Forefront UAG registry keys

Updated: October 13, 2011

Applies To: Unified Access Gateway

There are a number of Forefront Unified Access Gateway (UAG) configuration tasks that are not available in the user interface, and can only be completed by configuring registry keys. This topic summarizes some of these tasks.

Each entry below lists the registry location, the key type, whether the key exists by default, and details.

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter\FullAuthPassthru
Key: DWORD VALUE (1 or 0)
Exists by default: Yes
Details: Set to 1 to configure Forefront UAG to pass through unmodified WWW-Authenticate HTTP response headers from published backend servers to client computers.

Note: This behavior applies only when Forefront UAG is not configured to perform single sign-on (SSO) to published backend servers.

This setting ensures that the 401 request issued by the backend application reaches the client without being modified. The client may then authenticate using NTLM, Negotiate, or Basic authentication. The registry key is global and affects all trunks, regardless of whether Integrated Windows authentication is configured on the trunk. This setting ensures that browsers automatically reply to a 401 request and perform authentication directly with the backend server.

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter\KeepClientAuthHeader
Key: DWORD VALUE (1 or 0)
Exists by default: No
Details: Set to 1 to allow client computers to send HTTP requests containing the Authorization header directly to the published backend server without any modification by Forefront UAG; for example, set to 1 if you want to support Integrated Windows authentication from a client to a published backend server.

Note: Applicable only from Forefront UAG SP1 Update 1.

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Common\Conf\IgnoreTMGStore
Key: DWORD VALUE (1 or 0)
Exists by default: Yes
Details: Set to 1 to use emergency file system recovery.

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Configuration\ImportFromOtherVersion
Key: DWORD VALUE (1 or 0)
Exists by default: Yes
Details: Set to 1 to import or export from earlier versions of Forefront UAG.

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UserMGR\TranslateUPN
Key: DWORD VALUE (1 or 0)
Exists by default: Yes
Details: Set to 1 to enable client authentication using a user principal name (UPN) in a Forefront UAG portal. Enabling UPN consists of the following steps:

  1. Configure the registry key.

  2. Copy the repository_for_upn.inc CustomUpdate file to the von\InternalSite\inc\CustomUpdate folder.

  3. Rename the file to repository.inc, where repository is the name of the authentication server that is used to authenticate the user.

  4. Restart the Microsoft Forefront UAG User Manager service.

  5. Activate the configuration.
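The following PowerShell script is an added example, not part of the Forefront UAG documentation, that carries out steps 1 to 4 of the UPN procedure above on a UAG server. It assumes an elevated Windows PowerShell session; the template source path, the UAG installation directory and the User Manager service name are placeholders you must replace with the values from your own installation (the page does not state them). Step 5, activating the configuration, is performed in the Forefront UAG Management console and is deliberately not scripted.

```powershell
# Added example: enable UPN authentication (steps 1-4 of the documented procedure).
# Placeholders below are assumptions, not values from the UAG documentation.
param(
    # Name of the authentication server (repository) as shown in the UAG console.
    [Parameter(Mandatory = $true)][string]$RepositoryName,

    # Where the repository_for_upn.inc template was obtained from (assumed placeholder).
    [Parameter(Mandatory = $true)][string]$TemplatePath,

    # UAG installation root; assumed default, adjust for your server.
    [string]$UagRoot = 'C:\Program Files\Microsoft Forefront Unified Access Gateway',

    # Service name of "Microsoft Forefront UAG User Manager"; placeholder, look it
    # up with: Get-Service | Where-Object DisplayName -like '*User Manager*'
    [string]$UserManagerService = 'UAG-USER-MANAGER-SERVICE-PLACEHOLDER'
)

# Step 1: set TranslateUPN = 1 (create the key if it does not exist).
$keyPath = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\von\UserMGR'
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
Set-ItemProperty -Path $keyPath -Name 'TranslateUPN' -Value 1 -Type DWord

# Steps 2-3: copy the template into the CustomUpdate folder under the name
# <repository>.inc, which is the documented rename target.
if (-not (Test-Path $TemplatePath)) {
    throw "UPN template not found: $TemplatePath"
}
$customUpdate = Join-Path $UagRoot 'von\InternalSite\inc\CustomUpdate'
if (-not (Test-Path $customUpdate)) {
    throw "CustomUpdate folder not found: $customUpdate (check -UagRoot)"
}
$target = Join-Path $customUpdate ('{0}.inc' -f $RepositoryName)
Copy-Item -Path $TemplatePath -Destination $target -Force

# Step 4: restart the User Manager service so it reads the new setting.
Restart-Service -Name $UserManagerService -ErrorAction Stop

Write-Output "TranslateUPN set to 1, $target created, $UserManagerService restarted."
Write-Output 'Step 5: activate the configuration in the Forefront UAG Management console.'
```

Run it as `.\Enable-UagUpn.ps1 -RepositoryName <repository> -TemplatePath <path to repository_for_upn.inc>`; the script fails fast if the template or the CustomUpdate folder is missing, so a wrong install path does not leave a half-applied change behind.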

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\URLFilter\KCDUseUPN
Key: DWORD VALUE (1 or 0)
Exists by default: No
Details: To perform Kerberos authentication using the UPN, set to 1. To perform Kerberos authentication using the DOMAIN\UserName format, set to 0. If no value is set, DOMAIN\UserName is used.

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\URLFilter\PreLoginTimeOutSec
Key: DWORD VALUE (seconds)
Exists by default: No
Details: The default session timeout for clients that connect to a portal but have not yet logged in is four minutes. To change this default, specify an alternative value in seconds. The minimum value is 60. After modifying this value, IIS must be restarted.

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\SessionMgr\MonitorFullSessionsList
Key: DWORD VALUE (0 or 1)
Exists by default: Yes
Details: Set to 1 to display RPC sessions in Web Monitor.

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Configuration\MaxFileSize
Key: DWORD VALUE (Mb)
Exists by default: Yes
Details: Use to set the size of the configuration log file.

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\MaxBodyBufferSize
Key: DWORD VALUE (Bytes)
Exists by default: Yes
Details: This key defines the number of bytes the URL filter can accumulate for responses. The default value is 10 Mb (1024*1000*10). Any response that must be accumulated and parsed and is larger than 10 Mb is rejected, unless the registry key defines a larger size.

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\PortScalabilityIPs
Key: String - comma-separated list of the IP addresses that the administrator wants to use to connect to the backend servers. For example: "172.23.41.25,172.23.41.26,172.23.41.27". White space is allowed.
Exists by default: Yes
Details: By default, Forefront UAG binds sockets to the backend server with a single local IP address. With this behavior, there is a limit of 60,000 sockets that can be bound. When the port scalability feature is enabled, the local IP addresses in the registry list are used in round-robin order, and each socket is bound with a different IP address. This feature is especially useful for RPC over HTTP setups.

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL
Key: DWORD VALUE (0 or 1)
Exists by default: Yes
Details: By default, Forefront UAG validates both the certificate and the certificate revocation list (CRL) of each SSL backend server during the TLS handshake. If the certificate or the CRL is not valid, users are denied access to that backend server. If a Forefront UAG administrator wishes to disable these validation tests, set the ValidateRwsCert and ValidateRwsCertCRL key values to 0, and then restart the IIS service on the Forefront UAG server.

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Send200OKEchoResponseToRPCClient
Key: DWORD VALUE (0 or 1)
Exists by default: Yes
Details: By default, Forefront UAG replies with a 200 OK echo response to an RPC client when it receives a proxy discovery request. To disable this reply, set this key to 0. In that case, the Authorization WFE continues its flow to the Filter extension, which sends the proxy discovery request to the RWS; the RWS then answers the client with its own echo response. This feature (enabled by default) was implemented as a performance enhancement, because it avoids a request/response round trip between the Filter and the backend server.

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\LogPoolStatistics
Key: DWORD VALUE (0 or 1)
Exists by default: Yes
Details: Includes the statistics for the various object pools used by WhlFilter and its extensions in the WhlFilter core traces. Among others, this includes the statistics for the CExtECBs and CExtPFCs pools.

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\UrlFilter\MaxAllHeadersLen
Key: DWORD VALUE (bytes; the default maximum header length is 8192 bytes)
Exists by default: No
Details: Create this key to modify the maximum total length of all HTTP request headers accepted by the URL filter. After modifying this value, IIS must be restarted.

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Configuration\WFLB\InitialNodeStateAsStopped
Key: DWORD VALUE (0 or 1)
Exists by default: No
Details: Create this key to specify that servers are added to a farm in a stopped state. This ensures that you can add servers without immediately placing them in a live state and directing traffic to them.

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\MonitorMgr\MaxLogSizeMB
Key: DWORD VALUE (megabytes)
Exists by default: Yes
Details: Specifies the maximum size of the log file. The default size is 2.5 gigabytes.

Registry location: HKEY_LOCAL_MACHINE\Software\WhaleCom\e-Gap\Von\Configuration\NlbStickiness
Key: DWORD VALUE (between 0 and 30 minutes)
Exists by default: No
Details: In an array configuration, the IP affinity stickiness setting specifies how long an endpoint source IP address continues to use the same array member, even if other array members are available. Use this key to modify the timeout and set it between 0 and 30 minutes. If this key does not exist or no number is specified, a default of 30 minutes is used.

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Whalecom\e-Gap\von\Monitor\MessagesTimeout
Key: DWORD VALUE (in milliseconds)
Exists by default: Yes
Details: Defines the timeout (in milliseconds) for Web Monitor requests for event messages (from the Web Monitor Event Viewer).

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Whalecom\e-Gap\von\Monitor\NLBTimeout
Key: DWORD VALUE (in milliseconds)
Exists by default: Yes
Details: Defines the timeout (in milliseconds) for Web Monitor requests for NLB status (from the Array Monitor).

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Whalecom\e-Gap\von\Monitor\WFLBTimeout
Key: DWORD VALUE (in milliseconds)
Exists by default: Yes
Details: Defines the timeout (in milliseconds) for Web Monitor requests for changing Web farm load balanced server states (from the Web Farm Monitor).
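Several of the keys above change the security posture of a UAG deployment rather than just its tuning: disabling backend certificate or CRL validation, passing authentication headers through unmodified, or raising the accepted header length. The PowerShell script below is an added example, not part of the Forefront UAG documentation, that reads those values on a UAG server and reports which ones differ from the documented defaults. It assumes an elevated Windows PowerShell session on the server and, as the SSL entry describes, that ValidateRwsCert and ValidateRwsCertCRL are DWORD values under the Comm\SSL key; an absent value is reported as "default" because the page documents the default behavior for each.

```powershell
# Added example: audit the security-relevant Forefront UAG registry values
# documented above and flag settings that weaken or widen the default posture.
# Assumes an elevated session on the UAG server; value placement for the
# ValidateRwsCert* names under Comm\SSL is an assumption drawn from the SSL entry.

$Base = 'HKLM:\SOFTWARE\WhaleCom\e-Gap'

function Get-UagDword {
    # Returns the DWORD value as [int], or $null if the key or value is absent.
    param([string]$SubKey, [string]$Name)
    $path = Join-Path $Base $SubKey
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Each check names the setting, the value that warrants attention, and why.
$Checks = @(
    @{ SubKey = 'Von\URLFilter\Comm\SSL'; Name = 'ValidateRwsCert';      Flag = 0
       Why = 'backend server certificates are NOT validated during the TLS handshake' },
    @{ SubKey = 'Von\URLFilter\Comm\SSL'; Name = 'ValidateRwsCertCRL';   Flag = 0
       Why = 'backend certificate revocation (CRL) is NOT checked' },
    @{ SubKey = 'von\UrlFilter';          Name = 'FullAuthPassthru';     Flag = 1
       Why = 'WWW-Authenticate headers pass through unmodified; clients authenticate directly with the backend' },
    @{ SubKey = 'von\UrlFilter';          Name = 'KeepClientAuthHeader'; Flag = 1
       Why = 'client Authorization headers are forwarded to the backend without modification' }
)

$findings = @()
foreach ($c in $Checks) {
    $value = Get-UagDword -SubKey $c.SubKey -Name $c.Name
    $label = '{0}\{1}' -f $c.SubKey, $c.Name
    if ($null -eq $value) {
        Write-Output ("{0}: absent (default behavior applies)" -f $label)
    } elseif ($value -eq $c.Flag) {
        Write-Warning ("{0} = {1}: {2}" -f $label, $value, $c.Why)
        $findings += $label
    } else {
        Write-Output ("{0} = {1}" -f $label, $value)
    }
}

# MaxAllHeadersLen: the documented default is 8192 bytes; a larger value widens
# what the URL filter accepts before rejecting a request.
$hdr = Get-UagDword -SubKey 'Von\UrlFilter' -Name 'MaxAllHeadersLen'
if ($null -eq $hdr) {
    Write-Output 'Von\UrlFilter\MaxAllHeadersLen: absent (8192-byte default applies)'
} elseif ($hdr -gt 8192) {
    Write-Warning ("Von\UrlFilter\MaxAllHeadersLen raised to {0} bytes (default 8192)" -f $hdr)
    $findings += 'Von\UrlFilter\MaxAllHeadersLen'
} else {
    Write-Output ("Von\UrlFilter\MaxAllHeadersLen = {0} bytes" -f $hdr)
}

# PreLoginTimeOutSec: the documented minimum is 60 seconds; a lower value is a
# misconfiguration rather than a shorter timeout.
$pre = Get-UagDword -SubKey 'von\URLFilter' -Name 'PreLoginTimeOutSec'
if ($null -ne $pre -and $pre -lt 60) {
    Write-Warning ("von\URLFilter\PreLoginTimeOutSec = {0}: below the documented minimum of 60" -f $pre)
    $findings += 'von\URLFilter\PreLoginTimeOutSec'
}

Write-Output ("Audit complete: {0} setting(s) flagged for review." -f $findings.Count)
```

Flagged settings are not necessarily wrong (FullAuthPassthru and KeepClientAuthHeader are documented options for Integrated Windows authentication scenarios), but each one should be traceable to a deliberate decision; the two ValidateRwsCert* values at 0 mean UAG no longer verifies the identity of the backend servers it proxies to, which is the finding most worth acting on.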

When installing Forefront UAG SP1 on Forefront UAG servers, the HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\MonitorMgr\sql-builtin-log registry key is treated as follows:

Forefront UAG RTM or Update 1 key value    Forefront UAG SP1 key value
Not present                                1
0 (see note)                               0
1                                          1

Note: If the key was set to 0 before performing the installation, this key value is preserved. In this case, the new Forefront UAG DirectAccess monitoring functionality is not available because it requires SQL logging.