Recently, I was engaged to dig up connectivity info on some legacy TMG services. I needed to quickly pull back activity monitor information, so at first I tried logging onto the console, thinking there would be the standard “export to text file” type option available in the console.
I soon realised that there actually is no export function, well – at least not in the way I was expecting. I then started looking for other ways to extract the information without success – I did not want to rely on just a screenshot (…besides there were pages and pages of connections!)
I thought: surely I can’t be the first person to want to do this, so I went looking for a scripting interface; no luck. After a while searching, I wasn’t able to find any TMG-specific scripts. Given that Microsoft’s Threat Management Gateway (TMG) technically spawned from ISA server, I started searching for ISA-related scripts – maybe they might help for my basic requirements?
Finally, I came across a few threads that discussed a mythical link to isascripts.org – hosting a whole treasure trove of ISA scripts… Except the site is no longer available and appears to be owned by a domain squatter.
I have some good news for you – we have the scripts available for download!
I was able to get in touch with Jason Fossen – the author of these scripts – he has agreed to let me host the zip file here on my site. If you too are looking for some of Jason’s awesome oldschool TMG/ISA scripts, look no further than right here to download!
Incidentally, I’m looking forward to taking one of Jason Fossen’s courses over at SANS – SEC505: Securing Windows and PowerShell Automation – This guy really knows his stuff.
Here’s a relevant page extract from Jason Fossen’s old isascripts.org site from a number of years ago (links have been updated / removed where dead):
All the scripts and files described below are in the Jasons-ISA-TMG-scripts file. In the file, look in the \ISA_Server folder for the ISA Server scripts. The comment headers in the scripts provide more information and most scripts have a “/?” switch for help too.
A firewall array sizing spreadsheet based on Microsoft’s Best Practices for Performance whitepaper, but you can plug in your own traffic requirements and it’ll calculate the estimates for you. (BETA)
- HTTP_Header_Descriptions.xls (Spreadsheet)
Spreadsheet of all the RFC 2616 HTTP request, response, entity and general headers and their descriptions to assist in editing HTTP application-layer filters and interpreting log data.
Create or update a Domain Name Set with domains obtained from a local file or from an HTTP URL, such as for the blacklisted domains of spammers, advertisers, hate groups, etc.
Create or update a URL Set with URLs obtained from a local file or from an HTTP URL, such as for the blacklisted URLs of spammers, advertisers, pornographers, hate groups, etc.
Create or update a Computer Set with subnets obtained from a local file or from an HTTP URL, such as for bogon routes, unallocated routes, known attackers, unwanted countries, etc.
Create or update a Computer Set with computer objects obtained from a text file containing hostnames and their IP addresses.
Copies the HTTP application-layer filter settings from one rule to another in the firewall policy so that you only have to create the filter once. Can display the raw XML of the filter for analysis or backup too.
Enable/disable firewall rules from the command line.
Variety of functions for viewing, creating, deleting and modifying Domain Name Set objects. For VBScript coders.
Variety of functions for viewing, creating, deleting and modifying Subnet objects. For VBScript coders.
Variety of functions for viewing, creating, deleting and modifying URL Set objects. For VBScript coders.
Logging and Error Codes
- ISA_Server_Error_Codes.xls (Spreadsheet)
Spreadsheet of names, descriptions and hex numbers of ISA Server error, cache and response codes. Handy for troubleshooting. You might also want to get Microsoft’s event log messages help file for ISA Server.
Copy a line of log data on the Logging tab to the clipboard using the Tasks pane, run the script, and a WHOIS query of the client’s IP address pops up. Copy the script to the Start menu or associate a keyboard shortcut with it if you need to do it often.
Displays or edits the maximum amount of memory the MSDE service (sqlservr.exe) is permitted to use, since database logging can sometimes cause a memory leak (KB909636).
Gracefully detach one or all MSDE logging database files so that they can be deleted, copied or moved from the ISA Server.
Demonstrates over 20 queries against ISA Server and IIS log files using the free Microsoft Log Parser tool to show, for example, which rules are the most frequently used, which IP addresses are sending the most denied packets, which users are consuming the most bandwidth, who is sending Ping of Death packets, etc.
Uses the command-line version of the free Wireshark sniffer to analyze the raw hex fields of offending packets in firewall logs.
Lists all alert definitions and their detailed properties.
Script to e-mail the output of any chosen command, such as “ipconfig /all”, when the script is executed by an ISA Server alert action, scheduled job, EventTriggers.exe, Performance Monitor alert, etc. Unlike ISA Server e-mail alerts, you can specify a username and password, and use SSL for SMTPS. Especially nice for being alerted when DHCP-assigned IP addresses change.
View, reset and acknowledge triggered alerts by severity level.
A batch script to run when you really need to go into lockdown mode.
Cache – RRAS – DNS – Misc.
To be used on VPN clients, the script changes the order in which DNS servers are queried so that the DNS servers associated with the VPN connection are always used first. This helps to solve a known name resolution problem for Windows VPN and dial-up clients (KB311218).
Manages how the names or IP addresses of CARP array members in an Enterprise Edition array are represented in the cache array script download by Web Proxy clients. Useful when the array has multiple network objects which have Web Proxy clients on each network.
Add/remove individual files to or from the Web Proxy cache, such as for pre-loading files into the cache from URL or local drive sources.
Dump current sessions into a comma-delimited format (imports to Excel); functions for disconnecting sessions based on IP address, user name or client process name; and a function to disconnect VPNs by IP address.
View and edit permitted outbound HTTPS/SSL ports, since ISA Server only permits TCP 443 and 563 out by default (KB283284).
Adds, removes and lists “blackholed” routes in ISA Server’s route table; these are routes to IPs or subnets that drop packets without editing firewall rules or disrupting other communications. If you blackhole an internal machine’s IP address, for example, it will not be able to maintain a Firewall Client channel or Web Proxy connection to the ISA Server, but its other internal communications won’t be affected. Similar in purpose to the “rathole script” Microsoft uses on its own ISA Server arrays.
Manages the RRAS user lockout feature on local or remote ISA Server VPN gateways to thwart password-guessing attacks.
Security template for ISA Server firewalls for use with SECEDIT.EXE or the Security Configuration & Analysis snap-in. This disables unneeded services and can break things, so make sure to make a backup first and test the template on a non-production server!
The following are REGEDIT.EXE exports for registry values that frequently need to be changed on an ISA Server. They are also in the download zip file.
Other Useful Scripts
The following scripts and files are also in the zip file, but they are not specifically for ISA Server. Most are in the \Day6 folder in the zip file.
Uses SC.EXE to set service failure response actions for the Windows services listed in an input file; for example, configure your critical services to send an alert e-mail to admins when any one fails.
Dump and clear local or remote Event Logs to local comma-delimited CSV file which can be cleanly opened in Excel, imported into a database, or easily searched (with sample searches).
Imports a one- or two-dimensional array into a new Excel spreadsheet. Useful when sifting through large amounts of tabular data, such as log entries or a list of sessions.
Script for sending e-mail without an e-mail client or the SMTP service locally installed. Supports authentication and SMTPS.
Create an auditing baseline snapshot of a server to be used later to analyze changes to the box, such as after a compromise or failure.
Pass in IP address of XP or later machine, script configures remote machine to only support NTLM Telnet authentication, enables Telnet service, opens Telnet session, then stops and disables Telnet service afterwards. Use with an IPSec policy to encrypt Telnet traffic.
Searches a text log from ISA, IIS or whatever source for matches from a file of regular expression patterns that indicate malware or hacking, then prints a report of the number of signature matches found. Includes a file (signatures.txt) of 35 potential hacking signatures in ISA Web Proxy or IIS logs.
- IPSecPol_* and NetShell_*
Example scripts for managing IPSec and networking settings, such as configuring a NIC with static settings or creating an IPSec policy.
A bunch of scripts for the Windows Firewall (not ISA Server).
A bunch of scripts for database queries and manipulation, such as for managing imported log data.
A bunch of scripts for Active Directory and user account management, including one for brute-force password guessing attacks over LDAP with a dictionary file.
Some scripts for PKI and cryptography, including a script for Group Policy to remove unwanted trusted root CA certificates.
A bunch of scripts for system management with Windows Management Instrumentation, such as for remote execution, process termination, listing of processes/drivers/patches/packages, forcing logoff/shutdown/reboots, starting and stopping services in dependency sets, setting registry values, etc.