
Forefront UAG Event Messages

Published: April 8, 2010

Updated: June 1, 2010

Applies To: Unified Access Gateway

Use this topic to reference events that are reported to the Web Monitor, according to the number and message that is displayed when the event occurs. Resolutions are provided for the Error and Warning messages where possible.

A Windows service that is running on Forefront UAG was stopped.

Cause: A Windows service that is required in order to run Forefront UAG is not started.

Resolution: Start the relevant service on Forefront UAG:

  1. In the Windows Control Panel double-click Administrative Tools, and then double-click Services.

  2. Select and right-click the applicable service, and then select Start.

This is a warning that the threshold of the number of sessions that can be open through the site at the same time was reached.

Cause: When the threshold is reached, this message is logged whenever a new session is established, until the number is below the threshold again. When the maximum number of sessions that can be open through the site at the same time is reached, new sessions can no longer be established.

Resolution: If this event occurs regularly, increase the number of sessions that can be open through the site, and raise the threshold accordingly in the Forefront UAG Management console, as follows:

  1. Open the Advanced Trunk Configuration window of the relevant trunk, and access the Session tab.

  2. Modify the required settings.

This is a warning that the threshold of the number of unauthenticated sessions that can be open through the site at the same time was reached.

Cause: When the threshold is reached, this message is logged whenever a new session is established, until the number is below the threshold again. When the maximum number of unauthenticated sessions that can be open through the site at the same time is reached, new sessions can no longer be established.

Resolution: If this event occurs regularly, increase the number of unauthenticated sessions that can be open through the site, and raise the threshold accordingly in the Forefront UAG Management console, as follows:

  1. Open the Advanced Trunk Configuration window of the relevant trunk, and access the Session tab.

  2. Modify the required settings.

A remote user attempts to access the site. Access is denied, and the following message is displayed in the browser window: "Failed to authenticate".

Cause: The failure can be caused by:

  • Wrong credentials entered by the remote user, such as a wrong user name or password, the user selecting the wrong directory (authentication server) in the login page, and so on.

  • The authentication server is not configured correctly. For example:

    • Invalid IP/host value or invalid port.

    • Server access credentials are not strong enough.

    • Groups/users search in the authentication server is defined inaccurately, therefore Forefront UAG cannot find a unique instance of the user name.

  • Authentication server is not running.

  • Authentication server is not reachable from Forefront UAG.

The cause of the login failure is reported in the message, in the "Error" field.

Resolution: Depending on the type of error, do one or more of the following:

  1. Verify the configuration of the authentication server on Forefront UAG:

    1. In the Forefront UAG Management console, on the Admin menu, click Authentication and Authorization Servers.

    2. In the Authentication and Authorization Servers dialog box, select the relevant server, and click Edit.... Verify each of the parameters in the Edit Authorization Server dialog box.

  2. Verify that the authentication server is running.

  3. Verify that the authentication server is reachable from Forefront UAG. If it is not reachable, check the network connections.

  4. Verify the configuration of the Forefront TMG firewall rule that enables the connection from Forefront UAG to the application server. For details, examine the Forefront TMG logs and alerts.

A remote user attempts to log in to the site. Access is denied, and the following message is displayed in the browser window: "There are too many users on the web site at the moment. Please try to access the site again in a few minutes."

Cause: The maximum number of authenticated sessions that can be open through the site at the same time was reached.

Resolution: If this event occurs on a regular basis, increase the number of sessions that can be open through the site:

  1. In the Forefront UAG Management console, open the Advanced Trunk Configuration window of the relevant trunk, and access the Session tab.

  2. In the "Maximum concurrent sessions" field, increase the number of sessions that can be open through the site simultaneously.

A remote user attempts to access the site. Access is denied, and the following message is displayed in the browser window: "There are too many users on the web site at the moment. Please try to access the site again in a few minutes."

Cause: The maximum number of unauthenticated sessions that can be open through the site at the same time was reached.

Resolution: If this event occurs on a regular basis, increase the number of sessions that can be open through the site:

  1. In the Forefront UAG Management console, open the Advanced Trunk Configuration window of the relevant trunk, and access the Session tab.

  2. In the "Maximum unauthenticated concurrent sessions" field, increase the number of sessions that can be open through the site simultaneously.

A remote user requests a page. The request is denied, and a message is displayed in the browser window, informing the user what part of the request is too long: URL, method, HTTP version, or Header section.

Cause: The request is invalid since part of it is too long, as indicated in the message. The allowed length is:

  • URL: 2,083 bytes

  • Method: 32 bytes

  • HTTP version: 16 bytes

  • Header section: 2,048 bytes

Resolution: Check the browser that was used to request the page.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "Invalid HTTP request version"

Cause: The browser on the remote computer sent the request using an invalid HTTP protocol version.

Resolution: Verify that the browser that was used to request the page is configured to use HTTP version 1.1 or 1.0. For example, in Internet Explorer 8.0, do the following:

  1. On the Tools menu, click Internet Options....

  2. In the Internet Options dialog box, select the Advanced tab. Under HTTP 1.1 settings, verify that the Use HTTP 1.1 check box is selected.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "An attempt to sneak source IP was detected".

Cause: The request contains a header or parameter that is identical to the header or parameter that is configured as the "Source IP address key" header or parameter for this application. This could be an attempt to sneak data to the application server, using this header or parameter.

Resolution: To avoid a situation where the header or parameter is used in "legal" requests, make sure that you assign it a unique name that will not be used for any other purpose. If the header or parameter name is unique, when it is used in a request, it indicates that this is a malicious request that should be blocked.

To define the "Source IP address key" header or parameter for this application, do the following in the Forefront UAG Management console:

  1. Open the Application Properties dialog box for this application and access the Web Settings tab.

  2. Select the "Source IP address key" check box, and in the text box assign a unique header or parameter name.
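The three request-rejection events above (request part too long, invalid HTTP request version, and a client-supplied copy of the "Source IP address key" header or parameter) can be expressed as one request check. The following is an added example written for this page, not Forefront UAG's own filter code: the byte limits (URL 2,083, method 32, HTTP version 16, header section 2,048) and the accepted versions (HTTP/1.0 and HTTP/1.1) are the values stated above; applying the header limit to the whole header section, the `X-Example-UAG-Client-IP` key name and the sample requests are constructed assumptions.

```python
"""Request validation modelled on the three request-rejection events above.

Added example, not Forefront UAG code. The byte limits and the accepted HTTP
versions are the values the page states; treating the header limit as a limit
on the whole header section, and the source-IP key name, are assumptions.
"""
from urllib.parse import parse_qsl, urlsplit

URL_LIMIT = 2083
METHOD_LIMIT = 32
VERSION_LIMIT = 16
HEADER_SECTION_LIMIT = 2048
ACCEPTED_VERSIONS = {b"HTTP/1.0", b"HTTP/1.1"}

# Constructed placeholder for the per-application "Source IP address key". The
# gateway adds this header/parameter itself when forwarding to the application
# server, so a client request that already carries it is treated as malicious.
SOURCE_IP_KEY = "X-Example-UAG-Client-IP"


def check_request(raw: bytes, source_ip_key: str = SOURCE_IP_KEY) -> list:
    """Return the rejection reasons for a raw HTTP request; an empty list means accepted."""
    reasons = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete request: header section not terminated"]
    request_line, _, header_section = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, url, version = parts

    # Length limits, checked on the raw bytes as received
    if len(method) > METHOD_LIMIT:
        reasons.append(f"method too long ({len(method)} > {METHOD_LIMIT} bytes)")
    if len(url) > URL_LIMIT:
        reasons.append(f"URL too long ({len(url)} > {URL_LIMIT} bytes)")
    if len(version) > VERSION_LIMIT:
        reasons.append(f"HTTP version too long ({len(version)} > {VERSION_LIMIT} bytes)")
    elif version not in ACCEPTED_VERSIONS:
        reasons.append("Invalid HTTP request version")
    if len(header_section) > HEADER_SECTION_LIMIT:
        reasons.append(f"header section too long ({len(header_section)} > {HEADER_SECTION_LIMIT} bytes)")

    # Reserved source-IP key: it must not arrive as a client-supplied header or query parameter
    key = source_ip_key.lower()
    header_names = [line.partition(b":")[0].strip().lower().decode("latin-1")
                    for line in header_section.split(b"\r\n") if line]
    query = urlsplit(url.decode("latin-1")).query
    param_names = [name.lower() for name, _ in parse_qsl(query, keep_blank_values=True)]
    if key in header_names or key in param_names:
        reasons.append("An attempt to sneak source IP was detected")
    return reasons


if __name__ == "__main__":
    # Constructed sample requests
    samples = {
        "ok": b"GET /portal/index.html?lang=en HTTP/1.1\r\nHost: portal.example.test\r\n\r\n",
        "old version": b"GET / HTTP/0.9\r\n\r\n",
        "reserved header": b"GET / HTTP/1.1\r\nHost: x\r\nX-Example-UAG-Client-IP: 10.0.0.1\r\n\r\n",
    }
    for label, request in samples.items():
        print(label, "->", check_request(request) or "accepted")
```

The check operates on the raw bytes before any decoding, which is what the byte limits above refer to; the source-IP key comparison is case-insensitive because HTTP header names are.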

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "An attempt to sneak authorization info was detected".

Cause: The request contains a "negotiate" authorization header. A "negotiate" authorization header sent by clients may contain malformed code, which could cause denial of service and browser crashes.

Resolution: If you want to cancel the blocking of "negotiate" authorization headers, do the following in the Forefront UAG Management console:

  1. Open the Advanced Trunk Configuration window of the relevant trunk, and access the URL Inspection tab.

  2. Clear the Block Negotiate authorization headers check box.

A remote user attempts to add authentication credentials on-the-fly, for example, in order to access an application that requires different credentials than those used to access the site. The attempt fails, and the following message is displayed in the browser window: "Failed to authenticate".

Cause: The failure can be caused by:

  • Wrong credentials entered by the remote user, such as a wrong user name or password, the user selecting the wrong directory (authentication server) in the login page, and more.

  • The authentication server is not configured correctly. For example:

    • Invalid IP/host value or invalid port.

    • Server access credentials are not strong enough.

    • Groups/users search in the authentication server is defined inaccurately, therefore Forefront UAG cannot find a unique instance of the user name.

  • Authentication server is not running.

  • Authentication server is not reachable from Forefront UAG.

The cause of the login failure is reported in the message, in the "Error" field.

Resolution: Depending on the type of error, do one or more of the following:

  1. Verify the configuration of the authentication server on Forefront UAG:

    1. In the Forefront UAG Management console, on the Admin menu, click Authentication and Authorization Servers.

    2. In the Authentication and Authorization Servers dialog box, select the relevant server and click Edit.... Verify each of the parameters in the Edit Authorization Server dialog box.

  2. Verify that the authentication server is running.

  3. Verify that the authentication server is reachable from Forefront UAG. If it is not reachable, check the network connections.

  4. Verify the configuration of the Forefront TMG firewall rule that enables the connection from Forefront UAG to the application server. For details, examine the Forefront TMG logs and alerts.

A remote user attempts to access an application. The attempt fails.

Cause: Despite the fact that the application is configured to automatically reply to the application server’s authentication request (HTML form), the login attempt failed. This can be caused by one of the following reasons:

  1. The credentials that were used for the authentication were not accepted by the application. This can be due to one of the following reasons:

    1. The authentication server used for the login does not contain the user credentials that are required by the application.

    2. Incorrect configuration of the Form Authentication Engine for this application.

  2. The browser used by the remote user is not supported by Forefront UAG.

Resolution: Do the following:

  • Verify that the correct authentication server is used to reply to the login request:

    1. In the Forefront UAG Management console, access the application and open the Application Properties dialog box.

    2. Access the Web Settings tab, and verify that the authentication server that is selected under the "Automatically Reply to Application-Specific Authentication Requests" check box contains the user credentials that are required by the application.

  • Verify the configuration of the Form Authentication Engine for this application.

A remote user attempts to access an application. The attempt fails, and the following message is displayed: "You do not have permissions to view this Directory or page using the credentials you supplied."

Cause: The application is configured to automatically reply to the application’s authentication requests; the credentials are not accepted by the application.

Resolution: In the Forefront UAG Management console, verify the configuration of the option "Automatically Reply to Application-Specific Authentication Requests" for this application:

  1. Open the Application Properties dialog box and access the Web Settings tab.

  2. The steps you need to take depend on the configuration of the option "Automatically Reply to Application-Specific Authentication Requests":

    • If the option Use Kerberos Constrained Delegation is selected, do the following:

      1. In the Web Settings tab, verify that the application service principal name (SPN) is a valid SPN that is registered in the Active Directory Domain Services on the domain controller.

      2. On the domain controller, verify that the delegation is configured correctly.

    • If the option 401 Request, HTML Form, or both is selected, verify that the selected authentication server is valid for this application.

The Forefront UAG Event Logging mechanism failed to send a message to a reporter, even though, in the Message Definitions file, the message is configured to be sent to this reporter, and the reporter is activated in the Forefront UAG Management console.

Cause:

  • Reporter is not configured correctly in the Forefront UAG Management console.

  • Reporter’s server is not running.

  • Reporter’s server is not reachable from Forefront UAG.

Resolution:

  • Verify configuration of the reporter. In the Forefront UAG Management console, on the Admin menu, click Event Logging, and then, on the relevant tab, check the values of the reporter’s parameters, such as the server’s address or user credentials.

  • Verify that the reporter’s server is running.

  • Verify that the reporter’s server is reachable from Forefront UAG. If it is not reachable, check the network connections.

  • Verify the configuration of the Forefront TMG firewall rule that enables the connection from Forefront UAG to the application server. For details, examine the Forefront TMG logs and alerts.

During URL verification, the Forefront UAG filter changes the URL. The remote user’s experience is not affected.

Cause: The requested URL contains an illegal sequence of characters. For example: multiple slashes.

Resolution: Do the following in the Forefront UAG Management console:

  1. Open the Advanced Trunk Configuration window of the relevant trunk and access the URL Inspection tab.

  2. In the Out-Of-The-Box Security Configuration area, edit the application’s Legal Characters list to include the character that caused the error, as reported in the message, in the "Reason" field.

The message is logged after you activate Forefront UAG. Forefront UAG is not functioning as expected, or is not functioning at all. Remote users might experience problems while working with the site, or might not be able to access the site at all.

Cause: Problems with the configuration files of the module that failed. This might be caused by one or more of the following:

  • Files were not modified through CustomUpdate folders.

  • Files were modified through CustomUpdate folders, but the configuration settings are wrong.

  • File incompatibility during system upgrade.

Resolution: Verify that all modifications to the module’s default settings are performed according to the instructions provided in the Forefront UAG documentation set.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "You have attempted to access a restricted URL. The URL is blocked by the application’s Out-Of-The-Box Security Rules."

Cause: The requested URL contains an illegal character, according to the definition of the trunk’s global out-of-the-box security configuration.

Resolution: If you want to cancel the enforcement of global out-of-the-box security rules for this trunk, in the Forefront UAG Management console, do the following:

  1. Open the Advanced Trunk Configuration window of the relevant trunk and access the URL Inspection tab.

  2. In the "Out-Of-The-Box Security Configuration" area, clear the Check Global Out-Of-The-Box Rules check box.

Note:
This parameter is global, and affects all the applications in the trunk.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "The page cannot be displayed".

Cause: The request is invalid, possibly since it contains too many headers. This could be caused by an IIS bug on the requesting client.

Resolution: Check the browser used to request the page.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "According to your organization’s Download policy, the requested download is not allowed."

Cause: The response failed since the size of the transfer data renders it a download, and the application’s Download policy forbids downloads to the requesting endpoint.

Resolution: In the Forefront UAG Management console, do one of the following:

  • If you want responses of this size to be considered regular responses for this application, and not downloads, increase the size of data above which a response is considered a download, as follows:

    1. Open the Application Properties dialog box and access the Download/Upload tab.

    2. In the "Downloads" area, increase the size defined in "Identify by Size".

  • If you want to cancel the identification of downloads by size for this application, do the following:

    1. Open the Application Properties dialog box and access the Download/Upload tab.

    2. In the "Downloads" area, clear the Identify by Size check box.

      Note:
      If none of the options in the "Downloads" area are selected, no downloads from the application are blocked, regardless of the settings of the application’s Download policy.

  • If you want to enable downloads from the application to the requesting endpoint, edit the application’s Download policy.

    • The application’s policies are selected in the Application Properties dialog box, in the General tab.

    • Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "According to your organization’s Download policy, the requested download is not allowed."

Cause: The response failed since its extension renders it a download, and the application’s Download policy forbids downloads to the requesting endpoint.

Resolution: In the Forefront UAG Management console, do one of the following:

  • If you want responses with this extension to be considered regular responses for this application, and not downloads, edit the application downloads Extension List, as follows:

    1. Open the Application Properties dialog box and access the Download/Upload tab.

    2. In the "Downloads" area, edit the Extension List accordingly.

  • If you want to cancel the identification of downloads by extensions for this application, do the following:

    1. Open the Application Properties dialog box and access the Download/Upload tab.

    2. In the "Downloads" area, clear the Identify by Extensions check box.

      Note:
      If none of the options in the "Downloads" area are selected, no downloads from the application are blocked, regardless of the settings of the application’s Download policy.

  • If you want to enable downloads from the application to the requesting endpoint, edit the application’s Download policy.

    • The application’s policies are selected in the Application Properties dialog box, in the General tab.

    • Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "According to your organization’s Download policy, the requested download is not allowed."

Cause: The response header does not contain a content-type. Responses without content-type are rendered as downloads, and the application’s Download policy denies downloads to the requesting endpoint.

Resolution: On the Forefront UAG, do one of the following:

  • If you want downloads without content-type to be considered regular responses, and not downloads, create the following Registry key:

    • Location: …\Whale-Com\e-Gap\Von\UrlFilter

    • DWORD Value name: AllowResponseWithoutContentType

    • DWORD Value data: 1

    After you create the key, access the Forefront UAG Management console, activate the configuration, and select the Apply changes made to external configuration settings check box.

  • If you want to enable downloads from the application to the requesting endpoint, edit the application’s Download policy.

    • The application’s policies are selected in the Application Properties dialog box, in the General tab.

    • Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "According to your organization’s Download policy, the requested download is not allowed."

Cause: The response failed since its content-type and extension render it a download, and the application’s Download policy forbids downloads to the requesting endpoint.

Resolution: On Forefront UAG, do one of the following:

  • If you want responses with this content-type to be considered regular responses, and not downloads, do the following:

    1. Access the file that holds the definitions of file name extensions and the associated content-types:
      …\Whale-Com\e-Gap\von\conf\content-types.ini

    2. In this file, identify the extension associated with this content-type. If the file does not contain this content-type, add the appropriate extension/content-type pair to the file.

  • If you want responses with this extension to be considered regular responses, and not downloads, edit the application downloads Extension List, as follows:

    1. Open the Application Properties dialog box and access the Download/Upload tab.

    2. In the "Downloads" area, edit the Extension List accordingly.

  • If you want to cancel the identification of downloads by extensions for this application, do the following:

    1. Open the Application Properties dialog box and access the Download/Upload tab.

    2. In the "Downloads" area, clear the Identify by Extensions check box.

      Note:
      If none of the options in the "Downloads" area are selected, no downloads from the application are blocked, regardless of the settings of the application’s Download policy.

  • If you want to enable downloads from the application to the requesting endpoint, edit the application’s Download policy.

    • The application’s policies are selected in the Application Properties dialog box, in the General tab.

    • Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "According to your organization’s Download policy, the requested download is not allowed."

Cause: The response failed since its content-type renders it a download, and the application’s Download policy forbids downloads to the requesting endpoint.

Resolution: On Forefront UAG, do one of the following:

  • If you want responses with this content-type to be considered regular responses, and not downloads, do the following:

    1. Access the file that holds the definitions of file name extensions and the associated content-types:
      …\Whale-Com\e-Gap\von\conf\content-types.ini

    2. In this file, identify the extension associated with this content-type. If the file does not contain this content-type, add the appropriate extension/content-type pair to the file.

  • If you want to enable downloads from the application to the requesting endpoint, edit the application’s Download policy.

    • The application’s policies are selected in the Application Properties dialog box, in the General tab.

    • Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "According to your organization’s Download policy, the requested download is not allowed."

Cause: The response failed since its content-type does not match the file name extension. This was discovered while checking whether the response is a download according to its file name extension, since the application’s Download policy forbids downloads to the requesting endpoint.

Resolution: Do one of the following:

  • If you want this extension/content-type pair to be considered a match, do the following:

    1. On Forefront UAG, access the file that holds the definitions of file name extensions and the associated content-types:
      …\Whale-Com\e-Gap\von\conf\content-types.ini

    2. On the application server, access the file that holds the extension/content-type definitions.

    3. Verify that the association of extensions and content-types is consistent for both files. If you find discrepancies between the files, edit the file on Forefront UAG to match the application server’s file.

  • If you want to cancel the identification of downloads by extensions for this application, do the following:

    1. Open the Application Properties dialog box and access the Download/Upload tab.

    2. In the "Downloads" area, clear the Identify by Extensions check box.

      Note:
      If none of the options in the "Downloads" area are selected, no downloads from the application are blocked, regardless of the settings of the application’s Download policy.

  • If you want to enable downloads from the application to the requesting endpoint, edit the application’s Download policy.

    • The application’s policies are selected in the Application Properties dialog box, in the General tab.

    • Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "According to your organization’s Download policy, the requested download is not allowed."

Cause: The response failed since this URL is defined as a download URL for this application-type, and the application’s Download policy forbids downloads to the requesting endpoint.

Resolution: In the Forefront UAG Management console, do one of the following:

  • If you want requests with this application-type to be considered regular requests, and not downloads, do the following:

    1. Open the Advanced Trunk Configuration window and access the Global URL Settings tab.

    2. In the "URL Settings" area, click Configure next to "Download URLs".

    3. In the Download URLs Settings dialog box, remove the corresponding rule.

  • If you want to cancel the identification of downloads by URLs for this application, do the following:

    1. Open the Application Properties dialog box and access the Download/Upload tab.

    2. In the "Downloads" area, clear the "Identify by URLs" check box.

      Note:
      If none of the options in the "Downloads" area are selected, no downloads from the application are blocked, regardless of the settings of the application’s Download policy.

  • If you want to enable downloads from the application to the requesting endpoint, edit the application’s Download policy.

    • The application’s policies are selected in the Application Properties dialog box, in the General tab.

    • Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box.
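The Download policy events above all come down to one question: does a response count as a download for the requesting endpoint? The decision depends on which options are selected in the "Downloads" area (Identify by Size, Identify by Extensions, Identify by URLs), on the content-types.ini mapping, on the AllowResponseWithoutContentType registry value, and on whether the content-type agrees with the file name extension. The following is an added example written for this page, not Forefront UAG's own code: it reproduces those rules for a response, and implements the consistency check between the UAG content-types file and the application server's definitions that the mismatch event asks for. The evaluation order, the 1,000,000-byte threshold, the sample extension list, the `/export/` download URL rule, and the `extension = content-type` file layout are constructed assumptions; the real content-types.ini format is not shown on this page.

```python
"""Download identification and content-type consistency checks.

Added example, not Forefront UAG code. The rules follow the Download policy
events on this page; the evaluation order, threshold, sample rules and the
"extension = content-type" file layout are assumptions.
"""
import posixpath
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the UAG file ...\Whale-Com\e-Gap\von\conf\content-types.ini
UAG_CONTENT_TYPES_INI = """
; extension = content-type   (constructed sample, not the real file)
pdf = application/pdf
zip = application/zip
html = text/html
txt = text/plain
"""

# Constructed stand-in for the application server's own extension/content-type definitions
APP_SERVER_CONTENT_TYPES_INI = """
html = text/html
zip = application/x-zip-compressed
csv = text/csv
"""


def parse_content_types(text: str) -> Dict[str, str]:
    """Parse 'extension = content-type' lines into a lowercase mapping; lines starting with ';' are comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        ext, sep, ctype = line.partition("=")
        if sep:
            mapping[ext.strip().lower()] = ctype.strip().lower()
    return mapping


@dataclass
class DownloadSettings:
    """The Download/Upload tab options the events refer to (values constructed)."""
    identify_by_size: bool = True
    size_threshold: int = 1_000_000                            # "Identify by Size" value, in bytes (assumed)
    identify_by_extensions: bool = True
    extension_list: Tuple[str, ...] = ("pdf", "zip", "exe")    # the application "Extension List"
    identify_by_urls: bool = True
    download_urls: Tuple[str, ...] = ("/export/",)             # constructed trunk "Download URLs" rule
    allow_response_without_content_type: bool = False          # AllowResponseWithoutContentType = 1


def classify_response(url: str, content_type: Optional[str], content_length: int,
                      settings: Optional[DownloadSettings] = None,
                      content_types: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Return None for a regular response, or the reason the response counts as a download."""
    settings = settings or DownloadSettings()
    if content_types is None:
        content_types = parse_content_types(UAG_CONTENT_TYPES_INI)
    if not (settings.identify_by_size or settings.identify_by_extensions or settings.identify_by_urls):
        return None  # no option selected: no download is ever blocked, whatever the policy says
    if content_type is None and not settings.allow_response_without_content_type:
        return "response has no content-type"
    path = urlsplit(url).path
    ext = posixpath.splitext(path)[1].lstrip(".").lower()
    ctype = content_type.lower() if content_type else None
    if settings.identify_by_urls and any(path.startswith(p) for p in settings.download_urls):
        return "URL is defined as a download URL"
    if settings.identify_by_size and content_length > settings.size_threshold:
        return "size of the transfer data renders it a download"
    if settings.identify_by_extensions:
        if ext in settings.extension_list:
            return "extension renders it a download"
        # The content-type maps (via content-types.ini) to an extension on the list
        if ctype and any(content_types.get(e) == ctype for e in settings.extension_list):
            return "content-type renders it a download"
        if ctype and ext in content_types and content_types[ext] != ctype:
            return "content-type does not match the file name extension"
    return None


def find_discrepancies(uag_ini: str, app_ini: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Extensions whose UAG definition differs from, or is missing against, the application server's."""
    uag, app = parse_content_types(uag_ini), parse_content_types(app_ini)
    return {ext: (uag.get(ext), ctype) for ext, ctype in app.items() if uag.get(ext) != ctype}


if __name__ == "__main__":
    for args in (("/docs/readme.html", "text/html", 2000),
                 ("/docs/manual.pdf", "application/pdf", 2000),
                 ("/x.html", None, 10)):
        print(args, "->", classify_response(*args) or "regular response")
    print("entries to fix on the UAG side:", find_discrepancies(UAG_CONTENT_TYPES_INI, APP_SERVER_CONTENT_TYPES_INI))
```

Only the first matching rule is reported, so a response can be a download for more than one reason; `find_discrepancies` lists the entries the UAG file should be edited to match, which is the direction of the fix given in the mismatch event above.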

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "According to your organization’s Upload policy, the requested upload is not allowed."

Cause: The request failed since this URL is defined as an upload URL for this application-type, and the application’s Upload policy forbids uploads from the submitting endpoint.

Tip:
The portion of the URL that caused the failure is indicated in the message, in the "URL" parameter.

Resolution: In the Forefront UAG Management console, do one of the following:

  • If you want requests with this application-type to be considered regular requests, and not uploads, do the following:

    1. Open the Advanced Trunk Configuration window and access the Global URL Settings tab.

    2. In the Upload URLs list, access the corresponding rule, and do one of the following:

      • If required, click Edit..., and use the Edit Upload URLs dialog box to change the URL or the method, as applicable.

      • If you want this URL to be considered an upload only if it contains attachments, in the Edit Upload URLs dialog box, select the Check for Attachments in Content check box.

      • If the URL failed on parameters, in the Edit Upload URLs dialog box, either configure the rule so that parameters are not checked, or change the method that is used to check parameters, as applicable.

      • If you want the URL to always be considered a regular request, and not an upload, remove it from the "Upload URLs" list.

  • If you want to cancel the identification of downloads by URLs for this application, do the following:

    1. Open the Application Properties dialog box and access the Download/Upload tab.

    2. In the "Downloads" area, clear the Identify by URLs check box.

      Note:
      If none of the options in the "Downloads" area are selected, no downloads from the application are blocked, regardless of the settings of the application’s Download policy.

  • If you want to enable downloads from the application to the requesting endpoint, edit the application’s Download policy.

    • The application’s policies are selected in the Application Properties dialog box, in the General tab.

    • Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "According to your organization’s Upload policy, the requested upload is not allowed."

Cause: The request failed since the size of the transfer data renders it an upload, and the application’s Upload policy forbids uploads from the submitting endpoint.

Resolution: In the Forefront UAG Management console, do one of the following:

  • If you want responses of this size to be considered regular responses for this application, and not uploads, do the following:

    1. Open the Application Properties dialog box and access the Download/Upload tab.

    2. In the "Uploads" area, increase the size defined in Identify by Size.

  • If you want to cancel the identification of uploads by size for this application, do the following:

    1. Open the Application Properties dialog box and access the Download/Upload tab.

    2. In the "Uploads" area, clear the Identify by Size check box.

      Note:
      If none of the options in the "Uploads" area are selected, no downloads from the application are blocked, regardless of the settings of the application’s Download policy.

  • Changes to the Identify by Size check box cannot take effect if either of the following is true:

    1. A URL rule is applied to the request body.

    2. The request is larger than the default limit of 1 MB (controlled by a registry key).

    Ensure that changes take effect by doing either of the following:

    1. Modify URL rules and upload rules so that they are not applied to the request.

    2. Modify the registry key as follows:

      1. Click Start, and in the Search for programs and files dialog box, type regedit to open the Registry Editor.

      2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter.

      3. Increase the size limitation in the MaxProcessingSize DWORD value.

  • If you want to enable uploads from the requesting endpoint to the application, edit the application’s Upload policy.

    • The application’s policies are selected in the Application Properties dialog box, in the General tab.

    • Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "According to your organization’s Upload policy, the requested upload is not allowed."

Cause: The request failed since its extension renders it an upload, and the application’s Upload policy forbids uploads from the submitting endpoint.

Resolution: In the Forefront UAG Management console, do one of the following:

  • If you want requests with this extension to be considered regular requests for this application, and not uploads, remove the extension from the list of extensions that identify an upload, as follows:

    1. Open the Application Properties dialog box and access the Download/Upload tab.

    2. In the "Uploads" area, edit the Extension List accordingly.

  • If you want to cancel the identification of uploads by extensions for this application, do the following:

    1. Open the Application Properties dialog box and access the Download/Upload tab.

    2. In the "Uploads" area, clear the Identify by Extensions check box.

      Note:
      If none of the options in the "Uploads" area are selected, no uploads to the application are blocked, regardless of the settings of the application’s Upload policy.

  • If you want to enable uploads from the requesting endpoint to the application, edit the application’s Upload policy.

    • The application’s policies are selected in the Application Properties dialog box, in the General tab.

    • Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "You have attempted to access a restricted URL. The URL you are trying to access contains an illegal parameter."

Cause: The URL query string or the POST data parameters of the requested URL are illegal, due to one of the following reasons:

  • They contain an illegal character, according to the definition of the application’s Out-Of-The-Box Security Configuration.

  • The Forefront UAG filter failed to construct a legal parameter list from the URL query string or from POST data parameters. For example: a parameter that contains only a value with no name.

Resolution: Use the Forefront UAG Management console to determine whether the failure was caused by an illegal character or by an illegal parameter list:

  1. Open the Application Properties dialog box, and access the Web Settings tab.

  2. Clear the Check Out-Of-The-Box Rules check box.

  3. Request the URL again, and observe whether the request is accepted or not:

    • If the request does not fail this time, it is an indication that the failure was caused by an illegal character. Reselect the Check Out-Of-The-Box Rules check box on the Web Settings tab so that the feature is activated again, and then do the following:

      1. On Forefront UAG, activate a trace that will record the Forefront UAG filter activities:

        1. Access the following file: …\Whale-Com\e-Gap\common\conf\trace.ini

        2. Add the following section to the file:
          [Trace\WhlFilter\WHLFILTRULESET]
          *=xheavy

        3. Save the file.

      2. Use a browser to request the URL again.

      3. Locate the log file of the trace you activated, in the following location: …\Whale-Com\e-Gap\logs

        The log file is named as follows: WhlFilter.default.<Time_Stamp>.log

      4. In the trace log file, find the following warning message:
        WARN: CanonicalizeEscapeChar(): Check allowed characters after escape list in Param. String=<FailedString> failed

        Where <FailedString> is a parameter that contains one or more illegal characters, which caused the failure.

      5. In the Forefront UAG Management console, open the Advanced Trunk Configuration window and access the URL Inspection tab.

      6. In the "Out-Of-The-Box Security Configuration" area, edit the application’s rule so that the list of Legal Characters includes all the characters found in the parameter that caused the error.

      7. When you have finished with the tracing, deactivate the trace you activated in trace.ini in the first step of this procedure, by deleting or commenting out the trace definition.

    • If the request fails again, it is an indication that the failure is caused by the filter failing to construct a legal parameter list from the URL query string or from POST data parameters. Reselect the Check Out-Of-The-Box Rules check box on the Web Settings tab so that the feature is activated again, and then do the following:

      1. In the Web Monitor, look at the description of the Warning message. In the Parameter List field, check that all parameters are "legal", that is, that each parameter consists of a parameter name and value pair.

      2. If one or more of the parameters are "illegal", check the requesting browser.
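The two-way diagnosis above (illegal character versus an unparseable parameter list), as an added Python example that is not code from the original page or from Forefront UAG: it scans constructed WhlFilter trace lines for the CanonicalizeEscapeChar warning quoted in step 4 and reports which characters would have to be added to Legal Characters, and it classifies a query string by the same two causes. The Legal Characters set and the sample trace lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Warning format as quoted in step 4 of the procedure; the <FailedString>
# placeholder is captured as the "failed" group.
WARN_RE = re.compile(
    r"WARN: CanonicalizeEscapeChar\(\): Check allowed characters after "
    r"escape list in Param\. String=(?P<failed>.*) failed$"
)

# Assumption: an illustrative Legal Characters list, not UAG's actual default.
LEGAL_CHARACTERS = set(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "-_.~ @/"
)

# Constructed sample trace lines (not a real WhlFilter.default log).
SAMPLE_TRACE = [
    "[10:12:03] INFO: WHLFILTRULESET: evaluating rule for /app/search.aspx",
    "[10:12:03] WARN: CanonicalizeEscapeChar(): Check allowed characters "
    "after escape list in Param. String=a|b<c failed",
    "[10:12:03] INFO: WHLFILTRULESET: request rejected",
]


def illegal_chars(text, legal=LEGAL_CHARACTERS):
    """Characters of `text` that are not in the Legal Characters list."""
    return sorted(set(text) - legal)


def chars_to_add(trace_lines, legal=LEGAL_CHARACTERS):
    """Find every CanonicalizeEscapeChar warning in the trace and return the
    characters that must be added to Legal Characters (step 6) so that the
    failed parameter(s) pass the out-of-the-box rule."""
    needed = set()
    for line in trace_lines:
        match = WARN_RE.search(line)
        if match:
            needed.update(illegal_chars(match.group("failed"), legal))
    return sorted(needed)


def parse_param_list(query):
    """Split a query string or POST body into (name, value) pairs, resolving
    %XX escapes. A chunk with a value but no name (e.g. "=orphan") cannot
    form a legal parameter list, which is the second cause described above."""
    params = []
    for chunk in query.split("&"):
        if chunk == "":
            continue  # tolerate "a=1&&b=2"
        name, _, value = chunk.partition("=")
        if name == "":
            raise ValueError("parameter with a value but no name: %r" % chunk)
        params.append((unquote(name), unquote(value)))
    return params


def classify_request(query, legal=LEGAL_CHARACTERS):
    """Mirror the two rejection causes: ("illegal_parameter_list", reason),
    ("illegal_character", {name: [chars]}) or ("ok", params)."""
    try:
        params = parse_param_list(query)
    except ValueError as err:
        return ("illegal_parameter_list", str(err))
    offending = {}
    for name, value in params:
        bad = illegal_chars(name + value, legal)
        if bad:
            offending[name] = bad
    if offending:
        return ("illegal_character", offending)
    return ("ok", params)


if __name__ == "__main__":
    print("add to Legal Characters:", chars_to_add(SAMPLE_TRACE))
    for q in ("q=hello&page=2", "q=a%7Cb", "q=a&=orphan"):
        print(q, "->", classify_request(q))
```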

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "You have attempted to access a restricted URL. The URL you are trying to access contains an illegal parameter."

Cause: The requested URL was rejected by a URL Inspection rule because one of its parameters renders the request invalid.

Resolution: Do the following in the Forefront UAG Management console:

  1. Open the Advanced Trunk Configuration window, and select the URL Set tab.

  2. In the URL List, select the rule that caused the failure, according to the details provided in the message.

  3. In the Parameter List, edit the rule of the parameter that caused the error.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "You have attempted to access a restricted URL. The URL you are trying to access contains an illegal parameter."

Cause: The requested URL was rejected by a URL Inspection rule since a mandatory parameter is missing from the URL.

Resolution: Do the following in the Forefront UAG Management console:

  1. Open the Advanced Trunk Configuration window, and select the URL Set tab.

  2. In the URL List, select the rule that caused the failure, according to the details provided in the message.

  3. In the Parameter List, edit the rule of the parameter that caused the error. In the Existence column, select Optional so that the missing parameter is optional, not mandatory.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "The upload is blocked since the request does not contain a Content-Type header."

Cause: The request does not contain a Content-Type header, and the method used in the request is POST. According to the configuration of Forefront UAG, POST without a Content-Type header is not allowed.

Resolution: To allow POST requests without a Content-Type header for this application, do the following in the Forefront UAG Management console:

  1. Open the Application Properties dialog box for this application, and select the Web Settings tab.

  2. Select the Allow POST without Content-Type check box.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "You have attempted to access a restricted URL. The URL is blocked by the application’s Out-Of-The-Box Security Rules."

Cause: The requested URL contains an illegal character, according to the definition of the application’s out-of-the-box security configuration.

Resolution: In the Forefront UAG Management console, do one of the following:

  • If you want the character that caused the error to be considered a legal character for this application, do the following:

    1. Open the Advanced Trunk Configuration window of the relevant trunk and access the URL Inspection tab.

    2. In the "Out-Of-The-Box Security Configuration" area, edit the application’s Legal Characters list to include the character that caused the error, as reported in the message in the "Reason" field.

  • If you want to cancel out-of-the-box security checks for this application, do the following:

    1. Open the Application Properties dialog box, and access the Web Settings tab.

    2. Clear the Check Out-Of-The-Box Rules check box.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "You are not authorized to access this application. For assistance, please contact your system administrator."

Cause: Wrong configuration of the application.

Resolution: Do the following in the Forefront UAG Management console:

  1. Use the Application Properties dialog box to locate the application, according to the server configuration in the Web Servers tab.

  2. Verify the configuration of the server’s addresses, paths, and ports for this application.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "The page cannot be displayed. Ruleset configuration invalid."

Cause: The URL Inspection rule defined for this URL does not specify a method.

Resolution: Do the following in the Forefront UAG Management console:

  1. Open the Advanced Trunk Configuration window, and access the URL Set tab.

  2. In the URL List, access the rule that caused the request to fail, and, in the Methods column, assign a method or methods for this URL.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "You have attempted to access a restricted URL. You are trying to access the URL using an illegal method."

Cause: According to the configuration of the application’s URL Inspection ruleset, the method used to send the request is not valid for the requested URL.

Resolution: Do the following in the Forefront UAG Management console:

  1. Open the Advanced Trunk Configuration window, and access the URL Set tab.

  2. In the URL List, access the rule that caused the request to fail, and, in the Methods column, assign the appropriate method for this URL.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "You have attempted to access a restricted URL. WebDAV methods are not allowed."

Cause: The request uses a WebDAV method, while attempting to send data to the application. According to the configuration of the application, such requests are not allowed.

Resolution: Do the following in the Forefront UAG Management console:

  1. Open the Application Properties dialog box for this application, and select the Web Settings tab.

  2. Select the Allow WebDAV Methods check box.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "According to your organization’s Upload policy, the requested upload is not allowed."

Cause: The request failed since it contains attachments and is therefore considered an upload URL, and the application’s Upload policy forbids uploads from the submitting endpoint.

Resolution: In the Forefront UAG Management console, do one of the following:

  • If you want requests of this type to be considered regular requests, and not uploads, do the following:

    1. Open the Advanced Trunk Configuration window and access the Global URL Settings tab.

    2. In the "URL Settings" area, click Configure next to "Upload URLs".

    3. In the Upload URLs Settings dialog box, remove the corresponding rule.

  • If you want to cancel the identification of uploads by URLs for this application, do the following:

    1. Open the Application Properties dialog box and access the Download/Upload tab.

    2. In the "Uploads" area, clear the "Identify by URLs" check box.

      Note:
      If none of the options in the "Uploads" area are selected, no uploads to the application are blocked, regardless of the settings of the application’s Upload policy.

  • If you want to enable uploads from the requesting endpoint to the application, edit the application’s Upload policy.

    • The application’s policies are selected in the Application Properties dialog box, in the General tab.

    • Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "The page cannot be displayed. The request failed the XML Integrity verification."

Cause: The request failed the inspection of XML integrity in HTTP data.

Resolution: If you want to cancel the inspection of XML integrity in HTTP data for this application, do the following in the Forefront UAG Management console:

  1. Open the Application Properties dialog box for this application, and select the Web Settings tab.

  2. Clear the Check XML Integrity check box.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "You have attempted to access a restricted URL. The URL you are trying to access contains an illegal parameter."

Cause: According to the configuration of the application’s ruleset, the requested URL is not allowed to contain parameters.

Resolution: Do the following in the Forefront UAG Management console:

  1. Open the Advanced Trunk Configuration window, and select the URL Set tab.

  2. In the URL List, access the rule that caused the failure, according to the details provided in the message. In the Parameters column, select either "Handle" or "Ignore", so that parameters are not rejected.

    Note:
    If you set the value of Parameters to "Handle", you also have to define the parameters for this URL.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "You are not authorized to access this application. For assistance, please contact your system administrator."

Cause: Wrong configuration of the application in the Forefront UAG Management console.

Resolution: Do the following in the Forefront UAG Management console:

  1. Use the Application Properties dialog box to locate the application, according to the server configuration in the Web Servers tab.

  2. Verify the configuration of the server’s addresses, paths, and ports for this application.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "The requested URL is not associated with any configured application."

Cause: The requested URL contains a signature that cannot be resolved to identify the requested application server.

Resolution: Contact technical support.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "The requested URL is not associated with any configured application."

Cause: The URL that the user requested was rerouted according to a "Manual URL Replacement" rule, and the destination server is not recognized by the Forefront UAG filter.

Resolution: Do the following in the Forefront UAG Management console:

  1. Open the Advanced Trunk Configuration window, and select the Application Access Portal tab.

  2. In the "Manual URL Replacement" area, edit the applicable rule.

A remote user attempts to access an application from the portal home page. The request is denied, and the following message is displayed in the browser window: "You are not authorized to access the application."

Cause: The user is not authorized to view or access the requested application.

Resolution:

  • Change the authorization settings for this application.

  • If you are using the default portal home page that is supplied with Forefront UAG, you can customize the home page so that the link to the application is not displayed for users that are not authorized to access the application.

Authorization and personalization of an application are defined in the Forefront UAG Management console, in the Authorization tab of the Application Properties dialog box.

A remote user attempts to access an application. The request is denied, and the following message is displayed in the browser window: "Your computer does not meet the security policy requirements of this application."

Cause: The requesting endpoint does not comply with the requirements of the application’s Access policy.

Resolution: Instruct the user what steps have to be taken in order for the endpoint to comply with the policy. You can view the definitions of the policy in the Forefront UAG Management console, in the Policy Editors.

To access the Policy Editors, do the following in the Forefront UAG Management console:

  1. Open the Application Properties dialog box, and select the General tab.

  2. In the "Endpoint Policies" area click Manage Policies....

  3. In the Policies dialog box, select the applicable policy and click Edit....

A remote user attempts to access the portal home page or site. The request is denied, and the following message is displayed in the browser window: "Your computer does not meet the security policy requirements of this site."

Cause: The requesting endpoint does not comply with the requirements of the trunk’s Session Access Policy.

Resolution: Instruct the user what steps have to be taken in order for the endpoint to comply with the policy. You can view the definitions of the policy in the Forefront UAG Management console, in the Policy Editors.

To access the Policy Editors, do the following in the Forefront UAG Management console:

  1. Open the Application Properties dialog box, and select the General tab.

  2. In the "Endpoint Policies" area click Manage Policies....

  3. In the Policies dialog box, select the applicable policy and click Edit....

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "An attempt to sneak authorization info was detected."

Cause: The request contains a header or parameter that is identical to the header or parameter that is configured as the "Authorization key" header or parameter for this application. This could be an attempt to sneak data to the application server, using this header or parameter.

Resolution: To avoid a situation in which the header or parameter is used in "legal" requests, make sure that you assign it a unique name that will not be used for any other purpose. If the header or parameter name is unique, when it is used in a request, it indicates that this is a malicious request that should be blocked.

To define the "Authorization key" header or parameter for this application, do the following in the Forefront UAG Management console:

  1. Open the Application Properties dialog box for this application and access the Web Settings tab.

  2. Select the Authorization key check box, and assign a unique header or parameter name in the text box.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "You have attempted to access a restricted URL. The URL you are trying to access contains an illegal path."

Cause: The path of the requested URL was rejected by the URL Inspection engine.

Resolution: Do the following in the Forefront UAG Management console:

  1. Open the Advanced Trunk Configuration window, and select the URL Set tab.

  2. Do one of the following, depending on the rule that caused the failure, as specified in the "Description" field of the message:

    • If the rule that caused the failure is a "Default rule", use the URL List to add a new rule, or edit one of the existing rules, so that the requested URL is allowed.

    • If the failure was caused by an existing rule, and the name of the rule is specified in the message’s "Description" field, access the rule in the URL List. In the URL column, edit the path of the URL.

A remote user attempts to launch an SSL Wrapper application, either via the portal home page, or by logging into a site that automatically launches the application. The application is launched, but fails to connect to the server.

Cause: Forefront UAG cannot establish a connection with the application server. The failure can be caused by one of the following:

  • Application server is not configured correctly. For example: an invalid IP address, port, or path.

  • Application server is not running.

  • Application server is not reachable from Forefront UAG.

The cause of the login failure is reported in the message, in the "Error" field.

Resolution:

  • Verify the configuration of the application server in the Forefront UAG Management console.

  • Verify that the application server is running.

  • Verify that the application server is reachable from Forefront UAG. If not:

    • Check the Network connections.

    • Verify the configuration of the Forefront TMG firewall rule that enables the connection from Forefront UAG to the application server. For details, examine the Forefront TMG logs and alerts.

A remote user attempts to launch an SSL Wrapper application, either via the portal home page, or by logging into a site that automatically launches the application. The request is denied, and a message is displayed, informing the user that the server failed to execute the application.

Cause: Forefront UAG failed to load and initialize the application profile. The cause for the error is reported in the message, in the "Error" field. It can be due to incorrect configuration of the application server. For example: an invalid IP address, port, or path.

Resolution: Verify the configuration of the application server.

A remote user attempts to launch an SSL Wrapper application, either via the portal home page, or by logging into a site that automatically launches the application. The request is denied, and the following message is displayed: "Access to the requested resource denied".

Cause: The requested server is not defined as an application, or the client executable is not authorized to access the server.

Resolution: The resolution depends on the error that is displayed in the long description of the message, in the "Error" field:

  • The message "Access denied (unknown server)" indicates that the user requested a server that is not defined as an application server. In this case, do one of the following:

    • In the Forefront UAG Management console, verify the configuration of the application servers in the Application Properties dialog box, in the Server Settings tab.

    • If the user attempted to connect to the application by manually entering the server address, verify that the user tried to connect to the correct server.

    • On the endpoint computer, verify the configuration of the server settings in the client application.

  • The message "Invalid application process..." is applicable for Portal trunks only. It indicates that the executable that runs the application on the client, and attempted to access the application server, is not authorized to access this application. Do the following in the Forefront UAG Management console:

    1. Open the Application Properties dialog box and select the Client Settings tab.

    2. Verify the status of the Bind Tunnel to Client Executable check box, and the parameters in the Client Executable and Signature columns in the table below this check box.

A remote user attempts to access an application. The request is denied, and the following message is displayed in the browser window: "The page cannot be displayed".

Cause: Forefront UAG cannot establish a connection with the application server. The failure can be caused by one of the following:

  • The application server is not configured correctly. For example: an invalid IP address, port, or path.

  • The application server is not running.

  • The application server is not reachable from Forefront UAG.

Resolution:

  • Verify the configuration of the application server in the Forefront UAG Management console.

  • Verify that the application server is running.

  • Verify that the application server is reachable from Forefront UAG. If it is not reachable:

    • Check the network connections.

    • Verify the configuration of the Forefront TMG firewall rule that enables the connection from Forefront UAG to the application server. For details, examine the Forefront TMG logs and alerts.

A remote user attempts to change the password. The attempt fails, and one of the following messages is displayed in the browser window:

"Failed to change password"
     OR
"The new password you entered cannot be used because it does not comply with the password policy set by your administrator."

Cause:

  • The message "Failed to change password" indicates one of the following:

    • The user entered the wrong password in the "Old password" field.

    • The settings of Forefront UAG or the authentication server, both of which are required in order to enable users to change their passwords, are not configured correctly.

  • The message "The new password you entered cannot be used, since it does not comply with the password policy set by your administrator" indicates that the user attempted to use a password that does not comply with the authentication server’s password policy, such as password length, complexity, or history.

Resolution: Depending on the message the user receives, and the error indicated in the message, do one of the following:

  • Take the steps required to enable users to change their passwords. For more information, see the Enable users to change passwords section in the Trunk properties help topic.

  • Advise the user of the relevant password policy.

A remote user attempts to launch an SSL Wrapper application, either via the portal home page, or by logging into a site that automatically launches the application. The request is denied, and the following message is displayed: "Access to the requested resource denied".

Cause: Internal error.

Resolution: If this event occurs on a regular basis, contact technical support.

A remote user attempts to access an application. The attempt might fail.

Cause: The application is configured so that the Form Authentication Engine automatically replies to the application’s authentication requests. The evaluation of the login attempt result failed.

Resolution: Verify the configuration of the Form Authentication evaluator for this application. The evaluator is defined in the <LOGIN_EVALUATOR> element. The failure is most likely caused by the <HEADER> sub-element.

When attempting to log in to the Service Policy Manager program, the login fails and the following message is displayed: "Incorrect Password".

Cause: Incorrect password used.

Resolution: Log in using the correct password. If you forgot the password, you can assign a new password for the Service Policy Manager program as follows:

  1. In Forefront UAG, delete the following file: …\Whale-Com\e-Gap\common\conf\auth.sec

  2. When you next access the Service Policy Manager, you are prompted to assign a new password.

Note:
  • The password must contain at least six digits.

  • Changing the password in this manner is global, and affects the Service Policy Manager as well as the Forefront UAG Management console.

The Forefront UAG administrator is prompted to enter a passphrase while working with Forefront UAG, for example, when activating the configuration. After submitting the passphrase, a message informs the administrator that the passphrase is incorrect.

Cause: Incorrect passphrase used.

Resolution: Enter the correct passphrase.

A remote user attempts to access an application. The request is denied, and the following message is displayed in the browser window: "HTTP Request Smuggling (HRS) attempt detected"

Cause: The request is suspected as being an HRS attack, as indicated by its method, content-type, and length.

Resolution: To define this request as "legal" for this application, do the following in the Forefront UAG Management console:

  1. Open the Application Properties dialog box for this application and access the Web Server Security tab.

  2. If the Activate Smuggling Protection check box is not already selected, select it.

    Caution:
    Activate this option only for servers that are vulnerable to HRS attacks, such as IIS 5.0 based servers. Activating this option unnecessarily or configuring it inaccurately might result in application malfunction.

  3. Configure the option to enable the request by doing one or both of the following:

    • Add the request’s content-type to the "Content-Types" list.

    • In the Max HTTP Body Size box, enter a figure that is equal to or larger than the size of the request.

A remote user requests a page. The request is processed and the user experience is unaffected. However, a "Cookie" header in the request is blocked, and is not forwarded to the server.

Cause: A cookie encryption violation was detected. The cookie name is not encrypted, and is not listed in the cookie encryption exclude lists.

Resolution: To enable the browser to send this cookie in an unencrypted form, you must add it to the list of cookies that are excluded from the cookie encryption process. Do the following in the Forefront UAG Management console:

  1. Open the Application Properties dialog box for this application and access the Cookie Encryption tab.

  2. Add the cookie that was blocked to the Cookies list. The name of the cookie is provided in the "Description" field of the event in the Web Monitor’s Event Viewer.

A remote user requests a page. The request is processed and the user experience is unaffected. However, the cookie name could not be decrypted, and is not forwarded to the server.

Cause: A cookie encryption violation was detected. An encrypted cookie name could not be decrypted since it contains an invalid security digest.

Resolution: In the browser that was used to request the page, delete the cookie that was blocked. The name of the cookie is provided in the "Description" field of the event in the Web Monitor’s Event Viewer.

A remote user requests a page. The request is processed and the user experience is unaffected.

Cause: A cookie encryption violation was detected. The cookie name is encrypted, although it is listed in one or more of the cookie encryption Exclude lists.

Resolution: To enable the browser to send this cookie in an encrypted form, you need to remove it from the list of cookies that are excluded from the cookie encryption process, as follows:

  1. Use the Forefront UAG trace mechanism to resolve the original name of the encrypted cookie:

    1. On the Forefront UAG, access the trace configuration file:
      …\Whale-Com\e-Gap\Common\Conf\trace.ini

    2. Add the following lines to the file:
      [Trace\WhlFilter\WHLFILTSECUREREMOTE]
      *=xheavy

    3. Save the file.

    4. Use a browser to request the URL that caused the Warning message, as detailed in the "Description" field of the event in the Web Monitor’s Event Viewer.

    5. On the Forefront UAG, access the trace log file in the following location:
      …\Whale-Com\e-Gap\logs
      The file is named: <Server_Name>.WhlFilter.default.<Time_Stamp>.log

      Resolve the original name of the cookie that was blocked using the "EncryptedName" and "OrigName" parameters in the log file; the encrypted cookie name is indicated in the "Description" field of the event in the Event Viewer.

  2. To stop excluding the cookie from the cookie encryption process, remove it from the exclude list in which it is defined. Two lists define the cookies that are excluded from the process; both are configured on the Forefront UAG:

    • Per-application list: The cookies that are listed here are excluded from the process for this application only. To edit this list, in the Forefront UAG Management console, open the Application Properties dialog box for this application, access the Cookie Encryption tab, and remove the cookie from the Cookies list.

    • Global list: The cookies that are listed here are excluded from the process for all applications. To edit this list:

      1. Access the following file:
        …\Whale-Com\e-Gap\Von\Conf\WhlExcludeCookie.xml

      2. Copy the file into a CustomUpdate subfolder, and remove the cookie from the list under the tag <EXCLUDE_COOKIE_LIST>. Note that cookie names are defined using regular expressions.

A remote user requests a page. The request is processed and the user experience is unaffected.

Cause: A cookie encryption violation was detected. The cookie name is encrypted, while the cookie value is unencrypted.

Resolution: In the browser that was used to request the page, delete the cookie that was blocked. The name of the cookie is provided in the "Description" field of the event in the Web Monitor’s Event Viewer.

A remote user requests a page. The request is processed and the user experience is unaffected.

Cause: A cookie encryption violation was detected. An encrypted cookie value could not be decrypted since it contains an invalid security digest.

Resolution: In the browser that was used to request the page, delete the cookie that was blocked. The name of the cookie is provided in the "Description" field of the event in the Web Monitor’s Event Viewer.

A remote user requests a page. The request is processed and the user experience is unaffected.

Cause: A cookie encryption violation was detected. The cookie name is not encrypted, although it is listed in the cookie encryption include list.

Resolution: To enable the browser to send this cookie in an unencrypted form, you need to remove it from the list of cookies that are included in the cookie encryption process. Do the following in the Forefront UAG Management console:

  1. Open the Application Properties dialog box for this application and access the Cookie Encryption tab.

  2. Remove the cookie that was blocked from the Cookies list. The name of the cookie is provided in the "Description" field of the event in the Web Monitor’s Event Viewer.

A remote user requests a page. The request is processed and the user experience is unaffected.

Cause: A cookie encryption violation was detected. The cookie name is encrypted, but is not listed in the cookie encryption include list.

Resolution: To enable the browser to send this cookie in an encrypted form, you need to add it to the list of cookies that are included in the cookie encryption process, as follows:

  1. Use the Forefront UAG trace mechanism to resolve the original name of the encrypted cookie:

    1. On the Forefront UAG, access the trace configuration file:
      …\Whale-Com\e-Gap\Common\Conf\trace.ini

    2. Add the following lines to the file:
      [Trace\WhlFilter\WHLFILTSECUREREMOTE]
      *=xheavy

    3. Save the file.

    4. Use a browser to request the URL that caused the Warning message, as detailed in the "Description" field of the event in the Web Monitor’s Event Viewer.

    5. On the Forefront UAG, access the trace log file in the following location:
      …\Whale-Com\e-Gap\logs
      The file is named: <Server_Name>.WhlFilter.default.<Time_Stamp>.log

      Resolve the original name of the cookie that was blocked using the "EncryptedName" and "OrigName" parameters in the log file; the encrypted cookie name is indicated in the "Description" field of the event in the Event Viewer.

  2. In the Forefront UAG Management console, open the Application Properties dialog box for this application, and access the Cookie Encryption tab.

  3. Add the cookie that was blocked to the Cookies list.
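The cookie encryption events above all describe one classifier: for each request cookie, is the name encrypted, does its digest verify, is the value encrypted, and does the original name match the configured include or exclude list. The following is an added example model of that classification, not Forefront UAG's own code, token format or cipher. The `UAGENC_` marker, the demo key, the toy keystream cipher and the truncated HMAC "security digest" are all assumptions made here so that the sample runs offline; the real lists are regular expressions, as the WhlExcludeCookie.xml note says, and the 4 KB Set-Cookie limit comes from the event text further down.

```python
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional, Sequence

# Constructed demo key and token marker. UAG keeps its real key in the trunk
# configuration and uses its own token format; both are hypothetical here so
# the classifier can tell an encrypted name or value from a plain one.
KEY = b"demo-trunk-key"
PREFIX = "UAGENC_"
SET_COOKIE_LIMIT = 4096  # the 4 KB limit named in the event text

def _keystream(secret: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(secret + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def protect(plaintext: str, secret: bytes = KEY) -> str:
    """Toy encrypt-then-MAC used to build sample cookies: a static-keystream XOR
    (a reused pad, NOT a real cipher) plus a truncated HMAC as the 'security digest'."""
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(secret, len(data))))
    body = base64.b32encode(ct).decode().rstrip("=")  # cookie-name-safe charset
    digest = hmac.new(secret, ct, hashlib.sha256).hexdigest()[:16]
    return f"{PREFIX}{body}_{digest}"

def unprotect(token: str, secret: bytes = KEY) -> Optional[str]:
    """Return the plaintext, or None when the token is malformed or its digest fails."""
    if not token.startswith(PREFIX) or "_" not in token[len(PREFIX):]:
        return None
    body, digest = token[len(PREFIX):].rsplit("_", 1)
    try:
        ct = base64.b32decode(body + "=" * (-len(body) % 8))
    except ValueError:
        return None
    expected = hmac.new(secret, ct, hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(secret, len(ct)))).decode(errors="replace")

class Mode(Enum):
    EXCLUDE = auto()  # every cookie is encrypted except those on the list
    INCLUDE = auto()  # only cookies on the list are encrypted

class Violation(Enum):
    NAME_NOT_ENCRYPTED_NOT_EXCLUDED = auto()
    NAME_DIGEST_INVALID = auto()
    NAME_ENCRYPTED_BUT_EXCLUDED = auto()
    NAME_ENCRYPTED_VALUE_NOT = auto()
    VALUE_DIGEST_INVALID = auto()
    NAME_NOT_ENCRYPTED_BUT_INCLUDED = auto()
    NAME_ENCRYPTED_NOT_INCLUDED = auto()

@dataclass
class CookieCheck:
    violation: Optional[Violation]
    name: Optional[str]   # original cookie name, None when it could not be recovered
    value: Optional[str]  # plaintext value, None when it could not be recovered

def _listed(name: str, patterns: Sequence[str]) -> bool:
    # Both UAG lists hold regular expressions, so match the whole name against each.
    return any(re.fullmatch(p, name) for p in patterns)

def check_cookie(name: str, value: str, mode: Mode, patterns: Sequence[str],
                 secret: bytes = KEY) -> CookieCheck:
    """Classify one request cookie into the violation cases the events describe."""
    if name.startswith(PREFIX):
        orig = unprotect(name, secret)
        if orig is None:  # name carries a bad digest: the cookie is dropped
            return CookieCheck(Violation.NAME_DIGEST_INVALID, None, None)
        if mode is Mode.EXCLUDE and _listed(orig, patterns):
            return CookieCheck(Violation.NAME_ENCRYPTED_BUT_EXCLUDED, orig, None)
        if mode is Mode.INCLUDE and not _listed(orig, patterns):
            return CookieCheck(Violation.NAME_ENCRYPTED_NOT_INCLUDED, orig, None)
        if not value.startswith(PREFIX):  # encrypted name, plaintext value
            return CookieCheck(Violation.NAME_ENCRYPTED_VALUE_NOT, orig, None)
        plain = unprotect(value, secret)
        if plain is None:
            return CookieCheck(Violation.VALUE_DIGEST_INVALID, orig, None)
        return CookieCheck(None, orig, plain)
    if mode is Mode.EXCLUDE and not _listed(name, patterns):
        return CookieCheck(Violation.NAME_NOT_ENCRYPTED_NOT_EXCLUDED, name, value)
    if mode is Mode.INCLUDE and _listed(name, patterns):
        return CookieCheck(Violation.NAME_NOT_ENCRYPTED_BUT_INCLUDED, name, value)
    return CookieCheck(None, name, value)

def set_cookie_oversized(header_value: str) -> bool:
    """Response-side check: an encrypted Set-Cookie header over 4 KB is rejected."""
    return len(header_value.encode()) > SET_COOKIE_LIMIT
```

Calling `check_cookie("foo", "bar", Mode.EXCLUDE, [r"ASP\.NET_SessionId", r"__utm.*"])` yields the first event in this group (plain name, not on the exclude list), while the same call with `protect("__utma")` as the name yields the "encrypted although excluded" case. The digest is checked before the list is consulted, which is why a tampered name produces the "invalid digest" event rather than a list mismatch, and why the only fix for it is deleting the cookie rather than editing a list.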

A cookie encryption violation was detected.

Cause: The size of the encrypted "Set-Cookie" header exceeds the 4 KB limit.

Resolution: To exclude this cookie from the cookie encryption process, do the following:

  1. Use the Forefront UAG trace mechanism to resolve the original name of the encrypted cookie:

    1. On the Forefront UAG, access the trace configuration file:
      …\Whale-Com\e-Gap\Common\Conf\trace.ini

    2. Add the following lines to the file:
      [Trace\WhlFilter\WHLFILTSECUREREMOTE]
      *=xheavy

    3. Save the file.

    4. Use a browser to request the URL that caused the Warning message, as detailed in the "Description" field of the event in the Web Monitor’s Event Viewer.

    5. On the Forefront UAG, access the trace log file in the following location:
      …\Whale-Com\e-Gap\logs
      The file is named: <Server_Name>.WhlFilter.default.<Time_Stamp>.log

      Resolve the original name of the cookie that was blocked using the "EncryptedName" and "OrigName" parameters in the log file; the encrypted cookie name is indicated in the "Description" field of the event in the Event Viewer.

  2. In the Forefront UAG Management console, open the Application Properties dialog box for this application and access the Cookie Encryption tab.

  3. Add the cookie that was blocked to the Cookies list.
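Three of the resolutions above (the "encrypted although excluded", "encrypted but not included" and "Set-Cookie over 4 KB" events) share the same trace step: raise the WHLFILTSECUREREMOTE trace level, reproduce the request, then pair the "EncryptedName" and "OrigName" parameters in the WhlFilter log to recover the cookie's original name. The following is an added example that does that pairing over the log, not Forefront UAG's own tooling. Only the two parameter names come from the event text; the surrounding layout of the constructed sample lines is assumed, and a real trace file will differ.

```python
import re
from typing import Dict, Iterable, Optional

# Constructed sample of an xheavy trace. Only the parameter names EncryptedName
# and OrigName are taken from the event text; the timestamp, component tag and
# message wording are an assumed layout.
SAMPLE_TRACE = """\
2010-06-01 10:15:02.114 WHLFILTSECUREREMOTE Cookie encryption: EncryptedName=UAGENC_ABC123_0123456789abcdef OrigName=ASP.NET_SessionId
2010-06-01 10:15:02.118 WHLFILTSECUREREMOTE Cookie encryption: OrigName=__RequestVerificationToken EncryptedName=UAGENC_XYZ789_fedcba9876543210
2010-06-01 10:15:02.120 WHLFILTSECUREREMOTE Request for /app/default.aspx completed
"""

# Accept either parameter order and stop a value at whitespace or list punctuation.
PARAM_RE = re.compile(r"\b(EncryptedName|OrigName)=([^\s,;]+)")

def cookie_name_map(lines: Iterable[str]) -> Dict[str, str]:
    """Return {encrypted_name: original_name} for every line carrying both parameters."""
    mapping: Dict[str, str] = {}
    for line in lines:
        params = dict(PARAM_RE.findall(line))
        if "EncryptedName" in params and "OrigName" in params:
            mapping[params["EncryptedName"]] = params["OrigName"]
    return mapping

def resolve_cookie_name(encrypted_name: str, lines: Iterable[str]) -> Optional[str]:
    """Look up the original name for the encrypted name shown in the event Description."""
    return cookie_name_map(lines).get(encrypted_name)

def resolve_from_log(path: str, encrypted_name: str) -> Optional[str]:
    """Same lookup against a <Server_Name>.WhlFilter.default.<Time_Stamp>.log file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return resolve_cookie_name(encrypted_name, fh)
```

Run it with the encrypted name copied from the event's "Description" field; a `None` result means the request was not reproduced while the xheavy trace was active, so repeat step 4. Because the xheavy level is verbose, remove the two lines from trace.ini again once the name has been resolved.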

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "According to your organization’s Restricted Zone policy, the requested URL is not allowed."

Cause: The request failed since this URL is defined as a restricted zone URL for this application-type, and the application’s Restricted Zone policy forbids access to the zone from this endpoint.

Resolution: In the Forefront UAG Management console, do one of the following:

  • In order to remove this URL from the restricted zone for this application-type, do the following:

    1. Open the Advanced Trunk Configuration window and access the Global URL Settings tab.

    2. In the Restricted Zone URLs list, select the corresponding rule, and do one of the following:

      • Click Edit... and use the Edit Restricted Zone URLs dialog box to change the URL or the method, as applicable.

      • If you do not want the URL to be part of the restricted zone, remove it from the Restricted Zone URLs list.

  • If you want to disable the Restricted Zone feature for this application, do the following:

    1. Open the Application Properties dialog box and access the Web Settings tab.

    2. Clear the Activate Restricted Zone check box.

  • If you want to enable access to the restricted zone from the submitting endpoint, edit the application’s Restricted Zone policy:

    • The application’s policies are selected in the Application Properties dialog box, in the General tab.

    • Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "According to your organization’s Restricted Zone policy, the requested URL is not allowed."

Cause: The request failed because the restricted zone rule for this URL checks request parameters, and one of the parameters in this request did not pass that check, which renders the request invalid.

Resolution: In the Forefront UAG Management console, do one of the following:

  • In order to remove this URL from the restricted zone for this application-type, do the following:

    1. Open the Advanced Trunk Configuration window and access the Global URL Settings tab.

    2. In the Restricted Zone URLs list, select the corresponding rule, and do one of the following:

      • Click Edit..., and, in the Edit Restricted Zone URLs dialog box, either configure the rule so that parameters are not checked, or change the method that is used to check parameters, as applicable.

      • If you do not want the URL to be part of the restricted zone, remove it from the Restricted Zone URLs list.

  • If you want to disable the Restricted Zone feature for this application, do the following:

    1. Open the Application Properties dialog box and access the Web Settings tab.

    2. Clear the Activate Restricted Zone check box.

  • If you want to enable access to the restricted zone from the submitting endpoint, edit the application’s Restricted Zone policy:

    • The application’s policies are selected in the Application Properties dialog box, in the General tab.

    • Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box.

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "According to your organization’s Restricted Zone policy, the requested URL is not allowed."

Cause: The request failed since this URL is defined as a restricted zone URL for this application-type, and the application’s Restricted Zone policy forbids access to the zone from this endpoint.

Resolution: In the Forefront UAG Management console, do one of the following:

  • In order to remove this URL from the restricted zone for this application-type, do the following:

    1. Open the Advanced Trunk Configuration window and access the Global URL Settings tab.

    2. Click Configure next to Restricted Zone URLs, to open the Restricted Zone URLs list.

    3. Select the corresponding rule, and do one of the following:

      • If you want this URL to be considered a restricted zone only if it contains attachments, click Edit..., and, in the Edit Restricted Zone URL dialog box, select the Check for Attachments in Content check box.

      • If you want the URL not to be part of the restricted zone, remove it from the "Restricted Zone URLs" list.

  • If you want to disable the Restricted Zone feature for this application, do the following:

    1. Open the Application Properties dialog box and access the Web Settings tab.

    2. Clear the Activate Restricted Zone check box.

  • If you want to enable access to the restricted zone from the submitting endpoint, edit the application’s Restricted Zone policy.

    • The application’s policies are selected in the Application Properties dialog box, in the General tab.

    • Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box.

A remote user logs in to the site. The login process is slower than usual.

Cause: The site-to-site VPN is not configured in Forefront TMG on Forefront UAG; therefore Forefront TMG blocks traffic from the remote LDAP server, and the login waits for the LDAP request to time out.

Resolution: On Forefront UAG, do the following:

  1. Add all remote sites to Forefront TMG’s Internal Networks.

  2. Add routing entries to the Route Table, to route all traffic that is sent to the remote sites to the appropriate gateway.

A remote user successfully logs in to the site. However, access to any of the applications that are enabled through the site is denied, and the following message is displayed in the browser window: "Could not access the site due to the following error: Failed to bind Source IP. Please try to access the site again in a few minutes. If the problem persists, contact your system administrator."

Cause: Forefront UAG is configured to bind each source IP to a specific session IP; this is determined by the option "Bind Source IP to Session" in the Session tab of the Advanced Trunk Configuration window. There was a failure in binding the IP address of the requesting endpoint to a valid IP address.

Resolution: On Forefront UAG, do the following:

  1. Verify that the following file exists:
    <Trunk_Name><Secure(0=no/1=yes)>PostPostValidate.inc

    For example, for an HTTPS trunk named "MyPortal", access the file called MyPortal1PostPostValidate.inc

  2. Verify that the file is configured correctly.

A remote user successfully logs in to the site. However, access to any of the applications that are enabled through the site is denied, and the following message is displayed in the browser window: "Could not access the site due to the following error: Failed to bind Source IP. Please try to access the site again in a few minutes. If the problem persists, contact your system administrator."

Cause: Forefront UAG is configured to bind each source IP to a specific session IP; this is determined by the option "Bind Source IP to Session", in the Session tab of the Advanced Trunk Configuration window. Validation of the requesting endpoint's IP address against the target session IP address failed, because the session IP address is invalid.

Resolution: On Forefront UAG, do the following:

  1. Access the following file:
    <Trunk_Name><Secure(0=no/1=yes)>PostPostValidate.inc

    For example: for an HTTPS trunk named "MyPortal", access the file called MyPortal1PostPostValidate.inc

  2. In the file, verify that the value of SessionSourceIP for the requesting endpoint is a valid IP address.

A remote user successfully logs in to the site. However, access to any of the applications that are enabled through the site is denied, and the following message is displayed in the browser window: "Could not access the site due to the following error: Failed to bind Source IP. Please try to access the site again in a few minutes. If the problem persists, contact your system administrator."

Cause: Forefront UAG is configured to bind each source IP to a specific session IP; this is determined by the option "Bind Source IP to Session", in the Session tab of the Advanced Trunk Configuration window. There was a failure in binding the IP address of the requesting endpoint to a valid IP address, due to network problems. The cause of the failure is reported in the Web Monitor message, in the "Description" column, in the "Error" field.

Resolution: Resolution of the problem depends on the cause of the failure, as reported in the "Error" field of the message. For example, the following Winsock error (WSAEADDRNOTAVAIL) indicates that the target session IP address is not configured on Forefront UAG:
Error: 10049 (The requested address is not valid in its context).

A remote user successfully logs on to the site. However, access to the portal is terminated in the middle of the session.

Cause: The client endpoint no longer complies with the access policy that is configured for sessions on the trunk. This is most likely because a personal antivirus or firewall application was disabled on the user's computer after the session started.

Resolution: The remote user must comply with the access policy in order to access the portal.

All Network Policy Servers (NPS) are unavailable.

Cause: The Network Policy Servers may be down, or there may be no network connectivity from Forefront UAG to the servers.

Resolution: Make sure that the Network Policy Servers are available and can be reached from Forefront UAG.

All Network Policy Servers (NPS) are unavailable on a specific trunk.

Cause: The Network Policy Servers that are configured for this trunk may be down, or there may be no network connectivity from Forefront UAG to the servers.

Resolution: Make sure that the Network Policy Servers are available and can be reached from Forefront UAG.

The Kerberos token for a specific user cannot be retrieved. Protocol transition failed.

Cause: The most likely cause of this error is that Forefront UAG is not trusted for delegation on the Domain Controller, so it cannot retrieve a Kerberos token on behalf of the user for the specified application.

Resolution: Make sure that Forefront UAG has delegation rights on the Domain Controller for the specified application. Use the Forefront UAG Management Console to export a batch file that can be run on the Domain Controller to configure the delegation rights automatically: click the Admin menu, select KCD, and then select Export Batch File.

A member server of the array cannot be reached.

Cause: The member server may be down, or there may be no network connectivity between this server and the member server.

Resolution: Make sure that the servers are available and can be reached.

A warning that the Configuration UI displays and that is also sent to the Web Monitor.

Cause: The cause varies depending on the warning. More information is generally given with the warning.

Resolution: The resolution depends on the warning given.

An error that the Configuration UI displays and that is also sent to the Web Monitor.

Cause: The cause varies depending on the error. More information is generally given with the error.

Resolution: The resolution depends on the error given.

 