Release notes and known issues
[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

These release notes address late-breaking issues for Microsoft® Forefront Unified Access Gateway (UAG) RC0. It is essential that you read the information contained in this document, and review System requirements in Forefront UAG, before installing RC0. For RC support, visit the Forefront UAG forum.

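The following sections describe issues that relate to installation and deployment, arrays and Network Load Balancing (NLB), performance, publishing and authentication, VPN client access, DirectAccess, client endpoint access, and administration.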

Installation and deployment

  • Forefront UAG can only be installed on computers running Windows Server 2008 R2 Standard (RTM release) or Windows Server 2008 R2 Enterprise (RTM release) operating systems. For more information, see Evaluating Windows Server 2008 R2.

  • If the Forefront UAG server is a member of a workgroup, ensure that a DNS suffix is defined for the workgroup; otherwise, Forefront UAG might not operate as expected.

  • Forefront UAG cannot be installed on a localized operating system.

  • Forefront TMG is installed automatically during Forefront UAG Setup, and removed automatically if Forefront UAG is uninstalled. Installing and uninstalling only Forefront TMG is not supported.

  • To deploy multiple Forefront UAG servers in an array, all the servers must be domain members.

Arrays and Network Load Balancing (NLB)

  • Array configuration changes should be performed using the Forefront UAG Management console running on the array manager server. On array members, only the Array Management Wizard can be accessed in the console.

  • When completing an action in the Array Management Wizard that requires credentials, ensure that you are logged on to the Forefront UAG server with the same credentials.

  • Removing an IPv6 virtual IP address (VIP) in the Forefront UAG Management console may not work as required. As a workaround, remove the address in the console, and then remove it in the operating system properties.

  • When you configure a different array member to become the array manager, the array status changes may not display correctly in the Activation Monitor.

Performance

When running Forefront UAG RC0 you may experience the following performance issues:

  • Joining a server to an array may take several minutes.

  • When restarting a Forefront UAG server that acts as the array manager, it might take several minutes for the Forefront UAG Management console to load.

  • Activating the Forefront UAG configuration to apply changes might take several minutes.

Publishing and authentication

  • The following applications were tested for publishing with Forefront UAG RC0:

    • Microsoft Exchange 2007

    • Microsoft Exchange 2010

    • Microsoft SharePoint 2007

  • Publishing other applications using RC0 might not work as expected.

  • Note the following when publishing Exchange services:

    • When publishing Outlook Web Access with client components disabled and the setting Apply an Outlook Web Access look and feel enabled, clients connecting to Outlook Web Access cannot select the setting This is a private computer. In addition, the Outlook Web Access Light Option does not work as expected.

    • When publishing Outlook Web Access 2010, ensure that the setting Open in a new window is selected in the Portal Link tab of the application properties. Otherwise Outlook Web Access might not operate as expected.

    • When publishing Outlook Anywhere using the Add Application Wizard, the default authentication method is Basic. After completing the wizard, you can modify authentication settings on the Authentication tab of the application properties.

  • Windows NT domain authentication is not supported for this release.

  • ADFS deployment is not supported for this release.

  • The following limitations apply when publishing Remote Desktop Services (RDS) with Forefront UAG:

    • RDS publishing requires the Forefront UAG server to be a domain member.

    • Forefront UAG provides Remote Desktop Services (RDS) access for client endpoints that support Remote Desktop Protocol (RDP) 7.0. RDP 7.0 is supported only on endpoints running Windows 7.

  • When you publish RemoteApps on a Forefront UAG server running DirectAccess or SSL Network Tunneling using SSTP, the Remote Desktop (RD) Gateway certificate might be deleted when the configuration is activated in the Forefront UAG Management console. Client access might not work as expected. If this occurs, reconfigure the RD Gateway certificate from the RD Gateway Management console.

  • After running the Add Application Wizard to publish Office Communications Server (OCS) 2007 R2, add the following values to the Manual URL Replacement list in the Portal tab of the trunk settings:

    | URL | To URL | Type | ServerName | UseSSL | Port | BeforeValidation |
    |---|---|---|---|---|---|---|
    | .*/CWA/AsyncDataChannel\.ashx.* | | Rerouting | Name of published OCS server | Yes | 443 | No. If clients do not authenticate, set to Yes. |
    | .*/Cwa/AuthMainCommandHandler\.ashx.* | | Rerouting | Name of published OCS server | Yes | 443 | Yes |
    | .*/Cwa/AuthMainCommandHandler\.ashx.* | | Rerouting | Name of published OCS server | Yes | 443 | Yes |



VPN client access (SSL network tunneling)

  • For this release, dial-in RRAS VPN connections are not supported. PPTP and L2TP/IPsec are not supported.

  • When Forefront UAG is configured in an array, VPN client connections using SSL network tunneling (SSTP) are not supported.

DirectAccess

  • Forefront TMG system policy rules enable or disable traffic to the Forefront UAG server. By default, system policy rules drop IPv6 traffic destined for Forefront UAG from backend servers. To allow access to the Forefront UAG server for IPv6 monitoring servers and other services, modify system policy rules. To enable IPv6 traffic on a specific system policy rule, do the following:

    1. From the Start menu, open the Forefront TMG Management console.

    2. In the console tree, click the Firewall Policy node.

    3. On the Tasks tab, click Edit System Policy.

    4. In System Policy Editor, in the Configuration Groups tree, click the group containing the rule for which you want to allow IPv6 traffic.

    5. On the To tab, click Add, and select Anywhere (IPv6). Click Close, and then click OK.

  • When using DirectAccess, protocols that do not support NAT traversal may not work as expected if the published backend server supports IPv4 only; for example, the Real Time Streaming Protocol (RTSP).

  • Single-label names (for example, http://internal) that are not part of the primary DNS suffix (and are normally resolved inside the corporate network by using WINS), cannot be resolved when connecting remotely:

    • If WINS is not deployed in your organization, resolve this with either of the following:

      • Use the FQDN.

      • Add the domain-specific DNS suffix (for example zone1.corp.contoso.com) to the default domain group policy object (GPO).

    • If WINS is deployed, do the following:

      1. Deploy a WINS forward lookup zone in the DNS. When a client tries to resolve computername.dns.zone1.corp.contoso.com, the request is directed to the WINS server, which uses only computername. To the client it appears that a regular DNS A resource record (RR) request is issued, but it is actually a NetBIOS request.

      2. Add a DNS suffix, for example dns.zone1.corp.contoso.com, to the default domain policy GPO.

  • When you apply settings in the Forefront UAG DirectAccess Wizard, the GPOs that are created define what main mode setting should be used when creating IPsec tunnels between the DirectAccess client and the Forefront UAG DirectAccess server. This main mode setting applies to all IPsec rules on client computers or servers. If other GPOs in an organization define different main modes, this might cause a conflict that results in communication problems between two computers with different main mode methods assigned in Windows Firewall. To resolve this issue, ensure that all GPOs use the same main mode method as that configured for DirectAccess (ECDHP256:AES128:SHA256).

Client endpoint access

  • The Forefront UAG Endpoint Detection component cannot be installed and run on client endpoints running Windows Server 2008 R2.

  • On endpoints running Windows 7 (32-bit or 64-bit), or Internet Explorer 8, the browser may not restart automatically after the initial installation of Forefront UAG client components. As a workaround, clients should restart the browser manually.

  • The following issues may occur during endpoint access:

    • After you change settings in the Forefront UAG console and activate the configuration, the first time that an endpoint accesses a Forefront UAG site following the activation, some endpoint components might not be installed. Components are installed when the endpoint subsequently accesses the site.

    • Custom endpoint access policies may not be completely applied for Mac endpoints.

    • For clients running the Mac Leopard operating system, the SSL Wrapper client component is not supported. In addition, Telnet is not supported for these clients.

    • For this release, users may encounter a restricted URL message during a scheduled logoff.

  • Users logging on to a Forefront UAG site with a user principal name (UPN) might experience access issues, including the inability to change a user password. To solve this issue, do the following:

    1. Copy the file Microsoft Forefront Unified Access Gateway\von\InternalSite\sample\repository_for_upn.inc to the Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate folder.

    2. Rename the file to repository.inc, where repository is the name of the authentication server used to authenticate the user.

    3. Activate the configuration. On the Activate Configuration dialog box, apply the changes to the external configuration settings.

    4. Restart the Microsoft Forefront UAG User Manager service.

  • When authenticating using Basic authentication, client endpoints using languages that require the double-byte character set (DBCS) have the following requirements:

    1. The endpoint must be configured with a DBCS locale.

    2. The Forefront UAG server, and any backend servers to which the endpoint makes requests, must be configured with the same DBCS locale.

Administration

  • Help pages in the Forefront UAG consoles may not be displayed as expected. Some links may be broken.

  • Web Monitor must be accessed via the Forefront UAG Management console.

© 2009 Microsoft Corporation. All rights reserved.