Forefront Unified Access Gateway (UAG) Service Pack 3 (SP3) is released! #sysctr

Today (February 20th, 2013) SP3 for Forefront UAG 2010 has been released. Besides bug fixes, Forefront Unified Access Gateway (UAG) Service Pack 3 (SP3) provides a number of new features, including support for Windows 8 devices with Internet Explorer 10, and support for publishing Exchange Server 2013 and SharePoint Server 2013.

  • Windows 8 as a client platform
  • Windows 8 RT (Surface) as a client platform
  • Windows 8 Enterprise as a client for DirectAccess
  • Support for IE10 as a client using both the Modern UI version and the desktop version
  • Support for Windows Mail (on Windows 8) as a client for Exchange Mail (“Outlook Anywhere” or RPC-Over-HTTP)
  • Support for RDC 8, the new protocol for Remote Desktop Connections, which is part of Windows 8. This also enables older clients that have installed update KB2592687 to connect to RDG-based applications published by UAG.
  • Support for Windows Phone 8 as a client platform (this support level is comparable to that of other mobile platforms)
  • Support for Office 2013 clients as client platforms for access to SharePoint (Word, Excel, PowerPoint)
  • Support for Outlook 2013 as a client for Exchange Mail (Outlook Anywhere or RPC-Over-HTTP)
  • Support for publishing Exchange 2013 for OWA, ActiveSync and Outlook-Anywhere
  • Support for publishing SharePoint 2013
  • Improvements to KCD that allow the administrator to enable ticket caching for improved performance
  • Improvements to the Relying-party configuration mechanism (FedUtil) to improve stability

Off Premise Client Provisioning with DirectAccess

With Windows Server 2012 Microsoft introduced a server OS with an incredible number of great features, like data deduplication, ReFS, SMB 3.0, Hyper-V Replica and many more. In this post I want to expose another great feature: Remote Access!

DirectAccess. Windows Server 2008 R2 introduced DirectAccess, a new remote access feature that allows connectivity to corporate network resources without the need for traditional Virtual Private Network (VPN) connections. DirectAccess provides support only for domain-joined Windows 7 Enterprise and Ultimate edition clients. The Windows Routing and Remote Access Server (RRAS) provides traditional VPN connectivity for legacy clients, non-domain joined clients, and third party VPN clients. RRAS also provides site-to-site connections between servers. RRAS in Windows Server 2008 R2 cannot coexist on the same edge server with DirectAccess, and must be deployed and managed separately from DirectAccess.


DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server

This week I noticed some issues with DirectAccess on my Windows 7 client. For some strange reason both the Infrastructure and the Intranet tunnel were not established. When walking through the Advanced Firewall configuration I noticed that Internet Protocol security (IPsec) tunnel mode security associations (SAs) were not initiated. After some searching I found a post on the Forefront forum which describes more or less the same behavior.

Thanks to Jason Jones I found my issue. By verifying the Name Resolution Policy Table (NRPT) configuration using netsh dnsclient show state I noticed that the DirectAccess settings were misconfigured. The NRPT is configured using the DirectAccess Setup wizard. You can also configure the rules directly yourself, but take into account that these settings are overridden when running the DirectAccess wizard!


Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 released

Microsoft® Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (SP2) introduces new functionality to Forefront TMG 2010 Standard and Enterprise Editions.

The service pack includes the following new functionality and feature improvements:

New Reports
• The new Site Activity report shows the data transfer between a given user and specific websites.

Error Pages
• A new look and feel has been created for error pages.
• Error pages can be more easily customized and can include embedded objects.

Kerberos Authentication
• You can now use Kerberos authentication when you deploy an array using network load balancing (NLB).

To read the release notes, see the Forefront TMG Release Notes (SP2). Before installing this service pack, it is highly recommended that you read the TechNet article Installing Forefront TMG Service Packs. Installing the service pack on Forefront TMG computers in an order other than as described in this article is unsupported.

Microsoft Forefront UAG SP2 can be downloaded here

Forefront UAG ISATAP hotfix KB977342 – ISATAP addresses not created for the VIP address

Recently Microsoft released a hotfix for Forefront UAG that applies to scenarios with multiple Forefront UAG servers configured in an array.

Link Local ISATAP addresses are not created for the virtual IP address used by the Network Load Balancing (NLB) feature on a computer that is running Windows Server 2008 R2. This hinders the usage of NLB nodes as an ISATAP router.

This problem occurs because the IP Helper service does not let virtual IP address interfaces generate ISATAP tunneled addresses or 6to4 tunneled addresses, as designed. For the DIP (Dedicated IP) address an ISATAP address is available, but for the VIP (Virtual IP) there is no possibility of having global address support for the NLB VIP address, and no ISATAP addresses can be configured for a VIP.

More information can be found here

Troubleshooting DirectAccess – Teredo Server/Relay not healthy #uag

This week I had an issue with my DirectAccess lab environment, which is based on the Test Lab Guide scenario “Demonstrate Forefront UAG DirectAccess Network Load Balancing and Array Configuration”. In the DirectAccess Monitor Reports one of the array members was not healthy at the Network Security, Teredo Server and Teredo Relay level.

In the event log I found the following error: Event ID 10114, Source: UAG DA Management.

How #Microsoft secures its data in a worldwide environment

This Microsoft IT Showcase slide gives you an overview of how Microsoft secures its data. Maybe a little bit outdated, but still informative for getting a picture of the high-level basics of how to secure your corporate data.

Corrupted Name Resolution Policy Table (NRPT) #DirectAccess

Last week I had some issues with connecting to the corporate network by DirectAccess. The System Log pointed me to the following: Event ID: 1023, Source: DNS Client Events. Name resolution policy table has been corrupted.

For some reason, the rules that come from the DA GPOs had been duplicated. The originals from the GPOs were named “UAGDA Rule1” to “UAGDA Rule3” and the duplicates were named simply “Rule 1” to “Rule 3” (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient\DnsPolicyConfig).
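The duplicated rules described here, and the misconfigured NRPT from the “DirectAccess Client Cannot Establish Tunnels” post above, are both visible in the registry key the post names. The following PowerShell script is an added example, not code from the original post or from Microsoft: it enumerates the Group Policy NRPT rules under that key and reports any DNS namespace that is claimed by more than one rule. It assumes that each rule subkey stores its namespace(s) in a REG_MULTI_SZ value called Name and its DirectAccess DNS server list in a value called DirectAccessDNSServers; the sample rule names in the comments are the ones quoted in the post.

```powershell
# Added example (not from the original post): list the NRPT rules that Group Policy has
# written to the registry and flag namespaces that appear in more than one rule, which is
# the duplicate-rule symptom described above ("UAGDA Rule1" next to "Rule 1").
# Assumption: each rule subkey keeps its DNS namespace(s) in a REG_MULTI_SZ value named
# "Name" and its DirectAccess DNS server list in "DirectAccessDNSServers".

$GpoNrptKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient\DnsPolicyConfig'

function Get-NrptRule {
    param([string]$Path = $GpoNrptKey)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "NRPT key not found: $Path (no Group Policy NRPT rules applied?)"
        return
    }

    Get-ChildItem -Path $Path | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        New-Object -TypeName PSObject -Property @{
            RuleName   = $_.PSChildName                                  # e.g. "UAGDA Rule1" or "Rule 1"
            Namespaces = @($props.Name | Where-Object { $_ })            # e.g. ".corp.example.com" (constructed sample)
            DaDns      = $props.DirectAccessDNSServers                   # semicolon-separated DNS server addresses
        }
    }
}

function Find-DuplicateNrptRule {
    param([string]$Path = $GpoNrptKey)

    $rules = @(Get-NrptRule -Path $Path)

    # Map each namespace to the rules that claim it, so a namespace covered by two rules
    # (the GPO original and its stray duplicate) is reported exactly once.
    $byNamespace = @{}
    foreach ($rule in $rules) {
        foreach ($ns in $rule.Namespaces) {
            $key = $ns.ToString().ToLowerInvariant()
            if (-not $byNamespace.ContainsKey($key)) { $byNamespace[$key] = @() }
            $byNamespace[$key] += $rule.RuleName
        }
    }

    foreach ($ns in $byNamespace.Keys) {
        if ($byNamespace[$ns].Count -gt 1) {
            New-Object -TypeName PSObject -Property @{
                Namespace = $ns
                Rules     = ($byNamespace[$ns] -join ', ')
            }
        }
    }
}

# Report. A healthy client has exactly one rule per namespace; the wizard-generated
# rules (UAGDA Rule1..3 in the post) are the authoritative ones.
$dupes = @(Find-DuplicateNrptRule)
if ($dupes.Count -eq 0) {
    Write-Host "No duplicated NRPT namespaces under $GpoNrptKey"
} else {
    Write-Warning "Duplicated NRPT namespaces found; compare with 'netsh dnsclient show state' and 'netsh namespace show policy':"
    $dupes | Format-Table -AutoSize
}
```

The script only reports. Because the post notes that manually edited NRPT rules are overwritten whenever the DirectAccess wizard runs, cleaning up duplicates is best done by re-applying the DA Group Policy (for example after a gpupdate /force) rather than by hand-editing the registry, and then re-running the script to confirm that each namespace is listed once.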

#DirectAccess support for wildcard certificates

As you probably know, a Forefront UAG DirectAccess deployment requires a public key infrastructure (PKI) to issue certificates to DirectAccess clients, the Forefront UAG DirectAccess server, and the network location server.

Certificates used by DirectAccess can be categorized by:

Configuring #DirectAccess for #Lync #OCS voice/video in a split DNS scenario

One of the considerations for DirectAccess planning is to decide which DNS names should be resolved internally, by your organization’s internal DNS servers, and which should be resolved externally, using an external (ISP) DNS server configured for your computer’s network interface. This distinction about which DNS server to send each query to is configured on a Windows 7 or Windows Server 2008 R2 computer using entries in the DNS Client resolver’s Name Resolution Policy Table (NRPT).

It’s recommended to use the Edge Server role rather than VPN, IPsec or similar protocols, because these protocols add overhead and latency. Audio/video and media traffic is highly sensitive to latency and jitter. Adding encryption introduces delay, because the traffic has to be encrypted and decrypted on both the client and the server side. If the traffic goes through the DirectAccess network path, it can therefore cause long delays and jitter, given the sensitivity of A/V and media traffic.

Without split-brain DNS, there is a natural dividing line between the DNS queries that DirectAccess and the NRPT should send to internal DNS and those that should stay on the internet. But beware! If you have split-brain DNS you may need to make some special allowances for DNS queries that should stay on the internet.