Custom endpoint detection (Revisited)

  • Question

  • Hi,

    Still a bit confused on the actual steps to do a custom endpoint detection (e.g. Microsoft Update status on a computer).

    From http://technet.microsoft.com/en-us/library/ff607423.aspx, we have the initial steps:

    • Copy the ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples\Detect.inc file to the ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate folder, and rename it as required.

    • For each new detection script that you want to define, add the following line to your new Detect.inc file:

          g_scriptList("/InternalSite/CustomUpdate/<YourScriptFilename.vbs") = false

    • YourScriptFilename.vbs contains the code from this website for Microsoft Updates: http://iag.elear.net/index.php/tag/endpoint-detection/
    • Place your detection scripts in the ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\CustomUpdate folder.

    The Technet article then stops.

    However, based on http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/39ff1347-78fa-4894-afb2-0d9edd88b8b8 there are extra steps one needs to do:

    1. Click on the Configure button next to Configure trunk settings

    2. Go to the URL Set tab

    3. Click on the Add Primary button, under the URL list

    4. Create the new rule as follows:

       a. Give the new rule a name with the prefix “InternalRule_”, for example “InternalRule_CustomDetection”

       b. Action: Accept

       c. URL regex: /internalsite/scripts/customupdate/[a-z0-9]+\.vbs

       d. Parameters: Reject

       e. Methods: GET

    5. Click OK to close the Advanced Trunk Configuration

    6. Activate

     

    After you’re done with this, you need to also create a custom PolicyTemplate.xml, as per the instructions on www.ssl-vpn.de which you mentioned above, in order for the variable(s) used in your custom detection scripts to be displayed in the UAG Policy Editor.

     

    The PolicyTemplate.xml file is as follows:

    <Policies>		
    	<Policy>
    		<Name>This is the name that shows up in the editor</Name>
    		<ID>This_is_the_variable_name_you_used_in_the_script</ID>
    		<Type>0</Type>
    		<Value>DefaultValueGoesHere</Value>
    		<Description></Description>
    		<Section>Variables\Where\ItShould\Show\Up\In\The\Editor</Section>
    	</Policy>
    </Policies>
    
    So my questions are:
    1. Which process must we follow - the short version on Technet, or the longer one on these Forums? Both? Is there an updated article somewhere instead?
    2. Could someone please give us a clear example of what the PolicyTemplate.xml should look like when finished, because the 'help' above does not help us one bit.

    Thank you

    Thursday, May 6, 2010 9:30 AM

Answers

All replies

  • This is a pretty granular example from Idan, which you should be able to extrapolate to UAG: http://www.forefrontsecurity.org/?ctype=Articles&id=A00000033&rootid=27&name=How-to-configure-IAG-End-Point-Security-to-check-Registry-Value

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Wednesday, May 19, 2010 11:42 PM
    Thursday, May 6, 2010 10:57 AM
  • My script background is almost 0...

    What would the PolicyTemplate.xml details be, based on the Windows Update Script then?

    <Policies>
    <Policy>
    <Name>MUDetection</Name>
    <ID>This_is_the_variable_name_you_used_in_the_script</ID>    **** what variable name must I use here?
    <Type>0</Type>                                                **** 0 ?
    <Value>DefaultValueGoesHere</Value>                           **** what value here?
    <Description></Description>
    <Section>Variables\Where\ItShould\Show\Up\In\The\Editor</Section>    **** another grey area?
    </Policy>
    </Policies>

    Here is the script:

    'Whale.DebugEcho and the Results() collection are supplied by the UAG endpoint
    'detection environment that runs this script; they are not declared here.
    Whale.DebugEcho("Starting patch detection...")
     
    'declare objects
    set objSession = CreateObject("Microsoft.Update.Session")
    set objSearcher = objSession.CreateUpdateSearcher
     
    'query for software updates that are NOT installed
    set objResults = objSearcher.Search("IsInstalled=0 and Type='Software'")
    set colUpdates = objResults.Updates
     
    'set variables
    criticalCount = 0
    forWindows = False
     
    'this is the variable that will pass or fail the user for endpoint detection
    Results("Has_Required_Patches") = False
     
    'loop through the list of updates
    For i = 0 To colUpdates.Count - 1
     
     'check to see if the severity is "critical"
     If (InStr(UCase(colUpdates.Item(i).MsrcSeverity), "CRITICAL")) Then
     
      'get the category i.e. windows, office, etc... if it's not windows, we don't care
      set objCategories = colUpdates.Item(i).Categories
     
      'loop through the categories array to see if "WINDOWS" is mentioned
      For j = 0 To objCategories.Count - 1
       If (InStr(UCase(objCategories.Item(j).Name), "WINDOWS")) Then
        'if we are here, then this patch is critical AND for windows
        forWindows = True
        Exit For
       End If
      Next
     
      'final checking, if forWindows, that means it's critical AND for windows
      If forWindows Then
       criticalCount = criticalCount + 1
       'Whale.DebugEcho("Title: " & colUpdates.Item(i).Title)
       'Whale.DebugEcho("Description: " & colUpdates.Item(i).Description)
      End If
     End If
     
     'reset the "forWindows" flag so that we can search the next update
     forWindows = False
    Next
     
    If criticalCount > 0 Then
     'there are critical patches available for the OS to install... we cannot let them proceed
     Results("Has_Required_Patches") = False
     Whale.DebugEcho("There were [" & criticalCount & "] critical updates available for Windows to install.")
    Else
     'there are no critical patches available to install for the OS...good to go
     Results("Has_Required_Patches") = True
     Whale.DebugEcho("There were no critical updates for Windows available to install.")
    End If
     
    Whale.DebugEcho("Finished patch detection...")

    Thursday, May 6, 2010 1:36 PM
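An added example, not part of this thread or of any Microsoft tooling, that ties the PolicyTemplate.xml step from the first post to the script and template posted above. It assumes only what the thread itself states: the `<ID>` of each `<Policy>` must be the variable name the detection script writes into `Results(...)`, otherwise the variable never appears in the UAG Policy Editor. The script excerpt and the filled-in template below are constructed from the thread's own text; `<Type>`, `<Value>` and `<Section>` are left as the template's placeholders, since the thread does not say what they should be. The check parses both files and reports any `Results()` name without a matching `<ID>`, and any `<ID>` no script line sets.

```python
"""Consistency check between a UAG custom endpoint-detection script (VBScript)
and its PolicyTemplate.xml: every Results("Name") the script writes must be
declared as <Policy><ID>Name</ID> in the template.
"""
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the detection script posted in the thread; only the
# lines relevant to the check are reproduced.
DETECTION_SCRIPT = r'''
Whale.DebugEcho("Starting patch detection...")
Results("Has_Required_Patches") = False
If criticalCount > 0 Then
 Results("Has_Required_Patches") = False
Else
 Results("Has_Required_Patches") = True
End If
Whale.DebugEcho("Finished patch detection...")
'''

# Constructed: the thread's template with <ID> filled in to match the script.
# Type/Value/Section are the template's own placeholders (assumption: their
# meaning is not documented in the thread, so they are not interpreted here).
POLICY_TEMPLATE = '''<Policies>
  <Policy>
    <Name>MUDetection</Name>
    <ID>Has_Required_Patches</ID>
    <Type>0</Type>
    <Value>DefaultValueGoesHere</Value>
    <Description></Description>
    <Section>Variables\\Where\\ItShould\\Show\\Up\\In\\The\\Editor</Section>
  </Policy>
</Policies>
'''

# Matches a VBScript assignment of the form: Results("Name") = ...
RESULTS_ASSIGNMENT = re.compile(r'Results\(\s*"([^"]+)"\s*\)\s*=', re.IGNORECASE)


def script_result_names(vbs_text):
    """Return the distinct variable names the script writes into Results(), in order."""
    names = []
    for name in RESULTS_ASSIGNMENT.findall(vbs_text):
        if name not in names:
            names.append(name)
    return names


def template_ids(xml_text):
    """Return the <ID> values declared in a PolicyTemplate.xml document.

    Raises ValueError if the root is not <Policies> or a <Policy> lacks an <ID>,
    both of which would leave the editor with nothing usable.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "Policies":
        raise ValueError("root element must be <Policies>, got <%s>" % root.tag)
    ids = []
    for policy in root.findall("Policy"):
        id_el = policy.find("ID")
        if id_el is None or not (id_el.text or "").strip():
            raise ValueError("<Policy> without an <ID>: %r" % (policy.findtext("Name"),))
        ids.append(id_el.text.strip())
    return ids


def check_consistency(vbs_text, xml_text):
    """Return (missing_in_template, unused_in_script), both sorted lists.

    missing_in_template: names the script writes that the template never declares.
    unused_in_script:    <ID>s the template declares that no Results() line sets.
    """
    written = set(script_result_names(vbs_text))
    declared = set(template_ids(xml_text))
    return sorted(written - declared), sorted(declared - written)


if __name__ == "__main__":
    missing, unused = check_consistency(DETECTION_SCRIPT, POLICY_TEMPLATE)
    print("script writes:     ", script_result_names(DETECTION_SCRIPT))
    print("template declares: ", template_ids(POLICY_TEMPLATE))
    print("missing in template:", missing)
    print("unused in script:   ", unused)
```

Run against the thread's unfilled template (with `This_is_the_variable_name_you_used_in_the_script` still in `<ID>`), the check reports `Has_Required_Patches` as missing from the template and the placeholder as unused by the script, which is exactly the mismatch the poster was trying to resolve.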
  • Attention Moderators:

    Please close this post as it is being discussed here: http://social.technet.microsoft.com/Forums/en-ZA/forefrontedgeiag/thread/39ff1347-78fa-4894-afb2-0d9edd88b8b8

    Kind regards.

    Tuesday, May 18, 2010 9:56 AM
  • The link pointed-to in the original question has moved to:

    http://tech.familyofgoldsteins.com/?p=10


    Ben Ari
    Microsoft CSS UAG/IAG Support
    Sammamish, WA
    Tuesday, March 22, 2011 7:31 PM