Forefront TMG – Scripting with VBScript and Powershell

Let’s begin

First, I must let you know that I’m not a Scripting and programming guru. At the beginning of the nineties I tried to learn COBOL and C, but the result was not really successful. Over the years I only used sample scripts to automate administrative work and beginning with the PowerShell I often use it in Exchange environments. But I think that this article will give you enough information to understand the power of VBScript and PowerShell for Forefront TMG, so it should be easy for you to build your own scripts. We will also have a look in the Forefront TMG SDK, which comes with a small bunch of very helpful preconfigured scripts to automate some administrative work.

Forefront TMG an COM

COM is used by scripting technologies like VBScript to access Forefront TMG programmatically. Based on Wikipedia COM is short for Component Object Model. Component Object Model (COM) is a binary-interface standard for software componentry introduced by Microsoft in 1993. It is used to enable interprocess communication and dynamic object creation in a large range of programming languages. The term COM is often used in the Microsoft software development industry as an umbrella term that encompasses the OLE, OLE Automation, ActiveX, COM+ and DCOM technologies. COM is an interface technology defined and implemented as standard only on Microsoft Windows and Apple’s Core Foundation 1.3 and later plug-in API that in any case implement only a subset of the whole COM interface. For some applications, COM has been replaced at least to some extent by the Microsoft .NET framework, and support for Web Services through the Windows Communication Foundation (WCF). However, COM objects can be used with all .NET languages through .NET COM Interoperability.

The Forefront TMG COM has a root object called FPC.Root. The root object manages the Enterprise object which is identified as FPCEnterprise and the Arrays as FPCArrays.FPC. Root is the root of the administration COM object hierarchy, and provides programmatic access to other FPC objects. Each Forefront TMG computer is associated with a single array as one of many fpcServer objects within the fpcServers collection.

Other objects that are managed by the Enterprise object and the Array object are:

  • Admin Security object (used by Enterprise and Array)
  • Extensions object (used by Enterprise and Array)
  • Policy Rule object (used by Enterprise and Array)
  • Server object (used by Array)
  • Rule Elements object (used by Enterprise and Array)
  • Cache object (used by Array object)
  • Network Configuration object (used by Enterprise and Array)
  • Array Policy object (used by Array)
  • IP object (used by Array)

Based on this knowledge you should have a better understanding about the VBScript script examples which you can found on several Internet websites and in the Forefront TMG SDK. An understanding of COM objects is also helpful when you use the PowerShell to query Forefront TMG objects. Forefront TMG has no built-in PowerShell CMDLets and will use COM.

Forefront TMG SDK

We will start with the Forefront TMG SDK, which is downloadable for free at the Microsoft website. You will find the link to download the SDK at the end of this article. The Forefront TMG SDK comes with a very helpful documentation about programming Forefront TMG but also with some advanced information about internal Forefront TMG concepts. The Forefront TMG SDK comes also with some scripting examples and I will you some of the script examples.

Figure 1: Forefront TMG SDK – Script examples
Figure 1: Forefront TMG SDK – Script examples

One of the sample scripts allows you to add Forefront TMG Administrators to the role based access model of Forefront TMG, but only to the Monitor group. Feel free to enhance the script to add Administrator the other Forefront TMG roles.

Figure 2: Add a user to the Monitor role group on Forefront TMG
Figure 2: Add a user to the Monitor role group on Forefront TMG

VBScript examples

The easiest way to automate some tasks in Forefront TMG is to use VBScript. VBScript was also available in previous version of Forefront TMG and can be used to automate some administration tasks. The first script example will show you all Forefront TMG arrays.

The script starts with configuring the Forefront TMG root which is always the FPC.Root and will set a variable which will contain the Forefront TMG arrays (objFPC.Arrays). The script will display an Input Box to enter the name of the Forefront TMG array or leaving the dialog box blank to get a list of all Forefront TMG arrays.

Figure 3: Display Forefront TMG array information
Figure 3: Display Forefront TMG array information

Scripting classic

A real classic script which I often use in ISA Server and Forefront TMG implementations is to export the entire Forefront TMG configuration via script. You can use this script with the Windows Task Scheduler to export the entire Forefront TMG configuration to another host at repeating intervals.

Dim fileName

Dim WSHNetwork

Dim shareName: shareName = WScript.Arguments(0)

Dim xmldom : set xmldom = CreateObject(“Msxml2.DOMDocument”)

Dim fpc : set fpc = WScript.CreateObject(“Fpc.Root”)

Dim array : set array = fpc.GetContainingArray

set WSHNetwork = CreateObject(“WScript.Network”)

fileName=shareName & “\” & WSHNetwork.ComputerName & “-” &

Month(Now) & “-” & Day(Now) & “-” & Year(Now) & “.xml”

array.Export xmldom, 0

The script uses the Windows Scripting Host (WSH), defines the Forefront TMG Root (FPC.Root), sets some variables and creates an XML file based on the current day when the script has been executed. Save the scripting example as a file with the .VBS extension and create a batch file with the following syntax:


This will create a backup of your Forefront TMG configuration in the specified file share (TMG-Backup). If you want to create recurring backups of your Forefront TMG configuration create a task with the Windows Task Scheduler, which executes the batch file.

Exporting the ISA Server 2006 VPN configuration and import into Forefront TMG

The following example is more complex. It exports the ISA Server 2006 VPN configuration and imports it to a Forefront TMG Server. My MVP colleague Christian Groebner has created this script. The complete article can be found on a German noncommercial website dedicated to ISA Server and Forefront TMG.

If you want to use this script example copy the entire text into Notepad and save it with the .VBS extension.


Dieses Skript übernimmt die IPSec-Einstellungen für Phase I und II der IPSec-VPN-Tunnel
aus der ISA Server 2006-Konfiguration nach dem Import und wendet diese auf die Konfiguration
von Microsoft TMG an.

Die Verwendung dieses Skripts erfolgt auf eigene Verantwortung.
Es wird keine Haftung für eventuelle Schäden übernommen!

Geschrieben von Christian Gröbner [MVP Forefront]

‘ —– Sub restore_ipsec_settings —–

Sub restore_ipsec_settings(fpcRoot, VPN_Name, Int_PhaseI, Enc_PhaseI, Int_PhaseII, Enc_PhaseII)

Dim Intproviders
Dim Encproviders

Intproviders = Array(“SHA1″,”MD5”)
Encproviders = Array(“DES”,”3DES”)

set objIPSec = fpcRoot.GetContainingArray.NetworkConfiguration.Networks.Item(VPN_Name).VPNConfiguration.IPSecSettings

wscript.echo “Restoring IPSec-settings for network” & VPN_Name & vbCrLf
wscript.echo “Phase I integrity : ” & Intproviders(Int_PhaseI)
objIPSec.Phase1Integrity = Int_PhaseI
wscript.echo “Phase I encryption : ” & Encproviders(Enc_PhaseI)
objIPSec.Phase1Encryption = Enc_PhaseI
wscript.echo “Phase II integrity : ” & Intproviders(Int_PhaseII)
objIPSec.Phase2Integrity = Int_PhaseII
wscript.echo “Phase II encryption : ” & Encproviders(Enc_PhaseII) & vbCrLf
objIPSec.Phase2Encryption = Enc_PhaseII
wscript.echo “Successfully applied the settings”
wscript.echo “———————————————————–” & vbCrLf

End Sub

‘ —— Sub Main ——-

Sub Main()

Dim PhaseI_Int
Dim PhaseI_Enc
Dim PhaseII_Int
Dim PhaseII_Enc
Dim config

config = Inputbox(“Please enter the complete path and filename with extension to the existing configuration file of ISA 2006 : (Example: C:\Temp\config.xml)”)

Set xmlFile = CreateObject(“Microsoft.XMLDOM”)

If xmlFile.load(config) then

set objFPC = CreateObject(“FPC.Root”)

Set networkNodes = xmlFile.getElementsByTagName(“fpc4:Network”)

For each networkNode in networkNodes

If (Not(networkNode.selectSingleNode(“fpc4:NetworkConnectionType”) is Nothing)) Then

If (networkNode.selectSingleNode(“fpc4:NetworkConnectionType”).Text = 4) Then

PhaseI_Int = 0
PhaseI_Enc = 1
PhaseII_Int = 0
PhaseII_Enc = 1
Name = networkNode.selectSingleNode(“fpc4:Name”).Text

Set ipsecSettingsNode = networkNode.selectSingleNode(“fpc4:VpnNetworkConfiguration/fpc4:VpnNetworkIPSecSettings”)

If (Not(ipsecSettingsNode.selectSingleNode(“fpc4:VpnNetworkPhase1Encryption”) is Nothing)) Then PhaseI_Enc = ipsecSettingsNode.selectSingleNode(“fpc4:VpnNetworkPhase1Encryption”).Text
If (Not(ipsecSettingsNode.selectSingleNode(“fpc4:VpnNetworkPhase1Integrity”) is Nothing)) Then PhaseI_Int = ipsecSettingsNode.selectSingleNode(“fpc4:VpnNetworkPhase1Integrity”).Text
If (Not(ipsecSettingsNode.selectSingleNode(“fpc4:VpnNetworkPhase2Encryption”) is Nothing)) Then PhaseII_Enc = ipsecSettingsNode.selectSingleNode(“fpc4:VpnNetworkPhase2Encryption”).Text
If (Not(ipsecSettingsNode.selectSingleNode(“fpc4:VpnNetworkPhase2Integrity”) is Nothing)) Then PhaseII_Int = ipsecSettingsNode.selectSingleNode(“fpc4:VpnNetworkPhase2Integrity”).Text

restore_ipsec_settings objFPC, Name, PhaseI_Int, PhaseI_Enc, PhaseII_Int, PhaseII_Enc

End If

End If




wscript.echo(“The file does not exist!”)

End If

End Sub

‘—— Start the script ——


Display Forefront TMG URL categories

One of the new functionality in Forefront TMG is the support for dynamic URL filtering. The URL filtering uses categories. To display all the Forefront TMG URL filter categories, you must create a script with the following code:

set root=CreateObject(“FPC.Root”)

For Each cat in root.GetContainingArray().RuleElements.UrlCategories

    wscript.echo “‘” & cat.Name & “‘ –> ” & cat.CategoryID


The output of the script is shown below:

Figure 4: Display Forefront TMG array information
Figure 4: Display Forefront TMG array information

Forefront TMG and PowerShell

Forefront TMG doesn’t have a built-in Windows PowerShell cmdlet, but you can use COM objects. When you have access to the ProgID of a COM component, which is stored in the Registry you can use the New-Object command in Windows PowerShell as you can see in the following screenshot (Root Object is always FPC.Root).

Figure 5: Define TMG Root Object
Figure 5: Define TMG Root Object

Display the Forefront TMG Root

After defining the Forefront TMG Root Object in the Windows PowerShell we can get information about the Forefront TMG Root Object configuration, as shown in the following screenshot.

Figure 6: Display Forefront TMG root
Figure 6: Display Forefront TMG root

Query single Forefront TMG objects.

If you want to query single Forefront TMG objects enter $TMGRoot. in the Windows PowerShell window and hit the TAB key behind the $TMGRoot. definition to display all elements.

Figure 7: Query Forefront TMG objects under the FPC.Root
Figure 7: Query Forefront TMG objects under the FPC.Root


Figure 8: Display properties of FPC.Root
Figure 8: Display properties of FPC.Root

Determine the Forefront TMG Enterprise and Array configuration with Export

Our last example how to use the PowerShell with Forefront TMG is the script example from the following source. This script determines the Forefront TMG Enterprise and associated arrays and exports this configuration to an XML file.


In this article I gave you a quick introduction how to administer Forefront TMG with VBscript and the Microsoft PowerShell. There are a lot of downloadable Script examples on the Internet and with a little bit of experience in programming techniques it should be possible to create your own scripts to ease the daily administration of Forefront TMG. I hope that the next version of Forefront TMG will come with full, not read only PowerShell support.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top