Release notes for Forefront UAG SP1

Applies To: Unified Access Gateway

These release notes address late-breaking issues for Forefront Unified Access Gateway (UAG) Service Pack 1 (SP1). In addition to reviewing these release notes, we recommend that you review the Release notes for Forefront UAG 2010, which include a list of RTM issues fixed by SP1.

If you are reading this help from the Forefront UAG Management console, the latest version of this topic is available in the Forefront UAG TechNet library.

  • Installation, upgrade, and administration issues

  • Forefront UAG DirectAccess issues

  • Publishing issues

  • Client issues

Installation, upgrade, and administration issues

  1. We recommend that you create a system restore point (or a full backup) on the Forefront UAG server before running SP1 setup, so that you can roll back if the installation fails.

  2. Installing SP1 on a server running Forefront UAG that has not had the configuration activated is not supported.

  3. We recommend that you do not have installations of other applications in progress when you install SP1 on an existing Forefront UAG server. Otherwise you might receive the following message during SP1 installation: “Setup failed during Forefront UAG prerequisites installation”. If you do receive this error, do the following:

    1. Restart the computer.

    2. Wait several minutes for any installations that are in progress to complete.

    3. Reinstall SP1.

  4. If you cancel Forefront UAG SP1 setup while it is installing Forefront TMG SP1 or Forefront TMG SP1 Update 1, the following might occur:

    1. Activation and export of the Forefront UAG configuration might not work as expected.

    2. You cannot rerun Forefront UAG SP1 setup.

    If this issue occurs, save the following VBScript to a .vbs file and run it with cscript.exe from an elevated command prompt on each Forefront UAG server:

    ' Connect to the local Forefront TMG configuration (FPC.ROOT is the TMG administration COM root object)
    set fpc = CreateObject("FPC.ROOT")
    ' Work on the array that contains this server
    set arr = fpc.GetContainingArray
    
    ' Remove the SP1-specific web filter, identified by its GUID, from every server in the array
    For Each srv in arr.Servers
      WScript.Echo "Removing SP1-specific filters from server " & srv.Name
      srv.InstalledWebFilters.RemoveSpecified "{9599218C-CCE6-4C39-B0DB-A0F2DFF0C486}"
    Next
    
    ' Commit the change to the stored Forefront TMG configuration
    WScript.Echo "Saving..."
    arr.Save
    WScript.Echo "Done."
    

    After running this script Forefront UAG should work as expected, and you can rerun SP1 setup.

  5. After installing SP1 RTM on a Forefront UAG server that is running SP1 RC and acting as a DirectAccess server, the startup type of the DNS64 service is set to Manual. After the installation, set the startup type of the DNS64 service back to Automatic and start the service.

  6. When you install SP1 on an existing Forefront UAG server, customized endpoint access policies (including download and upload policies) might be deleted. Record your customized policies and expressions before upgrading, and recreate them manually after completing SP1 installation.

  7. When you install SP1 on an existing Forefront UAG server, registry values you have customized might be overwritten with default values. Note custom values before running SP1 setup, and verify after installation. For more information about customizable values, see Forefront UAG registry keys.
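    The following PowerShell script is an added example, not part of the Forefront UAG documentation or product. It covers items 5 and 7 above: run it in snapshot mode before SP1 setup to record the customizable Forefront UAG registry values and the startup type of the DNS64 service, and in compare mode after setup to list every value that was overwritten. The registry root HKLM\SOFTWARE\WhaleCom\e-Gap is an assumption about where the customizable values live; adjust $RegistryRoots to match the keys listed in Forefront UAG registry keys. It uses only Windows PowerShell 2.0 cmdlets, which is what Windows Server 2008 R2 ships with.

```powershell
# Added example (not Forefront UAG product code): snapshot and diff the
# Forefront UAG registry values and the DNS64 service startup type
# around an SP1 installation.
#   .\Compare-UagSp1State.ps1 -Mode snapshot   # before running SP1 setup
#   .\Compare-UagSp1State.ps1 -Mode compare    # after SP1 setup completes
param(
    [Parameter(Mandatory=$true)][ValidateSet('snapshot','compare')][string]$Mode,
    [string]$SnapshotPath = 'C:\UAG-SP1-snapshot.xml'
)

# ASSUMPTION: the customizable Forefront UAG values live under this key.
$RegistryRoots   = @('HKLM:\SOFTWARE\WhaleCom\e-Gap')
# Item 5 above: SP1 setup may reset DNS64 to Manual on DirectAccess servers.
$ServicesToTrack = @('DNS64')

function Get-UagState {
    $entries = @()
    foreach ($root in $RegistryRoots) {
        if (-not (Test-Path $root)) { continue }
        # Include the root key itself plus every subkey beneath it
        $keys = @(Get-Item $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $entries += New-Object PSObject -Property @{
                    Id    = 'REG:' + $key.Name + '|' + $name
                    Value = ($key.GetValue($name) -join ',')   # flatten REG_MULTI_SZ / REG_BINARY
                }
            }
        }
    }
    foreach ($svc in $ServicesToTrack) {
        # Win32_Service exposes StartMode (Auto/Manual/Disabled); Get-Service in PS 2.0 does not
        $w = Get-WmiObject Win32_Service -Filter "Name='$svc'"
        if ($w) {
            $entries += New-Object PSObject -Property @{
                Id    = 'SVC:' + $svc
                Value = $w.StartMode + '/' + $w.State
            }
        }
    }
    return $entries
}

function Compare-UagState($before, $after) {
    $drift     = @()
    $afterById = @{}
    foreach ($e in $after) { $afterById[$e.Id] = $e.Value }
    foreach ($e in $before) {
        if (-not $afterById.ContainsKey($e.Id)) {
            # Value existed before setup and is gone now
            $drift += New-Object PSObject -Property @{ Id = $e.Id; Before = $e.Value; After = '<missing>' }
        } elseif ($afterById[$e.Id] -ne $e.Value) {
            # Value still exists but setup changed it (typically back to the default)
            $drift += New-Object PSObject -Property @{ Id = $e.Id; Before = $e.Value; After = $afterById[$e.Id] }
        }
    }
    return $drift
}

switch ($Mode) {
    'snapshot' {
        Get-UagState | Export-Clixml -Path $SnapshotPath
        Write-Host "Snapshot written to $SnapshotPath"
    }
    'compare' {
        $before = @(Import-Clixml -Path $SnapshotPath)
        $drift  = @(Compare-UagState $before @(Get-UagState))
        if ($drift.Count -eq 0) {
            Write-Host 'No drift: customized values and service startup types are unchanged.'
        } else {
            Write-Host "$($drift.Count) value(s) changed by SP1 setup; restore the ones you customized:"
            $drift | Format-Table Id, Before, After -AutoSize
        }
    }
}
```

    If the compare output shows SVC:DNS64 moving from Auto to Manual, restore it with Set-Service DNS64 -StartupType Automatic followed by Start-Service DNS64. Registry values listed as changed should be restored individually after you have confirmed, against Forefront UAG registry keys, that the old value was a deliberate customization and not a setting SP1 is expected to change.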

  8. If you receive the error “Setup failed during Forefront TMG SP1 Update 1 installation” when installing SP1 on an existing Forefront UAG server, do the following:

    1. Press Enter to close the error dialog box.

    2. Restart the computer.

    3. Open an elevated command prompt and run net stop isactrl /y. This stops the Microsoft Forefront TMG Control service (isactrl) and the services that depend on it.

    4. Run the SP1 installation again.

  9. If you install SP1 on a Forefront UAG server that publishes multiple Outlook Web Access 2007 or Outlook Web App 2010 applications via the same trunk (using different host names), following installation each application will be assigned the same host name. As a workaround, record the host names before installing the service pack, and then manually modify the host names after installation.

  10. After installing SP1 RTM on a Forefront UAG server running SP1 RC, uninstalling the RTM service pack and rolling back to SP1 RC is not supported. For a complete list of uninstall scenarios, see Uninstalling and rolling back Forefront UAG SP1.

  11. For a summary of known globalization issues in Forefront UAG, see Compliance notes.

Forefront UAG DirectAccess issues

  1. When deploying Forefront UAG DirectAccess for remote management only, under specific circumstances clients can potentially access a server in the internal network via DirectAccess, by creating and merging local IPsec rules with corporate policy rules. To ensure this does not occur, we recommend that you do not provide users with local administrator privileges on DirectAccess client computers. For more information about this issue, see Selecting a deployment model in SP1.

  2. After installing SP1 on a Forefront UAG RTM server, folders in the Built-in Server Groups section on the Management Servers page of the DirectAccess Infrastructure Server Configuration Wizard are duplicated in the User-Defined Server Groups section. Do the following:

    1. Click Refresh All to ensure that servers that are automatically discovered appear in the built-in servers list.

    2. Copy any servers that do not exist in the Windows Update Servers group from the user-defined Windows Update group.

    3. Copy any servers that do not exist in the SCCM Servers group from the user-defined Client Management group.

    4. Copy any servers that do not exist in the HRA Servers group from the user-defined NAP group.

    After copying the servers you can remove the user-defined folders as required.

  3. On DirectAccess client computers, Forefront UAG DirectAccess configures a NAT compatibility setting for the SMB protocol. This setting remains in place even if you disable DirectAccess or remove the client computer from the security group that receives the DirectAccess client GPO. To revert the setting manually, configure the following registry value via Group Policy:

    In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation, set the SMB1NATCompatibilityLevel value to 0.

  4. When you configure OTP CA settings with the automatically generated script, Forefront UAG enables the setting Do not include revocation information in issued certificates on the OTP client certificate templates. With this setting enabled, if you use OCSP server URLs in the AIA template files, CA services might not work as expected unless the OCSP URL locations appear last in the AIA extension list. As a workaround, disable the Do not include revocation information in issued certificates setting.

  5. When using Forefront UAG DirectAccess, do not configure Forefront UAG trunks with the external IP addresses that are defined for DirectAccess.

  6. When querying Forefront UAG log fields stored in SQL Server using the Forefront TMG log viewer, the log cannot be filtered by the UAG error code field.

  7. If Forefront UAG DirectAccess is deployed for intranet access with force tunneling and you want to change the deployment mode to remote management only, do the following to ensure that DirectAccess clients do not lose Internet connectivity.

    1. Disable force tunneling.

    2. Enable DirectAccess for remote management only.

    3. Apply the configuration and activate.

Publishing issues

  1. When you publish an application with an application-specific hostname and identical internal and external host names, the port for the backend application must use the same standard port as the Forefront UAG trunk via which the application is published.

  2. After installing SP1 on a Forefront UAG server that publishes the Forefront Identity Manager 2010 or Rights Management Server applications, we recommend that you do the following:

    1. Record the publishing settings

    2. Remove the existing application from the portal

    3. Republish the application

  3. When publishing Forefront Identity Manager 2010 via Forefront UAG, the application does not open in the portal as expected. As a workaround, ensure that the setting Open in a new window is enabled on the Portal Link tab of the application properties.

  4. After installing SP1 on a Forefront UAG server that publishes SharePoint Server, clients might experience issues when syncing with Office applications. To avoid this issue, do the following to ensure that Forefront UAG does not replace URLs in the Web Service response:

    1. In the properties of the trunk via which the SharePoint Server is published, open the Portal tab.

    2. Click the Edit button next to Do not parse the response bodies of the response to these requests.

    3. In the URLs without body parsing in response dialog box, under Servers, click Add.

    4. Specify the name of the server running SharePoint Server. For example, if the server URL is https://contoso, specify the name contoso.

    5. In the URLs without body parsing dialog box, under URLs, click Add.

    6. In the Add URLS dialog box, add the following:

      • .*/_vti_bin/webs\.asmx

      • .*/_vti_bin/lists\.asmx

  5. When you publish Outlook Web App via an anonymous trunk that does not require session authentication, clients logged on to Outlook Web App with a password that is about to expire might be presented with a policy error page instead of the password expired page. To ensure this does not occur, configure URL filtering to allow access to the password expired web page as follows:

    1. On the URL Set tab of the trunk properties, click Add Primary.

    2. Configure a rule with the following settings:

      • Name: ExchangePub2010_Rule43 or ExchangePub2007_Rule37

      • Action: Accept

      • URL: /owa/auth/expiredpassword.aspx

      • Parameters: Ignore

      • Method: POST, GET

Client issues

  1. When more than one client device accesses a Forefront UAG portal simultaneously after configuration settings have been activated, the portal toolbar might not display as expected. To ensure this does not occur, always access the portal from a single client device directly after each activation. If the issue occurs, do either of the following:

    1. Activate again and access the portal from a single client device directly after activation.

    2. Alternatively, open the file \von\PortalHomePage\Data\SiteMap\ToolBar\Web.sitemap, save it without making any changes, and then access the portal from a single client device.

  2. After installing DirectAccess Connectivity Assistant (DCA) 1.5 on client computers running DCA 1.0, both DCA 1.0 and DCA 1.5 might appear in the Programs and Features list of the Control Panel. This does not cause unexpected behavior and can be ignored.

  3. In Forefront UAG RTM, mobile devices including the iPhone, Android and Windows Mobile were included in the Windows, Mac, and Linux platform-specific policies, and allowed access by the Forefront UAG Default Session Access policy. In Forefront UAG SP1, mobile devices were removed from this policy, and now belong to the Other platform-specific policy. To continue to include them in the Default Session Access Policy, do the following:

    1. In the trunk that allows access to these devices, open the Endpoint Access Settings tab, and click Edit Endpoint Policies.

    2. In the Manage Policies and Expressions list, click Default Session Access, and then click Edit Policy.

    3. In Other, select Always.

    4. Apply the configuration.

    Alternatively, you can modify an alternate predefined policy to allow mobile devices, or configure a custom policy. For more information about mobile device access, see Deploying Forefront UAG for mobile devices.

  4. Forefront UAG access policies allow or block access based on client device settings. If devices of one type access Forefront UAG resources acting as devices of a different type (for example, if you access a portal using a Windows Phone 7 device, and select the Desktop version as a website preference in Internet Explorer) then access policies might not be applied as expected. Note that even if portal access is allowed for a device, client components will not be installed.

  5. When client devices are running Outlook, and User Account Control (UAC) is enabled, the Email Logs button in DirectAccess Connectivity Assistant 1.5 might not work as expected.

  6. If a DirectAccess client computer has no connection to a DirectAccess server, DirectAccess Connectivity Assistant incorrectly shows a yellow warning icon instead of a red error icon. This occurs because the DirectAccess server address is stored in the DNS cache of the client computer. To show the correct icon, DirectAccess Connectivity Assistant users can clear the cache on the DirectAccess client computer by opening an elevated command line and running ipconfig/flushdns from the command line. If the cache is not cleared manually, the DNS entry expires after a predefined period (one hour by default).