Network security discovery

Microsoft.Forefront.UAG.DirectAccess.NetworkSecurityDiscovery (Discovery)

The Network Security component uses IPsec policies for authentication and encryption of DirectAccess connections. Discovery of the Network Security component happens only if the machine is discovered as a DirectAccess server. Discovery occurs when the following event is generated: STATUS_IPSEC_DOSP_INSTALLED (ID: 1020), Event Source: Microsoft-Windows-WFP, Event Log Channel: Microsoft-Windows-WFP/Operational.

Knowledge Base article:

Summary

The Network Security component uses IPsec policies for authentication and encryption of DirectAccess connections. Multiple policies can be applied to a computer simultaneously, each providing a different function. The result of all of these policies working together is a DirectAccess client that can securely communicate with the DirectAccess server and intranet servers.

Configuration

Discovery of the Network Security component happens only if the machine is discovered as a DirectAccess server. Discovery happens when the following event is generated: STATUS_IPSEC_DOSP_INSTALLED (ID: 1020), Event Source: Microsoft-Windows-WFP, Event Log Channel: Microsoft-Windows-WFP/Operational.

Element properties:

Target: Microsoft.Forefront.UAG.DirectAccess
Enabled: True
Frequency: 14400
Remotable: False

Object Discovery Details:

Discovered Classes and their attributes:

Member Modules:

ID: PSScript
Module Type: DataSource
TypeId: System.CommandExecuterDiscoveryDataSource
RunAs: Default

Source Code:

<Discovery ID="Microsoft.Forefront.UAG.DirectAccess.NetworkSecurityDiscovery" Enabled="true" Target="Microsoft.Forefront.UAG.DirectAccess" ConfirmDelivery="true" Remotable="true" Priority="Normal">
  <Category>Discovery</Category>
  <DiscoveryTypes>
    <DiscoveryClass TypeID="Network_Security_Class"/>
  </DiscoveryTypes>
  <DataSource ID="PSScript" TypeID="System!System.CommandExecuterDiscoveryDataSource">
    <IntervalSeconds>14400</IntervalSeconds>
    <ApplicationName>%windir%\system32\windowspowershell\v1.0\powershell.exe</ApplicationName>
    <WorkingDirectory/>
    <CommandLine>-Command "Set-ExecutionPolicy Unrestricted -Scope Process -Force; .\NetworkSecurityDiscoveryProvider.ps1 '$Target/Id$' '$MPElement$' '$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$'"</CommandLine>
    <SecureInput/>
    <TimeoutSeconds>300</TimeoutSeconds>
    <RequireOutput>true</RequireOutput>
    <Files>
      <File>
        <Name>NetworkSecurityDiscoveryProvider.ps1</Name>
        <Contents><Script>
# Arguments supplied by the discovery command line:
# target ID, management pack element ID, computer principal name.
$Target = $args[0]
$Element = $args[1]
$ComputerID = $args[2]

$scomapi = new-object -comObject "MOM.ScriptAPI"
$scomapi.LogScriptEvent("Microsoft.Forefront.UAG", 100, 4, "PowerShell script NetworkSecurityDiscoveryProvider.ps1 executed.")
$scomapi.LogScriptEvent("Microsoft.Forefront.UAG", 100, 4, "Got parameters Target=[$Target], Element=[$Element], ComputerID=[$ComputerID]")

$DiscData = $scomapi.CreateDiscoveryData(0, $Element, $Target)

try
{
    # Read the four most recent WFP events with ID 1020 or 1021.
    # @() keeps a single result as an array, so .Count is reliable on PowerShell 2.0.
    $Events = @(Get-WinEvent -FilterHashtable @{LogName = "Microsoft-Windows-WFP/Operational"; ID = 1020,1021;} -MaxEvents 4)
    if ($Events.Count -gt 0)
    {
        $scomapi.LogScriptEvent("Microsoft.Forefront.UAG", 100, 4, "Found [$($Events.Count)] events with ID 1020,1021.")
        # Get-WinEvent returns the newest event first, so index 0 is the most recent one.
        if ($Events[0].Id -eq 1020)
        {
            $scomapi.LogScriptEvent("Microsoft.Forefront.UAG", 100, 4, "Most recent event is 1020. Network Security class discovered.")
            $Instance = $DiscData.CreateClassInstance("$MPElement[Name='Network_Security_Class']$")
            $Instance.AddProperty("$MPElement[Name='Windows!Microsoft.Windows.Computer']/PrincipalName$", $ComputerID)
            $Instance.AddProperty("$MPElement[Name='System!System.Entity']/DisplayName$", "Network security")
            $Instance.AddProperty("$MPElement[Name='Microsoft.Forefront.UAG.DirectAccess']/ID$", $ComputerID)
            $DiscData.AddInstance($Instance)
        }
        else
        {
            $scomapi.LogScriptEvent("Microsoft.Forefront.UAG", 100, 4, "Most recent event is 1021. Network Security class is not discovered.")
        }
    }
    else
    {
        $scomapi.LogScriptEvent("Microsoft.Forefront.UAG", 100, 4, "Could not find any events with ID 1020,1021.")
    }
}
catch
{
    $scomapi.LogScriptEvent("Microsoft.Forefront.UAG", 100, 1, "Error occured at PowerShell script NetworkSecurityDiscoveryProvider.ps1. Error: $($Error[0])")
}

# Return the discovery data (empty if the class was not discovered) to Operations Manager.
$scomapi.Return($DiscData)
$scomapi.LogScriptEvent("Microsoft.Forefront.UAG", 100, 4, "PowerShell script NetworkSecurityDiscoveryProvider.ps1 ended.")
</Script></Contents>
      </File>
    </Files>
  </DataSource>
</Discovery>