Microsoft small business knowledge base

Article ID: 2288900 - Last Review: November 4, 2010 - Revision: 1.0

SUMMARY

These release notes address late-breaking issues that are related to Microsoft Forefront Unified Access Gateway (UAG) 2010. Before you install Forefront Unified Access Gateway (UAG), you must read the information that is contained in this document. This article contains the following information about this update:
  • New features and improvements that are included in this update
  • Issues that are resolved in this update
  • How to obtain this update
  • Prerequisites for installing this update
  • Known issues

Introduction

This article describes Update 2 for Forefront UAG 2010 and provides installation instructions. Update 2 for Forefront UAG 2010 provides the following features:
  • Client Components Enhancement: The Forefront UAG SSL Application Tunneling (Socket Forwarder) component is now supported on Windows Vista and Windows 7 64-bit operating systems for 32-bit applications. See the table below for details and issue #3 for more information.
    Feature | Windows XP 32-bit | Windows Vista 32-bit | Windows Vista 64-bit | Windows 7 32-bit | Windows 7 64-bit | Mac or Linux
    Offline installation | Yes | Yes | Yes | Yes | Yes | No
    Online installation | Yes | Yes | Yes | Yes | Yes | Yes
    Endpoint Detection | Yes | Yes | Yes | Yes | Yes | Yes
    Attachment Wiper | Yes | Yes | Yes | Yes | Yes | Yes
    SSL Tunneling Component | Yes | Yes | Yes | Yes | Yes | Yes
    Socket Forwarder | Yes | Yes | Yes | Yes | Yes | No
    SSL Application Tunneling (Network Connector) | Yes | Yes | Yes | No | No | No
    Note: For specific information about Browsers, Operating Systems, and Client Component features and compatibility, visit the following Microsoft TechNet webpage:
    Introduction to system requirements for Forefront UAG endpoints (http://technet.microsoft.com/en-us/library/dd920232.aspx)
  • Virtual Desktop Infrastructure (VDI): Forefront UAG fully supports publishing remote desktops via the personal desktop scenario of VDI.
  • Citrix Publishing Support: Forefront UAG fully supports Citrix Presentation Server 4.5 and its replacement Citrix XenApp 5.0.
  • Citrix Client Computer Support: Forefront UAG supports Windows Vista and Windows 7 computers with 64-bit operating systems accessing Citrix XenApp applications where the XenApp client is 32-bit. See Issue #4 below for additional details.
  • SSTP User and Group Access Control: Forefront UAG now provides a finer authorization mechanism allowing administrators to authorize individual groups for SSTP access.
  • SSL Handshake: Forefront UAG now provides more robust handling of SSL handshakes between UAG and published web servers.
  • Client Certificate Delegation: Forefront UAG now adds some limited support for applications where the application server requires client certificate credentials for negotiation.
  • Network Connector MAC address support: Forefront UAG Network Connector Server supports a wider range of network adapters with an expanded MAC address range.
For more information about new features in Update 2 for Forefront UAG 2010, refer to the "What's new in Forefront UAG" section on the following Microsoft webpage:
Introduction to product evaluation that applies to Forefront UAG (http://go.microsoft.com/fwlink/?LinkId=185250)

MORE INFORMATION

Update information

The following file is available for download from the Microsoft Download Center:

Download the Forefront Unified Access Gateway (UAG) Update 2 package now. (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9dcccebc-accb-4229-901a-792cc66791de)   

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591  (http://support.microsoft.com/kb/119591/ ) How to obtain Microsoft support files from online services
 Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file. 

Prerequisites

This update is cumulative and can be applied to appliances, servers, or virtual machines that are running the following versions of UAG 2010:
  • UAG 2010 (RTM)
  • UAG 2010 Update 1
  • UAG 2010 Update 1 Rollup 1 Hotfix Package
For more information about UAG Update 1, click the following article number to view the article in the Microsoft Knowledge Base:
981323  (http://support.microsoft.com/kb/981323/ ) Description of Update 1 for Unified Access Gateway 2010
For more information about UAG Update 1 Rollup 1 hotfix package, click the following article number to view the article in the Microsoft Knowledge Base:
981932  (http://support.microsoft.com/kb/981932/ ) Description of the Rollup 1 hotfix package for Unified Access Gateway 2010 Update 1

Installation Notes

Order of installation when a UAG server array is in use
  1. Install Update 2 on the array manager first.
  2. Reboot.
  3. Activate UAG configuration.
  4. Wait for the configuration to synchronize.
  5. Install Update 2 on the first non-manager array member.
  6. Reboot.
  7. Repeat for all remaining array members.
Note If required, the uninstallation of Update 2 should be conducted in the reverse order.

Restart requirement

In non-array scenarios, you do not have to restart the computer after you apply this update package. You must activate the UAG configuration after you install the update package. Please note that performing the UAG activation will terminate any existing SSL Application Tunneling connections to the UAG server.

In array scenarios, a restart is required. The array installation steps above are required for successful deployment of the update when using an array. Failure to follow these steps can cause corruption of the array and loss of the configuration.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

Uninstallation information

To uninstall this update, use one of the following methods:
  • Log on as a built-in administrator, and then uninstall the update by using the Programs and Features applet in Control Panel.
  • From an elevated command prompt, type the following command, and then press ENTER:
    msiexec.exe /uninstall {31F37A8F-7454-453C-B084-9334E3EBA839} /package {9B0CE58E-C122-4CB4-80C1-514D4162C07C}

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

File name | File version | File size | Date | Time | Platform
Agent_win_helper.jar | Not applicable | 1,286,015 | 30-Aug-2010 | 13:12 | Not applicable
Clientconf.xml | Not applicable | 6,675 | 15-Sep-2010 | 06:41 | Not applicable
Configdatacomlayer.dll | 4.0.1269.200 | 192,400 | 15-Sep-2010 | 08:13 | x64
Configdatalayer.dll | 4.0.1269.200 | 3,871,632 | 15-Sep-2010 | 08:06 | x64
Configmgrcom.exe | 4.0.1269.200 | 199,568 | 15-Sep-2010 | 08:01 | x64
Configmgrcomlayer.dll | 4.0.1269.200 | 2,246,032 | 15-Sep-2010 | 08:15 | x64
Configmgrcore.dll | 4.0.1269.200 | 1,375,632 | 15-Sep-2010 | 08:23 | x64
Configmgrinfra.dll | 4.0.1269.200 | 1,599,888 | 15-Sep-2010 | 08:12 | x64
Configmgrlayer.dll | 4.0.1269.200 | 215,440 | 15-Sep-2010 | 08:05 | x64
Configuration.exe | 4.0.1269.200 | 8,920,976 | 15-Sep-2010 | 08:22 | x64
Detection.js | Not applicable | 14,591 | 15-Sep-2010 | 07:20 | Not applicable
Https_whlfiltappwrap_forpor | Not applicable | 60,961 | 15-Sep-2010 | 07:19 | Not applicable
Http_whlfiltappwrap_forport | Not applicable | 59,475 | 15-Sep-2010 | 07:19 | Not applicable
Install.js | Not applicable | 11,218 | 15-Sep-2010 | 07:20 | Not applicable
Installanddetect.asp | Not applicable | 12,067 | 15-Sep-2010 | 07:20 | Not applicable
Internalerror.asp | Not applicable | 8,344 | 15-Sep-2010 | 07:20 | Not applicable
Internalerror.inc | Not applicable | 24,402 | 15-Sep-2010 | 07:20 | Not applicable
Login.asp | Not applicable | 24,183 | 15-Sep-2010 | 07:20 | Not applicable
Logoffmsg.asp | Not applicable | 7,705 | 30-Aug-2010 | 13:11 | Not applicable
Microsoft.uag.da.messages.d | 4.0.1269.200 | 33,680 | 15-Sep-2010 | 08:14 | x64
Microsoft.uag.transformer.c | 4.0.1269.200 | 6,297,488 | 15-Sep-2010 | 08:02 | x86
Monitormgrcom.exe | 4.0.1269.200 | 151,952 | 15-Sep-2010 | 08:01 | x64
Monitormgrcore.dll | 4.0.1269.200 | 740,240 | 15-Sep-2010 | 08:23 | x64
Monitormgrlayer.dll | 4.0.1269.200 | 354,192 | 15-Sep-2010 | 08:12 | x64
Policy.xml | Not applicable | 80,244 | 17-Oct-2010 | 12:16 | Not applicable
Policydefinitions.xml | Not applicable | 61,516 | 15-Sep-2010 | 07:15 | Not applicable
Redirecttoorigurl.asp | Not applicable | 1,423 | 30-Aug-2010 | 13:11 | Not applicable
Repairinstallation.vbs | Not applicable | 3,044 | 30-Aug-2010 | 13:12 | Not applicable
Ruleset_forinternalsite.ini | Not applicable | 47,019 | 30-Aug-2010 | 13:11 | Not applicable
Sessionmgrcom.exe | 4.0.1269.200 | 233,872 | 15-Sep-2010 | 08:24 | x64
Sessionmgrcomlayer.dll | 4.0.1269.200 | 1,641,360 | 15-Sep-2010 | 08:02 | x64
Sessionmgrcore.dll | 4.0.1269.200 | 738,192 | 15-Sep-2010 | 08:01 | x64
Sessionmgrinfra.dll | 4.0.1269.200 | 1,197,968 | 15-Sep-2010 | 08:22 | x64
Sessionmgrlayer.dll | 4.0.1269.200 | 200,592 | 15-Sep-2010 | 08:04 | x64
Sfhlprutil.cab | Not applicable | 57,194 | 15-Sep-2010 | 08:35 | Not applicable
Shareaccess.exe | 4.0.1269.200 | 492,944 | 15-Sep-2010 | 08:12 | x64
Sslbox.dll | 4.0.1269.200 | 58,768 | 15-Sep-2010 | 08:14 | x64
Sslvpntemplates.xml | Not applicable | 28,704 | 30-Aug-2010 | 13:12 | Not applicable
Sslvpn_https_profiles.xml | Not applicable | 968 | 17-Oct-2010 | 12:16 | Not applicable
Uagqec.cab | Not applicable | 64,842 | 15-Sep-2010 | 08:36 | Not applicable
Uagqessvc.exe | 4.0.1269.200 | 207,760 | 15-Sep-2010 | 08:04 | x64
Uagrdpsvc.exe | 4.0.1269.200 | 144,272 | 15-Sep-2010 | 08:14 | x64
Uninstalluagupdate.cmd | Not applicable | 212 | 15-Sep-2010 | 08:41 | Not applicable
Usermgrcom.exe | 4.0.1269.200 | 119,184 | 15-Sep-2010 | 08:01 | x64
Usermgrcore.dll | 4.0.1269.200 | 837,008 | 15-Sep-2010 | 08:01 | x64
Whlasynccomm.dll | 4.0.1269.200 | 107,408 | 15-Sep-2010 | 08:14 | x64
Whlcache.cab | Not applicable | 265,768 | 15-Sep-2010 | 08:36 | Not applicable
Whlclientsetup-all.msi | Not applicable | 2,964,992 | 15-Sep-2010 | 08:22 | Not applicable
Whlclientsetup-basic.msi | Not applicable | 2,964,992 | 15-Sep-2010 | 08:01 | Not applicable
Whlclientsetup-networkconne | Not applicable | 2,965,504 | 15-Sep-2010 | 08:04 | Not applicable
Whlclientsetup-networkconne | Not applicable | 2,965,504 | 15-Sep-2010 | 08:03 | Not applicable
Whlclientsetup-socketforwar | Not applicable | 2,964,992 | 15-Sep-2010 | 08:24 | Not applicable
Whlclntproxy.cab | Not applicable | 242,713 | 15-Sep-2010 | 08:35 | Not applicable
Whlcompmgr.cab | Not applicable | 689,483 | 15-Sep-2010 | 08:35 | Not applicable
Whlcppinfra.dll | 4.0.1269.200 | 669,584 | 15-Sep-2010 | 08:23 | x64
Whldetector.cab | Not applicable | 263,764 | 15-Sep-2010 | 08:36 | Not applicable
Whlfiltappwrap.dll | 4.0.1269.200 | 315,280 | 15-Sep-2010 | 14:02 | x64
Whlfiltappwrap_http.xml | Not applicable | 59,475 | 15-Sep-2010 | 13:19 | Not applicable
Whlfiltappwrap_https.xml | Not applicable | 60,961 | 15-Sep-2010 | 13:19 | Not applicable
Whlfiltauthorization.dll | 4.0.1269.200 | 311,696 | 15-Sep-2010 | 14:23 | x64
Whlfilter.dll | 4.0.1269.200 | 589,200 | 15-Sep-2010 | 14:22 | x64
Whlfiltsecureremote.dll | 4.0.1269.200 | 1,037,200 | 15-Sep-2010 | 14:22 | x64
Whlfiltsecureremote_http.xm | Not applicable | 77,404 | 30-Aug-2010 | 13:11 | Not applicable
Whlfiltsecureremote_https.x | Not applicable | 80,308 | 17-Oct-2010 | 12:16 | Not applicable
Whlfirewallinfra.dll | 4.0.1269.200 | 444,816 | 15-Sep-2010 | 08:13 | x64
Whlgenlib.dll | 4.0.1269.200 | 511,376 | 15-Sep-2010 | 08:04 | x64
Whlglobalutilities.dll | 4.0.1269.200 | 106,384 | 15-Sep-2010 | 08:05 | x64
Whlinstallanddetect.inc | Not applicable | 4,476 | 30-Aug-2010 | 13:11 | Not applicable
Whlio.cab | Not applicable | 167,277 | 15-Sep-2010 | 08:35 | Not applicable
Whlioapi.dll | 4.0.1269.200 | 76,176 | 15-Sep-2010 | 08:04 | x64
Whliolic.dll | 4.0.1269.200 | 15,760 | 15-Sep-2010 | 08:22 | x64
Whlios.exe | 4.0.1269.200 | 137,104 | 15-Sep-2010 | 08:24 | x64
Whllln.cab | Not applicable | 167,095 | 15-Sep-2010 | 08:36 | Not applicable
Whlllnconf1.cab | Not applicable | 6,521 | 15-Sep-2010 | 08:35 | Not applicable
Whlllnconf2.cab | Not applicable | 6,610 | 15-Sep-2010 | 08:36 | Not applicable
Whlllnconf3.cab | Not applicable | 6,599 | 15-Sep-2010 | 08:35 | Not applicable
Whltrace.cab | Not applicable | 254,352 | 15-Sep-2010 | 08:36 | Not applicable
Whltsgauth.dll | 4.0.1269.200 | 184,208 | 15-Sep-2010 | 08:02 | x64
Whltsgconf.dll | 4.0.1269.200 | 87,440 | 15-Sep-2010 | 08:22 | x64
Whlvaw_srv.dll | 4.0.1269.200 | 138,128 | 15-Sep-2010 | 08:05 | x64
Wioconfig.dll | 4.0.1269.200 | 496,528 | 15-Sep-2010 | 08:01 | x64



Fixed issues that are included in this update

This update fixes the following issues that were not previously documented in a Microsoft Knowledge Base article.

Issue 1


Symptom

Administrators require granular access control for their Secure Socket Tunneling Protocol (SSTP) virtual private network (VPN) clients. However, configuring SSTP on UAG creates a single access rule that gives VPN clients access to the whole Internal Network.

According to the following text from http://technet.microsoft.com/en-us/library/ee522953.aspx, using the Threat Management Gateway (TMG) console to create rules that enable granular access control for SSTP VPN access is supported:

"Creating access rules using the Forefront TMG Management console, for the purpose of limiting users, groups, and networks for granular access when deploying Forefront UAG for VPN remote network access."

However, when administrators create access rules to limit user access, these rules are removed or moved to the bottom of the access policy after UAG activation. This means that the default rule takes precedence and the configured granular control is lost.

Cause

This issue is caused by a limitation in the design of the integration between UAG and the dynamically generated rules that are deployed to TMG during UAG activation.

Resolution

Manual modification of TMG rules to support granular access control as described on TechNet is deprecated (and is no longer supported after the installation of UAG Update 2) in favor of explicit support of granular access control in the UAG Management console.

UAG administrators can now explicitly enable access to particular internal network addresses to SSTP VPN users who are members of particular Active Directory groups. UAG administrators should use the new User Groups tab of the SSL Network Tunneling Configuration dialog box to define granular IP VPN access policy which consists of a set of access rules. Every rule defines a set of internal network IP addresses and IP address ranges that members of a particular Active Directory group can access while connected to SSTP VPN.

Issue 2


Symptom

Microsoft Virtual Desktop Infrastructure (VDI) support in UAG is not fully implemented.

Cause

A misleading UAG UI, problematic configurations, and an inability to support multi-authorization in different resources during implementation prevent VDI from working correctly.

Resolution

We have made a design change to update the UAG UI and support the Personal Desktop scenario of VDI with a more robust implementation. The Pooled Desktop scenario of VDI was not implemented and may be implemented in a future update of UAG.

Issue 3


Symptom

The UAG Client Component for SSL Application Tunneling (Socket Forwarder) is not supported on 64-bit versions of Windows 7 and 64-bit versions of Windows Vista.

Cause

This is the designed behavior of the UAG client components before the release of UAG Update 2.

Resolution

We have made a design change to address the following scenario:

There is a wide set of non-web applications that use UAG Socket Forwarding / Application Tunneling as a publishing method. Examples are Citrix XenApp and Presentation Server 4.5, both of which run as ActiveX applications in the browser. Before this update, because of technical limitations, deployment of those publishing methods was disallowed on 64-bit versions of client operating systems. Therefore, a published application that uses those methods could be accessed from 32-bit client operating systems but not from 64-bit operating systems.

The change made for this scenario is to provide a method of deployment for the Socket Forwarding (SF) client components on 64-bit versions of Windows client operating systems to enable opening of tunneled applications. The limitations of this implementation are as follows:
  • Support for Socket Forwarder is limited to 64-bit versions of Windows Vista and 64-bit versions of Windows 7. Other 64-bit operating systems are not supported.
  • Socket Forwarder is only supported when users access UAG from the 32-bit version of Internet Explorer (running in WOW64 32 bit emulation).
  • Socket Forwarder will only interact with 32-bit applications (WOW64 applications) and will not interact with native 64-bit applications.
The following are the deployment options for the updated components:
  • Online: The standard method that performs deployment of SF components. On the very first invocation of any UAG portal application that uses SF as the tunneling publishing method, the components are downloaded and installed.
  • Offline: Administrators can also deploy the appropriate Windows Installer application (MSI) on a client by using scripted software distribution or by manual installation. After the installation of UAG Update 2 the files will be available on the UAG server in the following location:
    %UAG installation directory%\von\PortalHomePage\

Issue 4


Symptom

You cannot access Citrix XenApp 5.0 that is published with UAG from a client computer that is running a 64-bit version of Windows Vista or Windows 7.

Cause

This is the designed behavior of the UAG client components before the release of UAG Update 2.

Resolution

Refer to the “Resolution” section of Issue 3 for detailed information.

Issue 5


Symptom

When you try to create or edit an endpoint policy, the “McAfee Total Protection” policy appears two times on the list. If you select the second “McAfee Total Protection” policy, you receive an error message that resembles the following:

source line could not be located

Cause

This issue occurs because the %UAG installation directory%\von\Conf\PolicyDefinitions.xml file contains two entries that have the same title and ID.

Resolution

The double entry issue is resolved by removing the second record from the PolicyDefinitions.xml file.

Issue 6

Symptom

When you access a resource that is published by UAG, clients receive an error "An unknown error occurred while processing the certificate" in the browser. Also, the UAG administrator may see in UAG server debug logs that SEC_I_CONTINUE_NEEDED is returned during the SSL negotiation step "Handshake Confirm State." Following that step the debug logs will show that the /InternalSite/InternalError.asp page is returned to the client together with error code 37. Error Code 37 is the error message "An unknown error occurred while processing the certificate."

Cause

The existing SSL mechanism does not correctly handle several scenarios when it performs an SSL handshake with a back-end server published through UAG. The streaming nature of SSL creates a complicated scenario with a possibility of receiving either insufficient data or reading too much information during the handshake. In this scenario, InitializeSecurityContext reports that you have passed additional data that must be saved for use in the future (presumably after you read more data across the wire).

Resolution

The handshake algorithm is extended to support additional streaming cases and scenarios.
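
The buffering problem described in the Cause above, as an added example (not UAG or Schannel code): a receive loop that frames TLS records by their 5-byte header, waits when a record is incomplete, and carries surplus bytes over to the next step, shown beside a fragile loop that assumes one read equals one record. The status names only mirror the SSPI conditions SEC_E_INCOMPLETE_MESSAGE and SEC_I_CONTINUE_NEEDED; all function names and the sample payloads are constructed for illustration.

```python
import struct
from enum import Enum

RECORD_HEADER_LEN = 5            # content type (1) + version (2) + length (2)
HANDSHAKE = 22                   # TLS record content type "handshake"
MAX_FRAGMENT = 16384 + 2048      # largest ciphertext fragment TLS 1.2 permits


class Status(Enum):
    INCOMPLETE = 1   # not enough bytes yet (compare SEC_E_INCOMPLETE_MESSAGE)
    CONTINUE = 2     # one record consumed (compare SEC_I_CONTINUE_NEEDED)


def make_record(payload, ctype=HANDSHAKE):
    """Build a TLS-style record around a constructed payload."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


def handshake_step(buf):
    """Consume at most one record from buf.

    Returns (status, record, extra). 'extra' holds every byte that was not
    consumed; the caller must keep it and pass it back in on the next call.
    """
    if len(buf) < RECORD_HEADER_LEN:
        return Status.INCOMPLETE, None, buf
    ctype, _version, length = struct.unpack("!BHH", buf[:RECORD_HEADER_LEN])
    if length > MAX_FRAGMENT:
        raise ValueError("record length out of range")
    end = RECORD_HEADER_LEN + length
    if len(buf) < end:
        return Status.INCOMPLETE, None, buf
    return Status.CONTINUE, (ctype, buf[RECORD_HEADER_LEN:end]), buf[end:]


def receive_records(chunks):
    """Robust loop: unconsumed bytes survive between reads."""
    pending = b""
    records = []
    for chunk in chunks:                 # each chunk models one recv() result
        pending += chunk
        while True:
            status, record, pending = handshake_step(pending)
            if status is Status.INCOMPLETE:
                break                    # read more from the wire
            records.append(record)
    if pending:
        raise ConnectionError("stream ended inside a record")
    return records


def receive_records_naive(chunks):
    """Fragile loop: assumes every read delivers exactly one whole record."""
    records = []
    for chunk in chunks:
        status, record, _extra = handshake_step(chunk)   # surplus is dropped
        if status is Status.INCOMPLETE:
            raise ConnectionError("short read treated as a fatal error")
        records.append(record)
    return records


# Constructed payloads standing in for three handshake messages.
PAYLOADS = [b"server_hello", b"certificate", b"server_hello_done"]
RECORDS = [make_record(p) for p in PAYLOADS]
STREAM = b"".join(RECORDS)

# Too little data in the first read, too much in the second.
FRAGMENTED = [STREAM[:3], STREAM[3:36], STREAM[36:]]
# Two records arrive in one read.
COALESCED = [RECORDS[0] + RECORDS[1], RECORDS[2]]

if __name__ == "__main__":
    print("robust, fragmented:", receive_records(FRAGMENTED))
    print("robust, coalesced: ", receive_records(COALESCED))
    print("naive, coalesced:  ", receive_records_naive(COALESCED))
```

The naive loop fails outright on the fragmented stream and silently loses the middle record on the coalesced one; the robust loop returns all three records in both cases.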


Issue 7

Symptom

When you access a published HTTPS application through UAG, the user receives error 37: "An unknown error occurred while processing the certificate." An administrator who is doing debug logging (that includes the SSLBOX_BASE trace) while the user is accessing the application will see the following error message:
ERROR:Failed to initialize security context. Returned error: 0x90320.

InitializeSecurityContext return SEC_INCOMPLETE_CREDENTIALS – Schannel requires client certificate credentials

Cause

The back-end application server is configured to ask for client certificate credentials during the SSL negotiation stage. Before this update such functionality was not supported. Therefore, the negotiation failed with an error.

Resolution

There are two possible scenarios where the back-end server is asking for client certificate credentials:
  • The back-end application server is requesting a client certificate to obtain a certificate context but does not require it. For this case a fallback was implemented allowing UAG to retry the negotiation after the SEC_INCOMPLETE_CREDENTIALS return code is received. Usually the back-end server does not require the client certificate and this negotiation is successfully completed.
  • The back-end application requires client certificate authentication. The design change that was implemented does not allow for the client to supply pass through client certificates but does allow for a single valid client certificate to be supplied to the back-end web server for all users.

    For this case the UAG Administrator should supply a valid client certificate and install it on UAG server as a machine certificate.
    1. To instruct the UAG SSLBox module to retrieve and obtain the correct certificate, follow these steps:
      1. Run the MMC command to open the management console.
      2. Click File, and then click Add/Remove Snap-in.
      3. Select Certificates from the list, and then click Add.
      4. Select computer account, and then click Finish.
      5. Open the Personal certificate store.
      6. Select the required client authentication certificate from the list and double-click the certificate. Or, right-click the certificate and then click Open.
      7. Select the Details pane and scroll down.
      8. Select Thumbprint property.
      9. Select the property value in the panel below and copy its value by pressing CTRL+C.
      10. Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
        322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows
        a. Start Registry Editor (Regedt32.exe).

        b. Locate and then click the following key in the registry:

        HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\UrlFilter\Comm\SSL
        c. On the Edit menu, click Add Value, and then add the following registry value:
        Value name: ClientCertHash
        Data type: String
        Value: {the text copied in step 9} [for example: a7 36 4b ca 87 3f 10 ac d5 4b 0f ca 83 9e 9e 74 c8 3e fa 8b]
        d. Exit Registry Editor.
        e. Run IISReset as an administrator to restart IIS.
        f. Activate the UAG Configuration.

Issue 8

Symptom

In some rare cases, client computers that have UAG Client Components installed receive a "uagqecsvc" event ID 85 log message written to the Windows Event logs every minute when that client is communicating with a UAG Server. Although this is a false alarm, it fills up the client event logs, making it difficult for administrators or the helpdesk to spot real events in the client’s Windows Event logs. These messages will always be displayed on the client every minute if that client connects to an IAG server.

Event ID: 85

Source: uagqecsvc

Type: Error

Description: The Microsoft Forefront UAG Quarantine Enforcement Client component cannot initialize the enforcement client callback HRESULT value: 0x8027000E. This issue may occur if security policies do not enable the component.

There may also be another related event in the client event logs.
Event ID: 16

Source: uagqecsvc

Log Name: Application

Description: The Microsoft Forefront UAG Quarantine Enforcement Client component cannot retrieve the status of the Network Access Protection (NAP) Agent service. System error 1115: A system shutdown is in progress. (0x45b). When the Microsoft Forefront UAG Quarantine Enforcement Client component starts, it attempts to query settings of the NAP agent service.

Although this issue is not directly related to UAG or to UAG deployments, it is possible that with some deployments users who have the UAG client components installed on them will access both IAG and UAG servers.

Cause

UAG Client Components have a component service "uagqecsvc" with a display name of "Microsoft Forefront UAG Quarantine Enforcement Client" which queries endpoint health status by using NAP and reports the status back to the NAP module on UAG. In some rare cases this issue will be seen in UAG deployments as the service re-tries repeatedly to bind to the UAG server. The bind will run in loop with a minute time-out until it can connect.

Additionally, starting with IAG Service Pack 2 Update 3, the UAG Client Components were ported to IAG. Therefore, the uagqecsvc service is also installed on client computers that connect to any IAG server that has Service Pack 2 Update 3 client components. Because NAP endpoint detection functionality does not exist in IAG, a client that has the UAG components installed will continue to try to connect to the UAG NAP service every minute, in the process generating the previously mentioned log messages in the Windows Event logs.

Resolution

In earlier versions of the Client Components, the default time-out for retries to communicate with the UAG NAP detection agent was set to one minute. It has been changed in UAG Update 2 to one hour. For administrators who want to modify this value, a way to manually define the time-out on the client is provided.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows
Computer users or administrators can manually define on any client computer the time-out in milliseconds. To do this, follow these steps:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate and then click the following key in the registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\Client\QEC
  3. On the Edit menu, click Add Value, and then add the following registry value:
    Value name: InitRetryTimeout
    Data type: REG_DWORD
    Radix: Decimal
    Value: time in milliseconds (360000 is the default, but this value must be set larger than 6000)
  4. Exit Registry Editor.
  5. Restart your computer.

Issue 9

Symptom

You (UAG administrator) have UAG installed on a server that is running a localized APAC language version of Windows 2008 R2. When you try to create a trunk on UAG, you receive an error message and the creation of the trunk stops.

For example, blank windows, unexpected error messages, or frequent MMC crashes occur when you try to create a trunk on UAG.

Cause

This issue occurs because of incorrect manipulations of system resources. These incorrect manipulations lead to a failure when you run UAG on some non-Western language versions of operating systems (Korean/Japanese/Chinese).

Resolution

The code that is responsible for accessing these system resources is fixed.

Issue 10


Symptom

Endpoint Session Cleanup Component does not start to execute after a restart of an endpoint. Additionally, an Explorer window opens that points to the client components folder after a restart.

Cause

Before a restart, Endpoint Session Cleanup Component writes a registry value under the “Run” key. This registry value allows Windows to start Endpoint Session Cleanup Component automatically after a restart. However, the path value of this registry entry is an executable path that contains spaces. Therefore, a failure occurs.

Resolution

The path value that points to the Attachment Wiper executable that is written under the “Run” key is now written as a quoted string to prevent any failures.
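
An audit check for the failure described in Issue 10, as an added example that is not part of the update or of UAG: it flags "Run" values whose executable path contains spaces but is not quoted, and returns the quoted form. The value names and paths are constructed, and `first_token` is a simplified model of a launcher that splits the command at the first space, not the exact Windows resolution logic.

```python
import re

# Constructed "Run" key values; names and paths are illustrative only.
SAMPLE_RUN_VALUES = {
    "CleanupUnquoted":
        r"C:\Program Files\Example Vendor\Client Components\cleanup.exe /resume",
    "CleanupQuoted":
        r'"C:\Program Files\Example Vendor\Client Components\cleanup.exe" /resume',
    "NoSpaces": r"C:\Tools\agent.exe -quiet",
}

# Executable part: shortest prefix ending in a program extension that is
# followed by whitespace or the end of the string.
_EXE = re.compile(
    r'^(?P<exe>[^"]+?\.(?:exe|com|bat|cmd))(?=\s|$)(?P<args>.*)$',
    re.IGNORECASE,
)


def first_token(command):
    """What a launcher that splits at the first space takes as the program."""
    command = command.strip()
    if command.startswith('"'):
        closing = command.find('"', 1)
        return command[1:closing] if closing != -1 else command[1:]
    return command.split(None, 1)[0]


def quote_if_needed(command):
    """Return the corrected command when the executable path is unquoted and
    contains a space; return None when no change is needed or the executable
    cannot be identified."""
    command = command.strip()
    if command.startswith('"'):
        return None
    match = _EXE.match(command)
    if not match or " " not in match.group("exe"):
        return None
    return '"{}"{}'.format(match.group("exe"), match.group("args"))


def audit_run_values(values):
    """Map each problematic value name to its quoted replacement."""
    findings = {}
    for name, command in values.items():
        fixed = quote_if_needed(command)
        if fixed is not None:
            findings[name] = fixed
    return findings


if __name__ == "__main__":
    for name, command in SAMPLE_RUN_VALUES.items():
        print(name, "->", first_token(command))
    print(audit_run_values(SAMPLE_RUN_VALUES))
```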

Issue 11


Symptom

When you try to access the language setting options in Exchange Server 2007 Outlook Web Application (OWA) that are published via UAG, the following error message will be sent to the client.

You have attempted to access a restricted URL.

Cause

This issue occurs because the out-of-box template for Exchange Server 2007 OWA does not have a RuleSet entry for the URL "/owa/languageselection.aspx". The UAG RuleSet mechanism does not allow access to any URL that is not in the white list.

Resolution

A new rule is added for Exchange 2007 OWA publishing to allow access to this URL resource. In this case, the new rule "ExchangePub2007_Rule36" allows access to the URL "/owa/languageselection.aspx".

Issue 12


Symptom

When a user tries to access a UAG site, or tries to access a bookmarked path within the application rather than the UAG login path, the user receives a 500 Internal Server error and is unable to access the site.

Note The UAG site uses ADFS for authentication and directly requests a published application.

Cause

When UAG is configured to use ADFS for authentication, several redirects occur between the Security Token Service (STS) and the UAG internal site. If the redirects are not done in the expected manner, UAG returns errors. When a user tries to directly access a published resource instead of the portal site, the re-routing process is broken. Therefore, an internal server error occurs.

Resolution

This issue is fixed in this update.

Issue 13

Symptom

When an administrator is configuring an Active Directory type authentication repository, the administrator cannot set the group nesting value to "unlimited". According to the UAG specification, the value of the group nesting field could be blank. However, when the field is blank and the configuration is saved and activated, the value is set back to "0" unexpectedly.

Note The UAG MMC needs to be closed and re-opened for the value of "0" to become visible. According to the UAG specification, "0" means that there is no group nesting. Therefore, group nesting does not work as expected.

Cause

This issue occurs because the correct value for the group nesting field cannot be stored in the configuration. Therefore, the correct value cannot be applied to both the GUI and the authentication functions.

Resolution

The value in the configuration is now properly stored and updated when the group nesting value is deleted from the GUI. Additionally, the value is properly applied to the authentication functions.

Note Microsoft recommends setting the value to be the lowest number that is required for the authorization in UAG. You can set the value higher than 2 levels of nesting, but doing so brings potential delay and requires additional resources. If higher than 2 levels are required for a deployment, you must test the impact of these changes before the system is deployed in production. In extreme cases, these settings can cause both the UAG server and any DCs that are being used for authentication by UAG to crash because of high resource demands.

Issue 14


Symptom

When you try to close the Network connector (NC) server configuration window after you enable the NC server, you may receive the following error message:

Wrong Network Connector parameters, invalid segment address

Cause

The SSL Network Tunneling service can be used only when the physical network adapters have MAC addresses that begin with "00".

Resolution

The SSL Network Tunneling service can be used even though the physical network adapters have MAC addresses that begin with "00".

Issue 15


Symptom

UAG was released with only partial support for Citrix XenApp 5.

Administrators who wanted to publish Citrix without errors were obligated to follow the steps that are provided on the following Microsoft website:
Introduction to how to publish Citrix XenApp 5.x with UAG 2010 (http://blogs.technet.com/edgeaccessblog/archive/2010/03/25/how-to-publish-citrix-xenapp-5-x-with-uag-2010.aspx)

Cause

This issue occurs because the support for Citrix is broken.

Resolution

The steps that are provided in the article above to properly publish Citrix XenApp 5.0 are now included in this update.

Issue 16


Symptom

The AV product "Trend Micro OfficeScan Anti-Virus" or "Trend Micro PC-Cillin Anti-Virus" is selected from the GUI. In this case, when you create a policy and then apply the policy to an application, you receive the following error message during the activation:

Source Line could not be located

Cause

This issue occurs because the policy syntax validation algorithm misses dependencies that are required by these particular policies.

Resolution

The dependencies that are required by these policies are added to the policy syntax validation algorithm after you install this update.

Known issues

  • After you install this update, the SSL Network Tunneling network adapter becomes invisible in the Network Connections window. This behavior is by design. To make sure that the network adapter is installed, open Device Manager and select the ‘Show Hidden Devices’ entry on the View menu.
  • Sometimes the uninstall update operation may fail with an error message that specifies that the installation file “FirefrontUAG.msi” cannot be found, or with the installation error 1269. To work around this issue, follow these steps:
    1. Open the Start menu and type Show hidden files and folders.
    2. In the advanced settings of the window that opens, clear the Hide protected operating system files (Recommended) option, and then click OK.
    3. Open an elevated Command Prompt window and type UninstallUagUpdate.
    4. Wait several minutes for the installation database repair if it is required.
      Note You might receive a message that informs you of the need for a repair.

  • Citrix XenApp support is only for version 5.0. Later versions are not supported.
  • This release only supports the Personal Desktop scenario of VDI. Pooled desktop scenario is currently not supported.
  • Socket Forwarding is available on Windows 7 and Windows Vista 64-bit clients for 32-bit applications (WOW64 applications). It is not available for native 64-bit applications.
  • Publishing OWA for Exchange 2010 Service Pack 1 by UAG requires manual modification of an AppWrap and modifications to the RuleSets. An article about the steps that are required to do this is published on the UAG Product team blog (http://blogs.technet.com/b/edgeaccessblog/). The steps that are described in the article will be integrated into a future update of UAG.
  • Microsoft Customer Support Services (CSS) cannot provide support to customers if they use beta, non-RTM, or non-generally-available (GA) products such as Internet Explorer 9 Beta. Support for IE9 will be included in a future update after IE9 is officially released.

Known issues with Arrays and Network Load Balancing (NLB)

  • When you try to join two servers to the same array at the same time, the array storage may be corrupted. If this happens, restore the settings from backup.
  • When you delete an IPv6 virtual IP address (VIP) in the Forefront UAG Management console, the address may not be removed completely. To work around this issue, manually delete the address from the network adapter in the Network and Sharing Center and in the Forefront UAG Management console.
  • Forefront UAG may not detect that an array member which uses integrated NLB loses network connectivity (such as an ISP system-failure). In this scenario, Forefront UAG may continue to route traffic to the unavailable server. To avoid this issue, disable the internal and external adapters of offline array members. Enable the adapters again after connectivity issues are resolved.
  • If you have Microsoft System Center Operations Manager 2007 deployed in your organization, you can monitor the status of array member network adapters. To do this, follow these steps:
    • Make sure that the Windows Server Operating System and Windows Server 2008 NLB management packs are installed on each array member.
    • Use Operations Manager 2007 to detect disconnected network adapters on array members.
      Note Operations Manager 2007 reports issues as follows:
      • If there is a problem with the adapter that is connected to the internal network, Operations Manager 2007 reports that no heartbeat is detected.
      • If there is a problem with the adapter that is connected to the external network, Operations Manager 2007 reports a Windows NLB issue.
  • When you create a redirect trunk for an HTTPS trunk in an array that does not have load balancing enabled, you must manually assign the IP addresses of the redirect trunk for each array member. This task is described in the following article:
    Introduction to how to install Update 1 on an array using NLB (http://technet.microsoft.com/en-us/library/ff607416.aspx)



APPLIES TO
  • Microsoft Forefront Unified Access Gateway 2010