In a previous blog post, I detailed how to create a custom application template to perform a special drive-mapping. Later on, I posted another one, which offers a way to use the “relay” template format to run a VBScript that can do other things.
The “relay” template is one of the most powerful features of UAG and IAG, because it’s so customizable. You can use it to run pretty much any BATCH command on the client, and using the method I suggested back then, you can use the batch commands to generate a dynamic VBScript file, which is even more powerful. There are some limitations to this, because when using the ECHO batch command to generate the file, you can’t use the & sign (the CMD interpreter uses that to link commands, so it will think the text after the sign is a new command). This means you can’t combine variables like you’re used to if you’re a veteran VBScript writer. Instead, you can use the + sign.
Another challenge this method has is that on Vista and Windows 7 systems, the OS is protected by the UAC system against most of the really interesting modifications you may want to make. The good news is that there IS a way around that by using some tricky code:
If WScript.Arguments.length =0 Then
This little trick causes the VBScript engine to invoke the UAC confirmation dialog, and if the user approves it, it will execute your violent code.
The way to make use of this for your purposes is this:
1. You write the VBScript that does what it is you need, and test it properly on some client. You need to be sure to avoid using the & sign.
2. You convert the code to a dynamic CMD processing format, using the ECHO command to push the VB commands into a file generated in the system’s TEMP folder. For example:
@echo wscript.sleep 500 >>%temp%\DoMyBidding.vbs
Note that I use the @ sign so that the user won’t see what’s happening, because this is being processed in a visible CMD window on the client. Also, I use the >> symbol to APPEND this content to the file I’m generating. I would use just one > in the 1st line of the batch so as to make sure the file is overwritten initially (because the user may run this app multiple times). I’m also putting the file in the %temp% folder, because it’s freely writeable and so I don’t have to worry about permissions.
3. You add a line to actually RUN the file using the silent CSCRIPT interpreter:
4. You put all that into a custom SSL-VPN template based on the relay format. To do so, you create a new text file, and paste this into it, updating the relevant part with your code from steps 1-3:
***Your Code from step 1-3 comes here***
You save this file under the name SSLVPNTemplates.xml in the folder <UAG Folder>\von\conf\CustomUpdate
The <UAG Folder> is typically c:\Program Files\Microsoft Forefront Unified Access Gateway
5. You have to CLOSE the UAG console before continuing!!!
6. You create a custom Wizard template to call the new relay template you just created. To do so, you create a new text file, and paste this into it:
You save this file under the name WizardDefaultParam.ini in the folder <UAG Folder>\von\conf\WizardDefaults\CustomUpdate
7. You re-open the UAG configuration console, and you should now see the new application template appear in the Client/Server and Legacy application list container. When you create a new application based on that template, you are asked to fill in various details, but don’t worry about it – other than the application’s name, the rest has no bearing on what the application actually does, so you can fill in bogus data.
8. Don’t forget that you can set this app to launch automatically with the portal login, if it performs something all your users need to do.
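Steps 1 and 2 can be checked mechanically before the batch lines go into the template. The following Python helper is an added example, not part of the original post: it turns a tested VBScript into the @echo lines of step 2 and refuses any line the CMD interpreter would misparse. The function name, the sample script and the checks beyond the & sign (other CMD special characters, unbalanced quotes) are assumptions of this example.

```python
# Added example (not from the original post): build the @echo lines of step 2.
CMD_SPECIAL = set("&|<>^%")  # '&' is named in the post; the rest is this example's addition
TARGET = r"%temp%\DoMyBidding.vbs"  # file name taken from the post's own ECHO line


def vbs_to_echo_lines(vbs_source, target=TARGET):
    """Return one '@echo ... >file' batch line per non-blank VBScript line."""
    batch = []
    for number, raw in enumerate(vbs_source.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # a bare ECHO prints the echo state instead of a blank line
        found = sorted(CMD_SPECIAL.intersection(line))
        if found:
            # Conservative check: rejected even if the character sits inside quotes.
            raise ValueError(f"line {number}: {''.join(found)} would be interpreted by CMD")
        if line.count('"') % 2:
            # An unclosed quote makes CMD treat the redirection as literal text.
            raise ValueError(f"line {number}: unbalanced double quote")
        # '>' overwrites the file on the first line, '>>' appends afterwards.
        redirect = ">" if not batch else ">>"
        batch.append(f"@echo {line} {redirect}{target}")
    return batch


# Constructed sample script; '+' joins the strings, as the post recommends.
SAMPLE_VBS = '''greeting = "Hello, " + "world"

wscript.echo greeting
wscript.sleep 500
'''

if __name__ == "__main__":
    print("\n".join(vbs_to_echo_lines(SAMPLE_VBS)))
```

A script that still contains an & fails with a ValueError naming the line, so the problem is caught before the template reaches a client.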
To conclude this, here’s a sample of a complete SSL-VPN template that I created recently. It changes the DNS settings on the client to point it to a specific public DNS server, instead of the user’s default one: