Rollup 1 for Forefront Unified Access Gateway (UAG) 2010 Service Pack 3

In February this year, Microsoft released Service Pack 3 for Forefront UAG 2010. Today the Microsoft Forefront Unified Access Gateway (UAG) product team released Rollup 1 for Forefront UAG 2010 Service Pack 3.

Issues that are fixed in Rollup 1

The issues that are fixed in Rollup 1 are listed in the following articles. To view an issue, click the article number to open the article in the Microsoft Knowledge Base.

  • 2810229 FIX: You cannot redirect local computer resources in an RDS session after you disable the client endpoint components in Forefront Unified Access Gateway 2010
  • 2831570 FIX: "The URL you requested cannot be accessed" error message may be returned when a client sends an HTTP POST request to a portal in Forefront Unified Access Gateway 2010
  • 2831573 FIX: Traffic is not forwarded or you receive an error message about ADVAPI32.dll when you use a Windows XP client to start an application from a Forefront Unified Access Gateway 2010 Service Pack 3 portal
  • 2831865 FIX: The endpoint policy expression "Any Personal Firewall (Windows)" is incorrect for Windows 7 and Windows 8 in Service Pack 3 for Forefront Unified Access Gateway (UAG) 2010
  • 2831868 FIX: Endpoint policies for existing trunks are not updated after you install Forefront Unified Access Gateway 2010 Service Pack 3
  • 2832679 FIX: You receive a 500 Internal Server error when you run the File Access application from the Forefront Unified Access Gateway 2010 Service Pack 3 portal trunk
  • 2832681 FIX: You receive a script error that prevents file access configuration in the Management Console in Forefront Unified Access Gateway 2010
  • 2832685 FIX: The Forefront Unified Access Gateway 2010 portal may intermittently become unresponsive to clients after Service Pack 2 is installed

Rollup 1 for Forefront UAG 2010 Service Pack 3 can be requested here

Forefront UAG 2010 Service Pack 3 is available for download from the Microsoft Download Center, as an upgrade from UAG 2010 Service Pack 2.


Forefront Unified Access Gateway (UAG) Service Pack 3 (SP3) is released! #sysctr

Today (February 20th, 2013) SP3 for Forefront UAG 2010 has been released. Besides bug fixes, Forefront Unified Access Gateway (UAG) Service Pack 3 (SP3) provides a number of new features, including support for Windows 8 devices with Internet Explorer 10, and support for publishing Exchange Server 2013 and SharePoint Server 2013.

  • Windows 8 as a client platform
  • Windows 8 RT (Surface) as a client platform
  • Windows 8 Enterprise as a client for DirectAccess
  • Support for IE10 as a client using both the Modern UI version and the desktop version
  • Support for Windows Mail (on Windows 8) as a client for Exchange Mail (“Outlook Anywhere” or RPC-Over-HTTP)
  • Support for RDC 8, the new protocol for Remote Desktop Connections, which is part of Windows 8. This also enables older clients which installed Update KB2592687 to connect to RDG-based applications published by UAG.
  • Support for Windows Phone 8 as a client platform (*this support level is comparable to other mobile platforms support)
  • Support for Office 2013 clients as client platforms for access to SharePoint (Word, Excel, PowerPoint)
  • Support for Outlook 2013 as a client for Exchange Mail (Outlook Anywhere or RPC-Over-HTTP)
  • Support for publishing Exchange 2013 for OWA, ActiveSync and Outlook-Anywhere
  • Support for publishing SharePoint 2013
  • Improvements to KCD that allow the administrator to enable ticket caching for improved performance
  • Improvements to the Relying-party configuration mechanism (FedUtil) to improve stability

Off Premise Client Provisioning with DirectAccess

With Windows Server 2012 Microsoft introduced a server OS with an incredible number of great features, like data deduplication, ReFS, SMB 3.0, Hyper-V Replica and many more. In this post I want to highlight another great feature: Remote Access!


DirectAccess: Windows Server 2008 R2 introduced DirectAccess, a remote access feature that allows connectivity to corporate network resources without the need for traditional Virtual Private Network (VPN) connections. DirectAccess supports only domain-joined Windows 7 Enterprise and Ultimate edition clients. The Windows Routing and Remote Access Server (RRAS) provides traditional VPN connectivity for legacy clients, non-domain-joined clients, and third-party VPN clients. RRAS also provides site-to-site connections between servers. RRAS in Windows Server 2008 R2 cannot coexist on the same edge server with DirectAccess, and must be deployed and managed separately from DirectAccess.


Forefront Unified Access Gateway 2010 Service Pack 2 is available for download

Microsoft has recently released Microsoft Forefront UAG 2010 Service Pack 2, which is available for download from the Microsoft Download Center as an upgrade from UAG Service Pack 1 Update 1. Besides improved support for Microsoft SharePoint 2010, Active Directory Federation Services 2.0 and mobile devices (Windows Phone 7.5, iOS 5.x, Android), this service pack resolves 25 issues in Forefront UAG 2010.

Here are some details about what is included in Service Pack 2 for UAG 2010:

  • Improved SharePoint 2010 support

    Forefront UAG 2010 SP2 enables users to authenticate to a trunk by using Microsoft Office Forms-Based Authentication (MSOFBA) when the trunk uses Active Directory Federation Services (AD FS) 2.0 for authentication.

  • Improved Active Directory Federation Services (AD FS) 2.0 support

    You can provide remote and partner employees with access to published applications that have AD FS 2.0 enabled.

    • AD FS Multi-Namespace support: Multi-namespace support with AD FS 2.0 enables you to use a single AD FS 2.0 server with multiple Forefront UAG trunks when the FQDNs (the public host names) of the trunks are in different domains. For example, the FQDN of the first trunk is and the FQDN of the second trunk is . Both trunks can be configured to perform AD FS authentication by using the same AD FS 2.0 server. In this kind of deployment, the AD FS 2.0 server is published through one of the Forefront UAG trunks, or by an AD FS proxy that is deployed in parallel to Forefront UAG.
    • Use the AD FS Proxy to publish the AD FS 2.0 Server: The AD FS proxy has many benefits compared to publishing the AD FS 2.0 server through Forefront UAG, including support for Office 365 authentication and mobile devices.
    • Enable complex topologies: For example, by using Forefront UAG to publish a SharePoint website located in one site when the AD FS server is located in another site.
  • Added client devices

    Forefront UAG 2010 SP2 enables users to connect with the following mobile devices:

    • Windows Phone 7.5
    • iOS 5.x on iPad and iPhone
    • Android 4.x on tablets and phones
  • Updated support for UAG’s endpoint detection capabilities
  • Fixes included in UAG SP2

Download the Forefront Unified Access Gateway (UAG) 2010 Service Pack 2 package now, and learn more about UAG SP2 by visiting our TechNet Library.

DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server

This week I noticed some issues with DirectAccess on my Windows 7 client. For some strange reason both the Infrastructure and Intranet tunnels were not established. When walking through the Advanced Firewall configuration I noticed that Internet Protocol security (IPsec) tunnel mode security associations (SAs) were not initiated. After some searching I found a post on the Forefront forum which describes more or less the same behavior.

Thanks to Jason Jones I found my issue. By verifying the Name Resolution Policy Table (NRPT) configuration using netsh dnsclient show state, I noticed that the DirectAccess settings were misconfigured. The NRPT is configured using the DirectAccess Setup wizard. You can also configure the rules directly yourself, but take into account that these settings are overridden when running the DirectAccess wizard!


Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 released

Microsoft® Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (SP2) introduces new functionality to Forefront TMG 2010 Standard and Enterprise Editions.

The service pack includes the following new functionality and feature improvements:

New Reports
• The new Site Activity report shows the data transferred between users and specific websites for any user.

Error Pages
• A new look and feel has been created for error pages.
• Error pages can be more easily customized and can include embedded objects.

Kerberos Authentication
• You can now use Kerberos authentication when you deploy an array using network load balancing (NLB).

To read the release notes, see the Forefront TMG Release Notes (SP2). Before installing this service pack, it is highly recommended that you read the TechNet article Installing Forefront TMG Service Packs. Installing the service pack on Forefront TMG computers in an order other than the one described in that article is unsupported.

Microsoft Forefront UAG SP2 can be downloaded here

Forefront UAG ISATAP hotfix KB977342 – ISATAP addresses not created for the VIP address

Recently Microsoft released a hotfix for Forefront UAG that applies to scenarios with multiple Forefront UAG servers configured in an array.

Link Local ISATAP addresses are not created for the virtual IP address used by the Network Load Balancing (NLB) feature on a computer that is running Windows Server 2008 R2. This hinders the usage of NLB nodes as an ISATAP router.

This behavior is by design: the IP Helper service does not let virtual IP address interfaces generate ISATAP tunneled addresses or 6to4 tunneled addresses. For the DIP (Dedicated IP) address an ISATAP address is available, but for the VIP (Virtual IP) address there is no global address support for the NLB VIP, and no ISATAP addresses can be configured for a VIP.

More information can be found here

Troubleshooting DirectAccess – Teredo Server/Relay not healthy #uag

This week I had an issue with my DirectAccess lab environment, which is based on the Test Lab Guide scenario “Demonstrate Forefront UAG DirectAccess Network Load Balancing and Array Configuration”. In the DirectAccess Monitor Reports one of the array members was not healthy at the Network Security, Teredo Server and Teredo Relay level.

In the event log I found the following error: Event ID 10114, Source: UAG DA Management.

How #Microsoft secures its data in a worldwide environment

This Microsoft IT Showcase slide deck gives you an overview of how Microsoft secures its data. It may be a little bit outdated, but it is still informative to get a picture of the high-level basics of how to secure your corporate data.

Corrupted Name Resolution Table (NRPT) #DirectAccess

Last week I had some issues with connecting to the corporate network by DirectAccess. The System Log pointed me to the following: Event ID: 1023, Source: DNS Client Events. Name resolution policy table has been corrupted.

For some reason, the rules that come from the DA GPOs had been duplicated. The originals from the GPOs were named “UAGDA Rule1” to “UAGDA Rule3” and the duplicates were named simply “Rule 1” to “Rule 3” (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient\DnsPolicyConfig).
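As an added example (not from the original posts), the following PowerShell check reads the NRPT policy key named above and reports any namespace that is covered by more than one rule, which is what the duplicated “UAGDA Rule” / “Rule” entries in this post and the misconfigured NRPT in the earlier DirectAccess post would show up as. It assumes each rule subkey carries the Name value (the namespace list) and the DirectAccessDNSServers value that Group-Policy-written NRPT rules use; the grouping logic and output are this example's own, and the sample namespace in the comment is constructed.

```powershell
# Added example: detect duplicated NRPT rules under the policy key from the post.
# Assumes each rule is a subkey whose 'Name' value (REG_MULTI_SZ) lists the
# namespaces it covers, e.g. '.corp.example.com' (constructed sample).
$nrptKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient\DnsPolicyConfig'

function Get-NrptRule {
    # Returns one object per rule subkey: rule name, namespaces, DA DNS servers.
    if (-not (Test-Path $nrptKey)) { return @() }
    Get-ChildItem $nrptKey | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        New-Object PSObject -Property @{
            Rule       = $_.PSChildName
            Namespaces = @($p.Name)
            DnsServers = @($p.DirectAccessDNSServers)
        }
    }
}

function Find-DuplicateNrptNamespace {
    # Groups rules by namespace; a namespace with more than one rule is a
    # duplicate (e.g. 'UAGDA Rule1' and 'Rule 1' both covering the same suffix).
    $byNs = @{}
    foreach ($r in Get-NrptRule) {
        foreach ($ns in $r.Namespaces) {
            if (-not $byNs.ContainsKey($ns)) { $byNs[$ns] = @() }
            $byNs[$ns] += $r.Rule
        }
    }
    foreach ($ns in $byNs.Keys) {
        if ($byNs[$ns].Count -gt 1) {
            New-Object PSObject -Property @{
                Namespace = $ns
                Rules     = ($byNs[$ns] -join ', ')
            }
        }
    }
}

$dups = @(Find-DuplicateNrptNamespace)
if ($dups.Count -eq 0) {
    Write-Host 'No duplicated NRPT namespaces found.'
} else {
    Write-Warning 'Duplicated NRPT rules found (compare with: netsh dnsclient show state):'
    $dups | Format-Table Namespace, Rules -AutoSize
}
```

Because the DirectAccess wizard and the DA GPOs rewrite their own rules, treat this as a detection step and let Group Policy reapply the intended rules rather than hand-editing the key.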