Portal trunk redirection

  • Question

  • I'm looking at deploying an endpoint policy that checks the IP address the endpoint is coming in on. If the endpoint meets the criteria of the check, they will go to the portal page; if they don't, I would like the client to be directed to a different portal page. I believe in theory this is possible but can't think where the redirection would occur; would it be in the prevalidate scripts?

    Any pointers gratefully received

    Wednesday, November 24, 2010 7:53 AM

All replies

  • Hi Darren,

    You could place your code in a [portalname]1login.inc file in the %Program Files%\Microsoft Forefront Unified Access Gateway\von\InternalSite\CustomUpdate folder.

    This is not an endpoint policy approach, but it may be worth looking at if you simply want to check the source IP. I had to do something similar recently, so shout if you want some example code using this approach.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, November 24, 2010 9:25 AM
  • Example code please if you don't mind.

    Basically, if the client IP is coming from the corporate network then they wish to have a trunk with just username and password.

    If they come from any other device they will be redirected to the trunk with 2FA requirements.

    Wednesday, November 24, 2010 11:29 AM
  • Example code please if you don't mind.

    Basically, if the client IP is coming from the corporate network then they wish to have a trunk with just username and password.

    If they come from any other device they will be redirected to the trunk with 2FA requirements.

    Hi Darren,

    You should like my code then, as it does exactly that! Actually, it differs slightly, as it uses a single portal and modifies the available repositories accordingly rather than using two different portals. Modify the AD and 2FA repository names in the code to match your own names.

    [portalname]1login.inc file:

    <!-- #include virtual="/internalsite/inc/customupdate/trustedip.inc" -->
    <%
    'Check for trunk authentication not SSO
    If g_login_type = RESOURCE_OPERATION_LOGIN then

        'Source address UAG recorded for this session
        g_Source_IP=getsessionparam(g_cookie,"SourceIP")

        'Compare the session address against each trustedip.inc entry as text.
        'Exact entries are bracketed with "b"/"e" so 1.1.1.1 cannot prefix-match 1.1.1.10;
        'wildcard entries keep the text before the first "*" and are prefix-matched.
        For each i in IP
            If inStr(i,"*")>0 then
                ListIP = "b" + (mid(i,1,inStr(i,"*")-1))
                SourceIP = "b" + g_Source_IP
            else
                ListIP = "b" + i + "e"
                SourceIP = "b" + g_Source_IP + "e"
            End if

            'If IP address match is found, set repository to AD
            If inStr(SourceIP,ListIP)=1 then
                repositories.NameVec = Array("AD")
                trustedip=true
            end if
        Next

        'If IP address match is not found, set repository to 2FA only
        If trustedip<>true then repositories.NameVec = Array("2FA")

    End if
    %>

    trustedip.inc file:

    <%
    'Enter the IP(#) value below which matches your last row
    Dim IP(3)
    'Enter a list of trusted IP addresses; wildcards can be used like 10.10.*.* but not /24 (cidr) notation
    IP(0)="1.1.1.1"
    IP(1)="2.2.2.2"
    IP(2)="3.3.3.3"
    IP(3)="4.4.4.4"
    %>
    

    Hope this helps!

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Proposed as answer by Ran [MSFT] Wednesday, November 24, 2010 3:14 PM
    Wednesday, November 24, 2010 2:52 PM
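
    As an added illustration, not code from this thread or from UAG, the Python below models the string-matching loop of the 1login.inc above against a constructed trustedip.inc list, so the effect of the "b"/"e" sentinels and of wildcard prefixes can be checked outside UAG; `cidr_matches` is an assumed alternative showing how a CIDR check, which the thread notes the wildcard format cannot express, would behave differently.

```python
import ipaddress

# Constructed stand-in for the thread's trustedip.inc: exact IPv4 entries or
# wildcard patterns such as "10.10.*.*" (the format supports no CIDR notation).
TRUSTED_IP = ["1.1.1.1", "2.2.2.2", "10.10.*.*", "192.168.10.51"]


def list_matches(source_ip, patterns):
    """Model of the VBScript For Each loop in 1login.inc.

    Each entry is compared against the session's SourceIP as text. Exact
    entries are bracketed with 'b' and 'e' so that "1.1.1.1" cannot match
    "1.1.1.10" by prefix; wildcard entries keep the text before the first
    '*' and are matched as a bare prefix (inStr(SourceIP, ListIP) = 1).
    """
    for entry in patterns:
        if "*" in entry:
            list_ip = "b" + entry[: entry.index("*")]
            src = "b" + source_ip
        else:
            list_ip = "b" + entry + "e"
            src = "b" + source_ip + "e"
        if src.startswith(list_ip):
            return True
    return False


def repositories_for(source_ip, patterns, trusted=("AD", "2FA"), fallback=("2FA",)):
    """Repository selection performed by 1login.inc: both repositories for a
    trusted source address, only the 2FA repository for anything else."""
    return list(trusted if list_matches(source_ip, patterns) else fallback)


def cidr_matches(source_ip, networks):
    """Assumed alternative check using CIDR networks, which the wildcard
    format of trustedip.inc cannot express (e.g. a /23 or a /27)."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in networks)


if __name__ == "__main__":
    for ip in ("1.1.1.1", "1.1.1.10", "10.10.5.6", "10.100.1.1"):
        print(ip, list_matches(ip, TRUSTED_IP), repositories_for(ip, TRUSTED_IP))
    # A short wildcard is only a text prefix: "10.1*" also admits 10.100.x.x and 10.1x.x.x.
    print("10.100.1.1 vs 10.1*:", list_matches("10.100.1.1", ["10.1*"]))
    print("10.100.1.1 vs 10.10.0.0/16:", cidr_matches("10.100.1.1", ["10.10.0.0/16"]))
```

    Note that the whole decision rests on the SourceIP value UAG stored in the session, so the trusted list is only as reliable as that recorded address and should be kept to complete octets (10.10.*.*) rather than partial ones (10.1*).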
  • That looks brill, thank you. On the trunk though, what repositories would I set up for authentication, or do you let the script manage that? Can I also have it so that it could be AD and 2FA?
    Wednesday, November 24, 2010 3:38 PM
  • You will need to create an AD repository and replace the "AD" entry in the script with your new repository name. If you want an internal user to see both repositories you can amend the code as follows:

    <!-- #include virtual="/internalsite/inc/customupdate/trustedip.inc" -->
    <%
    'Check for trunk authentication not SSO
    If g_login_type = RESOURCE_OPERATION_LOGIN then

        g_Source_IP=getsessionparam(g_cookie,"SourceIP")

        For each i in IP
            If inStr(i,"*")>0 then
                ListIP = "b" + (mid(i,1,inStr(i,"*")-1))
                SourceIP = "b" + g_Source_IP
            else
                ListIP = "b" + i + "e"
                SourceIP = "b" + g_Source_IP + "e"
            End if

            'If IP address match is found, set repository to AD or 2FA
            If inStr(SourceIP,ListIP)=1 then
                repositories.NameVec = Array("AD", "2FA")
                trustedip=true
            end if
        Next

        'If IP address match is not found, set repository to 2FA only
        If trustedip<>true then repositories.NameVec = Array("2FA")

    End if
    %>

    You will also need to create a 2FA repository for your 2FA needs (RADIUS or RSA SecurID probably) and replace the "2FA" entry in the script with your repository name...

    So, in the real world, maybe AD = Internal Users, 2FA = RSA SecurID and the code would be:

    <!-- #include virtual="/internalsite/inc/customupdate/trustedip.inc" -->
    <%
    'Check for trunk authentication not SSO
    If g_login_type = RESOURCE_OPERATION_LOGIN then

        g_Source_IP=getsessionparam(g_cookie,"SourceIP")

        For each i in IP
            If inStr(i,"*")>0 then
                ListIP = "b" + (mid(i,1,inStr(i,"*")-1))
                SourceIP = "b" + g_Source_IP
            else
                ListIP = "b" + i + "e"
                SourceIP = "b" + g_Source_IP + "e"
            End if

            'If IP address match is found, set repository to Internal Users or RSA SecurID
            If inStr(SourceIP,ListIP)=1 then
                repositories.NameVec = Array("Internal Users", "RSA SecurID")
                trustedip=true
            end if
        Next

        'If IP address match is not found, set repository to RSA SecurID only
        If trustedip<>true then repositories.NameVec = Array("RSA SecurID")

    End if
    %>

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Wednesday, November 24, 2010 5:49 PM
    Wednesday, November 24, 2010 3:52 PM
  • I don't seem to be able to get this running. In the trunk authentication, what do you have to have set as the repositories?

    Probably being really stupid here, so I apologise in advance.

    trustedip.inc file:

    <%
    'Enter the IP(#) value below which matches your last row
    Dim IP(3)
    'Enter a list of trusted IP addresses; wildcards can be used like 10.10.*.* but not /24 (cidr) notation
    IP(0)="1.1.1.1"
    IP(1)="2.2.2.2"
    IP(2)="3.3.3.3"
    IP(3)="192.168.10.51"
    %>
    
    Wednesday, November 24, 2010 9:17 PM
  • Have you got a working system before trying to do any of the customisations? What have you called your repositories? How is the trunk configured for authentication?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, November 24, 2010 11:26 PM
  • Yes, the system is working without these customisations. I will have to change your code to do redirection due to having Swivel PINsafe as the 2FA product, which changes the default login page. So on the trunk where I have 2FA I have "Telstar AD" and "PINsafe" showing under the authentication.

    I can do a straight redirect, but the code for getting and matching the SourceIP and trusted IP doesn't seem to be functioning. How are you getting the SourceIP? I don't think that is working :(

    Thursday, November 25, 2010 10:01 AM
  • I have that code in production and working with a customer, so it should function ok...the code was also validated by a friend @ MS before going into production.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, November 25, 2010 11:00 AM
  • I'll keep trying. Thanks for your help though so far
    Thursday, November 25, 2010 12:56 PM
  • No probs, always good to share :)

    Let us know what (in detail) you're trying and we can make sure you are looking good...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, November 25, 2010 12:58 PM
  • I did get it working in the end; I found an End if missing. I got it to redirect to a different portal if you connected with a trusted IP etc.

    Thanks for your help on this

    Friday, November 26, 2010 4:06 PM
  • Happy to share your code then?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, November 26, 2010 4:24 PM
  • Apologies for the late reply, quite busy and the Forum alerts don't seem to be working.

    Here is the code I used:

    <!-- #include virtual="/internalsite/inc/customupdate/trustedip.inc" -->
    <%
    'Check for trunk authentication not SSO
    If g_login_type = RESOURCE_OPERATION_LOGIN then

        g_Source_IP=getsessionparam(g_cookie,"SourceIP")

        For each i in IP
            If inStr(i,"*")>0 then
                ListIP = "b" + (mid(i,1,inStr(i,"*")-1))
                SourceIP = "b" + g_Source_IP
            else
                ListIP = "b" + i + "e"
                SourceIP = "b" + g_Source_IP + "e"
            End if

            'If IP address match is found, redirect the trusted client to the other portal
            If inStr(SourceIP,ListIP)=1 then
                Response.Redirect("<UAG URL>")
                trustedip=true
            end if
        Next
    End if
    %>

    Tuesday, April 26, 2011 6:48 AM