

Now that Microsoft Forefront Threat Management Gateway (TMG) is public beta released, I am sure that people are starting to formulate ideas and opinions, yet it is still early enough within the product lifecycle to provide valuable feedback and ask “Why are you doing it like that…?” or “Why haven’t you added feature XYZ…?”

So, I am keen to hear your views, both positive and negative of course; either drop your comments here on my blog or drop me an email to the usual address.