More detailed schedule in ISA 2004

I have a customer who needs to limit their employees' Internet access during work time, but during breaks there shall be no limits at all.
They have an ISA 2004 which provides a solution for the access part but seems to be missing the function of a detailed schedule.
According to Microsoft:
"Schedules can be set only on an hourly basis, at the start of every hour."

Is there any possible way to create a more detailed schedule?
For example they want "the no limit time" to start 14:15 and end 14:45.

Regards
Mattias
Keith Alabaster (Enterprise Architect) commented:
No, hourly is the minimum schedule. As I recall, ISA2006 has the same limitation.

Regards

Keith

Keith Alabaster (Enterprise Architect) commented:
Just checked and ISA2006 is exactly the same. Doesn't happen often to us but sometimes the correct answer is "Nope, 'fraid not".

MarkusKolbeck commented:
Try the following:
- Create a new (additional) access rule with unlimited access
- Create two scheduled tasks (you can define them to be launched on a per-minute basis):
     1. disable the rule during the work hours (via script)
     2. enable the rule during breaks (via script)

The Script to enable / disable an access rule can be downloaded here:
http://www.isascripts.org/

Example Script Code (from Jason Fossen - www.ISAscripts.org):

'*************************************************************************************
' Script Name: ISA_Enable-Disable_Rule.vbs
'     Version: 1.0
'      Author: Jason Fossen ( www.ISAscripts.org )
'Last Updated: 16.Oct.2005
'     Purpose: Enables or disables a rule in the Firewall Policy of an ISA Server array,
'              Standard or Enterprise edition.  But cannot manage System Policy rules or
'              Enterprise Policy rules, array or single-server rules only.
'       Legal: Public Domain.  Modify and redistribute freely.  No rights reserved.
'              SCRIPT PROVIDED "AS IS" WITHOUT WARRANTIES OR GUARANTEES OF ANY KIND.
'              USE AT YOUR OWN RISK.  Test on non-production servers first.
'*************************************************************************************


If WScript.Arguments.Count <> 2 Then Call ShowHelpAndQuit()
sRuleName = WScript.Arguments.Item(0)
sAction   = WScript.Arguments.Item(1)
If (LCase(sRuleName) = "/?") Or (LCase(sRuleName) = "/h") Or (LCase(sRuleName) = "-h") Then Call ShowHelpAndQuit()


If EnableOrDisableRule(sRuleName, sAction) Then
    WScript.Echo vbCrLf & "Success! " & UCase(sRuleName) & " = " & UCase(sAction) & "D"
Else
    WScript.Echo vbCrLf & "ERROR: " & Err.Number & " " & Err.Description
End If


'*************************************************************************************
' Functions() & Procedures()
'*************************************************************************************


'
' sRuleName is the name of the rule, in doublequotes if it contains spaces.
' sAction is either "enable" or "disable" (or just "e" and "d").
'
' Function returns true if either it is successful or if sRuleName Is
' already set to sAction specified.
'
Function EnableOrDisableRule(sRuleName, sAction)
    On Error Resume Next
    If Not IsObject(oFPC) Then Set oFPC = CreateObject("FPC.Root")
    Set oPolicyRule = oFPC.GetContainingArray.ArrayPolicy.PolicyRules.Item(sRuleName)
    'If Err.Number = -2147024894 Then WScript.Echo "Cannot find the rule named " & sRuleName
    If Err.Number <> 0 Then EnableOrDisableRule = False : Exit Function
    If Left(LCase(sAction),1) = "e" Then bState = True Else bState = False
    If oPolicyRule.Enabled = bState Then EnableOrDisableRule = True : Exit Function
    oPolicyRule.Enabled = bState
    oPolicyRule.Save
    If Err.Number = 0 Then EnableOrDisableRule = True Else EnableOrDisableRule = False
    'If Err.Number <> 0 Then WScript.Echo "Problem changing rule state."
    On Error Goto 0
End Function



Sub ShowHelpAndQuit()
    Dim sUsage : sUsage = vbCrLf
    sUsage = sUsage & vbCrLf
    sUsage = sUsage & "ISA_Enable-Disable_Rule.vbs rulename action" & vbCrLf
    sUsage = sUsage & vbCrLf
    sUsage = sUsage & "Purpose: Enables or disables a rule, not including System Policy rules." & vbCrLf
    sUsage = sUsage & vbCrLf
    sUsage = sUsage & "   Args: rulename = Name of the rule, placed in doublequotes if necessary." & vbCrLf
    sUsage = sUsage & "         action   = The word ""Enable"" or ""Disable"" (not case sensitive)." & vbCrLf
    sUsage = sUsage & vbCrLf
    sUsage = sUsage & "  Legal: SCRIPT PROVIDED ""AS IS"" WITHOUT WARRANTIES OR GUARANTEES OF ANY" & vbCrLf
    sUsage = sUsage & "         KIND. USE AT YOUR OWN RISK. Public domain, no rights reserved." & vbCrLf
    sUsage = sUsage & "         ( www.ISAscripts.org )" & vbCrLf
    sUsage = sUsage & vbCrLf
    WScript.Echo sUsage
    WScript.Quit
End Sub


'EOF*******************************************************************************



The script is really easy to use and can be integrated into the scheduled tasks pretty simply.

If you have any further questions please let me know.

ATB
Markus
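
A clock-driven variant of the workaround above, as an added example that is not part of the original post or of Jason Fossen's script: instead of separate enable and disable tasks, one script run every minute sets the rule to the state the clock calls for, so a missed 14:45 task (reboot, failed run) cannot leave the unrestricted rule enabled. The rule name and the script path are assumptions; the FPC calls are the same ones used in the script above.

```vbscript
' Added example (not from the original post or from ISAscripts.org).
' Sets one ISA firewall policy rule from the clock: the rule is enabled
' only inside the break window and disabled at every other time.
Option Explicit

' Assumptions: the rule name is a placeholder; the window is the one asked for.
Const RULE_NAME   = "Break - Unrestricted Access"
Const BREAK_START = "14:15"
Const BREAK_END   = "14:45"

Dim bWanted
bWanted = InBreakWindow(Time(), BREAK_START, BREAK_END)
WScript.Quit SetRuleState(RULE_NAME, bWanted)

' True when tNow falls in [sStart, sEnd); the end minute itself is outside.
Function InBreakWindow(tNow, sStart, sEnd)
    Dim nNow
    nNow = Hour(tNow) * 60 + Minute(tNow)
    InBreakWindow = (nNow >= ToMinutes(sStart)) And (nNow < ToMinutes(sEnd))
End Function

Function ToMinutes(sHHMM)
    Dim aParts : aParts = Split(sHHMM, ":")
    ToMinutes = CInt(aParts(0)) * 60 + CInt(aParts(1))
End Function

' Returns 0 when the rule is in the wanted state, 1 on any failure.
Function SetRuleState(sRuleName, bEnable)
    Dim oFPC, oRule
    SetRuleState = 1
    On Error Resume Next
    Set oFPC = CreateObject("FPC.Root")
    Set oRule = oFPC.GetContainingArray.ArrayPolicy.PolicyRules.Item(sRuleName)
    If Err.Number <> 0 Then
        WScript.Echo "ERROR: cannot open rule '" & sRuleName & "': " & Err.Description
        Exit Function
    End If
    If oRule.Enabled <> bEnable Then
        oRule.Enabled = bEnable
        oRule.Save
    End If
    If Err.Number = 0 Then
        SetRuleState = 0
    Else
        WScript.Echo "ERROR: could not save rule state: " & Err.Description
    End If
End Function
```

Run it every minute from a scheduled task on the ISA server under an account allowed to change the firewall policy, for example `schtasks /create /tn ISA-Break-Reconcile /sc minute /mo 1 /tr "cscript.exe //nologo C:\Scripts\ISA_Reconcile_Break.vbs"` (task name and path are placeholders). A non-zero exit code shows up as the task's last result, which gives something to alert on.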
MarkusKolbeck commented:
Hi Mattias,

you're still there? ;-)

Did you test my solution? Any feedback?

ATB
Markus
MarkusKolbeck commented:
blubb
MarkusKolbeck commented:
Hi Computer101,

I cannot understand your decision (that I only assisted the answer) as I provided a solution for the question.
Please comment.

Markus
Keith Alabaster (Enterprise Architect) commented:
Markus.

Computer101 will have made the decision based upon my recommendation. The accept is automatically assigned to the first expert in the list of recipients that I have recommended.

I have given the asker 4 days to respond to my recommendation but as you can see, no response has been seen. ISA server cannot have a schedule set of less than one hour so I have given myself an equal split also. This is not up for debate as it is fact.

I appreciate your workaround will work which is why I have given you an equal share of the points.

Keith

paterpan commented:
MarkusKolbeck's solution worked for me.

Thanks.
oomran commented:
Guys, did anyone test this script?
I have a rule named test and I want to change the state to disable.
I have changed the names accordingly but no result.
What am I doing wrong?
Is it the path of the script?
Please give me more details.
 ISA-Enable-Disable-Rule.vbs