Export (0) Print
Expand All

FPCPolicyRule object

Applies to: desktop apps only

The FPCPolicyRule object represents an access rule, a server publishing rule, a Web publishing rule, or a system policy rule.

An access rule defines the action that will be taken when specific users attempt to access specific sites or content by using Forefront TMG. Forefront TMG access rules allow you to define exactly which sites and content can be accessed by clients behind the Forefront TMG computer and which protocols can be used by the clients to gain access. You can specify when an access rule is in effect by applying a schedule to it.

Server publishing processes incoming requests to internal servers, such as Simple Mail Transfer Protocol (SMTP) servers, File Transfer Protocol (FTP) servers, Structured Query Language (SQL) servers, and others. Requests are forwarded downstream to an internal server, located behind the Forefront TMG computer. Server publishing rules determine how server publishing functions, essentially filtering all incoming and outgoing requests through the Forefront TMG computer.

Server publishing rules can be used when there is a network address translation (NAT) relationship defined by a network rule (FPCNetworkRule) between the network on which the clients sending requests to the published server are located (the source network) and the network on which the published server is located (the destination network). A server publishing rule uses secure network address translation (SecureNAT), which allows requests that are sent to an IP address that is valid on the source network to reach an IP address on a protected network behind the Forefront TMG computer. The server publishing rule maps a port number and an IP address (or IP addresses) on the network adapter of the Forefront TMG computer that listens for requests from the clients to a port number and an IP address on the published server. Requests that are sent to the IP address of the Forefront TMG computer and meet the conditions specified by the rule are then redirected to the IP address of the published server. However, only requests that are identified as part of the designated protocol are processed by the server publishing rule and redirected to the published server. Note that the published server must be configured to use the Forefront TMG computer as its default gateway.

If the network rule between the client network and the network where the server is located defines a routing relationship, server publishing rules can be used, but the clients must send requests directly to the IP address of the published server. With a routing relationship, an access rule can also allow the clients to send requests directly to the IP address of a server located on a network behind the Forefront TMG computer.

The definitions of the protocol (or protocols) associated with a server publishing rule or an access rule specify the application filters that are invoked for deeper inspection when the rule allows traffic. In general, application filters can process traffic allowed by a server publishing rule or an access rule, but some application filters process traffic allowed by these types of rules differently. Note that server publishing rules must use protocols defined with inbound primary connections, while access rules usually use protocols defined with outbound primary connections.

A Web publishing rule maps public DNS names and IP addresses to the name or IP address of a Web server located behind the Forefront TMG computer and maps external paths that can be used by users in incoming requests to internal paths of directories on the published Web server. A Web publishing rule also determines how Forefront TMG should handle incoming requests for HTTP objects on the internal Web server and how Forefront TMG should respond on behalf of the internal Web server. Requests are forwarded downstream to the internal Web server. If possible, the requests are serviced from the Forefront TMG cache.

A Web publishing rule defines the response to attempts by outside users to access an internal site. Possible responses include:

  • Denying the request.
  • Delegating the request to a different internal server.

A system policy rule is a predefined rule that allows specific types of requests from the Local Host network (the Forefront TMG computer) to reach specified destinations, or allows specific types of requests from specified sources to reach the Local Host network. For more information about system policy rules, see System Policy Rules.

In an enterprise policy (an FPCPolicy object), the FPCPolicyRule object can represent only an access rule or a placeholder that specifies the ordinal position (Order) of the set of array policy rules within the set of enterprise policy rules when the enterprise policy is applied to an array. Server publishing rules and Web publishing rules cannot be created on the enterprise level. For more information about enterprise policies, see Enterprise Policies.

When an enterprise with central array management is deployed, the following restrictions apply to an array policy (an FPCArrayPolicy object).

  • Access rules that allow traffic may not be created if the enterprise administrator sets the EnableAllowRules property of the FPCPolicyAssignment object for the array to False.
  • Access rules that deny traffic may not be created if the enterprise administrator sets the EnableDenyRules property of the FPCPolicyAssignment object for the array to False.
  • Server publishing rules and Web publishing rules may not be created if the enterprise administrator sets the EnablePublishingRules property of the FPCPolicyAssignment object for the array to False.

Note  A computer running Forefront TMG Standard Edition cannot be joined to a centrally managed array.

The FPCPolicyRule object is an element of an FPCPolicyRules collection. A new FPCPolicyRule object representing an access rule can be created by calling the AddAccessRule method of this collection, a new object representing a server publishing rule can be created by calling the AddServerPublishingRule or AddServerPublishingRuleWithScopedProtocol method, and a new object representing a Web publishing rule can be created by calling the AddWebPublishingRule method.

Ff825755.bkbutton(en-us,VS.85).png Click here to see the Forefront TMG object hierarchy.

Inheritance

This object inherits from the FPCPersist object, which contains methods and properties related to the persistent storage of an object's data. They include methods for exporting the object's data to and importing it from an XML document.

Members

The FPCPolicyRule object has these types of members:

Methods

The FPCPolicyRule object has these methods.

MethodDescription
FindMatchedElements

Finds matched elements.

SetAppliesAlways

Sets the rule to apply at all times regardless of the ScheduleUsed property.

SetLimitSourcePortRange

Sets the lower and upper limits of the range of source port numbers to which the rule applies.

SetPolicyGroup

Assigns the policy rule to a policy group.

SetSchedule

Sets the schedule for the rule.

SetScopedSchedule

Sets the scope and name of the schedule to be used by the rule.

 

Properties

The FPCPolicyRule object has these properties.

PropertyAccess typeDescription

AccessProperties

Read-only

Gets an FPCAccessProperties object that specifies a set of properties of the policy rule when the rule is configured as an access rule.

Action

Read/write

Gets or sets a value from the FpcPolicyRuleActions enumerated type that specifies whether the rule allows or denies requests.

AppliesAlways

Read-only

Gets a Boolean value that indicates whether the rule applies at all times.

Description

Read/write

Gets or sets the description of the rule.

Enabled

Read/write

Gets or sets a Boolean value that indicates whether the rule is enabled.

EnableLogging

Read/write

Gets or sets a Boolean value that indicates whether the rule is enabled for logging.

Group

Read/write

Gets or sets a value from the FpcPolicyRuleGroups enumerated type that specifies the group to which the policy rule belongs.

IsDefault

Read-only

Gets a Boolean value that indicates whether the rule is preinstalled, and cannot be deleted or have its position changed in the rule order.

LimitSourcePortHigh

Read-only

Gets the upper limit of the range of source port numbers to which the rule applies.

LimitSourcePortLow

Read-only

Gets the lower limit of the range of source port numbers to which the rule applies.

MalwareInspectionProperties

Read-only

Gets an FPCMalwareInspectionProperties object that contains the malware inspection settings for the rule.

Name

Read/write

Gets or sets the name of the rule.

Order

Read-only

Gets the rule's position in the list of policy rules, which corresponds to their order of application.

PolicyGroupUsed

Read-only

Gets an FPCRef object that references the FPCPolicyGroup object representing the policy group to which the rule belongs.

ScheduleUsed

Read-only

Gets an FPCRef object that references the FPCSchedule object used to define the actual times when the rule applies.

ServerPublishingProperties

Read-only

Gets an FPCServerPublishingProperties object that specifies a set of properties of the policy rule when the rule is configured as a server publishing rule.

SourceSelectionIPs

Read-only

Gets an FPCSelectionIPs object that specifies the complete set of source IP addresses to which the rule applies.

System

Read-only

Gets a Boolean value that indicates whether the rule is a system policy rule.

SystemPolicyGroupId

Read-only

Gets a value from the FpcSystemPolicyConfigGroupEnum enumerated type that identifies the system policy configuration group to which the rule belongs.

Type

Read-only

Gets a value from the FpcPolicyRuleTypes enumerated type that indicates whether the policy rule is an access rule, a server publishing rule, or a Web publishing rule.

VendorSystemPolicyRule

Read-only

Gets a Boolean value that indicates whether the rule is a system policy rule that was added by a vendor or a third-party filter.

WebPublishingProperties

Read-only

Gets an FPCWebPublishingProperties object that specifies a set of properties of the policy rule when the rule is configured as a Web publishing rule.

 

Methods Inherited from FPCPersist

NameDescription
CancelWaitForChanges Cancels the registration established by the WaitForChanges method (for use in C and C++ programming only).
CanImport Returns a Boolean value that indicates whether the object's properties can be imported from the specified XML document.
Export Recursively writes the stored values of all the properties of the object and its subobjects to the specified XML document.
ExportToFile Recursively writes the stored values of all the properties of the object and its subobjects to the specified XML file.
GetServiceRestartMask Retrieves a 32-bit bitmask of the FpcServices enumerated type that specifies which services need to be restarted for currently unsaved changes to take effect.
Import Recursively copies the values of all the properties of the object and of its subobjects from the specified XML document to persistent storage.
ImportFromFile Recursively copies the values of all the properties of the object and of its subobjects from the specified XML file to persistent storage.
LoadDocProperties Provides the XML document's properties so that you can know what information can be imported from the document.
Refresh Recursively reads the values of all the properties of the object and of its subobjects from persistent storage, overwriting any changes that have not been saved.
Save Recursively writes the current values of all the properties of the object and its subobjects to persistent storage.
WaitForChanges Registers to wait for an event indicating that the contents of the object have changed (for use in C and C++ programming only).

 

Properties Inherited from FPCPersist

NameDescription
PersistentName Gets the persistent name of the object. The persistent name of an object is a name that is unique for the object at the respective level of the COM object hierarchy.
VendorParameterSets Gets an FPCVendorParametersSets collection that can hold sets of custom data for extending the object.

 

Interfaces for C++ Programming

This object implements the IFPCPolicyRule, IFPCEEPolicyRule, IFPCPolicyRule2, IFPCPolicyRule3, and IFPCPolicyRule4 interfaces.

Requirements

Minimum supported client

Windows Vista, None supported

Minimum supported server

Windows Server 2008 R2, Windows Server 2008 with SP2 (64-bit only)

Version

Forefront Threat Management Gateway (TMG) 2010

IDL

Msfpccom.idl

See also

COM Objects

 

 

Build date: 7/12/2010

Community Additions

ADD
Show:
© 2014 Microsoft