Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed

Although the entire ISA configuration can be exported easily to a single XML file through use of the export functionality, the method to automate this process is not intuitive and there are no built-in tools for accomplishing this functionality. Fortunately, it is relatively straightforward to script this type of export using the predefined FPC scripting object.

More information on the capabilities of the FPC object can be found at the following URL:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/isa/isaobj1_97lg.asp

Creating and Deploying an ISA Server Automatic Export Script

Scripting expertise and a knowledge of the FPC object make it possible to create scripts to automate the export of specific ISA functionality. This can be extremely useful for many organizations because it takes the manual effort out of ISA server backup, making it more likely that a full backup will exist for an ISA Server.

Listing 18.1 is an example of a WSF file that automates the export of the entire ISA Configuration to a local or network location.

Listing 18.1. ISA Configuration Export Job


<?xml version="1.0" ?>
<package>
<job>
  <runtime>
    <description>
************************************************************
ISA Configuration Export Job
************************************************************
    </description>
    <named name="path" helpstring="The UNC or file path to which you want to export the configuration report to." type="string" required="1" />
    <named name="silent" helpstring="Runs script in silent mode." type="simple" required="0" />
    <example>
Example:
cscript isaexport.wsf /path:"\\remoteserver\sharename"
cscript isaexport.wsf /path:"c:\isabackups"
    </example>
  </runtime>
  <form>
  </form>
  <script language="VBScript">
<![CDATA[
'===================================================================
' Comments about the script
'===================================================================
' This script uses the FPC object to produce an export of an ISA
' configuration. As currently written, this script can be run only on
' the local ISA server from which the configuration is being
' exported. However, if the FPC object is used in conjunction
' with the FPCArray object, the script can be modified to produce a
' script that would allow for a centralized backup of all ISA servers
' in an organization. For more information about the FPC object,
' please see the following URL:
'
' http://msdn.microsoft.com/library/default.asp?url=/library/en-us/isasdk/isa/fpc_object.asp
'
' Please note that in all cases usage of the FPC object is limited
' to a server that has ISA 2004 or greater installed on it.
'
'===================================================================
' Check args
'===================================================================
If WScript.Arguments.Named.Exists("path") = FALSE Then
    WScript.Arguments.ShowUsage()
    WScript.Quit
End If

Dim WSHNetwork, objXML
Dim strPath
Dim strFileName
Dim dtmThisMinute, dtmThisHour
Dim dtmThisDay, dtmThisMonth, dtmThisYear

Set WSHNetwork = CreateObject("WScript.Network")
Set objXML = CreateObject("Msxml2.DOMDocument")

strPath = WScript.Arguments.Named("path")

dtmThisMinute = PadDigits(Minute(Now), 2)
dtmThisHour = PadDigits(Hour(Now), 2)
dtmThisDay = PadDigits(Day(Now), 2)
dtmThisMonth = PadDigits(Month(Now), 2)
dtmThisYear = Year(Now)

strFileName = WSHNetwork.ComputerName & "-" & dtmThisYear & "-" & dtmThisMonth & "-" & _
    dtmThisDay & "-" & dtmThisHour & "-" & dtmThisMinute & ".xml"

'===================================================================
' Get export
'===================================================================
Dim objFPC
Dim objArray

' Here an instance of the FPC object is created.
Set objFPC = WScript.CreateObject("FPC.Root")

' Here, the GetContainingArray method is used, thereby obtaining an instance of the
' IFPCArray interface that represents an array that contains the
' current ISA server's configuration.
Set objArray = objFPC.GetContainingArray

' Here, using the Export method dumps the configuration for the ISA server
' into the XML object that was created.
objArray.Export objXML, 0

objXML.Save(strPath & "\" & strFileName)

If WScript.Arguments.Named.Exists("silent") = FALSE Then
    WScript.Echo("Finished export to " & strPath & "\" & strFileName)
End If

'===================================================================
' Functions
'===================================================================
' This function is used to pad date variables that contain only one
' digit.
Function PadDigits(n, totalDigits)
    If totalDigits > len(n) then
        PadDigits = String(totalDigits-len(n),"0") & n
    Else
        PadDigits = n
    End If
End Function
]]>
  </script>
</job>
</package>

Note that the file can be modified as necessary to add additional variables, and to allow for functionality such as remote backup of servers or entire server arrays.

This particular script is run from the command line and, when it completes, has exported the ISA configuration to the chosen remote or local destination, as shown in Figure 18.6.

Figure 18.6. Running the custom automated ISA backup script.

NOTE

This code, as well as other snippets of code relevant to ISA Server 2004 that are referenced in this book, can be downloaded from the Sams Publishing website.

Scheduling the Automatic ISA Export Script

The biggest advantage to using a script such as the one illustrated is that it can be scheduled to run weekly, daily, or even hourly backups of the ISA configuration with little overhead to the server itself. Scheduling the script to run automatically can be done with the Windows Task Scheduler service, which can be configured to run particular programs, executables, or batch files on a regular basis.

With this particular script, the Task Scheduler can be configured to run a batch file that contains the string of commands that it needs, such as the following:

cscript isaexport.wsf /path:C:\Backup /silent

This batch file simply executes the script, telling it to run silently and instructing it to export the configuration out to the C:\Backup folder. It should reside in the same folder on the ISA server as the WSF script that was created. The last step to automating this process would be to configure the Task Scheduler service to run this batch file on a regular basis.

NOTE

The Task Scheduler service must be running for this procedure to work properly. If the service is set to Disabled, creation of the task produces errors, and the tasks fail to run. This is often the case if the Security Configuration Wizard with Windows Server 2003 Service Pack 1 has been run against the server. To enable this functionality, set the service back to Automatic and start it on the ISA server.

To use the Task Scheduler to automate the ISA Configuration backups with the batch file and script, follow this procedure:

1. Go to Start, Control Panel, Scheduled Tasks, Add Scheduled Task.

2. Click Next at the Intro dialog box.

3. Click Browse to locate the batch file.

4. Browse through the folder hierarchy to locate the WSF script. When it has been located, click once on it to select it and then click Open.

5. Enter a name for the task and how often it should run, such as what is shown in Figure 18.7. Click Next.

Figure 18.7. Scheduling an automated backup script to run on a daily basis.

6. Select a time, how often to perform the task, and a start date, and click Next.

NOTE

At the subsequent dialog box the credentials of a user with ISA admin rights must be entered. In addition to rights to the local ISA box, this account must have the capability to save the XML config file to the location that is specified when the script is run. Because it is desirable to automate the backup of the script to a location not on the server, it might be wise to have it written to a file server on the internal network. If this is not feasible, it can be written to the local drive, as long as the system is backed up to tape or other removable media, so that it can be recovered quickly.

7. Add the username and password per the guidelines in the note, and click OK.

8. Click Finish.

If a simple yet effective schedule to automate ISA exports is set up, it becomes much easier to recover an ISA server from an up-to-date copy of the configuration.
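
Because the scheduled job runs with /silent, a failed or stale export can go unnoticed until a restore is attempted. The following VBScript is an added example, not part of the book's code: it finds the newest file that follows the Listing 18.1 naming scheme, fails if that file is too old, and confirms that it loads as well-formed XML. The script name checkexport.vbs, the 26-hour threshold, and the optional server-name argument are assumptions made for this example.

```vbscript
' checkexport.vbs - added example, not part of the book's code.
' Usage: cscript //nologo checkexport.vbs <export folder> [server name]
Option Explicit
Const MAX_AGE_HOURS = 26   ' assumed threshold for a daily schedule
Dim fso, f, newest, xml, strPath, strPrefix, ageHours

If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript checkexport.vbs <export folder> [server name]"
    WScript.Quit 2
End If
strPath = WScript.Arguments(0)

' Listing 18.1 names each export <COMPUTERNAME>-YYYY-MM-DD-HH-MM.xml.
If WScript.Arguments.Count > 1 Then
    strPrefix = WScript.Arguments(1)
Else
    strPrefix = CreateObject("WScript.Network").ComputerName
End If
strPrefix = LCase(strPrefix & "-")

Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FolderExists(strPath) Then Fail "folder not found: " & strPath
' Pick the most recently written export for this server.
Set newest = Nothing
For Each f In fso.GetFolder(strPath).Files
    If Left(LCase(f.Name), Len(strPrefix)) = strPrefix And LCase(Right(f.Name, 4)) = ".xml" Then
        If newest Is Nothing Then
            Set newest = f
        ElseIf f.DateLastModified > newest.DateLastModified Then
            Set newest = f
        End If
    End If
Next
If newest Is Nothing Then Fail "no export found for prefix " & strPrefix

ageHours = DateDiff("h", newest.DateLastModified, Now)
If ageHours > MAX_AGE_HOURS Then Fail newest.Name & " is " & ageHours & " hours old"
' A truncated or empty file fails to load; external references are not resolved.
Set xml = CreateObject("Msxml2.DOMDocument")
xml.async = False
xml.resolveExternals = False
If Not xml.load(newest.Path) Then Fail newest.Name & ": " & xml.parseError.reason
WScript.Echo "OK: " & newest.Name & " (" & ageHours & " hours old)"

Sub Fail(msg)
    WScript.Echo "FAIL: " & msg
    WScript.Quit 1
End Sub
```

The script exits with 0 on success, 1 on a failed check, and 2 on a usage error, so it can be scheduled after the export and its exit code monitored.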

Restoring an ISA Server from the ISA Export Script

One of the advantages to a model such as this is that up-to-date backups of all of the ISA-specific settings on a server are exported on a daily (or more often) basis. If a server "dies," restoring that server can involve simply importing the config file to another cold-standby server that is installed with ISA Server 2004. In addition, the XML can be ported to any other server that is installed with ISA Server 2004, so many different recovery scenarios are possible.

For specific step-by-step instructions on how to use the XML file generated by this type of script to restore the ISA config file, reference the previous section of this chapter titled "Importing Entire ISA Configs."
