Forefront TMG - Scripting with VBScript and Powershell
First, I must let you know that I’m not a Scripting and programming guru. At the beginning of the nineties I tried to learn COBOL and C, but the result was not really successful. Over the years I only used sample scripts to automate administrative work and beginning with the PowerShell I often use it in Exchange environments. But I think that this article will give you enough information to understand the power of VBScript and PowerShell for Forefront TMG, so it should be easy for you to build your own scripts. We will also have a look in the Forefront TMG SDK, which comes with a small bunch of very helpful preconfigured scripts to automate some administrative work.
Forefront TMG an COM
COM is used by scripting technologies like VBScript to access Forefront TMG programmatically. Based on Wikipedia COM is short for Component Object Model. Component Object Model (COM) is a binary-interface standard for software componentry introduced by Microsoft in 1993. It is used to enable interprocess communication and dynamic object creation in a large range of programming languages. The term COM is often used in the Microsoft software development industry as an umbrella term that encompasses the OLE, OLE Automation, ActiveX, COM+ and DCOM technologies. COM is an interface technology defined and implemented as standard only on Microsoft Windows and Apple's Core Foundation 1.3 and later plug-in API that in any case implement only a subset of the whole COM interface. For some applications, COM has been replaced at least to some extent by the Microsoft .NET framework, and support for Web Services through the Windows Communication Foundation (WCF). However, COM objects can be used with all .NET languages through .NET COM Interoperability.
The Forefront TMG COM has a root object called FPC.Root. The root object manages the Enterprise object which is identified as FPCEnterprise and the Arrays as FPCArrays.FPC. Root is the root of the administration COM object hierarchy, and provides programmatic access to other FPC objects. Each Forefront TMG computer is associated with a single array as one of many fpcServer objects within the fpcServers collection.
Other objects that are managed by the Enterprise object and the Array object are:
Admin Security object (used by Enterprise and Array)
Extensions object (used by Enterprise and Array)
Policy Rule object (used by Enterprise and Array)
Server object (used by Array)
Rule Elements object (used by Enterprise and Array)
Cache object (used by Array object)
Network Configuration object (used by Enterprise and Array)
Array Policy object (used by Array)
IP object (used by Array)
Based on this knowledge you should have a better understanding about the VBScript script examples which you can found on several Internet websites and in the Forefront TMG SDK. An understanding of COM objects is also helpful when you use the PowerShell to query Forefront TMG objects. Forefront TMG has no built-in PowerShell CMDLets and will use COM.
Forefront TMG SDK
We will start with the Forefront TMG SDK, which is downloadable for free at the Microsoft website. You will find the link to download the SDK at the end of this article. The Forefront TMG SDK comes with a very helpful documentation about programming Forefront TMG but also with some advanced information about internal Forefront TMG concepts. The Forefront TMG SDK comes also with some scripting examples and I will you some of the script examples.
One of the sample scripts allows you to add Forefront TMG Administrators to the role based access model of Forefront TMG, but only to the Monitor group. Feel free to enhance the script to add Administrator the other Forefront TMG roles.
The easiest way to automate some tasks in Forefront TMG is to use VBScript. VBScript was also available in previous version of Forefront TMG and can be used to automate some administration tasks. The first script example will show you all Forefront TMG arrays.
The script starts with configuring the Forefront TMG root which is always the FPC.Root and will set a variable which will contain the Forefront TMG arrays (objFPC.Arrays). The script will display an Input Box to enter the name of the Forefront TMG array or leaving the dialog box blank to get a list of all Forefront TMG arrays.
A real classic script which I often use in ISA Server and Forefront TMG implementations is to export the entire Forefront TMG configuration via script. You can use this script with the Windows Task Scheduler to export the entire Forefront TMG configuration to another host at repeating intervals.
Dim shareName: shareName = WScript.Arguments(0)
Dim xmldom : set xmldom = CreateObject("Msxml2.DOMDocument")
Dim fpc : set fpc = WScript.CreateObject("Fpc.Root")
Dim array : set array = fpc.GetContainingArray
set WSHNetwork = CreateObject("WScript.Network")
fileName=shareName & "\" & WSHNetwork.ComputerName & "-" &
Month(Now) & "-" & Day(Now) & "-" & Year(Now) & ".xml"
array.Export xmldom, 0
The script uses the Windows Scripting Host (WSH), defines the Forefront TMG Root (FPC.Root), sets some variables and creates an XML file based on the current day when the script has been executed. Save the scripting example as a file with the .VBS extension and create a batch file with the following syntax:
Cscript TMGBACKUP.VBS \\RemoteServer\TMG-BACKUP
This will create a backup of your Forefront TMG configuration in the specified file share (TMG-Backup). If you want to create recurring backups of your Forefront TMG configuration create a task with the Windows Task Scheduler, which executes the batch file.
Exporting the ISA Server 2006 VPN configuration and import into Forefront TMG
The following example is more complex. It exports the ISA Server 2006 VPN configuration and imports it to a Forefront TMG Server. My MVP colleague Christian Groebner has created this script. The complete article can be found on a German noncommercial website dedicated to ISA Server and Forefront TMG.
If you want to use this script example copy the entire text into Notepad and save it with the .VBS extension.
Dieses Skript übernimmt die IPSec-Einstellungen für Phase I und II der IPSec-VPN-Tunnel
Die Verwendung dieses Skripts erfolgt auf eigene Verantwortung.
Geschrieben von Christian Gröbner [MVP Forefront]
' ----- Sub restore_ipsec_settings -----
Sub restore_ipsec_settings(fpcRoot, VPN_Name, Int_PhaseI, Enc_PhaseI, Int_PhaseII, Enc_PhaseII)
Intproviders = Array("SHA1","MD5")
set objIPSec = fpcRoot.GetContainingArray.NetworkConfiguration.Networks.Item(VPN_Name).VPNConfiguration.IPSecSettings
wscript.echo "Restoring IPSec-settings for network" & VPN_Name & vbCrLf
' ------ Sub Main -------
config = Inputbox("Please enter the complete path and filename with extension to the existing configuration file of ISA 2006 : (Example: C:\Temp\config.xml)")
Set xmlFile = CreateObject("Microsoft.XMLDOM")
If xmlFile.load(config) then
set objFPC = CreateObject("FPC.Root")
Set networkNodes = xmlFile.getElementsByTagName("fpc4:Network")
For each networkNode in networkNodes
If (Not(networkNode.selectSingleNode("fpc4:NetworkConnectionType") is Nothing)) Then
If (networkNode.selectSingleNode("fpc4:NetworkConnectionType").Text = 4) Then
PhaseI_Int = 0
Set ipsecSettingsNode = networkNode.selectSingleNode("fpc4:VpnNetworkConfiguration/fpc4:VpnNetworkIPSecSettings")
If (Not(ipsecSettingsNode.selectSingleNode("fpc4:VpnNetworkPhase1Encryption") is Nothing)) Then PhaseI_Enc = ipsecSettingsNode.selectSingleNode("fpc4:VpnNetworkPhase1Encryption").Text
restore_ipsec_settings objFPC, Name, PhaseI_Int, PhaseI_Enc, PhaseII_Int, PhaseII_Enc
wscript.echo("The file does not exist!")
'------ Start the script ------
Display Forefront TMG URL categories
One of the new functionality in Forefront TMG is the support for dynamic URL filtering. The URL filtering uses categories. To display all the Forefront TMG URL filter categories, you must create a script with the following code:
For Each cat in root.GetContainingArray().RuleElements.UrlCategories
wscript.echo "'" & cat.Name & "' --> " & cat.CategoryID
The output of the script is shown below:
Forefront TMG and PowerShell
Forefront TMG doesn’t have a built-in Windows PowerShell cmdlet, but you can use COM objects. When you have access to the ProgID of a COM component, which is stored in the Registry you can use the New-Object command in Windows PowerShell as you can see in the following screenshot (Root Object is always FPC.Root).
Display the Forefront TMG Root
After defining the Forefront TMG Root Object in the Windows PowerShell we can get information about the Forefront TMG Root Object configuration, as shown in the following screenshot.
Query single Forefront TMG objects.
If you want to query single Forefront TMG objects enter $TMGRoot. in the Windows PowerShell window and hit the TAB key behind the $TMGRoot. definition to display all elements.
Determine the Forefront TMG Enterprise and Array configuration with Export
Our last example how to use the PowerShell with Forefront TMG is the script example from the following source. This script determines the Forefront TMG Enterprise and associated arrays and exports this configuration to an XML file.
In this article I gave you a quick introduction how to administer Forefront TMG with VBscript and the Microsoft PowerShell. There are a lot of downloadable Script examples on the Internet and with a little bit of experience in programming techniques it should be possible to create your own scripts to ease the daily administration of Forefront TMG. I hope that the next version of Forefront TMG will come with full, not read only PowerShell support.