Forefront Unified Access Gateway 2010 Service Pack 2 is available for download

Microsoft has recently released Microsoft Forefront UAG 2010 Service Pack 2, which is available for download from the Microsoft Download Center as an upgrade from UAG Service Pack 1 Update 1. Besides improved support for Microsoft SharePoint 2010, Active Directory Federation Services 2.0 and mobile devices (Windows Phone 7.5, iOS 5.x, Android), this service pack fixes 25 issues in Forefront UAG 2010.

Here are some details about what is included in Service Pack 2 for UAG 2010:

  • Improved SharePoint 2010 support

    Forefront UAG 2010 SP2 enables users to authenticate to a trunk by using Microsoft Office Forms-Based Authentication (MSOFBA) when the trunk uses Active Directory Federation Services (AD FS) 2.0 for authentication.

  • Improved Active Directory Federation Services (AD FS) 2.0 support

    You can provide remote and partner employees with access to published applications that have AD FS 2.0 enabled.

    • AD FS Multi-Namespace support: Multi-namespace support with AD FS 2.0 enables you to use a single AD FS 2.0 server that has multiple Forefront UAG trunks when the FQDNs (the public host names) of the trunks are in different domains. For example, the FQDN of the first trunk is portal.contoso.com and the FQDN of the second trunk is portal.fabrikam.com. Both trunks can be configured to perform AD FS authentication by using the same AD FS 2.0 server sts.contoso.com. In this kind of deployment, the AD FS 2.0 server is published through one of the Forefront UAG trunks, or by an AD FS proxy that is parallel to Forefront UAG.
    • Use the AD FS Proxy to publish the AD FS 2.0 Server: The AD FS proxy has many benefits compared to publishing the AD FS 2.0 server through Forefront UAG; including, support for Office365 authentication and mobile devices.
    • Enable complex topologies: For example, by using Forefront UAG to publish a SharePoint website located in one site when the AD FS server is located in another site.
  • Added client devices

    Forefront UAG 2010 SP2 enables users to connect with the following mobile devices:

    • Windows Phone 7.5
    • iOS 5.x on iPad and iPhone
    • Android 4.x on tablets and phones
  • Updated support for UAG’s endpoint detection capabilities
  • Fixes included in UAG SP2

Download the Forefront Unified Access Gateway (UAG) 2010 Service Pack 2 package now, and learn more about UAG SP2 by visiting our TechNet Library.


Vulnerabilities in Microsoft Forefront Unified Access Gateway #UAG Could Cause Remote Code Execution (2544641)

Today Microsoft released an important security update which applies to all versions of Microsoft Forefront Unified Access Gateway (UAG).

Executive Summary

This security update resolves five privately reported vulnerabilities in Microsoft Forefront Unified Access Gateway (UAG). The most severe of these vulnerabilities could allow remote code execution if a user visits an affected Web site using a specially crafted URL. However, an attacker would have no way to force users to visit such a Web site. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.

This security update is rated Important for all supported versions of Microsoft Forefront Unified Access Gateway 2010. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerabilities by modifying the way that UAG handles specially crafted requests, modifying the MicrosoftClient.JAR file, and adding exception handling around the null value of the UAG Web server. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server

This week I noticed some issues with DirectAccess on my Windows 7 client. For some strange reason neither the infrastructure tunnel nor the intranet tunnel was established. When walking through the Advanced Firewall configuration I noticed that Internet Protocol security (IPsec) tunnel mode security associations (SAs) were not initiated. After some searching I found a post on the Forefront forum which describes more or less the same behavior.

Thanks to Jason Jones I found my issue. By verifying the Name Resolution Policy Table (NRPT) configuration using netsh dnsclient show state I noticed that the DirectAccess settings were misconfigured. The NRPT is configured by the DirectAccess Setup wizard. You can also configure the rules directly yourself, but take into account that these settings are overridden when the DirectAccess wizard is run!


Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 released

Microsoft® Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (SP2) introduces new functionality to Forefront TMG 2010 Standard and Enterprise Editions.

The service pack includes the following new functionality and feature improvements:

New Reports
• The new Site Activity report displays a report showing the data transfer between users and specific websites for any user.

Error Pages
• A new look and feel has been created for error pages.
• Error pages can be more easily customized and can include embedded objects.

Kerberos Authentication
• You can now use Kerberos authentication when you deploy an array using network load balancing (NLB).

To read the release notes, see the Forefront TMG Release Notes (SP2). Before installing this service pack, it is highly recommended that you read the TechNet article Installing Forefront TMG Service Packs. Installing the service pack on Forefront TMG computers in an order other than as described in this article is unsupported.

Microsoft Forefront UAG SP2 can be downloaded here

Forefront UAG ISATAP hotfix KB977342 – ISATAP addresses not created for the VIP address

Recently Microsoft released a hotfix for Forefront UAG that applies to multiple-server Forefront UAG scenarios configured as an array.

Link Local ISATAP addresses are not created for the virtual IP address used by the Network Load Balancing (NLB) feature on a computer that is running Windows Server 2008 R2. This hinders the usage of NLB nodes as an ISATAP router.

This problem occurs because the IP Helper service, as designed, does not let virtual IP address interfaces generate ISATAP tunneled addresses or 6to4 tunneled addresses. For the DIP (Dedicated IP) address an ISATAP address is available, but for the VIP (Virtual IP) there is no possibility of Global Address support for the NLB VIP address, and no ISATAP addresses can be configured for a VIP.

More information can be found here

Secure Application Access by using AD FS and UAG – UAG acting as ADFS Proxy Topology (via Security and Identity in the Cloud)

In the previous post I showed you how UAG can be used with ADFS to publish claims-aware applications and provide single sign-on into such applications along with traditional applications which require UserID/password. In that demonstration UAG was configured with Form Based Authentication (FBA) and users were authenticating to UAG before they could get access to the actual applications. Today’s demonstration shows a different UAG/ADFS topology, …

via Security and Identity in the Cloud

Troubleshooting DirectAccess – Teredo Server/Relay not healthy #uag

This week I had an issue with my DirectAccess lab environment which is based on the Test Lab Guide scenario “Demonstrate Forefront UAG DirectAccess Network Load Balancing and Array Configuration”. In the DirectAccess Monitor Reports one of the array members was not healthy at the Network Security, Teredo Server and Teredo Relay level.

In the event log I found the following error: Event ID 10114, Source: UAG DA Management.