Friday, 20 March 2009

Firewall/System Policy Documentation Tool for ISA Server 2004/2006 (ISAInfo2XLS Viewer)

A commonly revered part of any ISA Server installation is that of documenting the final solution, especially if this involves a complex firewall policy. After trying to document a few Enterprise Edition customer installations which contained several hundred firewall policy rules, it became apparent that we could do with some form of documentation utility or tool. This tool would aim to capture the key rule information and output this into a nice looking format and/or allow it to be stored electronically for future support purposes. 

Rather than create an application from scratch, it made sense to start with the ISAInfo tool, as this provides an XML output which contains all of the raw ISA Server configuration information, including firewall and system policy rules.

After a bit of internal brainstorming, we realised that developing a completely new application to translate data from the ISAInfo XML file into an appropriate format was going to take quite some time. Hence, we decided it would make more sense to modify the display format that is provided with the original ISAInfo Viewer (ISAInfo.hta) in order to manipulate the output. I say “we” here, but I really mean “he”, as full kudos for the actual development work goes to one of my esteemed Silversands colleagues, David Hughes. I was merely responsible for the inspiration, testing and tea making :)

With this approach in mind, David looked at the default ISAInfo.hta viewer in order to understand what changes would be necessary. The ‘problem’ with the default ISAInfo viewer is that the results are formatted for readable screen output. Hence, if you copy and paste the data, it is not really in an ideal format and requires quite a bit of manipulation to achieve something satisfactory (if you paste it directly into Word for example).

Therefore, by modifying the display format into data that is more copy and paste friendly, like comma-separated values (CSV), we greatly improve our chances of obtaining the information in a much more suitable form. CSV is also an ideal data format for importing into Excel, which provides an excellent document format for the firewall/system policy rules data.

So after amending the ISAInfo.hta as necessary, we now have a new ISAInfo viewer called ISAInfo2XLS.hta which outputs firewall and system policy information into an onscreen CSV format. Well, to be precise it’s actually a pipe character “|” separated value format really (PSV), but close enough! A copy of the customised viewer can be downloaded from here.

Please Note: The original ISAInfo.hta file is based upon version 1.0.2161.23 dated 19/07/2007 which is available as part of the ISAInfo.zip archive available from Jim Harrison’s www.isatools.org website here.

In order to understand the entire process of using the customised viewer, I have put together the following procedure with some sample screenshots and a quick walkthrough.

Generate the ISAInfo XML Output

Let's start with an example firewall policy as shown below. This contains a web publishing rule, a server publishing rule and an access rule:

fwdoc1

In order to dump the configuration information, we need to run the ISAInfo.js utility as shown below:

fwdoc2

Once this has completed, we then have an XML output file which can be opened in the ISAInfo Viewer:

fwdoc3

After opening this XML file in the default ISAInfo viewer, we can see the example firewall policy rule details are shown in the right hand pane of the viewer:

fwdoc4

So, this is how things work with the default ISAInfo viewer.

Using the ISAInfo2XLS Viewer

Now, let's look at the display format when we use the ISAInfo2XLS viewer:

fwdoc5

As can be seen, the rule information is now provided onscreen in PSV format. If we highlight this text and copy and paste the data into a notepad text file, we get the following:

fwdoc8

If we now save this text file to a temporary location, we can open it using Excel. Excel will then automatically recognise the text file format and will run the Text Import Wizard.

Please Note: I am using Excel 2007 in my examples, but it should be a similar process with previous versions of Excel.

On Step 1 of the wizard, select the Delimited radio button as our data is in a separated, or delimited, format. Then click Next to continue to Step 2.

fwdoc9

On Step 2 of the wizard, select the Other tick box and enter a pipe character (the vertical line ‘|’ key to the left of the ‘z’ key on UK QWERTY keyboards). Then click Next to continue to Step 3.

fwdoc10

On Step 3 of the wizard, accept the defaults and select Finish.

fwdoc11

You should then see the imported firewall policy rules, as shown below:

fwdoc12 

After a bit of basic formatting we get the following result, which looks great!

fwdoc14

Repeating the above process with a set of System Policy rules results in a more complex, but equally impressive, spreadsheet:

fwdoc17 fwdoc18

So, there you go! You now have an Excel spreadsheet that contains all firewall or system policy rules, and the key top-level information for each rule.
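
The Notepad and Text Import Wizard steps above can also be scripted. The following is an added example, not part of ISAInfo2XLS or the original article: it converts pasted pipe-separated text to CSV, sets aside rows where a stray pipe inside a value has shifted the columns, and prefixes cells that Excel would otherwise evaluate as formulas. The column names and rule values are constructed for illustration; the viewer's real column layout is not reproduced here.

```python
import csv
import io

# Constructed sample of pasted viewer output. The column names and rule
# values are assumptions for illustration, not the tool's actual layout.
SAMPLE_PSV = """\
Order|Name|Action|Protocols|From|To
1|Publish OWA|Allow|HTTPS|External|mail.example.test
2|Publish SMTP|Allow|SMTP Server|External|10.0.0.25
3|Web|Proxy Access|Allow|HTTP|Internal|External
4|-Legacy FTP|Deny|FTP|Internal|External
"""

# Leading characters that make Excel treat a cell as a formula.
FORMULA_LEADERS = ("=", "+", "-", "@")


def neutralise(cell):
    """Prefix a formula-like cell with an apostrophe so it is not evaluated."""
    cell = cell.strip()
    return "'" + cell if cell.startswith(FORMULA_LEADERS) else cell


def psv_to_rows(text):
    """Split pasted PSV into (header, good_rows, rejected_line_numbers)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    good, rejected = [], []
    for number, line in enumerate(lines[1:], start=2):
        fields = line.split("|")
        if len(fields) != len(header):
            # A pipe inside a value shifts every later column: flag the line.
            rejected.append(number)
            continue
        good.append([neutralise(f) for f in fields])
    return header, good, rejected


def rows_to_csv(header, rows):
    """Render the header and rows as CSV text with every field quoted."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerows([header] + rows)
    return out.getvalue()


if __name__ == "__main__":
    header, rows, rejected = psv_to_rows(SAMPLE_PSV)
    print(rows_to_csv(header, rows), end="")
    print("lines needing manual review:", rejected)
```

Rejected line numbers count non-blank lines of the pasted text, with the header as line 1, so flagged rules can be found and corrected by hand before the spreadsheet is treated as the record of the policy.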

I will be the first to admit that it’s not the slickest or most elegant tool in the world, but hopefully some of you will find it as useful as I have when it comes to documenting firewall and system policies – Enjoy!

UPDATE!

Based upon popular demand, please find an updated version of ISAInfo2XLS.hta now called ISAInfo2XLSv2.hta from here which has been tested with Windows 7, IE9 and Forefront TMG. Many thanks to Richard Knight for his efforts with this update!

36 comments:

  1. Thanks! Nice and simple, just the way I want it.
    /Magnus

  2. Can you provide a new location for the ISAInfo2XLS.hta. It is no longer available for download at the location listed.

  3. Superb! Just as I was facing the task of documenting my rule set I found your article. Only one question, I tried the link to download the ISAInfo2XLS.hta file but it reports file not found. Any chance this could be updated? Thanks - Chunk

  4. The download link is not working! Can you tell me from where else I can download ISAInfo2XLS.hta please.

  5. Hey Guys,

    Links now updated! - sorry for the inconvenience...

    Cheers

    JJ

  6. Absolutely brilliant, this probably saved me four hours work.

  7. Hello, Jason.

    I have a problem when using your ISAInfo2XLS.hta program. When I try to load the ISAInfo dump in your modified ISAInfo Viewer, the application waits for some time and outputs the text "Sucessfully rendered C:\Documents and Settings\draven\Desktop\ISAInfo_proxy.xml" as a result. No other information can be viewed at all.
    Meanwhile, the default ISAInfo Viewer loads and renders the SAME dump file successfully and displays all the configuration info. Version of the ISAInfo.js script is 1.0.2161.23.

    Can you help me with resolving this problem?
    Thanks in advance :)

  8. Hi, Jason.

    Have you any new info about resolving my problem?

    Thank you in advance ;)

  9. Sorry, I cannot replicate this :(

  10. Jason, I was able to duplicate the problem Artyom is having with the utility; the problem is with the rendering in IE8. This utility works fine under IE6.

    Here is the code change in the original ISAInfo tool.

    1.0.2161.24 08/09/2007 - Added Enterprise networks IP set display at array networks
    - Added "Exchange Server STORE Async EMSMDB Interface" to Exch RPC VPS
    - Added "Protocol Keep-alive Settings" VPS
    12/27/2007 - Fixed web listeners SSO settings display
    02/11/2008 - added support for hosts & lmhosts file data
    1.0.2161.25 03/16/2009 - fixed IE8 display bug (thx, Lars)
    1.0.2161.26 08/02/2009 - fixed path mapping display bug

  11. Hey Jason, how do you deal with users in your organisation bypassing your ISA firewall?

  12. Hi Jason, I am unable to find the ISAInfo2XLS Viewer download link. Can you provide the same?

    Krishna

  13. Hi Krishna,

    Try here: http://cid-a2e64de91bfcad09.skydrive.live.com/self.aspx/Blog/ISAInfo2XLS.hta?wa=wsignin1.0&sa=655576622

    Cheers

    JJ

  14. Hi Jason, this tool helped me a lot & minimized my task on reporting during audit. Thank you very much.

    Is there a chance to include "Published Server IP" & "HTTP Redirect Port" in ISAInfo2XLS ?

    -Vishnoo

  15. Hi Jason,

    Awaiting your reply. It would be really helpful if you alter the ISAInfo2XLS tool to report "Published Server IP" & "HTTP Redirect Port" also.

    Thanks, Vishnoo

  16. No reply, as I have limited time ;)

  17. Hi Jason, great tool. I just wanted to point out that the current ISAInfo2XLS Viewer from the download link, does not have the following fixes:

    1.0.2161.24 08/09/2007 - Added Enterprise networks IP set display at array networks
    - Added "Exchange Server STORE Async EMSMDB Interface" to Exch RPC VPS
    - Added "Protocol Keep-alive Settings" VPS
    12/27/2007 - Fixed web listeners SSO settings display
    02/11/2008 - added support for hosts & lmhosts file data
    1.0.2161.25 03/16/2009 - fixed IE8 display bug (thx, Lars)
    1.0.2161.26 08/02/2009 - fixed path mapping display bug

  18. Thanks David...yeah, it needs updating really :(

  19. Hello,
    Good job, I was searching for this kind of simple solution for the last 3 years. Thanks for a good solution

    CB

  20. Jason, as we are already running on IE9, is there an ETA for a new version which will work with a higher IE version than version 6?

  21. Yes, that would be great if we had something to work with IE9. I am working on a migration from ISA 2006 to TMG and am rebuilding all my rules for clean up and would like to have this utility for reference

  22. Hi,

    See my update section at the bottom of the original article.

    I have now uploaded a new version that supports Windows 7, IE9 and Forefront TMG.

    Enjoy!

    Cheers

    JJ

  23. Thanks for the update for IE9.

  24. Hi Jason.
    You have just won the spot as my hero for 2012. Thanks very much for the time you put into this. It is greatly appreciated and thanks for this great tool.
    Best regards
    Morris
    afridata.net

  25. Replies
    1. Hi Jason,

      Great job, but, I can not view the "Address Range" definitions on both old and new version.

  26. Jason, that's awesome.

    As a suggestion, could you move the "update!" to the top of the original article? I missed it when I first read over this and only found it from your comment about it, looking at the comments to see if anyone had asked about a newer version.

    It's perfectly clear but not when you're skim reading like I did. :)

    This utility is incredibly handy, I had used it to document an ISA 2006 install and now a TMG install. Thanks very much for making this available.

  27. Hey! This is my 1st comment here so I just wanted to give a quick shout out and tell you I truly enjoy reading your blog posts.

    Can you recommend any other blogs/websites/forums that deal with the same subjects?
    Thanks a ton!
    Feel free to surf my blog ; Dubai Abogados

  28. Thanks Jason
    Really useful tools and very clear instructions
    Saved me A LOT of time :)

    Mark

  29. Hi, can you please help with this error: Unable to set value of the property of 'outerHTML': object is null or undefined

    It points to a line without any apparent error. I tried deleting the whole PolicyRule, which contained the error line. It did not help, still error on the same line.

    Any ideas?

    Ginta

  30. Sorry, my mistake. Everything works fine.

    Thank you, for the tool to save my Friday :)

    Ginta

  31. Thanks, saved me a lot of work. Please be aware you have to check the output of the "array rules"; I noticed that with server publishing rules the protocols specified in TMG are missing in ISAInfo Viewer.

    BR,

    Erik Mast

  32. Hi,
    Can I get a sample of a firewall policy which contains more than or at least 100 rules?

  33. Hi Snehal,

    Sorry, I don't have one of those :(

    Even if I did, most customers wouldn't be too happy for me to share their rulebase ;)

    Cheers

    JJ
