Microsoft KB Archive/902348

= There are no user-defined ICMP protocols displayed in the New Access Rule Wizard in ISA Server 2004, Enterprise Edition =

Article ID: 902348

Article Last Modified on 12/4/2007


APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition






SYMPTOMS
On a computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2004, Enterprise Edition, you open the New Access Rule Wizard. Then, in the wizard Protocols list, you try to select user-defined Internet Control Message Protocol (ICMP) protocols. However, there are no user-defined ICMP protocols displayed in the Protocols list.

Note You may not experience this symptom if the user-defined protocols are currently used in an existing enterprise-level access rule.



CAUSE
User-defined ICMP protocols are filtered out of the Protocols list if the protocols are not currently used in an existing enterprise-level access rule.



WORKAROUND
To work around this problem, use one of the following methods.

Method 1

 * 1) Create an array-level policy rule by using enterprise rule elements.

Note For more information about how to use enterprise rule elements to create an array-level policy rule, see ISA Server Help.
 * 2) After you create an array-level policy rule and then define a new protocol, you can manually create the same policy in each array. Or, you can export and then import the same policy to all the arrays.

Note For more information about how to export and import array configurations, see ISA Server Help.

Method 2
To work around this problem by using JScript code, follow these steps:

 * 1) Copy the following code, and then paste it into Notepad.

    /*
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    This code is Copyright (c) 2005 Microsoft Corporation.

    All rights reserved.

    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
    PARTICULAR PURPOSE.

    IN NO EVENT SHALL MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS BE
    LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
    OF THIS CODE OR INFORMATION.

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Title:        AddMtuRule.js

    Purpose:      Adds an ICMP protocol definition and rule to all Enterprise Policies
    Requirements: - ISA 2004 Enterprise
                  - Access rights to ISA for interactive account

    Run as:       cscript addmturule.js protocolname networkname
    Version:      1.0 06/15/2005 - First version

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    */

    // HRESULT 0x800700B7 (ERROR_ALREADY_EXISTS). Declared at script scope
    // because both MakeNewProtocol and MakeNewRule compare against it.
    var Exists = -2147024713;

    main();

    function main()
    {
        // Both arguments are required; see "Run as" above.
        if( WScript.Arguments.length < 2 )
        {
            WScript.Echo( "Usage: cscript addmturule.js protocolname networkname" );
            return false;
        }

        // Connect to the Configuration Storage server that holds the enterprise configuration.
        var oISA = new ActiveXObject( "FPC.Root" );
        var szCss = oISA.ConfigurationStorageServer;
        oISA.ConnectToConfigurationStorageServer( szCss );
        var oEnterprisePolicies = oISA.Enterprise.Policies;
        var oEnterpriseRuleElements = oISA.Enterprise.RuleElements;
        var ProtocolName = WScript.Arguments( 0 );
        var EnterpriseNet = WScript.Arguments( 1 );

        if( !MakeNewProtocol( oEnterpriseRuleElements, ProtocolName ) )
        {
            return false;
        }

        WScript.Echo( "Protocol Definition '" + ProtocolName + "' successfully created..." );

        // Add the access rule to every enterprise policy that accepts new rules.
        for( var inx = 1; inx <= oEnterprisePolicies.Count; inx++ )
        {
            switch( MakeNewRule( oEnterprisePolicies.Item( inx ), ProtocolName, EnterpriseNet ) )
            {
                case false:
                    return false;
                case 666:
                    continue;       //predefined policy; skip to the next one
            }
            WScript.Echo( "....Access Rule '" + ProtocolName + "' successfully created..." );
        }
        WScript.Echo( "\r\nAll Done..." );
    }

    function MakeNewProtocol( oRuleElements, ProtocolName )
    {
        var Send = 1;            //packet direction
        var Code = 4;            //ICMP code for Fragmentation needed
        var Type = 3;            //ICMP type for Destination unreachable
        var oProtocol = null;

        try
        {
            oProtocol = oRuleElements.ProtocolDefinitions.Add( ProtocolName );
        }
        catch( err )
        {
            if( err.number != Exists )
            {
                WScript.Echo( "Error " + err.number + "; " + err.description );
                return false;
            }
            return true;         //the protocol definition already exists
        }

        oProtocol.Description = "ICMP MTU Detection traffic";
        oProtocol.PrimaryConnections.AddICMP( Send, Code, Type );
        oProtocol.Save();
        return true;
    }

    function MakeNewRule( oPolicy, ProtocolName, EnterpriseNet )
    {
        var Allow = 0;
        var SpecifiedProtocols = 1;
        var EnterpriseScope = 1;
        var IncludeStatus = 0;
        var oRule = null;

        WScript.Echo( "...working in policy '" + oPolicy.Name + "'..." );
        if( oPolicy.Predefined )
        {
            WScript.Echo( "....Can't create rules in '" + oPolicy.Name + "'..." );
            return 666;          //can't do this here
        }

        try
        {
            oRule = oPolicy.PolicyRules.AddAccessRule( ProtocolName );
        }
        catch( err )
        {
            if( err.number != Exists )
            {
                WScript.Echo( "Error " + err.number + "; " + err.description );
                return false;
            }
            return true;         //a rule with this name already exists
        }

        // Allow the new protocol from the named enterprise network to Local Host for all users.
        oRule.Action = Allow;
        oRule.Description = "ICMP MTU adjustment";
        oRule.SourceSelectionIPs.EnterpriseNetworks.AddScopedItem( EnterpriseScope, EnterpriseNet, IncludeStatus );
        oRule.AccessProperties.DestinationSelectionIPs.EnterpriseNetworks.AddScopedItem( EnterpriseScope, "Local Host", IncludeStatus );
        oRule.AccessProperties.ProtocolSelectionMethod = SpecifiedProtocols;
        oRule.AccessProperties.SpecifiedProtocols.AddScopedItem( EnterpriseScope, ProtocolName, IncludeStatus );
        oRule.AccessProperties.UserSets.AddScopedItem( EnterpriseScope, "All Users", IncludeStatus );
        oRule.Save( true );
        return true;
    }

 * 2) Save this Notepad file as Addmturule.js.
 * 3) Run the following command from the same location at which you saved the code:

    cscript addmturule.js protocolname networkname

Note protocolname is the name of the new protocol that you are creating. networkname is the name of the enterprise network from which the ICMP traffic originates.
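AddMtuRule.js adds an allow rule to every enterprise policy that is not predefined, so it is worth confirming afterward which policies actually carry it. The following read-only check is an added example, not part of the original Microsoft article or script. The file name CheckMtuRule.js is hypothetical, and the script assumes that PolicyRules can be walked with the same 1-based Count/Item pattern that the KB script uses for Enterprise.Policies and that each rule exposes a Name property.

```jscript
// CheckMtuRule.js (hypothetical file name): read-only check to run after AddMtuRule.js.
// Run as: cscript checkmturule.js protocolname
// Assumptions: PolicyRules supports the same 1-based Count/Item pattern the
// KB script uses for Enterprise.Policies, and each rule exposes Name.

var Allow = 0;    // value the KB script assigns to oRule.Action

// Return the rule named RuleName in oPolicy, or null when there is none.
function FindRule( oPolicy, RuleName )
{
    var oRules = oPolicy.PolicyRules;
    for( var inx = 1; inx <= oRules.Count; inx++ )
    {
        var oRule = oRules.Item( inx );
        if( oRule.Name.toLowerCase() == RuleName.toLowerCase() )
        {
            return oRule;
        }
    }
    return null;
}

function main()
{
    if( WScript.Arguments.length < 1 )
    {
        WScript.Echo( "Usage: cscript checkmturule.js protocolname" );
        return 2;
    }
    var RuleName = WScript.Arguments( 0 );   // AddMtuRule.js names the rule after the protocol
    var oISA = new ActiveXObject( "FPC.Root" );
    oISA.ConnectToConfigurationStorageServer( oISA.ConfigurationStorageServer );
    var oPolicies = oISA.Enterprise.Policies;
    var Missing = 0;

    for( var inx = 1; inx <= oPolicies.Count; inx++ )
    {
        var oPolicy = oPolicies.Item( inx );
        var oRule = oPolicy.Predefined ? null : FindRule( oPolicy, RuleName );
        if( oPolicy.Predefined )
            WScript.Echo( oPolicy.Name + ": predefined, skipped by the KB script" );
        else if( oRule == null ) { Missing++; WScript.Echo( oPolicy.Name + ": rule MISSING" ); }
        else
            WScript.Echo( oPolicy.Name + ": rule present, " + ( oRule.Action == Allow ? "Allow" : "action " + oRule.Action ) );
    }
    return Missing > 0 ? 1 : 0;   // nonzero exit code when any policy lacks the rule
}

WScript.Quit( main() );
```

The script changes nothing in the configuration; its exit code is 1 when at least one non-predefined policy lacks the rule and 0 otherwise.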

Keywords: kbtshoot kbprb KB902348


© Microsoft Corporation. All rights reserved.