TMGByPass

From AFP548 Wiki

Work In Progress:

On our campus, we have a Microsoft Threat Management Gateway (TMG, the successor to ISA Server, if I recall correctly) that provides single sign-on for non-domain computers. Basically, DNS points our various service names at the TMG server. Domain computers don't need that, so on *nix clients the /etc/hosts file is modified to point directly at the service itself (e.g. the SharePoint web cluster instead of the TMG address). The solution I've come up with seems to work fine moving from any connection to any connection, including VPN. The only known issue at this time is that when disconnecting from the VPN, it doesn't retrigger and pull the entries out of the hosts file. I think it does trigger, but the VPN hasn't finished disconnecting by the time the script runs, so the ping succeeds. I probably just need to add a timeout in there, but I haven't tried it yet.

Oh, and there is basic logging to /var/log/tmgbypass

The LaunchDaemon plist goes in /Library/LaunchDaemons:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>edu.pct.tmgbypass</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/local/bin/tmgbypass.sh</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>WatchPaths</key>
	<array>
		<string>/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist</string>
	</array>
</dict>
</plist>

The LaunchDaemon watches the SMB server preferences file, as I found the system likes to rewrite it when the machine switches between .local, .domain.com, etc.

The wrapper script goes in /usr/local/bin:

#!/bin/sh
# PRESULT is 1 when the internal host answers (on network) and 0 when it doesn't (off network)
PRESULT=`ping -c1 -i1 internalserver.pct.edu 2>/dev/null | grep -c "1 packets received"`
if [ "${PRESULT}" -eq 0 ]; then
	# Off network: check whether on-network entries (lines tagged #pct) are still in /etc/hosts
	if [ `grep -c "#pct" /etc/hosts` -gt 0 ]; then
		echo "Removing Entries" >> /var/log/tmgbypass
		# Remove the on-network entries, then swap the rewritten file into place
		#echo "Remove PCT Entries"
		sed '/#pct/d' /etc/hosts > /etc/hosts.new
		rm /etc/hosts
		mv /etc/hosts.new /etc/hosts
		chmod 644 /etc/hosts
	fi
	# Exit, as nothing more to do
	echo "Nothing to do" >> /var/log/tmgbypass
	exit
else
	# PRESULT is 1, meaning we're on network
	# Append the entries only if they aren't already present
	if [ `grep -c "#pct" /etc/hosts` -eq 0 ]; then
		# sed 's/$/ #pct/' hosts.pct # Saving for future use
		echo "Adding Entries" >> /var/log/tmgbypass
		cat /etc/hosts.pct >> /etc/hosts
	else
		echo "Entries Exist" >> /var/log/tmgbypass
	fi
fi

You're going to want to change the address that's used for the ping to something that's only reachable internally on your network. The on-network entries live in /etc/hosts.pct (the file the script appends to /etc/hosts) and look like this:

10.133.1.1	server1.pct.edu server1 #pct
10.133.1.2	server2.pct.edu server2 #pct
10.133.1.3	server3.pct.edu server3 #pct

The key to all of this is the #pct tag at the end of each hosts entry. If you look through the script, it matches on that tag and uses the match to remove the entries again. You can change it to whatever you want, but make sure to change every instance of it in both the wrapper script and the hosts.pct file.
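As an added example (not the wiki's script), here is the same toggle with the hosts-file edits factored into functions that take file paths as arguments, so they can be exercised on a scratch copy, plus the check a practitioner wants: every line in the entries file must carry the tag, otherwise a line could be added that the removal step can never take out again. The argument order of main_check, the LOG override and the 2-second ping timeout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original tmgbypass.sh. Same on/off-network idea,
# but each step is a function working on the paths it is given, the entries
# file is validated before it is appended, and the rewrite is atomic.
# Assumed: main_check PROBE_HOST HOSTS_FILE ENTRIES_FILE; LOG may be overridden.
TAG="#pct"
LOG="${LOG:-/var/log/tmgbypass}"
log() { echo "$(date '+%F %T') $*" >> "$LOG"; }

# Number of tagged lines in the hosts file (0 if the file is missing).
tagged_count() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c "$TAG" "$1" || true
}

# Append the entries file once. Refuse if any line (blank lines included)
# lacks the tag, because remove_entries could never take that line out again.
add_entries() {
    hosts="$1"; entries="$2"
    if grep -qv "$TAG" "$entries"; then
        echo "refusing: $entries contains a line without $TAG" >&2
        return 1
    fi
    [ "$(tagged_count "$hosts")" -gt 0 ] && return 0   # already present, no-op
    cat "$entries" >> "$hosts"
}

# Drop every tagged line, writing via a temp file and mv so no reader of the
# hosts file ever sees a half-written copy.
remove_entries() {
    hosts="$1"; tmp="${hosts}.new"
    sed "/${TAG}/d" "$hosts" > "$tmp" && mv "$tmp" "$hosts" && chmod 644 "$hosts"
}

# Reachability probe. -t is the macOS ping's overall timeout in seconds
# (iputils on Linux spells that -W), so a VPN still tearing down cannot hang us.
on_network() { ping -c1 -t2 "$1" >/dev/null 2>&1; }

main_check() {
    if on_network "$1"; then
        add_entries "$2" "$3" && log "on network: entries present"
    else
        remove_entries "$2" && log "off network: entries removed"
    fi
}

# Only act when invoked with the three arguments, e.g.
#   tmgbypass2.sh internalserver.pct.edu /etc/hosts /etc/hosts.pct
if [ "$#" -eq 3 ]; then main_check "$@"; fi
```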