Portal trunk redirection
-
Wednesday, November 24, 2010 7:53 AM
I'm looking at deploying an endpoint policy that checks to see the IP address the endpoint is coming in on. If the endpoint meets the criteria of the check they will go to the portal page; if they don't, I would like the client to be directed to a different portal page. I believe in theory this is possible but can't think where the redirection would occur; would it be in the prevalidate scripts?
Any pointers gratefully received
All Replies
-
Wednesday, November 24, 2010 9:25 AM Moderator
Hi Darren,
You could place your code in a [portalname]1login.inc file in the %Program Files%\Microsoft Forefront Unified Access Gateway\von\InternalSite\CustomUpdate folder.
This is not an endpoint policy approach, but it may be worth looking at if you simply want to check the source IP. I had to do something similar recently, so shout if you want some example code using this approach.
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
-
Wednesday, November 24, 2010 11:29 AM
Example code please if you don't mind.
Basically, if the client IP is coming from the corporate network then they wish to have a trunk with just username and password.
If they come from any other device they will be redirected to the trunk with 2FA requirements.
-
Wednesday, November 24, 2010 2:52 PM Moderator
Example code please if you don't mind.
Basically, if the client IP is coming from the corporate network then they wish to have a trunk with just username and password.
If they come from any other device they will be redirected to the trunk with 2FA requirements.
Hi Darren,
You should like my code then, as it does exactly that! Actually, it differs slightly, as it uses a single portal and modifies the available repositories accordingly rather than using two different portals. Modify the AD and 2FA repository names in the code to match your own names.
[portalname]1login.inc file:
<!-- #include virtual="/internalsite/inc/customupdate/trustedip.inc" -->
<%
'Check for trunk authentication not SSO
If g_login_type = RESOURCE_OPERATION_LOGIN Then
    g_Source_IP = getsessionparam(g_cookie, "SourceIP")
    For Each i In IP
        If inStr(i, "*") > 0 Then
            'Wildcard entry: compare the part before the "*" as a prefix
            ListIP = "b" + (mid(i, 1, inStr(i, "*") - 1))
            SourceIP = "b" + g_Source_IP
        Else
            'Exact entry: the "b"/"e" sentinels force a whole-address match
            ListIP = "b" + i + "e"
            SourceIP = "b" + g_Source_IP + "e"
        End If
        'If IP address match is found, set repository to AD
        If inStr(SourceIP, ListIP) = 1 Then
            repositories.NameVec = Array("AD")
            trustedip = true
        End If
    Next
    'If IP address match is not found, set repository to 2FA only
    If trustedip <> true Then
        repositories.NameVec = Array("2FA")
    End If
End If 'closes the RESOURCE_OPERATION_LOGIN check
%>
trustedip.inc file:
<%
'Enter the IP(#) value below which matches your last row
Dim IP(3)
'Enter a list of trusted IP addresses; wildcards can be used like 10.10.*.* but not /24 (CIDR) notation
IP(0) = "1.1.1.1"
IP(1) = "2.2.2.2"
IP(2) = "3.3.3.3"
IP(3) = "4.4.4.4"
%>
Hope this helps!
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
Proposed As Answer by Ran [MSFT] (Microsoft Employee), Wednesday, November 24, 2010 3:14 PM
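The trusted-IP test from the login.inc above, as a stand-alone Python model (an added example, not the thread's ASP code and not part of UAG): it reproduces the sentinel-based exact/wildcard comparison the script uses and, going beyond the script, also accepts CIDR entries; the address list and repository names are constructed placeholders.

```python
import ipaddress

# Constructed trusted-IP list in the shape of trustedip.inc: exact addresses,
# "10.10.*.*"-style wildcards as the forum script accepts them, plus a CIDR
# entry, which this model adds and the original script does not support.
TRUSTED = ["1.1.1.1", "2.2.2.2", "10.10.*.*", "192.168.10.0/24"]


def wildcard_match(entry, source_ip):
    """Reproduce the login.inc comparison exactly.

    Both strings are wrapped in sentinels: an exact entry can only match the
    whole address ("b1.1.1.1e"), while a wildcard entry keeps the text before
    the first "*" and must match as a prefix (inStr(SourceIP, ListIP) = 1).
    Pitfall kept on purpose: "10.1*" has no trailing dot, so it also matches
    10.10.x.x; write wildcards as whole octets ("10.1.*.*").
    """
    if "*" in entry:
        list_ip = "b" + entry[: entry.index("*")]
        src = "b" + source_ip
    else:
        list_ip = "b" + entry + "e"
        src = "b" + source_ip + "e"
    return src.startswith(list_ip)


def is_trusted(source_ip, entries=TRUSTED):
    """True when the source address matches any trusted entry."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        # An empty or malformed SourceIP session value must never be trusted.
        return False
    for entry in entries:
        if "/" in entry:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        elif wildcard_match(entry, source_ip):
            return True
    return False


def select_repositories(source_ip, trusted=("AD",), untrusted=("2FA",)):
    """Mirror the repositories.NameVec choice: AD for trusted clients,
    2FA only for everyone else (repository names are placeholders)."""
    return list(trusted) if is_trusted(source_ip) else list(untrusted)
```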
-
Wednesday, November 24, 2010 3:38 PM
That looks brill, thank you. On the trunk though, what repositories would I set up for authentication, or do you let the script manage that? Can I also have it so that it could be AD and 2FA?
-
Wednesday, November 24, 2010 3:52 PM Moderator
You will need to create an AD repository and replace the "AD" entry in the script with your new repository name. If you want an internal user to see both repositories you can amend the code as follows:
<!-- #include virtual="/internalsite/inc/customupdate/trustedip.inc" -->
<%
'Check for trunk authentication not SSO
If g_login_type = RESOURCE_OPERATION_LOGIN Then
    g_Source_IP = getsessionparam(g_cookie, "SourceIP")
    For Each i In IP
        If inStr(i, "*") > 0 Then
            'Wildcard entry: compare the part before the "*" as a prefix
            ListIP = "b" + (mid(i, 1, inStr(i, "*") - 1))
            SourceIP = "b" + g_Source_IP
        Else
            'Exact entry: the "b"/"e" sentinels force a whole-address match
            ListIP = "b" + i + "e"
            SourceIP = "b" + g_Source_IP + "e"
        End If
        'If IP address match is found, set repository to AD or 2FA
        If inStr(SourceIP, ListIP) = 1 Then
            repositories.NameVec = Array("AD", "2FA")
            trustedip = true
        End If
    Next
    'If IP address match is not found, set repository to 2FA only
    If trustedip <> true Then
        repositories.NameVec = Array("2FA")
    End If
End If 'closes the RESOURCE_OPERATION_LOGIN check
%>
You will also need to create a 2FA repository for your 2FA needs (RADIUS or RSA SecurID probably) and replace the "2FA" entry in the script with your repository name...
So, in the real world, maybe AD = Internal Users, 2FA = RSA SecurID and the code would be:
<!-- #include virtual="/internalsite/inc/customupdate/trustedip.inc" -->
<%
'Check for trunk authentication not SSO
If g_login_type = RESOURCE_OPERATION_LOGIN Then
    g_Source_IP = getsessionparam(g_cookie, "SourceIP")
    For Each i In IP
        If inStr(i, "*") > 0 Then
            'Wildcard entry: compare the part before the "*" as a prefix
            ListIP = "b" + (mid(i, 1, inStr(i, "*") - 1))
            SourceIP = "b" + g_Source_IP
        Else
            'Exact entry: the "b"/"e" sentinels force a whole-address match
            ListIP = "b" + i + "e"
            SourceIP = "b" + g_Source_IP + "e"
        End If
        'If IP address match is found, set repository to Internal Users or RSA SecurID
        If inStr(SourceIP, ListIP) = 1 Then
            repositories.NameVec = Array("Internal Users", "RSA SecurID")
            trustedip = true
        End If
    Next
    'If IP address match is not found, set repository to RSA SecurID only
    If trustedip <> true Then
        repositories.NameVec = Array("RSA SecurID")
    End If
End If 'closes the RESOURCE_OPERATION_LOGIN check
%>
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
Marked As Answer by Ben Ari (Microsoft Employee, Owner), Wednesday, November 24, 2010 5:49 PM
-
Wednesday, November 24, 2010 9:17 PM
I don't seem to be able to get this running. In the trunk authentication what do you have to have set as the repositories ?
Probably being really stupid here so I apologise in advance.
trustedip.inc file:
<%
'Enter the IP(#) value below which matches your last row
Dim IP(3)
'Enter a list of trusted IP addresses; wildcards can be used like 10.10.*.* but not /24 (CIDR) notation
IP(0) = "1.1.1.1"
IP(1) = "2.2.2.2"
IP(2) = "3.3.3.3"
IP(3) = "192.168.10.51"
%>
-
Wednesday, November 24, 2010 11:26 PM Moderator
Have you got a working system before trying to do any of the customisations? What have you called your repositories? How is the trunk configured for authentication?
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
-
Thursday, November 25, 2010 10:01 AM
Yes, the system is working without these customisations. I will have to change your code to do redirection due to having Swivel PINsafe as the 2FA product, which changes the default login page. So on the trunk where I have 2FA I have "Telstar AD" and "PINsafe" showing under the authentication.
I can do a straight redirect, but the code for getting and matching the SourceIP and trusted IP doesn't seem to be functioning. How are you getting the SourceIP? I don't think that is working :(
-
Thursday, November 25, 2010 11:00 AM Moderator
I have that code in production and working with a customer, so it should function ok...the code was also validated by a friend @ MS before going into production.
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
-
Thursday, November 25, 2010 12:56 PM
I'll keep trying. Thanks for your help though so far.
-
Thursday, November 25, 2010 12:58 PM Moderator
No probs, always good to share :)
Let us know what (in detail) you're trying and we can make sure you are looking good...
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
-
Friday, November 26, 2010 4:06 PM
I did get it working in the end; I found an End if missing. I got it to redirect to a different portal if you connected with a trusted IP etc.
Thanks for your help on this
-
Friday, November 26, 2010 4:24 PM Moderator
Happy to share your code then?
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
-
Tuesday, April 26, 2011 6:48 AM
Apologies for the late reply quite busy and the Forum alerts don't seem to be working.
Here is the code I used:
<!-- #include virtual="/internalsite/inc/customupdate/trustedip.inc" -->
<%
'Check for trunk authentication not SSO
If g_login_type = RESOURCE_OPERATION_LOGIN Then
    g_Source_IP = getsessionparam(g_cookie, "SourceIP")
    For Each i In IP
        If inStr(i, "*") > 0 Then
            'Wildcard entry: compare the part before the "*" as a prefix
            ListIP = "b" + (mid(i, 1, inStr(i, "*") - 1))
            SourceIP = "b" + g_Source_IP
        Else
            'Exact entry: the "b"/"e" sentinels force a whole-address match
            ListIP = "b" + i + "e"
            SourceIP = "b" + g_Source_IP + "e"
        End If
        'If IP address match is found, redirect to the trusted-IP portal
        If inStr(SourceIP, ListIP) = 1 Then
            Response.Redirect("<UAG URL>")
            trustedip = true
        End If
    Next
End If
%>