How to add a Custom Security Check using VB / J script

Applies to: Winfrasoft VPN-Q 2009 / 2010 Enterprise Edition

Step 1 – Create a custom VB Script with security checks

Create your own custom VB Script containing the security checks that you want the client to perform on the local system. These checks can, for example, verify that a particular piece of software is installed on a VPN client PC, or query a registry key. NOTE: Winfrasoft can NOT provide support for the functionality of your own custom scripts.

Step 2 – Return Exit Codes from the VB Script for Winfrasoft VPN-Q to interpret

Winfrasoft VPN-Q requires the custom VB script to return one of the following exit codes, which can then be included with the results of the security checks performed by the Winfrasoft VPN-Q client software:

Exit Code    Result
100          Pass
101          Warning
0 / Other    Fail

The following is an example of the syntax to issue an exit code from a VB Script; in this case the VB Script returns a Warning code:

                WScript.Quit  101
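
A fuller check script combining Steps 1 and 2, added here as an illustration (it is not Winfrasoft's code): it reads a version string from the registry and maps the outcome to the exit codes in the table above, failing closed on any error. The registry path, the minimum version and the helper name CompareVersions are hypothetical.

```vbscript
' Added example: custom security check script (not Winfrasoft's code).
' Exit codes follow the table above: 100 = Pass, 101 = Warning, anything else = Fail.
Option Explicit

Const EXIT_PASS = 100
Const EXIT_WARNING = 101
Const EXIT_FAIL = 0

' Hypothetical registry value and minimum version; replace with your own.
Const VERSION_VALUE = "HKLM\SOFTWARE\ExampleVendor\ExampleAgent\Version"
Const MINIMUM_VERSION = "4.2.0"

' Returns -1, 0 or 1 when dotted version a is lower than, equal to or higher than b.
Function CompareVersions(a, b)
    Dim partsA, partsB, i, numA, numB, last
    If Len(a) = 0 Then Err.Raise 5, "CompareVersions", "empty version string"
    partsA = Split(a, ".")
    partsB = Split(b, ".")
    last = UBound(partsA)
    If UBound(partsB) > last Then last = UBound(partsB)
    CompareVersions = 0
    For i = 0 To last
        numA = 0 : numB = 0
        If i <= UBound(partsA) Then numA = CLng(partsA(i))
        If i <= UBound(partsB) Then numB = CLng(partsB(i))
        If numA <> numB Then
            If numA < numB Then CompareVersions = -1 Else CompareVersions = 1
            Exit Function
        End If
    Next
End Function

Dim wshShell, installed, result
Set wshShell = CreateObject("WScript.Shell")

' Fail closed: a missing value or an unparsable version leaves Err set.
On Error Resume Next
installed = wshShell.RegRead(VERSION_VALUE)
If Err.Number = 0 Then result = CompareVersions(CStr(installed), MINIMUM_VERSION)
If Err.Number <> 0 Then WScript.Quit EXIT_FAIL
On Error GoTo 0

If result >= 0 Then
    WScript.Quit EXIT_PASS      ' installed and at or above the minimum version
Else
    WScript.Quit EXIT_WARNING   ' installed but older than the minimum version
End If
```

To see the code the script returns before deploying it, run it with cscript //nologo followed by the script path, then echo %ERRORLEVEL% in the same command prompt.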

Step 3 – Configure the Custom Security Check Script policy objects

To enable the Winfrasoft VPN-Q Client to run the custom VB script, configure the Custom Security Check Script Policy.

This policy setting enables the use of a custom Windows Scripting Host (WSH) script as an additional security check to run on the VPN client. The script can be in VB Script or J Script format and must return a valid check status result; see the Winfrasoft VPN-Q documentation for further details. If you enable this policy you must specify the full path to the custom security check script. You can also specify any arguments which may be required, as well as the script’s onscreen behaviour. If you disable or do not configure this policy then no custom security checks are run. It is highly recommended that the script is digitally signed to prevent tampering; see Step 4.

Step 4 – Signing the VB Script file (Optional)

Although it is an optional step in the process, it is recommended that all custom security checks are digitally signed to ensure the integrity of the custom check. Digital signing of the VB script ensures that the custom security checks, executed at the client side, perform as designed and that the script has not been modified in an attempt to circumvent it. To ensure that the VB Script executed on the client is signed and un-tampered, the Custom Security Check Script Signature policy setting must be enabled:

This policy setting instructs the VPN client to verify that the custom security check script has been digitally signed, and that the signature is valid. This protects the script from being modified or tampered with. If you enable this policy the script specified in the Custom Security Check Script policy setting MUST be digitally signed and the signature MUST be valid for the security check to pass. If the signature verification fails then the Custom Security Check will fail, and the script will not be executed. If you disable or do not configure this policy then the script specified in the Custom Security Check Script policy setting does not have to be digitally signed or have a valid signature in order to run.

Note: A signed script which has an invalid signature may still be blocked by the operating system, depending on its configuration or Software Restriction Policy settings.

A Winfrasoft signed sample VB Script can be downloaded here. To digitally sign a VB Script, please refer to the Microsoft published documentation on the Sign Tool utility:
