
There are no user-defined ICMP protocols displayed in the New Access Rule Wizard in ISA Server 2004, Enterprise Edition



Symptoms

On a computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2004, Enterprise Edition, you open the New Access Rule Wizard. Then, in the wizard Protocols list, you try to select user-defined Internet Control Message Protocol (ICMP) protocols. However, there are no user-defined ICMP protocols displayed in the Protocols list.

Note You may not experience this symptom if the user-defined protocols are currently used in an existing enterprise-level access rule.



Cause

User-defined ICMP protocols are filtered out of the Protocols list if the protocols are not currently used in an existing enterprise-level access rule.



Workaround

To work around this problem, use one of the following methods.

Method 1

1. Create an array-level policy rule by using enterprise rule elements.

Note For more information about how to use enterprise rule elements to create an array-level policy rule, see ISA Server Help.
2. After you create an array-level policy rule and then define a new protocol, you can manually create the same policy in each array. Alternatively, you can export the policy and then import it into all the arrays.

Note For more information about how to export and import array configurations, see ISA Server Help.

Method 2

To work around this problem by using JScript code, follow these steps:
1. Copy the following code, and then paste it into Notepad.
/*
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

            This code is Copyright (c) 2005 Microsoft Corporation.  

            All rights reserved.

            THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
            ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
            THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
            PARTICULAR PURPOSE.

            IN NO EVENT SHALL MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS BE
            LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
            DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
            WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
            ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
            OF THIS CODE OR INFORMATION.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Title: AddMtuRule.js

   Purpose: Adds an ICMP protocol definition and rule to all Enterprise Policies
            
   Requirements: 
                        - ISA 2004 Enterprise
                        - Access rights to ISA for interactive account

   Run as: cscript addmturule.js protocolname networkname
  
   Version:
                        1.0 06/15/2005 - First version

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/

// Script entry point. The call appears before the definition of main(); this
// works because function declarations are hoisted. The return value of main()
// is not used here.
main();

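// Entry point: creates the ICMP protocol definition named on the command line
// and then adds an access rule that uses it to every enterprise policy that is
// not predefined.
//
// Command line: cscript addmturule.js protocolname networkname
//
// Returns false when the arguments are missing or when a step fails, and true
// once every policy has been processed.
function main()
{
    // Validate the command line before touching the configuration store, so a
    // mistyped invocation ends with a usage message instead of a script error
    // raised after the connection has already been opened.
    if( WScript.Arguments.length < 2 )
    {
        WScript.Echo( "Usage: cscript addmturule.js protocolname networkname" );
        return false;
    }

    var ProtocolName = WScript.Arguments( 0 );
    var EnterpriseNet = WScript.Arguments( 1 );

    if( ProtocolName == "" || EnterpriseNet == "" )
    {
        WScript.Echo( "Usage: cscript addmturule.js protocolname networkname" );
        return false;
    }

    var oISA = new ActiveXObject( "FPC.Root" );
    var szCss = oISA.ConfigurationStorageServer;
    oISA.ConnectToConfigurationStorageServer( szCss );
    var oEnterprisePolicies = oISA.Enterprise.Policies;
    var oEnterpriseRuleElements = oISA.Enterprise.RuleElements;

    if( !MakeNewProtocol( oEnterpriseRuleElements, ProtocolName ) )
    {
        return false;
    }

    // MakeNewProtocol also returns true when a definition with this name was
    // already present, so this message does not prove a new one was created.
    WScript.Echo( "Protocol Definition \'" + ProtocolName + "\' successfully created..." );

    // The policies collection is indexed from 1. Every policy that is not
    // predefined receives the rule, and each rule is saved as it is built, so
    // review the resulting rule set afterwards.
    for( var inx = 1; inx <= oEnterprisePolicies.Count; inx++ )
    {
        switch( MakeNewRule( oEnterprisePolicies.Item( inx ), ProtocolName, EnterpriseNet ) )
        {
            case false: return false;     // hard failure: stop processing
            case 666: continue;           // sentinel from MakeNewRule: policy skipped
        }
        WScript.Echo( "....Access Rule \'" + ProtocolName + "\' successfully created..." );
    }
    WScript.Echo( "\r\nAll Done..." );
    return true;
}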

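// Adds a protocol definition named ProtocolName to the supplied rule elements
// and gives it a single ICMP connection (type 3, code 4).
//
// oRuleElements - object exposing a ProtocolDefinitions collection.
// ProtocolName  - name for the new protocol definition.
//
// Returns true when the definition was created and saved, or when a definition
// with that name already exists; returns false on any other error.
function MakeNewProtocol( oRuleElements, ProtocolName )
{
    var Send = 1;            // packet direction value passed to AddICMP
                             // NOTE(review): confirm what 1 selects in the ISA SDK
    var Code = 4;            // ICMP code for Fragmentation needed
    var Type = 3;            // ICMP type for Destination unreachable
    var Exists = -2147024713; // 0x800700B7, the HRESULT for ERROR_ALREADY_EXISTS
    var oProtocol = null;

    try
    {
        oProtocol = oRuleElements.ProtocolDefinitions.Add( ProtocolName );
    }
    catch( err )
    {
        if( err.number != Exists )
        {
            WScript.Echo( "Error " + err.number + "; " + err.description );
            return false;
        }
        // The existing definition is neither inspected nor changed here. The
        // access rule created afterwards refers to the protocol by name, so it
        // allows whatever that existing definition describes. Tell the operator
        // to check it rather than silently treating it as the MTU protocol.
        WScript.Echo( "Protocol Definition '" + ProtocolName + "' already exists and was left unchanged; verify that it defines only ICMP type 3, code 4..." );
        return true;
    }

    oProtocol.Description = "ICMP MTU Detection traffic";
    oProtocol.PrimaryConnections.AddICMP( Send, Code, Type );
    oProtocol.Save( );
    return true;
}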

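// Adds an access rule named ProtocolName to one enterprise policy. The rule
// allows the named protocol from the EnterpriseNet network to "Local Host" for
// the "All Users" user set.
//
// oPolicy       - enterprise policy object (Name, Predefined, PolicyRules).
// ProtocolName  - used both as the rule name and as the protocol it selects.
// EnterpriseNet - name of the enterprise network used as the rule source.
//
// Returns 666 when the policy is predefined and is skipped, true when the rule
// was created and saved or already exists, and false on any other error.
function MakeNewRule( oPolicy, ProtocolName, EnterpriseNet )
{
    var Allow = 0;
    var SpecifiedProtocols = 1;
    var EnterpriseScope = 1;
    var IncludeStatus = 0;
    // 0x800700B7, the HRESULT for ERROR_ALREADY_EXISTS. The original compared
    // against Exists without declaring it in this function, so the catch block
    // itself failed with an "undefined" error and hid the real error.
    var Exists = -2147024713;
    var oRule = null;

    WScript.Echo( "...working in policy \'" + oPolicy.Name + "\'..." );
    if( oPolicy.Predefined )
    {
        WScript.Echo( "....Can\'t create rules in \'" + oPolicy.Name + "\'..." );
        return 666;          //can't do this here
    }

    try
    {
        oRule = oPolicy.PolicyRules.AddAccessRule( ProtocolName );
    }
    catch( err )
    {
        if( err.number != Exists )
        {
            WScript.Echo( "Error " + err.number + "; " + err.description );
            return false;
        }
        // A rule with this name is already present. It is not inspected or
        // changed, so its action, networks and protocols may differ from the
        // ones set below; say so instead of reporting a silent success.
        WScript.Echo( "....Access Rule '" + ProtocolName + "' already exists in '" + oPolicy.Name + "' and was left unchanged..." );
        return true;
    }

    oRule.Action = Allow;
    oRule.Description = "ICMP MTU adjustment";
    // Source: the network named on the command line. Destination: "Local Host".
    oRule.SourceSelectionIPs.EnterpriseNetworks.AddScopedItem( EnterpriseScope, EnterpriseNet, IncludeStatus );
    oRule.AccessProperties.DestinationSelectionIPs.EnterpriseNetworks.AddScopedItem( EnterpriseScope, "Local Host", IncludeStatus );
    // Restrict the rule to the one named protocol rather than all traffic.
    oRule.AccessProperties.ProtocolSelectionMethod = SpecifiedProtocols;
    oRule.AccessProperties.SpecifiedProtocols.AddScopedItem( EnterpriseScope, ProtocolName, IncludeStatus );
    oRule.AccessProperties.UserSets.AddScopedItem( EnterpriseScope, "All Users", IncludeStatus );
    // NOTE(review): the meaning of the true argument is not shown here; confirm in the ISA SDK.
    oRule.Save( true );
    return true;
}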
2. Save this Notepad file as Addmturule.js.
3. Run the following command from the folder in which you saved the code:
cscript addmturule.js ProtocolName NetworkName
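Note: ProtocolName is the name of the new protocol that you are creating. NetworkName is the name of the enterprise network from which the ICMP traffic originates. The script adds an allow rule for this protocol to every enterprise policy that is not predefined, so review the resulting rules after it runs.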



Keywords: KB902348, kbprb, kbtshoot


Article Info
Article ID : 902348
Revision : 3
Created on : 12/4/2007
Published on : 12/4/2007