|Intelligent Application Gateway (IAG) 2007 Service Pack 2 (SP2)||IAG3.7-SP2Update-3.exe (IAG v3.7 SP2 Update 3)||47|
This update can be applied to the appliances that are running IAG 2007 SP2 or Update 2 for IAG 2007 SP2, and it can be applied to the virtual machines that are running IAG 2007 SP2 or Update 2 for IAG 2007 SP2.
For more information about IAG 2007 SP2, click the following article numbers to view the articles in the Microsoft Knowledge Base:
Description of Intelligent Application Gateway (IAG) 2007 Service Pack 2
Description of Update 1 for Intelligent Application Gateway 2007 Service Pack 2
Description of Update 2 for Intelligent Application Gateway 2007 Service Pack 2
New features and improvements that are included in this update
We made some improvements to the IAG client components in this Update 3 for IAG 2007 SP2. We made these improvements by integrating the Microsoft Forefront Unified Access Gateway (UAG) client components into the IAG product. These improvements include support for the 32-bit and 64-bit versions of Windows 7 and for the 64-bit version of Windows Vista.
Details of the improvements
Starting with this update for IAG, the new client components that are included with UAG have been integrated into IAG. The new client components offer better compatibility with Windows 7, and other improvements. The new client components, although designed for UAG, have a backward compatibility mode that enables clients that are running them to connect seamlessly with both UAG and IAG. This includes versions of IAG that have not yet been updated to Update 3 for IAG 2007 SP2.
You should be aware that other than the client components, no other UAG functionality was incorporated into Update 3 for IAG 2007 SP2, and the new client components offer only client-side improvements.
This new feature is backward compatible. For example, assume that you download the client components from an IAG server that is running Update 3 for IAG 2007 SP2, and then you install them on an endpoint computer. In this scenario, the client components are compatible with a server that is running the latest Update 2 for IAG 2007 SP2. The backward compatibility feature is implemented by a special backward compatibility mode for the UAG client components when the client components access a pre-Update 3 for IAG 2007 SP2-based server.
Client computer update
When a client that has the legacy IAG client components accesses a server that is running Update 3 for IAG 2007 SP2, the client is upgraded by the following process:
The Network Connector feature is not implemented for Windows 7. Because of this, full remote network connectivity is not available for Windows 7 with IAG. Customers who require full network connectivity for Windows 7 clients have to upgrade from Intelligent Application Gateway (IAG) 2007 to Forefront Unified Access Gateway (UAG) 2010 to use the support for SSTP and/or Direct Access for Windows 7 that provides full network connectivity.
Client OS compatibility with Update 3 for IAG 2007 SP2
| Feature | Windows XP 32-bit | Windows Vista 32-bit | Windows Vista 64-bit | Windows 7 32-bit | Windows 7 64-bit | Mac or Linux |
|---|---|---|---|---|---|---|
| Offline installation | Yes | Yes | Yes | Yes | Yes | No |
| Online installation | Yes | Yes | Yes | Yes | Yes | Yes |
| EndPoint Detection | Yes | Yes | Yes | Yes | Yes | Yes |
| AttachmentWiper | Yes | Yes | Yes | Yes | Yes | Yes |
| SSL Wrapper | Yes | Yes | Yes | Yes | Yes | Yes |
| Socket Forwarding | Yes | Yes | No | Yes | No | No |
| Network Connector (NC) | Yes | Yes | Yes | No | No | No |
For more information about browser, operating system, and client component features and compatibility, visit the following Microsoft Tech Web site:
Fixed issues that are included in this update
This update fixes the following issues that were not previously documented in a Microsoft Knowledge Base article:
When you view the weekly report, the monthly report, the quarterly report, or the annual report on the server by using the IAG Web Monitor, Web Monitor cannot generate reports, and you receive the following error message:
Note: You can view the daily reports successfully.
Additionally, you receive the following error message when you try to view the quarterly report:
Too many results. Displaying only first records.
This error message appears only one time.
When you access a basic trunk by using the defined Server Name Translation (SNT) rules, an error occurs in version 18.104.22.168 of the Whlglobalultilies.dll module. This error causes the W3wp.exe application to crash.
This issue occurs because of an access violation when the SNT module is accessed multiple times at the same time.
A crash occurs in the WhlHttpParser.dll module. This crash causes instability of the IAG server when the server is under heavy load.
This issue occurs because IAG parses the chunked responses incorrectly.
The IAG Secure Remote Access (SRA) engine of Update 2 for IAG 2007 SP2 cannot recognize the links that have the "HTTPS" characters in uppercase at the beginning of the URL. Additionally, the engine misses these links in the signing process. This behavior causes some applications not to work correctly.
This problem does not occur when the "HTTP" links are used. The IAG SRA engine interprets any uppercase and lowercase combination of the "HTTP" links.
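The failure mode described above, as an added example that is not IAG code: a link rewriter whose scheme check accepts "http" in any letter case but "https" only in lowercase leaves uppercase "HTTPS" links unsigned, while a case-insensitive check (URI schemes are case-insensitive per RFC 3986) catches them. The portal host, key, signing layout, and sample page are constructed assumptions.

```python
import hashlib
import hmac
import re

KEY = b"constructed-demo-key"        # constructed value, not an IAG secret
PORTAL = "https://portal.example"    # hypothetical gateway host

# Models the described bug: "http" matches in any case, "https" only in lowercase.
BUGGY_ABS_URL = re.compile(r"^(?:[Hh][Tt][Tt][Pp]|https)://")
# Case-insensitive scheme match, as RFC 3986 section 3.1 requires.
FIXED_ABS_URL = re.compile(r"^https?://", re.IGNORECASE)

LINK_ATTR = re.compile(r"""(href|src)=(["'])(.*?)\2""", re.IGNORECASE)

# Constructed sample page with mixed-case schemes and one relative link.
SAMPLE = (
    '<a href="http://intranet.example/a">a</a>'
    '<a href="HTTP://intranet.example/b">b</a>'
    '<a href="https://intranet.example/c">c</a>'
    '<a href="HTTPS://intranet.example/d">d</a>'
    '<a href="/relative/e">e</a>'
)


def sign_link(url):
    """Rewrite an absolute URL to a portal URL carrying an HMAC tag (toy scheme)."""
    scheme, rest = url.split("://", 1)
    target = scheme.lower() + "://" + rest   # normalise the scheme before signing
    tag = hmac.new(KEY, target.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{PORTAL}/signed/{tag}/{scheme.lower()}/{rest}"


def rewrite_page(html, matcher):
    """Return (rewritten_html, missed); missed lists absolute links left unsigned."""
    missed = []

    def repl(m):
        attr, quote, url = m.group(1), m.group(2), m.group(3)
        if matcher.match(url):
            return f"{attr}={quote}{sign_link(url)}{quote}"
        if FIXED_ABS_URL.match(url):         # absolute link the matcher did not see
            missed.append(url)
        return m.group(0)                    # relative or missed: left unchanged

    return LINK_ATTR.sub(repl, html), missed


if __name__ == "__main__":
    for label, matcher in (("buggy", BUGGY_ABS_URL), ("fixed", FIXED_ABS_URL)):
        _, missed = rewrite_page(SAMPLE, matcher)
        print(label, "unsigned absolute links:", missed)
```

The `missed` list is the useful check when testing a rewriting proxy: any absolute link that survives unrewritten points the client straight at the back-end host instead of through the gateway.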
An error occurs in the WhlServerProxy.dll module when you publish and start a Network Connector. This error causes the W3wp.exe application to crash.
When you try to use Web Monitor to view a report that is more than 65535 rows and that contains data from one month or more, the report is not generated.
Note: The maximum size limit of a report that you can configure is 65535 rows in IAG.
After you apply this update, you can increase the number of rows to a value that is beyond 65536. To do this, add the following nonzero DWORD registry value:
Name: UseReportResultHighLimit
Note: The new maximum size limit is 1,000,000 rows.
If the UseReportResultHighLimit registry value is zero or does not exist, the old limit of 65536 rows is used.
Update 2 for IAG 2007 SP2 introduces a new rule set for Microsoft Office SharePoint Server 2007 Alternative Access Mapping (AAM). This new rule set has a bug in it that blocks the usage of files that have a hyphen (-), a comma (,), or an apostrophe (‘) in the file name. This issue occurs because of rule number 55, which includes the following permitted regular expression:
However, the rule should be the following regular expression that includes the valid characters:
This bug was resolved in Office SharePoint Server 2007 by using the same update.
On a Windows Vista-based client computer that has F-Prot Antivirus 22.214.171.124 and the engine version 4.5.1 installed, you set the policy to accept any Windows Management Instrumentation (WMI) antivirus that effectively works on the computer. However, WMI translation of legacy values does not work for F-Prot Antivirus. WMI prevents policies that WMI requires. You notice that WMI detects F-Prot Antivirus successfully by using the following parameters:
AV_WMI_Company_1 Policy X
AV_WMI_Count Policy 1
AV_WMI_Installed_1 Policy TRUE
AV_WMI_Name_1 Policy F-PROT ANTIVIRUS FOR WINDOWS
AV_WMI_Running_1 Policy TRUE
AV_WMI_Version_Product_1 Policy 6.0
However, WMI cannot identify the parameters correctly. Therefore, the following parameters that are dedicated to F-Prot Antivirus show all false, and an endpoint policy cannot detect F-Prot Antivirus:
AV_FProt_Installed Policy False
AV_FProt_LastUpdate Policy 0
AV_FProt_Running Policy False
This update adds F-Prot Antivirus support for a translation from WMI. After you apply this update, the following parameters are changed and a new parameter is added:
AV_FProt_Installed Policy TRUE
AV_FProt_UptoDate Policy TRUE
AV_FProt_Running Policy TRUE
You publish various applications that are Multiple Kerberos Constrained Delegation (KCD)-enabled by using multiple trunks. When you disable or enable any trunk in IAG, IAG prevents correct operation of all KCD-enabled applications that were published by using multiple trunks. Additionally, IAG cannot identify the authentication provider and generates the following error message:
HTTPAuth::CLSAServerConnection::GetAuthenticationPackage - ERROR: Cannot find the authentication package. WinErr: 6
Consider the following scenario:
- You use the duplicate command to copy an existing basic trunk.
- You specify the name and IP address for the new trunk.
- You change the configuration of the new trunk.
- You start this trunk in IAG.
In this scenario, you cannot access the Web site for this trunk by using Windows Internet Explorer, and you receive the following error message:
Microsoft Internet Information Services (IIS) Manager shows that the Web site is in an ON state. However, the Whlfilter is in a DOWN state.
If you activate the trunk in IAG and reset the IIS service, you may be able to access the Web site. If the Web site is still inaccessible, and if IIS Manager shows that the Web site is present, you can reset the IIS service again. Otherwise, you have to activate the trunk in IAG and reset the IIS service again.
Note: Sometimes, a reset of IIS causes the newly created Web sites not to appear in IIS Manager, and the production server may encounter other issues and interruptions.
Apply this update to resolve the basic trunk duplication bug. After a trunk is duplicated, the user can define the port assignment of a new trunk by using the Trunk Duplicate wizard.
When you use a password that includes a Unicode character, the filter cannot reply to the NTLM authentication request. Therefore, the NTLM authentication request fails.
Apply this update to resolve this bug. A regression from Update 1 for IAG 2007 SP2 was reverted.
Consider the following scenario:
- You publish some very large HTML files that are generated by SharePoint SQL Reporting Services (SRSS).
- Because each report file is around 12 MB, you set the MaxBodyBufferSize flag that allows for files that are up to 15 MB to be parsed.
- You access the HTML page, and then you click the file from a client computer.
In this scenario, you receive the following error message:
This page contains both secure and non-secure items
Additionally, you experience the following symptoms:
- The files that are from 10-20 MB cannot be parsed.
- The links that are in these files cannot be signed.
- Some scripts on the page do not work.
You download an optimized Windows Internet Explorer 8 for MSN from an MSN branded Web site. However, you cannot use this browser to access IAG correctly. The Endpoint Detection component does not work, and the portal user interface (UI) does not display in the browser correctly.
This issue occurs because IAG incorrectly identifies the browser as an unsupported browser when MSN is in the User-Agent header.
Apply this update to resolve this issue. After you apply this update, the Endpoint Detection component works correctly for the client computers that have an optimized Windows Internet Explorer 8 for MSN installed.
When you try to request a Web page, or when you try to download a file that exceeds the default parsing buffer limit of 10 MB, the body buffer of IAG is exhausted. Additionally, you receive the following error message:
HTTP 500 - Internal Server Error
This error message contains no information that helps the users or IAG administrators identify the issue. Additionally, this behavior also occurs when a buffer exceeds a limit that is defined by the MaxBodyBufferSize registry key.
For more information about how to configure the maximum size of downloadable files, click the following article number to view the article in the Microsoft Knowledge Base:
Description of Update 3 for e-Gap Appliance 3.6 and Update 4 for Intelligent Application Gateway 2007
After you apply this update, a notification message is sent to IAG Web Monitor if the downloaded file size exceeds the default limit of 10 MB, or if the downloaded file size exceeds the limit defined in the MaxBodyBufferSize registry key. To view this message, you can open the Web Monitor, and then you select the Event Viewer
The following is an example of this message:
You can either edit the buffer size limit by using the registry key or configure the file to be skipped during the parsing process. For more information about how to edit the buffer size limit by using the registry key or about how to configure the file to be skipped during the parsing process, click the following article numbers to view the articles in the Microsoft Knowledge Base:
Description of Update 5 for Intelligent Application Gateway 2007 Service Pack 1
Description of Update 3 for e-Gap Appliance 3.6 and Update 4 for Intelligent Application Gateway 2007
After you install the security update 971726 for Active Directory Federation Services (ADFS) on an IAG server, the logon process fails. Web Monitor shows an incorrect parameter value for the wctx parameter in the Portal_Rule1
Security update 971726 is documented in security bulletin MS09-070.
After you apply this update, the rule set parameter is set to the ".*
A supported update is now available from Microsoft. However, it is intended to correct only the problems that this article describes. Apply it only to systems that are experiencing these specific problems.
To resolve these problems, contact Microsoft Customer Support Services to obtain the update. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
Note: In special cases, the charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
Before you install this update, make sure that you have Intelligent Application Gateway (IAG) 2007 Service Pack 2 (SP2) installed either on an appliance or on a virtual machine.
For more information about the IAG client endpoint system requirements, visit the following Microsoft TechNet Web site:
You do not have to restart the computer after you apply this hotfix.
To remove this update, follow these steps:
- On the IAG 2007-based appliance, open the following folder:
- Double-click the Uninstall-last.bat file.
The uninstall process runs automatically. This process may take several minutes to finish. When the uninstall process is complete, you are notified that the process completed successfully.
Hotfix replacement information
This hotfix does not replace any other hotfix.
- IAG 2007 provides many customization settings that have the following support guidelines:
- Microsoft Customer Support Services (CSS) provides a commercially reasonable effort to customers in making custom changes to SRA, AppWrap, and FormLogin.xml, to resolve problems in publishing out-of-the box supported applications. For more information about which products and versions are supported by e-Gap and IAG, view the list of applications that are supported by e-Gap and IAG
- CSS provides a commercially reasonable effort to deliver samples to customers for SRA, AppWrap, and/or FormLogin.xml for applications not on the list of applications that are supported by e-Gap and IAG
- CSS provides a commercially reasonable effort to provide samples for general IAG 2007 product functionality that is documented in IAG 2007 Microsoft TechNet Library. This functionality includes some features such as the features for access policy detection, for language.xml customization, for custom reporting events, for portal page customization, and for logon page user interface customization.
- Not all other customizations are supported by CSS.
- If you uninstall Update 3 for IAG 2007 SP2, all the configuration changes that were made after you had upgraded to Update 3 for IAG 2007 SP2 are discarded. Therefore, we recommend that you back up the active configuration before you uninstall Update 3 for IAG 2007 SP2.
- Applying or removing an update on the IAG appliance causes all IAG services to be restarted. This restart of services causes all open user sessions to be reset and forces all logged-in users to re-login.
- The following applies only if you upgrade from IAG 2007 SP2 or from Update 1 for IAG 2007 SP2.
- Because there is a bug in the UAG client components that are part of Update 3 for IAG 2007 SP2, the clients that are running a 64-bit version of Windows 7 do not receive a message that shows the unsupported applications.
The Outlook Web Access (OWA) 2003 Service Pack 1 (SP1) template causes the calendar items for the year 2010 and for onward not to appear. The default template for OWA 2003 SP1 has multiple rules that specify the "200[0-9]" parameter value. This value is used in various OWA calendar functions to refer to dates and to limit the dates to the years 2000-2009. Therefore, this template blocks access to the calendar requests that are for the year 2010 and onward.
Workaround: You can edit the rule set to another value manually. To resolve this issue, use the "20[0-9]+" value.
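An added example, not taken from the IAG templates, that audits year patterns the way an administrator might before editing the rule set: it reports the first year each pattern rejects and which non-year values it accepts. It assumes the rule value must match the whole parameter value; the rule names, probe values, and the third pattern are constructed for comparison, and only "200[0-9]" and "20[0-9]+" come from the article.

```python
import re

# Constructed stand-ins for rule-set entries. The names are hypothetical.
RULES = {
    "calendar_year_default": "200[0-9]",       # default template value (from the article)
    "calendar_year_workaround": "20[0-9]+",    # workaround value (from the article)
    "calendar_year_four_digit": "20[0-9]{2}",  # added comparison, not from the article
}

# Constructed probe values that are not four-digit years.
PROBES = ("200", "20100", "2010999999")


def first_blocked_year(pattern, start=2000, last=2099):
    """First year in [start, last] that the pattern rejects, or None if all pass."""
    rx = re.compile(pattern)
    return next(
        (y for y in range(start, last + 1) if not rx.fullmatch(str(y))),
        None,
    )


def accepted_non_years(pattern, probes=PROBES):
    """Probe values the pattern accepts even though they are not 4-digit years."""
    rx = re.compile(pattern)
    return [p for p in probes if rx.fullmatch(p)]


def audit_rules(rules):
    """Summarise each rule: where it starts blocking and how loose it is."""
    return {
        name: {
            "pattern": pattern,
            "first_blocked_year": first_blocked_year(pattern),
            "accepted_non_years": accepted_non_years(pattern),
        }
        for name, pattern in rules.items()
    }


if __name__ == "__main__":
    for name, row in audit_rules(RULES).items():
        print(f"{name:28} {row['pattern']:12} "
              f"blocks from: {row['first_blocked_year']}  "
              f"also accepts: {row['accepted_non_years']}")
```

The default value stops matching at 2010, which is the symptom described above. The workaround value passes every year through 2099 but also matches digit strings of any length that start with "20", which matters if the parameter is relied on as an input filter.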
- The clients that have the former IAG client components installed might encounter the following issue when you try an online upgrade of the clients to Update 3 for IAG 2007 SP2.
Issue: The implementation of IAG requires that the certificate is present in the root certificate store. A newly obtained certificate that is issued by Globalsign works and validates a Windows Installer package against a DLL file on a new computer that does not have an Internet connection.
How to add a Globalsign certificate to the root certificate store
Generally, Windows Update does not update the root certificate store. There is an .exe file that forces a root update of all the roots from all certification authorities (CAs). For more information, click the following article number to view the article in the Microsoft Knowledge Base:
As soon as the computer tries to resolve a certificate to a trusted root, the computer downloads the root if the computer is connected to the Internet. This explains why all the computers we verified included Globalsign in the root certificate store. This behavior is included for secure socket layer (SSL), for code signing, for documents, and for e-mail signing.
Eventually, most of the connected computers are fairly full of roots after many people who have signed by using different vendors interact with the computer.
Windows root certificate program members
To add a Globalsign certificate to the root certificate store, use one of the following methods. Use the method that is appropriate for your situation.
- If the device is connected to the Internet, you can visit the https://2028.globalsign.com Web site, and then you can have the root installed.
- If the device is not connected to the Internet, you must use another computer to download the root from the http://secure.globalsign.net/cacert/Root-R1.crt URL, and then you can install the root on the device. To install the root, import the root by using the Certificate Microsoft Management Console (MMC) snap-in window (Certmgr.msc), and then as an administrator install it.
- The IAG “Local Drive Mapping” application is not supported on Windows Vista-based client computers.
- The IAG “Local Drive Mapping” application is not supported on Windows 7-based client computers.
- Use of the IAG “Local Drive Mapping” application to connect to a Windows Server 2008 server file share is not supported.
Supported products notes
- Not all the products that are supported in Forefront Unified Access Gateway (UAG) 2010 are supported in Intelligent Access Gateway (IAG) 2007. Exchange 2010, Windows Server 2008 Remote Desktop Protocol (RDP), and Windows Server 2008 Remote Desktop Gateway (RDG) are not supported in IAG 2007.
- Microsoft Customer Support Services (CSS) cannot provide a commercially reasonable effort to customers in the support of publishing the beta, non-RTM, and non-generally-available (GA) products such as Microsoft Office SharePoint Server 2010 Beta.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
| File name | File version | Date | Time | File size |
|---|---|---|---|---|
| Agent_lin_helper.jar | Not applicable | 20-Jan-10 | 17:17 | 1,919,007 |
| Agent_mac_helper.jar | Not applicable | 20-Jan-10 | 17:17 | 2,693,648 |
| Agent_win_helper.jar | Not applicable | 20-Jan-10 | 17:17 | 1,290,190 |
| Agentdetection.inc | Not applicable | 20-Jan-10 | 17:17 | 3,355 |
| Awconf.cab | Not applicable | 20-Jan-10 | 17:17 | 6,852 |
| Cacheclean.js | Not applicable | 20-Jan-10 | 17:17 | 7,394 |
| Clientconf.cab | Not applicable | 20-Jan-10 | 17:17 | 7,970 |
| Clientconf.xml | Not applicable | 20-Jan-10 | 17:17 | 6,661 |