Microsoft UAG 2010: Authorize users to Access Applications based on their IP address

This is an unusual configuration I worked on with one of our customers, who wanted users to be authorized to access applications in the portal only if they were coming in from a valid IP range. I thought it would be good to publish it so people out there can use the script and extend it. Note that the script I am publishing is in its raw state, so tweaking may be required before using it in production.

To implement this scenario, we need the following:

1. Create an authentication repository of type “Other” in UAG and name it IPAUTH.

2. Copy repository.inc from C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples to C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate and rename it to IPAUTH.inc.

3. Paste the following script into Notepad and save it as PostPostValidate.inc in the C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate folder:

<%
' PostPostValidate.inc
' Runs after the user has authenticated to the portal. If the session's source IP
' address falls inside one of the trusted ranges below, the session is also marked
' as authenticated against the IPAUTH repository. If it does not, nothing is added,
' so every application that lists IPAUTH under Authorization denies access.

Dim ip, IPFinal, status, i, matched
Dim RangeStart, RangeEnd

' Source IP address of the client, as recorded in the UAG session
ip = GetSessionParam(g_cookie, SOURCE_IP_PARAM)

' Convert a dotted-quad IPv4 address to a single number so that ranges can be
' compared with >= and <=. Returns -1 for anything that is not exactly four
' numeric octets in 0-255 (malformed value, IPv6 address), so that such input
' can never fall inside a trusted range.
Function ip2num(addr)
    Dim parts, j, N, octet
    ip2num = -1
    parts = Split(addr, ".")
    If UBound(parts) <> 3 Then Exit Function
    N = CDbl(0)   ' Double: 255.255.255.255 is larger than a Long can hold
    For j = 0 To 3
        If Not IsNumeric(parts(j)) Then Exit Function
        octet = CLng(parts(j))   ' CLng("010") is 10; leading zeros are decimal, not octal
        If octet < 0 Or octet > 255 Then Exit Function
        N = N * 256 + octet
    Next
    ip2num = N
End Function

IPFinal = ip2num(ip)

' Trusted ranges as inclusive start/end pairs; element i of RangeStart pairs with
' element i of RangeEnd. Change these to the ranges for your environment.
RangeStart = Array("010.000.000.000", "172.016.000.000", "192.168.097.000")
RangeEnd   = Array("010.255.255.255", "172.031.255.255", "192.168.255.255")

matched = False
If IPFinal >= 0 Then
    For i = 0 To UBound(RangeStart)
        If IPFinal >= ip2num(RangeStart(i)) And IPFinal <= ip2num(RangeEnd(i)) Then
            matched = True
            Exit For
        End If
    Next
End If

If matched Then
    ' Add the authenticated session to the IPAUTH repository
    status = AddSessionUser(g_cookie, user_name, password, "IPAUTH")
    HEAVY_TRACE "The source IP address " & ip & " is from a trusted network"
Else
    HEAVY_TRACE "The source IP address " & ip & " is not in a trusted range; IPAUTH not added"
End If
%>
4. Add the IPAUTH repository under the Authorization settings of every application for which UAG should enforce the IP check.

How it works

When a user logs into the UAG portal, PostPostValidate.inc reads SOURCE_IP_PARAM from the session, which is the source IP address of the user’s computer as seen by UAG, and compares it with the ranges defined in the script (change those to the ranges for your environment). If the address falls inside one of the ranges, the script calls AddSessionUser to mark the user’s session as authenticated against the IPAUTH repository; otherwise the session is left as it is. When the user later clicks an application whose Authorization settings include IPAUTH, access is granted only if the session was added to IPAUTH, and denied otherwise.

A few things to check before using this in production. The check is only as good as the address UAG sees: if clients reach UAG through a NAT device, load balancer or proxy that rewrites the source address, all of them will appear to come from that device and will either all pass or all fail. The sample ranges cover the whole 10.0.0.0/8 and 172.16.0.0/12 private blocks plus 192.168.97.0 to 192.168.255.255 (which is not a single CIDR block), so narrow them to the subnets that should actually be trusted. Anything that is not a plain IPv4 dotted quad, such as an IPv6 address, is not added to IPAUTH, so those users are denied the IPAUTH applications rather than let through.
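To confirm which client addresses a given set of ranges admits before touching the UAG server, here is a stand-alone model of the script’s comparison, written in Python (added for this page; it is not part of the UAG script above and calls no UAG API, so ip2num, is_trusted and range_to_cidrs are names chosen here). It folds the address the same way as the script’s ip2num, rejects anything that is not four decimal octets (the VBScript would instead compute a number that happens to fall outside the ranges, or fail on a non-numeric octet), and uses the standard ipaddress module to show what each inclusive start/end pair really covers as CIDR blocks. The three ranges are the ones from the script; replace them with your own.

```python
"""Offline model of the IPAUTH source-address check, for testing trusted ranges.

Mirrors the comparison the UAG PostPostValidate.inc script performs (dotted quad
folded into one number, inclusive start/end pairs) so you can see which client
addresses would be granted IPAUTH before copying the ranges into the script.
"""
import ipaddress

# The three start/end pairs from the UAG script, exactly as written there
# (zero-padded octets, inclusive bounds). Replace with your own ranges.
TRUSTED_RANGES = [
    ("010.000.000.000", "010.255.255.255"),
    ("172.016.000.000", "172.031.255.255"),
    ("192.168.097.000", "192.168.255.255"),
]


def ip2num(addr):
    """Fold a dotted-quad IPv4 string into one integer, like the script's ip2num.

    Returns None for anything that is not exactly four ASCII-decimal octets in
    0-255 (fewer/more octets, empty octets, IPv6, signs, spaces), so that a
    malformed SOURCE_IP value can never fall inside a trusted range.
    """
    parts = addr.split(".")
    if len(parts) != 4:
        return None
    n = 0
    for p in parts:
        if not (p.isascii() and p.isdigit()):   # rejects "", "-1", " 10", "1e2"
            return None
        octet = int(p, 10)                       # "010" is 10: decimal, not octal
        if octet > 255:
            return None
        n = n * 256 + octet
    return n


def is_trusted(addr, ranges=TRUSTED_RANGES):
    """True if addr lies inside any inclusive (start, end) pair in ranges."""
    n = ip2num(addr)
    if n is None:
        return False
    for lo, hi in ranges:
        lo_n, hi_n = ip2num(lo), ip2num(hi)
        if lo_n is None or hi_n is None:
            # A bad bound is a misconfiguration; surface it instead of silently skipping
            raise ValueError(f"bad range bound: {lo!r} - {hi!r}")
        if lo_n <= n <= hi_n:
            return True
    return False


def range_to_cidrs(lo, hi):
    """Express an inclusive start/end pair as the CIDR blocks it really covers.

    ipaddress rejects zero-padded octets, so the bounds are normalised first.
    """
    def norm(s):
        return ipaddress.IPv4Address(".".join(str(int(p, 10)) for p in s.split(".")))
    return [str(net) for net in ipaddress.summarize_address_range(norm(lo), norm(hi))]


if __name__ == "__main__":
    for lo, hi in TRUSTED_RANGES:
        print(f"{lo} - {hi}: {', '.join(range_to_cidrs(lo, hi))}")
    # Constructed sample addresses: in-range, boundary, malformed and IPv6 cases
    for test in ["10.1.2.3", "172.31.255.254", "172.32.0.1", "192.168.96.255",
                 "192.168.97.0", "010.000.000.001", "10.1.2", "10.1.2.3.4",
                 "10.1.2.256", "2001:db8::1", ""]:
        print(f"{test!r:20} -> {'IPAUTH' if is_trusted(test) else 'denied'}")
```

Running it prints, for each range, the CIDR blocks it covers (the 192.168 range expands to six blocks from 192.168.97.0/24 up to 192.168.128.0/17) and then whether each sample address would be added to IPAUTH; addresses just below a range start, with a fifth octet, with an octet above 255, or in IPv6 form all come out as denied.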

Hope this helps

Cheers !!