Tag: UAG

Forefront Unified Access Gateway 2010 Service Pack 2 is available for download

On By Ronny de JongIn Forefront UAG 2010Leave a comment

Microsoft has recently released Microsoft Forefront UAG 2010 Service Pack 2 which is available for download from the Microsoft Download Center, as an upgrade from UAG Service Pack 1 Update 1. Besides improved support for Microsoft SharePoint 2010, Active Directory Federation Services 2.0 and mobile device supoort (Windows Phone 7.5, iOS 5.x, Andriod) with this service pack 25 issues are solved in Forefront UAG 2010.

Here are some details about what is included in Service Pack 2 for UAG 2010:

  • Improved SharePoint 2010 support

    Forefront UAG 2010 SP2 enables users to authenticate to a trunk by using Microsoft Office Forms-Based Authentication (MSOFBA) when the trunk uses Active Directory Federation Services (AD FS) 2.0 for authentication.

  • Improved Active Directory Federation Services (AD FS) 2.0 support

    You can provide remote and partner employees with access to published applications that have AD FS 2.0 enabled.

    • AD FS Multi-Namespace support: Multi-namespace support with AD FS 2.0 enables you to use a single AD FS 2.0 server that has multiple Forefront UAG trunks when the FQDNs (the public host names) of the trunks are in different domains. For example, the FQDN of the first trunk is portal.contoso.com and the FQDN of the second trunk is portal.fabrikam.com. Both trunks can be configured to perform AD FS authentication by using the same AD FS 2.0 server sts.contoso.com. In this kind of deployment, the AD FS 2.0 server is published through one of the Forefront UAG trunks, or by an AD FS proxy that is parallel to Forefront UAG.
    • Use the AD FS Proxy to publish the AD FS 2.0 Server: The AD FS proxy has many benefits compared to publishing the AD FS 2.0 server through Forefront UAG; including, support for Office365 authentication and mobile devices.
    • Enable complex topologies: For example, by using Forefront UAG to publish a SharePoint website located in one site when the AD FS server is located in another site
  • Added client devices

    Forefront UAG 2010 SP2 enables users to connect with the following mobile devices:

    • Windows Phone 7.5
    • iOS 5.x on iPad and iPhone
    • Android 4.x on tablets and phones
  • Updated support for UAG’s endpoint detection capabilities
  • Fixes included in UAG SP2

Download the Forefront Unified Access Gateway (UAG) 2010 Service Pack 2 package now, and learn more about UAG SP2 by visiting our TechNet Library.

Vulnerabilities in Microsoft Forefront Unified Access Gateway #UAG Could Cause Remote Code Execution (2544641)

On By Ronny de JongIn Forefront TMG 2010, InfrastructureLeave a comment

Today Microsoft released an important security update which applies to all versions of Microsoft Forefront Unified Access Gateway (UAG).

Executive Summary

This security update resolves five privately reported vulnerabilities in Microsoft Forefront Unified Access Gateway (UAG). The most severe of these vulnerabilities could allow remote code execution if a user visits an affected Web site using a specially crafted URL. However, an attacker would have no way to force users to visit such a Web site. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.

This security update is rated Important for all supported versions of Microsoft Forefront Unified Access Gateway 2010. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerabilities by modifying the way that UAG handles specially crafted requests, modifying the MicrosoftClient.JAR file, and adding exception handling around the null value of the UAG Web server. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.
Continue reading “Vulnerabilities in Microsoft Forefront Unified Access Gateway #UAG Could Cause Remote Code Execution (2544641)”

DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server

On By Ronny de JongIn DirectAccess, Forefront UAG 2010, Infrastructure, Windows 71 Comment

This week I noticed some issues with DirectAccess on my Windows 7 client. For some strange reason both Infrastructure and Intranet tunnels are not established. When walking through the Advanced Firewall configuration I noticed that Internet Protocol security (IPsec) tunnel mode security associations (SAs) were not initiated. After some searching if found a post on Forefront forum which describes more or less the same behavior.

Thanks to Jason Jones if found my issue. By verifying the Name Resolution Policy Table (NRPT) configuration using netsh dnsclient show state and noticed that Direct Access Settings is misconfigured. The NRPT is configured using the DirectAccess Setup wizard. You can configure the rules also directly by yourself but take into account these settings are overridden when running the DirectAccess wizard!

Continue reading “DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server”

Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 released

On By Ronny de JongIn DirectAccess, Forefront TMG 2010, Forefront UAG 2010, Infrastructure, Windows 7Leave a comment

Microsoft® Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (SP2) introduces new functionality to Forefront TMG 2010 Standard and Enterprise Editions.

The service pack includes the following new functionality and feature improvements:

New Reports
• The new Site Activity report displays a report showing the data transfer between users and specific websites for any user.

Error Pages
• A new look and feel has been created for error pages.
• Error pages can be more easily customized and can include embedded objects.

Kerberos Authentication
• You can now use Kerberos authentication when you deploy an array using network load balancing (NLB).

To read the release notes, see the Forefront TMG Release Notes (SP2). Before installing this service pack, it is highly recommended that you read the TechNet article Installing Forefront TMG Service Packs. Installing the service pack on Forefront TMG computers in an order other than as described in this article is unsupported.

Microsoft Forefront UAG SP2 can be downloaded here

Forefront UAG ISATAP hotfix KB977342 – ISATAP addresses not created for the VIP address

On By Ronny de JongIn DirectAccess, Forefront UAG 2010, InfrastructureLeave a comment

Recently Microsoft released a hotfix for Forefront UAG and applies to multiple Forefront UAG server scenario configured in an Array configuration.

Link Local ISATAP addresses are not created for the virtual IP address used by the Network Load Balancing (NLB) feature on a computer that is running Windows Server 2008 R2. This hinders the usage of NLB nodes as an ISATAP router.

This problem occurs because the IP Helper service does not let virtual IP address interfaces generate ISATAP tunneled addresses or 6to4 tunneled addresses as designed. For the DIP address ( Dedicated IP ) you will have an ISATAP address available but for the VIP ( Virtual IP ) there is no possibility of having Global Addresses support for the NLB VIP address ( Virtual IP) and no ISATAP addresses can be configured for a VIP.

More information can be found here

Secure Application Access by using AD FS and UAG – UAG acting as ADFS Proxy Topology (via Security and Identity in the Cloud)

On By Ronny de JongIn UncategorizedLeave a comment

In the previous post I showed to you how UAG can be used with ADFS to publish Claims aware application and provide single sign-on into  such applications along with traditional applications which require UserID/password. In that demonstration UAG was configured with Form Based Authentication (FBA) and user was authenticating to UAG before they could get access to actual applications. Today’s demonstration shows a different UAG/ADFS topology, … Read More

via Security and Identity in the Cloud

Troubleshooting DirectAccess – Teredo Server/Relay not healthy #uag

On By Ronny de JongIn Cloud, DirectAccess, Forefront UAG 2010, Infrastructure, Windows 7Leave a comment

This week I had an issue with my DirectAccess lab environment which is based on the Test Lab Guide scenario “Demonstrate Forefront UAG DirectAccess Network Load Balancing and Array Configuration“. In the DirectAccess Monitor Reports one of the array members was not healthy at the Network Security, Teredo Server and Teredo Relay level.

In the event log I found the following error: Event ID 10114 Source: UAG DA Management. Continue reading “Troubleshooting DirectAccess – Teredo Server/Relay not healthy #uag”

#DirectAccess support for wildcard certificates

On By Ronny de JongIn DirectAccess, Forefront UAG 2010, Windows 7Leave a comment

As you probably might know Forefront UAG DirectAccess deployment requires a public key infrastructure (PKI) to issue certificates to DirectAccess clients, the Forefront UAG DirectAccess server, and the network location server.

Certifcates used by DirectAccess can be catagorized by:

Continue reading “#DirectAccess support for wildcard certificates”

Configuring #DirectAccess for #Lync #OCS voice/video in a split DNS scenario

On By Ronny de JongIn DirectAccess, Forefront UAG 2010, Windows 75 Comments

 One of the considerations for DirectAccess planning is to decide which DNS names should be resolved internally, by your organization’s internal DNS servers, and which should be resolved externally, using an external (ISP) DNS server configured for your computer’s network interface. This distinction about which DNS server to send each query to is configured on a Windows 7 or Windows Server 2008 R2 computer using entries in the DNS Client resolver’s Name Resolution Policy Table (NRPT).

It’s recommended to use Edge Server role rather than VPN, IPSEC etc. protocols. There is an overhead and added latency when these protocols are used. The Audio/Video and media traffic is highly sensitive to latency and jitter. If you add additional encryption, it will cause delay, because it’s needed to process the traffic on client AND server side for encrypt and decrypt the data. If the traffic goes through DirectAccess network path, it can cause a long delay, jitter. Because the sensivity of A/V and media.

Without split-brain DNS, there is a natural dividing line between the DNS queries that DirectAccess and the NRPT should send to internal DNS and those that should stay on the internet. But beware! If you have split-brain DNS you may need to make some special allowances for DNS queries that should stay on the internet. Continue reading “Configuring #DirectAccess for #Lync #OCS voice/video in a split DNS scenario”

Configure #DirectAccess for Mobile Broadband

On By Ronny de JongIn DirectAccess, Forefront UAG 2010, Windows 7Leave a comment

Last week I noticed some problems with DirectAccess by using UMTS/3G broadband network of a Dutch mobile provider (KPN). A number of IPv6 translation methods don’t work by default which results DirectAccess by broadband is not always guaranteed. Table below shows a comparison of the various telecom providers and supported IPv6 translation methods.

IPv6 Translation ISP Provider support matrix

Provider 6to4 Teredo IP-HTTPS
KPN (UMTS) X(1) X(2)
Vodafone (UMTS)
FRITZ (ADSL) n/a
  1. Teredo traffic—UDP destination port 3544 inbound and UDP source port 3544 outbound.
  2. 6to4 traffic—Protocol 41 inbound and outbound

Continue reading “Configure #DirectAccess for Mobile Broadband”