Forefront UAG Product Team Blog

Updated Forefront UAG SP3 tracing for is now available

Forefront UAG Team — Tue, 30 Apr 2013 21:21:00 GMT

We have an updated tracing package now available from the Microsoft Download center page for Forefront Unified Access Gateway (UAG) Tracing Symbols. This new trace package includes formatting for all UAG versions through Service Pack 3 Rollup 1 and includes the SP3 enhanced context tracing to more easily filter trace data per session.

Forefront UAG tracing can be run on the Forefront UAG server and on client endpoint devices connecting to Forefront UAG resources. You configure trace settings, start tracing, reproduce scenarios that require troubleshooting, stop tracing, and then convert the binary tracing output to text using the provided format files.

This download provides the following:
• A set of .tmf files in a zip file. These .tmf files can be used to convert binary trace files on the Forefront UAG server, and on client endpoint devices.
• A EULA license
• A document with instructions for configuring and running tracing

Note that the zip file provided by this download is cumulative. .tmf files included in the zip file can be used with the RTM version of Forefront UAG, and with subsequent Forefront UAG releases.

Versions of .tmf files provided by this download are as follows:

• UAG RTM (Version 4.0.1101.000)
• UAG Update 1 (Version 4.0.1152.100) KB Article 981323
• UAG Update 2 (Version 4.0.1269.200), KB Article 2288900
• UAG RTM MS10-089 bulletin (Version 4.0.1101.052), KB Article 2433585
• UAG Update 1 MS10-089 bulletin (Version 4.0.1152.150), KB Article 2433584
• UAG Update 2 MS10-089 bulletin (Version 4.0.1269.250), KB Article 2418933
• UAG SP1 (Version 4.0.1752.10000), KB Article 2285712
• UAG SP1 Rollup 1 (Version 4.0.1752.10020), KB Article 2475733
• UAG RTM MS11-079 bulletin (Version 4.0.1101.063), KB Article 2522482
• UAG Update 1 MS11-079 bulletin (Version 4.0.1152.163), KB Article 2522483
• UAG Update 2 MS11-079 bulletin (Version 4.0.1269.284), KB Article 2522484
• UAG SP1 MS11-079 bulletin (Version 4.0.1752.10073), KB Article 2522485
• UAG SP1 Update 1 (Version 4.0.1773.10100), KB Article 2585140
• UAG SP1 MS12-026 (Version 4.0.1753.10076), KB Article 2649261
• UAG SP1 Update 1 MS12-026 (Version 4.0.1773.10190), KB Article 2649262
• UAG SP2 (Version 4.0.2095.10000), KB Article 2710791
• UAG SP3 (Version 4.0.3123.10000), KB Article 2744025
• UAG SP3 Rollup 1

Thank you,

The Forefront UAG Product Team

Get the latest System Center news on Facebook and Twitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

How to configure client certificate authentication in UAG 2010

J.C. Hornbeck — Thu, 25 Apr 2013 20:12:38 GMT

In Forefront Unified Access Gateway 2010 (UAG), there are several scenarios that use SSL client certification authentication. For each trunk in Forefront UAG you can configure a simple client certificate or a smart card certificate and in this TechNet Wiki article, Microsoft’s own Junaid Jan shows you how:

How to get Client certificate authentication working on UAG 2010 Portal

J.C. Hornbeck | Knowledge Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news on Facebook and Twitter:

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Support Tip: DirectAccess clients cannot connect to corporate IPv4 resources after installing UAG SP3 – DNS64 service not running

J.C. Hornbeck — Mon, 15 Apr 2013 20:22:52 GMT

There is an issue that may arise after the installation of UAG Service Pack 3 on Forefront UAG acting as a DirectAccess server. After the installation, DirectAccess clients may not be able to connect to corporate intranet resources which are provisioned with only IPv4 addresses.

This problem occurs because the Microsoft Forefront UAG DNS64 service is not running on the DirectAccess server. This service provides DNS translation of IPv4 A records to IPv6 AAAA records required for DirectAccess client access. During the installation of UAG SP3, this service is stopped and the startup type is set to MANUAL. The service startup type should be AUTOMATIC and the service should be running when DirectAccess is enabled on the UAG server.

After installing UAG SP3 (or UAG SP3 Rollup 1) on a Forefront UAG server acting as a DirectAccess server ensure the DNS64 service is set to AUTOMATIC and started.

Using integrated NAT64 and DNS64 with Forefront UAG DirectAccess

Deep Dive Into DirectAccess – NAT64 and DNS64 In Action

J.C. Hornbeck | Knowledge Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news on Facebook and Twitter:

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Forefront Unified Access Gateway 2010 Service Pack 3 Rollup 1 is available for download

J.C. Hornbeck — Mon, 15 Apr 2013 16:29:42 GMT

We are happy to announce that Rollup 1 for Forefront UAG 2010 Service Pack 3 has been released.

UAG 2010 Service Pack 3 Rollup 1 is available as a hotfix download from Microsoft Support as an update to UAG 2010 Service Pack 3.

This important update contains 8 new fixes for reported issues as well as enhanced context tracing to more easily filter trace data per session.

For details, please visit KB 2827350: Description of Rollup 1 for Forefront Unified Access Gateway 2010 Service Pack 3

Please download the Forefront Unified Access Gateway (UAG) 2010 Service Pack 3 package now, and learn more about UAG 2010 SP3 by visiting our TechNet Library.

J.C. Hornbeck | Knowledge Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news on Facebook and Twitter:

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

KB: A Forefront Unified Access Gateway 2010 Direct Access client experiences repeated OTP prompts

J.C. Hornbeck — Tue, 26 Mar 2013 19:38:08 GMT

Here’s a new KB article we just published on Microsoft Forefront Unified Access Gateway 2010. This article talks about an issue where a Direct Access client experiences repeated One Time Password (OTP) prompts and the steps needed to fix it. You can read all the details here:

KB2797301 - A Forefront Unified Access Gateway 2010 Direct Access client experiences repeated OTP prompts (http://support.microsoft.com/kb/2797301/en-gb)

J.C. Hornbeck | Knowledge Engineer | Microsoft CTS Management and Security Division

Get the latest System Center news on Facebook and Twitter:

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Forefront Unified Access Gateway 2010 Service Pack 3 is available for download

Forefront UAG Team — Wed, 20 Feb 2013 11:00:00 GMT

We are happy to announce that Service Pack 3 for Forefront UAG 2010 is now released.

UAG 2010 Service Pack 3 is available for download from the Microsoft Download Center, as an upgrade from UAG 2010 Service Pack 2 .

Here are details about the new features included in Service Pack 3 for UAG 2010:

Added support for new client devices
- Windows 8 and Windows RT
  Forefront UAG 2010 SP3 supports Windows 8 and Windows RT client computers using Internet Explorer 10 and Internet Explorer 10 on the desktop. In addition, SP3 also supports the following client applications running on Windows 8 and Windows RT:
  - Mail: the built-in Mail application on Windows 8 / Windows RT computers can be used to connect to Exchange servers published through UAG 2010 SP3
  - Remote Desktop: UAG 2010 SP3 adds support for the Remote Desktop Connection (RDC) 8.0 client that is running on Windows 8
- Windows Phone 8
  SP3 for UAG 2010 adds support for mobile phone devices running the Windows Phone 8 Operating System
Added client applications
Forefront UAG 2010 SP3 adds support for the following client applications:
- Office 2013: Forefront UAG 2010 SP3 supports the following Office 2013 client applications:
  - Microsoft Outlook 2013
  - Microsoft Word 2013
  - Microsoft Excel 2013
  - Microsoft PowerPoint 2013
- Remote Desktop Client (RDC) 8.0: Forefront UAG 2010 SP3 supports the RDC 8.0 client that is running on Windows 7 Service Pack 1 (http://support.microsoft.com/KB/2592687)
Application publishing
Forefront UAG 2010 SP3 adds support for publishing the following server applications:
- Microsoft SharePoint 2013
- Microsoft Exchange 2013
Fixes included in UAG SP3
- Over 15 new fixes for customer reported issues. For details, please visit KB 2744025: Description of Forefront Unified Access Gateway 2010 Service Pack 3

Please download the Forefront Unified Access Gateway (UAG) 2010 Service Pack 3 package now, and learn more about UAG 2010 SP3 by visiting our TechNet Library.

Thank you,

The Forefront UAG Product Team

DirectAccess IPHTTPS client connections fail after installing December 2012 Windows Updates.

Forefront UAG Team — Fri, 08 Feb 2013 14:24:45 GMT

There were two packages available from the December 2012 Windows updates which may have an effect on IPHTTPS client connectivity if installed on the Forefront UAG 2010 DirectAccess server.

· MS12-083 (KB2765809)

· Windows Update for Root Certificates (KB931125).

Both problems will generally manifest as DirectAccess client IPHTTPS interface connection failure with status 0x103 – “no usable certificate(s) found”. You can view the IPHTTPS interface status with the following netsh command:

>netsh interface httpstunnel show interface

Interface IPHTTPSInterface (Group Policy) Parameters

------------------------------------------------------------

Role : client

URL : https://da.contoso.com:443/IPHTTPS

Last Error Code : 0x103

Interface Status : no usable certificate(s) found

The first possible issue concerns MS12-083 (KB2765809). MS12-083 is a security update for the IP Helper service (IpHlpSvc) which handles server and client IPHTTPS connectivity. This update resolves an issue where IpHlpSvc was not properly validating client certificate revocation checking. With this security patch installed on the DirectAccess server, you may see an issue with IPHTTPS client connection failures if the DirectAccess server cannot validate the client certificate revocation information.

Client certificate revocation failure may occur for reasons such as if a certificate was not properly issued with the correct revocation information (CRL or CDP) or the DirectAccess server cannot access the revocation location for validation. This may appear as a DirectAccess issue because the client certificate revocation checking was not enforced for the IPHTTPS connection prior to the update. The resolution for this issue will require isolating the actual problem blocking the CRL validation using available tools such as CERTUTIL or Network Monitor.

The second problem will occur if you updated your Third-party Root Certification Authorities on the DirectAccess server with the December 2012 KB 931125 update package. This package is the December Windows Update for Root Certificates (KB931125) and was intended only for client SKUs. However, it was also offered for Server SKUs for a short time on Windows Update and WSUS.

This package installed more than 330 Third-party Root Certificate Authorities. Currently, the maximum size of the trusted certificate authorities list that the Schannel security package supports is 16 kilobytes (KB). Having a large amount of Third-party Root Certificate Authorities will exceed this limit during the client certificate authentication process for the IPHTTPS connections, and you will experience TLS/SSL communication problems.

This problem can be identified by the presence of Schannel 36885 ID events in the DirectAccess server System event log.

Schannel 36885 - When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

In order to prevent these Schannel errors, the servers trusted certificate authority list must be reduced to a manageable number. This can be done manually by removing any root certificate authorities which are not required from the DirectAccess server. There are instructions available in the KB article for this issue KB2801679

More Information

MS12-083: Vulnerability in IP-HTTPS component could allow security feature bypass: December 11, 2012

MS12-083: Addressing a missing certificate revocation check in IP-HTTPS

Windows root certificate program members

SSL/TLS communication problems after you install KB 931125

Author

Billy Price – Security Escalation Engineer, Microsoft CSS Forefront Security Edge Team

Reviewer

Richard Barker – Security Support Escalation Engineer, Microsoft CSS Forefront Security Edge Team

UAG DirectAccess management ‘Apply Policy’ fails after Windows PowerShell update

Forefront UAG Team — Wed, 09 Jan 2013 20:02:22 GMT

Forefront UAG 2010 DirectAccess settings are written to Active Directory Group Policy for client and gateway provisioning. The GPO policies are created in AD via a PowerShell script from the UAG server. A recent update to Windows PowerShell affects the execution of this script and causes the policy application to fail.

In the UAG DirectAccess management console, the configuration settings are applied to Group Policy with Apply Policy then Apply Now. When successful, the DirectAccess Policy Configuration Log will display “Script run completed with no errors or warnings”. However, due to script parsing changes with the new PowerShell 3.0 update, Apply policy - Apply now may return an error similar to the following:

> Executing policy script.
At C:\Users\UAGadmin\AppData\Local\Temp\tmp12ab.tmp.ps1:98 char:46
+             ErrorPrintLine("Failed to delete $item: $error")
+                                              ~~~~~~
Variable reference is not valid. ':' was not followed by a valid variable name
character. Consider using ${} to delimit the name.
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : InvalidVariableReferenceWithDrive
> aborted

The actual error in the DirectAccess policy script is line 98.

Ø ErrorPrintLine("Failed to delete $item: $error")

This line is used to print an error message if it occurs during execution of the script; printing the error text with the contents of variables $item and $error separated by a colon (“:”). This above error occurs because of how this ErrorPrintLine parameter is now parsed differently in PowerShell 3.0. The colon with the variable name is used to denote variable scope so a parameter is expected after the colon which triggers the PS3 parser error.

You can resolve this issue by removing the optional WMF 3.0 update KB2506143 from the UAG server. This will allow you to apply the DirectAccess policy settings directly from the UAG server console as previously available. Alternately, you can export the UAG DirectAccess policy script and edit the problem line to work around the parsing error. Change the problem line to explicitly delimit the item variable using {} (or you could simply add a space between the variable $item and the colon to separate the characters in the print line). You can then execute the PowerShell script to apply the GPO settings (run with PowerShell).

Change this line # 98: ErrorPrintLine("Failed to delete $item: $error") to delimit the parameter name with {}.

Change to: ErrorPrintLine("Failed to delete ${item}: $error")

[ or ErrorPrintLine("Failed to delete $item : $error") ]

More Information

Microsoft Windows Management Framework 3.0 (KB) KB2506143
http://support.microsoft.com/kb/2506143

Author

Billy Price – Security Escalation Engineer, Microsoft CTS Forefront Security Edge Team

Reviewer

Richard Barker – Security Support Escalation Engineer, Microsoft CTS Forefront Security Edge Team

UAG published website is not fully rendered

Forefront UAG Team — Tue, 27 Nov 2012 15:50:00 GMT

Consider a scenario where you are publishing one or more internal websites via UAG 2010 and UAG is configured in an array of two or more nodes. Also, you are load balancing the UAG nodes using an F5 Big-IP device.

Symptoms:

External users accessing one or more of these published web sites, via the Virtual IP of the F5, may experience one or both of the following symptoms:

· Improper page rendering where a number of page items (i.e. graphics, etc.) may not display correctly.

· IE shows “The page cannot be displayed”

Possible Cause:

The F5 Big-IP LTM may have the “OneConnect” feature enabled.

More Information:

The OneConnect feature is a system that is meant to improve web application performance. OneConnect reuses TCP connections to each load balanced server (UAG) for multiple clients. Please go to www.f5.com for more information on the OneConnect feature of the F5 Big-IP device.

Resolution:

As a test, try disabling the OneConnect feature. If, after disabling the OneConnect feature, your published web sites start rendering correctly, please contact F5 support for assistance with the OneConnect feature.

Author

Richard Barker - Sr Security Support Escalation Engineer, Microsoft CSS Forefront Security Edge Team

UAG 2010 Service Pack 3 is in the works

Ran [MSFT] — Mon, 26 Nov 2012 19:57:00 GMT

The Forefront Unified Access Gateway (UAG) Product Team is excited to let you know that we are currently developing Service Pack 3 for UAG 2010, and we expect to make it available during the first quarter of calendar year 2013 (Q1 CY2013).

Service Pack 3 will provide support for:

Windows 8 with Internet Explorer 10 clients, including DirectAccess
Office 2013 clients (e.g. Outlook, Word, Excel, PowerPoint)
Publishing Exchange 2013
Publishing SharePoint 2013
RDP 8.0 client for Windows 7 SP1 (KB 2592687)

Thank you,

The UAG Product Team