A commonly revered part of any ISA Server installation is that of documenting the final solution, especially if this involves a complex firewall policy. After trying to document a few Enterprise Edition customer installations which contained several hundred firewall policy rules, it became apparent that we could do with some form of documentation utility or tool. This tool would aim to capture the key rule information and output this into a nice looking format and/or allow it to be stored electronically for future support purposes.
Rather than create an application from scratch, it made sense to start with the ISAInfo tool, as this provides an XML output which contains all of the raw ISA Server configuration information, including firewall and system policy rules.
After a bit of internal brainstorming, we realised that developing a completely new application to translate data from the ISAInfo XML file into an appropriate format was going to take quite some time. Hence, we decided it would make more sense to modify the display format that is provided with the original ISAInfo Viewer (ISAInfo.hta) in order to manipulate the output. I say “we” here, but I really mean “he”, as full kudos goes to one of my esteemed Silversands colleagues, David Hughes, who did the actual development work. I was merely responsible for the inspiration, testing and tea making :)
With this approach in mind, David looked at the default ISAInfo.hta viewer in order to understand what changes would be necessary. The ‘problem’ with the default ISAInfo viewer is that the results are formatted for readable screen output. Hence, if you copy and paste the data, it is not really in an ideal format and requires quite a bit of manipulation to achieve something satisfactory (if you paste it directly into Word for example).
Therefore, by modifying the display format into data that is more copy and paste friendly, like comma separated values (CSV), we greatly improve our chances of obtaining the information in a much more suitable form. CSV is also an ideal data format for importing into Excel, which in turn provides an excellent document format for the firewall/system policy rules data.
So after amending the ISAInfo.hta as necessary, we now have a new ISAInfo viewer called ISAInfo2XLS.hta which outputs firewall and system policy information into an onscreen CSV format. Well, to be precise it’s actually a pipe character “|” separated value format really (PSV), but close enough! A copy of the customised viewer can be downloaded from here.
Please Note: The original ISAInfo.hta file is based upon version 1.0.2161.23 dated 19/07/2007 which is available as part of the ISAInfo.zip archive available from Jim Harrison’s www.isatools.org website here.
In order to understand the entire process of using the customised viewer, I have put together the following procedure with some sample screenshots and a quick walkthrough.
Generate the ISAInfo XML Output
Let's start with an example firewall policy as shown below. This contains a web publishing rule, a server publishing rule and an access rule:
In order to dump the configuration information, we need to run the ISAInfo.js utility as shown below:
Once this has completed, we then have an XML output file which can be opened in the ISAInfo Viewer:
After opening this XML file in the default ISAInfo viewer, we can see the example firewall policy rule details are shown in the right hand pane of the viewer:
So, this is how things work with the default ISAInfo viewer.
Using the ISAInfo2XLS Viewer
Now, let's look at the display format when we use the ISAInfo2XLS viewer:
As can be seen, the rule information is now provided onscreen in PSV format. If we highlight this text and copy and paste the data into a notepad text file, we get the following:
If we now save this text file to a temporary location, we can open it using Excel. Excel will then automatically recognise the text file format and will run the Text Import Wizard.
Please Note: I am using Excel 2007 in my examples, but it should be a similar process with previous versions of Excel.
On Step 1 of the wizard, select the Delimited radio button as our data is in a separated, or delimited, format. Then click Next to continue to Step 2.
On Step 2 of the wizard, select the Other tick box and enter a pipe character (the vertical line ‘|’ key to the left of the ‘z’ key on UK QWERTY keyboards). Then click Next to continue to Step 3.
On Step 3 of the wizard, accept the defaults and select Finish.
You should then see the imported firewall policy rules, as shown below:
After a bit of basic formatting we get the following result, which looks great!
Repeating the above process with a set of System Policy rules results in a more complex, but equally impressive, spreadsheet:
So, there you go! You now have an Excel spreadsheet that contains all firewall or system policy rules, and the key top-level information for each rule.
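A scripted alternative to the copy, paste and Text Import Wizard steps above, as an added example that is not part of the original post or of the ISAInfo2XLS tool: it converts the pasted pipe-separated text to quoted CSV, flags rows whose field count differs from the header (a rule name containing '|' shifts every later column), and prefixes cells that Excel would otherwise evaluate as formulas. The column names and sample rows are constructed assumptions, not the viewer's real layout.

```python
import csv
import io

# Constructed sample of pasted viewer output. The column names are
# assumptions for illustration, not the real ISAInfo2XLS layout.
SAMPLE_PSV = """\
Order|Name|Action|Protocols|From|To
1|Publish OWA|Allow|HTTPS|External|mail.example.test
2|SMTP inbound|Allow|SMTP Server|External|10.0.0.25
3|Web | FTP out|Allow|HTTP, FTP|Internal|External
4|=Legacy rule|Deny|All Outbound Traffic|Internal|External
"""

# Leading characters that make Excel treat a cell as a formula.
FORMULA_LEADERS = ("=", "+", "-", "@")


def neutralise(cell):
    """Trim padding and stop Excel evaluating the cell as a formula."""
    cell = cell.strip()
    if cell.startswith(FORMULA_LEADERS):
        return "'" + cell
    return cell


def psv_to_csv(psv_text, delimiter="|"):
    """Return (csv_text, suspect_lines) for pasted delimiter-separated text.

    suspect_lines holds the 1-based numbers of non-blank lines whose field
    count differs from the header, meaning a field contained the delimiter
    and the row needs a manual check before it goes into the documentation.
    """
    lines = [ln for ln in psv_text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split(delimiter)]
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    suspect = []
    for number, line in enumerate(lines[1:], start=2):
        cells = [neutralise(c) for c in line.split(delimiter)]
        if len(cells) != len(header):
            suspect.append(number)
        writer.writerow(cells)
    return out.getvalue(), suspect


if __name__ == "__main__":
    csv_text, suspect = psv_to_csv(SAMPLE_PSV)
    print(csv_text)
    print("Rows to check by hand:", suspect)
```

Quoting every field keeps values such as "HTTP, FTP" in a single column when the CSV is opened directly in Excel.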
I will be the first to admit that it’s not the slickest or most elegant tool in the world, but hopefully some of you will find it as useful as I have when it comes to documenting firewall and system policies – Enjoy!
UPDATE!
Based upon popular demand, please find an updated version of ISAInfo2XLS.hta now called ISAInfo2XLSv2.hta from here which has been tested with Windows 7, IE9 and Forefront TMG. Many thanks to Richard Knight for his efforts with this update!
Thanks! Nice and simple, just the way I want it.
/Magnus
Can you provide a new location for the ISAInfo2XLS.hta. It is no longer available for download at the location listed.
Superb! Just as I was facing the task of documenting my rule set I found your article. Only one question, I tried the link to download the ISAInfo2XLS.hta file but it reports file not found. Any chance this could be updated? Thanks - Chunk
The download link is not working! Can you tell me from where else I can download ISAInfo2XLS.hta please.
Hey Guys,
Links now updated! - sorry for the inconvenience...
Cheers
JJ
Absolutely brilliant, this probably saved me four hours work.
Hello, Jason.
I have a problem when using your ISAInfo2XLS.hta program. When I try to load ISAInfo dump in your modified ISAInfo Viewer application waits for some time and output text "Sucessfully rendered C:\Documents and Settings\draven\Desktop\ISAInfo_proxy.xml" as a result. Nothing else information can be viewed at all.
While the default ISAInfo Viewer loads and renders the SAME dump file successfully and displays all the configuration info. Version of the ISAInfo.js script is 1.0.2161.23.
Can you help me with resolving this problem.
Thanks in advance :)
Let me investigate!
Hi, Jason.
Have you any new info about resolving my problem?
Thank you in advance ;)
Sorry, I cannot replicate this :(
Jason I was able to duplicate the problem Artyom is having with the utility, the problem is with the rendering in IE8. This utility works fine under IE6.
Here is the code change in the original ISAInfo tool.
1.0.2161.24 08/09/2007 - Added Enterprise networks IP set display at array networks
- Added "Exchange Server STORE Async EMSMDB Interface" to Exch RPC VPS
- Added "Protocol Keep-alive Settings" VPS
12/27/2007 - Fixed web listeners SSO settings display
02/11/2008 - added support for hosts & lmhosts file data
1.0.2161.25 03/16/2009 - fixed IE8 display bug (thx, Lars)
1.0.2161.26 08/02/2009 - fixed path mapping display bug
hey, Jason, how you deal with users in your organisation by-passing your ISA firewall.
Hi Jason, I am unable to find the ISAInfo2XLS Viewer download link. Can you provide the same?
Krishna
Hi Krishna,
Try here: http://cid-a2e64de91bfcad09.skydrive.live.com/self.aspx/Blog/ISAInfo2XLS.hta?wa=wsignin1.0&sa=655576622
Cheers
JJ
Hi Jason, This tool helped me a lot & minimize my task on reporting while audit. Thank you very much.
Is there a chance to include "Published Server IP" & "HTTP Redirect Port" in ISAInfo2XLS ?
-Vishnoo
Hi Jason,
Awaiting for your reply. It would be really helpful if you alter ISAInfo2XLS tool to report "Published Server IP" & "HTTP Redirect Port" also.
Thanks, Vishnoo
No reply, as I have limited time ;)
Hi Jason, great tool. I just wanted to point out that the current ISAInfo2XLS Viewer from the download link, does not have the following fixes:
1.0.2161.24 08/09/2007 - Added Enterprise networks IP set display at array networks
- Added "Exchange Server STORE Async EMSMDB Interface" to Exch RPC VPS
- Added "Protocol Keep-alive Settings" VPS
12/27/2007 - Fixed web listeners SSO settings display
02/11/2008 - added support for hosts & lmhosts file data
1.0.2161.25 03/16/2009 - fixed IE8 display bug (thx, Lars)
1.0.2161.26 08/02/2009 - fixed path mapping display bug
Thanks David...yeah, it needs updating really :(
Great work. Thanks!
Hello,
Good Job, I was searching for this kind of simple solution from last 3 years.. Thanks for a good solution
CB
Jason, as we are already running on IE9, is there an ETA for a new version which will work with a higher IE version than version 6?
Yes, that would be great if we had something to work with IE9. I am working on a migration from ISA 2006 to TMG and am rebuilding all my rules for clean up and would like to have this utility for reference
Hi,
See my update section at the bottom of the original article.
I have now uploaded a new version that supports Windows 7, IE9 and Forefront TMG.
Enjoy!
Cheers
JJ
Thanks for the update for IE9.
Hi Jason.
You have just won the spot as my hero for 2012. Thanks very much for the time you put into this. It is greatly appreciated and thanks for this great tool.
Best regards
Morris
afridata.net
Lol, thanks!
Hi Jason,
Great job, but, I can not view the "Address Range" definitions on both old and new version.
Jason, that's awesome.
As a suggestion, could you move the "update!" to the top of the original article? I missed it when I first read over this and only found it from your comment about it, looking at the comments to see if anyone had asked about a newer version.
It's perfectly clear but not when you're skim reading like I did. :)
This utility is incredibly handy, I had used it to document an ISA 2006 install and now a TMG install. Thanks very much for making this available.
Thanks Jason
Really useful tools and very clear instructions
Saved me A LOT of time :)
Mark
Hi, can you please help with this error: Unable to set value of the property of 'outerHTML': object is null or undefined
It points to a line without any apparent error. I tried deleting whole PolicyRule , which contained the error line. It did not help, still error on the same line.
Any ideas?
Ginta
Sorry, my mistake. Everything works fine.
Thank you, for the tool to save my Friday :)
Ginta
Thanks, saved me a lot of work. Please be aware you have to check the output of the "array rules", I noticed that with server publishing rules the in TMG specified protocols are missing in ISAinfo Viewer.
BR,
Erik Mast
hi,
can i get sample of firewall policy which contain more than or atleast 100 rules.
Hi Snehal,
Sorry, I don't have one of those :(
Even if I did, most customers wouldn't be too happy for me to share their rulebase ;)
Cheers
JJ
Is there any newer version of this tool available?
I still see it doesn't show anything from "This rule applies to the published site" field.
Cheers!
Hello Jason,
Thanks for this tool, still useful :)
Thank you! This is an excellent tool!