Forefront Edge Security – IAG/UAG Forum

LOGIN_FORM USER_NAME with a variable name/id?

Wed, 25 Nov 2009 18:34:41 Z

Here's a fun on. In my FormLogin.xml i need to match a form with a name (and ID) that actually varies every time the user refreshes the page (a GUID is added to the name).

I have no contol over this remote app.

Anyone know of a way i can match it?

I tried :

<NAME>ctl00$PlaceHolderMain$Login1$LoginControlExtender1$*</NAME>

No success.

thanks,

steven

http://livz.org

IAG Network Connector and UAG SSTP

Tue, 24 Nov 2009 09:43:47 Z

I have a client in the education sector that would like to use the VPN functionality within IAG/UAG. As the client is in the educational sector they are looking at students connecting in and students may have Apple or Libux based machines. I understand that NC will not work on these machines. So I'll get to my question...... Will SSTP work for Linux / Apple to give end user the full VPN style connectivity.

Custom client app cannot connect to SQL server over Network Connector

Wed, 25 Nov 2009 14:30:39 Z

Hi all,

We have a custom client application that connects to an SQL server on port 1134 for authenticating the user.
This application is unable to communicate over the Network Connector, giving a network error.

Any suggestions on how to troubleshoot/fix this ? I thought Network Connector should allow full access to internal IPs?

Using telnet commands I can verify the port is unavailable when NC is up. NC access is testing ok for RDP, web etc.
I also cannot ping the internal IP address from the client PC using network connector.

The IP address of the SQL server is included in a network entry on the "Additional Networks" tab of the Network Connector configuration on the whale/iag server.

Using telnet commands I can verify that I can connect to the port from the internal whale/iag server to the SQL server.
I can ping the SQL server from the internal whale/iag server. Our firewall admin has confirmed that all traffic from the internal whale/iag server is allowed.

I know we could publish the client app on Citrix but we'd rather get it working over NC.

Whale Version 3.6.1.0.55
Service Pack 1.46
Update 4.55

Coding a Custom Credential Store for Basic authentication or HTTP forms-based authentication

Tue, 27 Oct 2009 17:39:08 Z

Hi. I have looked at some articles discussing how you can write code to authenticate against your own authentication backend with IAG.

Now, when IAG intercepts and replays credentials for a given site - say Hotmail.com, I again want to write code that uses my own authentication store (long story) to pull out the credentials to be POSTed for that user (i.e. i don't have all my credentials in the IAG store).

Does anyone know where i can get started?

thanks,

/steven

http://livz.org

How can you perform Multiple Authentication Types within one IAG

Tue, 24 Nov 2009 09:43:58 Z

We have an opportunity to replace a non-Microsoft reverse proxy with an IAG applicace. However the current device allows for different authentication methods dependant on the resource being accessed. As an example to get to the OWA the user has to use ID and Password but if they then move to a Finance application they also have to provide a Token (in this case Vasco). I can see how to get all of the resources to be accessed with an ID and Password or using ID, Password and Token but I really need to provide an or in this. That way all users can have the IAG security in front of OWA and they do not all need tokens. When finance then need to access they get asked to provide the Token in addition to the current authentication. I am not sure if thius can be done with multiple trunks but we need to keep the access URL's the same so that all users "see" the same thing.

Any ideas ???

UAG Direct Access and Citrix.

Sun, 22 Nov 2009 21:27:11 Z

We also have a Citrix farm where most of our applications are published. By using a Citrix secure gateway we were able to get citric working with Ipv 6 and the Direct Access server. But after upgrading the DA to a UAG It does not work anymore. We can access the webpage on the secure gateway but when we trying to kick an app we get an error saying that the ssl handshake failed error 40 (citrix error). My question is why does this not work on the UAG when it work's on a standard DA solution.

/Johan

Issue publish webbased ERP with IAG

Tue, 24 Nov 2009 10:40:34 Z

Hello,

we will publish our erp application with IAG. The welcome page works fine. The application url is http://servername/web/
Form the IAG Portal the URL is https://....whalecom0/web/home/default.aspx

On the left side is an navigation frame, which doesn't work.
The current url ist https://...whalecom0/navigation/menu.aspx --> The page cannot be desplayed.
https://...whalecom0/web/navigation/menu.apsx would be the correct url. The IAG ignore the rootfolder "web" of the webapplication and open the navigation-url directly after "whalecom0". How can I resolve this issue?

End-Point Compliance Warning?

Thu, 19 Nov 2009 16:20:08 Z

Hi,

Is there a way, without using NAP, that UAG can simply warn users when they are non-compliant - maybe some pop-up or something?
(e.g. "your anti-virus does not meet company requirements, and you will be granted access until 31 dec 2009, and each session will last 60 minutes. Contact helpdesk on 12345")

I assume this data would be available in the UAG log / report.

Regards,
TZ

UAG array and NLB questions

Thu, 19 Nov 2009 07:37:05 Z

Hi,

According to the UAG IPD:

"Load balancing of incoming requests can be performed by either of the following:

· Windows Network Load Balancing (NLB). Up to eight Forefront UAG servers can be placed into an array to load balance VPN or DirectAccess traffic.

· Hardware load balancer. A hardware load balancer is not supported for Forefront UAG when it is used to provide an array for DirectAccess.

Note that Forefront UAG is not supported in a Microsoft failover cluster.

No architectural guidance is available for determining the number of servers that will be required in the array. The array function is implemented by Forefront TMG, which is installed by the Forefront UAG installer. The array members share the same configuration and provide the same set of services. If an array node fails, services can be accessed from another array member. One of the array members is configured as the array manager and holds the configuration for the entire array.

To deploy multiple Forefront UAG servers in an array, all the servers must be domain members."

A few questions:
1. "The array function is implemented by Forefront TMG" so there is no separate UAG array concept? I can only think of a manual reconfiguration option here.
2. In order to have a UAG array, do I need the Standard or Enterprise Edition of TMG? I guess that is covered by the UAG license agreement? Do I need to purchase different UAG/TMG combo then?
3. The IPD states: "To deploy multiple Forefront UAG servers in an array, all the servers must be domain members" - is there a way to achieve a UAG array concept, without domain membership? Probably not.
4. Can I assume that if I do not utilise DirectAccess, I can still use a hardware load balancer for UAG?

Thank you,
TZ

UAG DirectAccess Wildcard Certificate

Tue, 17 Nov 2009 19:44:02 Z

Hi all,
Just having a small issue with UAG DirectAccess and a wildcard SSL certificate for the IP-HTTPS certificate.
As the wildcard certificate has a * in the subject name it is not accepted by the UAG DirectAccess setup and returns the following error.

"The selected certificate CN=*.example.com does not have a suitable subject name. Select a certificate with a valid FQDN as a subject name.

Does this mean that we cannot use our wildcard certificate for UAG DirectAccess?

How to configure IAG with RD Gateway using RPC over HTTPS

Wed, 18 Nov 2009 22:30:46 Z

We are looking for configuration guidance on how to configure IAG 2007 SP1 or SP2 to communicate to Remote Desktop Services Gateway running on Windows Server 2008 R2 using the 3389 RPC over HTTPS feature. I can not find any configuration guide for this since the release of R2. To be specific we are trying to configure IAG to talk to a Remote Desktop Gateway with HTTPS on 443, the more secure approach which is one of the new features of the R2 release of Remote Desktop Gateway (formerly Terminal Services Gateway).

IAG with OpenID credential capture and replay

Mon, 16 Nov 2009 11:16:51 Z

I know IAG can capture and replay basic authentication and forms authentication.

Anyone know if IAG can capture and replay OpenID authentication?

thanks,

steven

UAG R0 TS WEB Client

Fri, 23 Oct 2009 19:17:18 Z

Hi, when adding the TS Web client to the portal, the path is /tsweb/. I am using windows 2008 terminal services, and the path is /ts/. I have tried changing this in the applications properites for the Web client, but I still get an error.

jason

RDP Connectivity from Netbook With XP Home Edition

Wed, 11 Nov 2009 09:21:35 Z

I have a client running a NetBook with XP Home addition. When connecting through IAG we are unable to connect to an RDP session and see the error "Failed to connect to Server ......" This work from other clients but not from the Net Book. Anybody got any ideas ?

UAG Portal & TS RemoteApp

Wed, 18 Nov 2009 19:44:07 Z

Hi,

We are thinking of using the TS Remote App and using the TS Web concept - for access to non-web applications.
This TS Web can obviously be published via UAG.

However, when you first connect to UAG, you may have a few application icons on the portal page, and one being the link to the TS Web Remote App.
This second list of application may actually confuse some users.

So - is there a way of publishing those TS Remote Apps so that their shortcut icons appear directly in the UAG portal page?

Regards,
TZ

PS. Does someone know if there is another version of this site: http://www.iagserver.org/default.aspx?ctype=Articles&&name=How-to-install-and-configure-TS-RemoteApp-and-TS-Web-Access-and-Publish-through-Microsoft-Intelligent-Application-Gateway-(IAG)-2007-Server

There are many people that seem not to be able to view it, us included.

Windows 7 x64 - Remote Desktop UAG RC0

Mon, 23 Nov 2009 04:48:59 Z

I have a windows 7 x64 desktop and im trying to connect to a remote desktop option that i configured on the applications list in the UAG portal (UAG RC0).
I keep getting the error 'your computer does not meet the security policy requirements for this application'. I have enabled endpoint policy settings to 'always' for this application.

for testing i just want it to bypass all security settings. i used the debug option and found it made no difference even though it says its going disable security.

Where can i go to debug this security message?

dwethoma

certificate login and user status in AD

Sun, 22 Nov 2009 09:28:33 Z

Hi all,
after implementing certificate login with IAG2007 I have realized that disabled users can still access the portal after they have been disabled in AD.
I have been told that the IAG function getuserinformation may do the trick of checking the user status. can someone help with this as I have no programming skills.
any information, perhaps working code would be highly appreciated.
cheers,
tom

SSL Accelerators & UAG

Thu, 19 Nov 2009 05:43:12 Z

Hi,

I have read this post regrding planning for a large number of concurrent users and IAG and SSL impact: http://forums.forefrontsecurity.org/default.aspx?g=posts&m=808
Will this still apply to UAG?

We were thinking of, instead of an appliance, of getting a SSL Accelerator card and sticking it in the hyper-v machine running UAG...but will this limitation still apply?

"SSL accelerator network card is working with dedicated network driver but in Hyper-V you have the virtual network driver netvsc50.dll and you cannot replace it
So ... you only option is to use external SSL accelerator hardware solution"

So, does this mean that one should rather look at UAG appliances for large number of concurrent users over SSL? Are there any guidelines available - when to start using appliances vs hyper-v images?

I assume similar questions could be asked about NLB. UAG now has NLB support - but at which point do you switch over to a hardware solution (like F5 for instance?)

Kind regards,
TZ

802.1q Support?

Wed, 18 Nov 2009 17:45:32 Z

Hi,

Just curious whether UAG or TMG supports 802.1q (VLAN tagging)?

Regards,
TZ

IAG HAT & Address Rewrite

Tue, 17 Nov 2009 17:23:29 Z

Hi,

For security reasons IAG rewrites the URL address and hides the internal URLs.

However, lets assume that I wish to publish Public websites via IAG - but do not wish to do the address rewrite...so http://company.com always appears as http://company.com.

Is that possible?

Thanks,
T

IAG & non-web applications

Wed, 18 Nov 2009 05:40:56 Z

Hi,

Just trying to understand the technicalities behind IAG & publishing non-web apps.

Lets assume I have a home grown client/server app.
People on the intranet need the client portion installed on their desktops, and this connects to the backend server component on the intranet.

If I now want to publish this via IAG, how do I actually go about it?
Lets say I want to allow access to this client/server app to clients outside my network, that do not have the client portion installed on their desktops.

How do I use IAG for this?

The only way I can think of right noe is to setup a Terminal Server App Mode and install the client portion of the home grown app on it.
Then publish that thru IAG, maybe on a TS Web page.

Is that the right thinking, or did the IAG team have another solution in mind?

Thanks,
T

IAG DMZ Design ideas/questions

Mon, 16 Nov 2009 20:06:53 Z

Hi,

We have the following requirement:
- Internal corporate staff need to access application (web & non-web) that reside on the intranet & DMZ
- External partners need to access application (web & non-web) that reside on the intranet & DMZ

We will use IAG/UAG for most of the application access and publishing.

So I am suggesting 2 separate forests (internal staff & external partners) and a 2-way (selective authentication) trust between them.

I am then thinking of placing both these forests on the intranet. (as opposed to placing the external partners AD in the DMZ) - whats the best practice here?
Since some of the front-end Sharepoint components and IAG itself will reside in the DMZ, will there be any benefit of deploying RODCs to the DMZ from either forest?

Any pointers, thoughts, url's welcome.

Thank you,
T

Network Connector Error

Fri, 13 Nov 2009 12:33:36 Z

Hello All,

I am facing a issue with the network connector. If i activate the network connector and publish it on one of the trunk than the all the published trunk stops to work.And as soon as we disable the network connector than all the published portals starts to work. Anybody has an any idea as to why this is happening.

Cheers Bill

IAG Support For Windows 7

Tue, 21 Jul 2009 19:57:58 Z

We are currently running IAG. We are running a limited number of Windows 7 RC devices and would like to know if Windows 7 will be supported in the current release of IAG? It's our assumption that Windows 7 will RTM months before UAG w/ support for Windows 7 RTMs.

UAG RC0 Home Drive Question

Tue, 10 Nov 2009 15:18:43 Z

Hi Guys,

Server Details
Forefront Unified Access Gateway (UAG) RC0 Server,
Domain Member,
Two NICs, One Internal, One External (Portal.Mydomain.Com)

We have a Trunk up and running with a Portal containing a number of Websites. We can log on successfully and browse all the Internal Websites, some which require a username \ password and some which dont.
All working fine.

My Authentication Settings are as follows;

Under Authentication Settings
Server Type: ACTIVE DIRECTORY
Server Name: AD

Define Domain Controllers
IP Address/host: CAD1.mydomain.com 389
IP Address/host: CAD2.mydomain.com 389

Search settings
Base DN: DC=Mydomain,DV=com
Include Subfolders: Ticked
Level of Nested groups: 6

Server Access
User: (NetBios Name)\Username : CAD\UAG_User

Default domain name
Domain: Netbios Name : CAD

When I try and configure FILE ACCESS to allow access to Home Directorys. I log in using my Domain Admin accound and try and configure the following

Home Directory
Use Domain Controller Settings for Home Directories

Mapped Drives
Show Mapped Drives: Ticked

Share Permissions
Show only the shares a user is permitted to access: Ticked

However when I then try and click on File Access\File Access Admin\Network Sharing\Domains
I get the following Error

Failed to Enumerate domains
Please Check your permissions.

Any Ideas?

UAG file access home drive

Tue, 06 Oct 2009 20:31:56 Z

Hi, I have UAG installed on a windows 2008 r2 server. It is a domain member of a 2008 domain. I have a internal/external interface on the uag server. I have enabled file access "use domai controller settings for home directories". I have confirmed the home drive share by logging into the domain with a client (windows xp) computer.

When I logon to the portal I do not see a home drive. I only get 'file access' 'network'.

Is there anyway I can enable tracing or verbose debugging?

Any suggestions appreciated.
jason

IPSec Audit Failures when using Forefront UAG DirectAccess

Tue, 10 Nov 2009 22:50:10 Z

I've installed Forefront UAG DirectAcess and I'm not getting it to work properly. I read the planning and deployment guides and believe I have configured everything according to those. I'm not using IPv6 on our intranet. I'm able to ping all servers but that's it. I have no other access to them.

On the clients I'm getting the following two Audit Failures in the Security log:

An IPsec main mode negotiation failed.

Local Endpoint:
	Local Principal Name:	-
	Network Address:	2002:d5b0:91a5:8100:19a1:7094:9919:3984
	Keying Module Port:	500

Remote Endpoint:
	Principal Name:		-
	Network Address:	2002:d5b0:91a5::d5b0:91a5
	Keying Module Port:	500

Additional Information:
	Keying Module Name:	IKEv1
	Authentication Method:	Unknown authentication
	Role:			Initiator
	Impersonation State:	Not enabled
	Main Mode Filter ID:	0

Failure Information:
	Failure Point:		Local computer
	Failure Reason:		No policy configured

	State:			No state
	Initiator Cookie:		f88b2ecea742155c
	Responder Cookie:	0000000000000000

An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.

Local Endpoint:
	Principal Name:		ANNATA\nori
	Network Address:	2002:d5b0:91a5:8100:19a1:7094:9919:3984
	Keying Module Port:	500

Remote Endpoint:
	Principal Name:		host/zanzan.annata.is
	Network Address:	2002:d5b0:91a5::d5b0:91a5
	Keying Module Port:	500

Additional Information:
	Keying Module Name:	AuthIP
	Authentication Method:	Kerberos
	Role:			Initiator
	Impersonation State:	Enabled
	Quick Mode Filter ID:	67673

Failure Information:
	Failure Point:		Local computer
	Failure Reason:		IKE authentication credentials are unacceptable

	State:			Sent second (SSPI) payload

I've looked at the certificates and as far I can tell they are configured according to the prerequisites. There are two configured CRL distribution points. One LDAP and one publicly accessible.

Has anyone seen this behavior?

Kveðja,
Nóri

IAG, ActiveSync (E2K7 SP1) and Nokia Mail for Exchange

Thu, 17 Sep 2009 14:37:10 Z

Has anyone had any experience with Nokia Mail for Exchange and ActiveSync through an IAG SP1 appliance? Our client has an HTTPS ActiveSync trunk which works fine for WM devices but fails for Nokias running Mail for Exchange or RoadSync. We've tested Mail for Exchange against another E2K7 server which is firewalled but not behind IAG and it syncs fine. These are the IIS logs from the Exchange CAS server:

1. Successful Mail for Exchange sync on E2K7, no IAG

OPTIONS /Microsoft-Server-ActiveSync/default.eas User=user1&DeviceId=IMEI351879013504065&DeviceType=IMEI351879013504065&Log=V10_LdapC0_LdapL0_RpcC0_RpcL0_ 443 domain1\user1 212.183.134.130 NokiaE61i/2.09(158)MailforExchange 200 0 0
POST /Microsoft-Server-ActiveSync/default.eas User=user1&DeviceId=IMEI351879013504065&DeviceType=IMEI351879013504065&Cmd=Settings&Log=V121_Ssnf:T_LdapC3_LdapL16_RpcC23_RpcL46_Ers1_Pk0_Error:DeviceNotProvisioned_ 443 domain1\user1 212.183.134.130 NokiaE61i/2.09(158)MailforExchange 449 0 0
POST /Microsoft-Server-ActiveSync/default.eas User=user1&DeviceId=IMEI351879013504065&DeviceType=IMEI351879013504065&Cmd=Provision&Log=V121_LdapC0_LdapL0_RpcC10_RpcL15_Pk0_S1_ 443 domain1\user1 212.183.134.130 NokiaE61i/2.09(158)MailforExchange 200 0 0
POST /Microsoft-Server-ActiveSync/default.eas User=user1&DeviceId=IMEI351879013504065&DeviceType=IMEI351879013504065&Cmd=Provision&Log=V121_LdapC0_LdapL0_RpcC11_RpcL0_Pk1623791423_Pa1_S1_ 443 domain1\user1 212.183.134.130 NokiaE61i/2.09(158)MailforExchange 200 0 0
POST /Microsoft-Server-ActiveSync/default.eas User=user1&DeviceId=IMEI351879013504065&DeviceType=IMEI351879013504065&Cmd=Settings&Log=V121_LdapC0_LdapL0_RpcC12_RpcL0_Pk1314988479_DevModel:NokiaE61i_DevIMEI:IMEI351879013504065_DevName:Nokia%2fMail+For+Exchange_DevOS:.0633.65.01_ 443 domain1\user1 212.183.134.130 NokiaE61i/2.09(158)MailforExchange 200 0 0
POST /Microsoft-Server-ActiveSync/default.eas User=user1&DeviceId=IMEI351879013504065&DeviceType=IMEI351879013504065&Cmd=FolderSync&Log=V121_St:F_Srv:22a0c0d0s0e0r_LdapC0_LdapL0_RpcC72_RpcL46_Pk1314988479_ 443 domain1\user1 212.183.134.130 NokiaE61i/2.09(158)MailforExchange 200 0 0
POST /Microsoft-Server-ActiveSync/default.eas User=user1&DeviceId=IMEI351879013504065&DeviceType=IMEI351879013504065&Cmd=Sync&Log=V121_Sk:0_LdapC0_LdapL0_RpcC22_RpcL15_Pk1314988479_S8_ 443 domain1\user1 212.183.134.130 NokiaE61i/2.09(158)MailforExchange 200 0 0

2. Successful WM sync on E2K7, IAG in place

OPTIONS /Microsoft-Server-ActiveSync/default.eas User=user2&DeviceId=48213A9049BC18642293876E5D8680AF&DeviceType=SmartPhone&Log=V120_LdapC0_LdapL0_RpcC0_RpcL0_Pk1080181950_ 443 domain2\user2 34.105.248.4 MSFT-SPhone/5.2.402 200 0 0 218
POST /Microsoft-Server-ActiveSync/default.eas User=user2&DeviceId=48213A9049BC18642293876E5D8680AF&DeviceType=SmartPhone&Cmd=FolderSync&Log=V120_St:S_LdapC0_LdapL0_RpcC15_RpcL78_Pk1080181950_ 443 domain2\user2 34.105.248.4 MSFT-SPhone/5.2.402 200 0 0 453
POST /Microsoft-Server-ActiveSync/default.eas User=user2&DeviceId=48213A9049BC18642293876E5D8680AF&DeviceType=SmartPhone&Cmd=GetItemEstimate&Log=V120_Fc3_Fid:40d1ced297368646b2ccb1bedbff9649-65278ae_Sk:2_Sst3_Pfs1_Fid:40d1ced297368646b2ccb1bedbff9649-65278ad_Sk:2_Sst11_Pfs1_Fid:40d1ced297368646b2ccb1bedbff9649-652ac30_Sk:47_Sst12_Pfs1_LdapC0_LdapL0_RpcC31_RpcL218_Pk1080181950_S1_ 443 domain2\user2 34.105.248.4 MSFT-SPhone/5.2.402 200 0 0 625
POST /Microsoft-Server-ActiveSync/default.eas User=user2&DeviceId=48213A9049BC18642293876E5D8680AF&DeviceType=SmartPhone&Cmd=Sync&Log=V120_Fc1_Fid:40d1ced297368646b2ccb1bedbff9649-65278ad_Ty:Ca_Filt4_St:S_Sk:2_Sst11_Srv:0a0c0d4s0e0r_LdapC0_LdapL0_RpcC17_RpcL15_Pk1080181950_S1_ 443 domain2\user2 34.105.248.4 MSFT-SPhone/5.2.402 200 0 0 406
POST /Microsoft-Server-ActiveSync/default.eas User=user2&DeviceId=48213A9049BC18642293876E5D8680AF&DeviceType=SmartPhone&Cmd=Sync&Log=V120_Fc1_Fid:40d1ced297368646b2ccb1bedbff9649-652ac30_Ty:Em_Filt3_St:S_Sk:47_Sst12_Srv:0a0c0d28s0e0r_LdapC0_LdapL0_RpcC24_RpcL46_Pk1080181950_S1_ 443 domain2\user2 34.105.248.4 MSFT-SPhone/5.2.402 200 0 0 250
POST /Microsoft-Server-ActiveSync/default.eas User=user2&DeviceId=48213A9049BC18642293876E5D8680AF&DeviceType=SmartPhone&Cmd=Settings&Log=V120_LdapC0_LdapL0_RpcC10_RpcL0_Pk1080181950_UserInfo:Get_ 443 domain2\user2 34.105.248.4 MSFT-SPhone/5.2.402 200 0 0 390

3. Unsuccessful Mail for Exchange sync on E2K7, IAG in place

OPTIONS /Microsoft-Server-ActiveSync/default.eas &Log=V20_LdapC1_LdapL0_RpcC0_RpcL0_ 443 domain2\user3 34.105.248.4 RoadSync-S60/4.0 200 0 0 187
POST /Microsoft-Server-ActiveSync/default.eas &Log= 443 domain2\user3 34.105.248.4 RoadSync-S60/4.0 501 0 0 0

4. Unsuccessful RoadSync sync on E2K7, IAG in place

OPTIONS /Microsoft-Server-ActiveSync/default.eas &Log=V10_LdapC0_LdapL0_RpcC0_RpcL0_ 443 domain2\user3 34.105.248.4 NokiaE61i/2.09(158)MailforExchange 200 0 0 218
POST /Microsoft-Server-ActiveSync/default.eas &Log= 443 domain2\user3 34.105.248.4 NokiaE61i/2.09(158)MailforExchange 501 0 0 15

As you can see, the unsuccessful syncs are missing the "User=", "DeviceID=", "DeviceType=" and the start of the "Cmd=" sections. This returns a 501 not implemented error on the Nokia.

My IAG troubleshooting knowledge is limited - I've been on an administrators course but it didn't really cover this kind of in depth troubleshooting of IAG itself. If anyone can point me in the right direction, that would be great. Unfortunately for us, the client has most of their execs on Nokias which means the issue is getting lots of attention :(

Thanks in advance,

Louis Yung

Windows 7 & IAG (Whale Client Components)

Mon, 18 May 2009 09:39:19 Z

Hi,

as a Microsoft and Windows Enthusiast i have testet Windows 7 Beta and now the RC!

On a "normal way" i don´t get the Whale Client Compents and the Network Connector not installed. Now i have a workaround not a solution because this method and IAG/Whale Client Components are not offical supportet from Microsoft under Windows 7.
I hope i can help other IAG users and the hole community with this.

Her is the Workaround that works for me under Windows 7 (x86):
- Locate the Directory "OfflineClientSetup" from the IAG-SP2 and extract the Complete OfflineClientSetup Diretory for example to c:\temp.
- browse to Whale Client Components "Setup.exe" and set the compatibility mode to "Windows Vista SP2"
- browse to "ClientCompoents.xml" locate the entry for the Network Connector set it to "1″
- now start the installation of the Whale Client Components with the "Setup.exe" (as Administrator)
- Your can use normal or custom setup and start the installation (Attention: at the end of the setup the is a failure you can ignore "Can not register Whale Client Components whlvaw.dll") - end the Setup
- start cmd oder PowerShell as administrator (!) and switch to the path "C:\Program Files\Whale Communications\Client Components\3.1.0″
- execute the command: "regsvr32 whlvaw.dll" (Attention: Ignore the Warning about the Driver isntallation and select YES!
- Now you you your IAG Portal to login and start the Network Connector! But this only successful if you start the Internet Explorer as a Administrator, because the file "whlioc.exe" & "whliocsv.exe" would launched with local administrator rights!

I hope this helps the hole community out the, who test Windows 7, because WINDOWS 7 ROCKZ!

Screenshots: http://cid-966b26a11278266e.skydrive.live.com/browse.aspx/Windows%207%20IAG%20Client%20Components

Greetz Joerg

Custom Endpoint Detection Question

Wed, 11 Nov 2009 17:47:27 Z

I have written quite a few custom endpoint detection scripts and I think it's about time we all understand some parts of this. When you create the "PolicyTemplate.xml" file in the customupdate folder, you have to create your custom variable. Well, in looking through the stock PolicyTemplate.xml file, there seem to be different values used for different things. Here's the XML structure that you need to utilize:

<Name></Name> - Obvioulsy, the name of the variable

<ID></ID> - The variable you are using to record the results of whatever check in your script.

<Type></Type> - I have no idea here, anyone? It seems to take a numeric value, but does anyone know what the types are and what values they map to?

<Value></Value> - Is this the initial value of the variable? Is this how variable is determined? In some, I see "false", but in others I see scripting.

<Description></Description> - A description of your variable.

<Section></Section> - The section in the UI that you want it to appear.

<Flags></Flags> - Again, no idea here. It seems that this is optional, but when I do see it, I see a value of "6". What is this field used for and what does 6 mean?

</policy>

Thanks!

UAG DirectAccess and RDP

Fri, 06 Nov 2009 22:39:07 Z

I've setup UAG RC0 and gone through the DirectAccess configuration. I have a client using Teredo. It connects to the UAG server and is able to ping resources on the Intranet, however, I am unable to browse to UNC paths or use RDP. Does anyone have any troubleshooting advice?

Network Connector Troubleshootig

Thu, 12 Nov 2009 14:10:56 Z

I have posted the problem we are seeing at a customer site when using Network Connector across 3G.

We have setup logging on the Network Connector but I would like to setup some tracing / logging on the actual portal would anybody be able to assist in how I could set this logging up.

I have found how to setup the IIS logging but that doesn't seem to have the information I'm after.

I'm trying to see if I can capture why the NC is just stopping is it down to a timeout and the IAG applianced is sending the terminate commend or is it on the client side that the terminate comes from.

Anybody got any ideas ?

UAG Installation Failures On Server 2008 R2

Thu, 12 Nov 2009 20:48:46 Z

What am I missing here folks. I've tried several times to install UAG Beta RC0 on Server 2008 R2 Enterprise Edition and every time it fails when it gets to 'installing TMG'. Here's an event log entry ->

Product: Microsoft Forefront Threat Management Gateway Beta EE -- Error 1305.Error reading from file D:\ISA\FPC\program files\Microsoft ISA Server\UI_HTMLs\EE\06AlertsTab.htm. Verify that the file exists and that you can access it.

Here's the ISAWRAP_255.log ->

15:34:06 INFO:    Installer activated, command-line='/v" /qn REBOOT=ReallySuppress FULLPATHANSWERFILE=\"C:\Users\2333\AppData\Local\Temp\TmgInstall.091112.153406.2848.ini\""'
15:34:06 INFO:    Running setup wrapper in quiet mode.
15:34:06 INFO:    Expanded full extraction path of SQL Express 2008 SP1 Package is 'C:\Windows\temp\{CECBAEFD-9EB9-4C4F-8136-21C75BD74050}'.
15:34:06 INFO:    Install scenario
15:34:06 INFO:    CMsiAttendantInstaller::Prepare: Upgrade code is not set
15:34:06 INFO:    CMsiAttendantInstaller::Prepare: There is no any product code for upgrade code
15:34:06 INFO:    CMsiAttendantInstaller::Prepare: Upgrade code is not set
15:34:06 INFO:    CMsiAttendantInstaller::Prepare: There is no any product code for upgrade code
15:34:06 ERROR:    CSSEInstaller::GetInstanceId failed to open reg key 'SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
15:34:06 INFO:    CSSEInstaller::Prepare: Failed to get the instace id of MSFW
15:34:06 ERROR:    CSSEInstaller::GetInstanceId failed to open reg key 'SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
15:34:06 INFO:    CSSEInstaller::Prepare: Failed to get the instace id of ISARS
15:34:06 INFO:    CMsiAttendantInstaller::Prepare: Upgrade code is not set
15:34:06 INFO:    CMsiAttendantInstaller::Prepare: There is no any product code for upgrade code
15:34:06 INFO:    CMsiAttendantInstaller::Prepare: Upgrade code is not set
15:34:06 INFO:    CMsiAttendantInstaller::Prepare: There is no any product code for upgrade code
15:34:06 INFO:    CMsiAttendantInstaller::Prepare: Upgrade code is not set
15:34:06 INFO:    CMsiAttendantInstaller::Prepare: There is no any product code for upgrade code
15:34:06 INFO:    Installing ISA (Core components)...
15:34:06 INFO:    Service W3SVC is running.
15:34:06 INFO:    Service iisadmin is stopped.
15:34:06 INFO:    CFirewallInstaller: Activating installation, command line args = '-I "D:\ISA\FPC\MS_FPC_Server.msi " /qn REBOOT=ReallySuppress FULLPATHANSWERFILE="C:\Users\2333\AppData\Local\Temp\TmgInstall.091112.153406.2848.ini" WRAPPER=1 ARPSYSTEMCOMPONENT=1 REBOOT=ReallySuppress'
15:34:49 ERROR:    Setup failed. Error returned: 0x643
15:34:49 ERROR:    CBasicInstaller: Install failed, hr=0x80070643
15:34:49 ERROR:    Installation failed. hr = 0x80070643
15:34:49 ERROR:    Installation failed, hr=0x80070643
15:34:49 INFO:    Service W3SVC is running.
15:34:49 INFO:    Service iisadmin is stopped.
15:34:49 ERROR:    InstallProducts: Install ISA (Core components) failed, hr=0x80070643
15:34:49 ERROR:    Wrapper: Install failed, hr = 0x80070643
15:34:49 ERROR:    Wrapper: DoSetup failed, hr = 0x80070643
15:34:49 ERROR:    Wrapper: DoSetup failed, hr = 80070643
15:34:49 ERROR:    Setup of ISA failed. Return value: SETUP_ERROR_ISA

Network Connector Server settings

Mon, 09 Nov 2009 16:30:14 Z

When setting up the newtork connector server their is and adnvanced tab that has a section for server resources. Could anybody explain what those fields are for and what they do. HAs anybody changed these settings to get NC working better ?

UAG RC0 Activation removes TMG policies randomly/ Certified Endpoints/ AES 256

Thu, 12 Nov 2009 09:50:19 Z

Hello all,

I just wanted to let someone know that on my test installation of UAG RC0 it seems that when I am published RDS conenction's and activate them the UAG Management app deletes the majority of the TMG firewall policies required to access the Portal. I'm working around this by simply backing up the TMG whenever a successful activation occurs. I wasn't sure how to report back issues with the RC so I'm trying my best and publishing it here...

Has anyone managed to get Certified Endpoints working with the RC0, I have a client certificate installed as standard on my workstation's and my UAG Certifiacte is a trusted internal Server certificate, I have installed all the Whale Endpoint software and try to coax my connection's into being Certified Endpoints only with the Access Policies but still no joy, what am I missing?

Also, does anyone know how to force AES 256 encryption on Server 2008 R2, I've seen the how to on Server 2003, but 08 R2 does not have the reg key for AES??

Any help would be greatly appreciated :)

IAG translations/Custom changes

Tue, 10 Nov 2009 20:42:18 Z

Hi All,

This forum has been excellent to know things about IAG and I cant stop thanking enough Mark and Ben on their consistancy!!!

can some please explain what is SRA.I tried to search it on google and technet.I could not get any information on it, not even in the user guide as well but the closest I could get is this:

1. Sometimes, applications may contain client-side code (like JavaScript or Vbscript) that cannot be automatically rewritten; this is the case
especially with very complex web applications that rely heavily on client-side logic to generate URLs. In these cases, specific sections of the
script or HTML code may need to be rewritten using either an application wrapper or SRA template.

I come across isssues where in Javascript gives errors and wouldnt work so I believe in those cases I would have to write an SRA.Can anyone please throw
some light on how we write and what exactly is an SRA?

2. Also, why do we use JavaScript parser and how is it different than the SRA or application wrapper.

Java script parser is used in responses only. It is defined in the AAP configuration file in the element <PARSER_EXCEPTION>
I tried to look for parser exception but was not able to comprehend it...can anyone help explaining it.
PARSER_EXCEPTION:- Defines all the JavaScript commands that are parsed; the links that are found within those commands are manipulated, . By default,
the parser is configured to parse all standard commands that contain links. You can edit the file to add other, non-standard commands, which might
contain links in your application.

3. The information sent from IAG to the application server is in which of these (or all of them could apply) ?
SSL 2.0
SSL3.0
TLS1.0

4. How does IAG handle Flash rewrites (SWF) or sites which have Flash based images?

I read it somwhere that IAG cannot rewrtie the absolute URL's within the swf / flash content type because its a compiled bytecode. IAG doesnt know how to handle these SWF URL's and therefore you cant tell the IAG engine to HAT the URL's if you are publishing a flash based application via IAG.
Can “HAT via Proxy” resolve it?

Thanks and regards
Prashant Bhandari
nAppiance Networks- Application protection and acceleration
www.nappliance.com

x64 Client Support

Tue, 10 Nov 2009 17:31:40 Z

Are Windows Vista x64 and Window 7 x64 supported in UAG 2010? I have published RDP in UAG 2010 Beta 2 but my x64 clients cannot use the RDP links. Is there a way to make those work? They just come up with an error that its's not supported. It would appear that x64 clients are at a disadvantage.

Given that IAG and UAG are enterprise-level products, we should be able to support x64 clients fully!!! If you go to a computer store now, almost all of the laptops they are selling are x64. It's hard to even find an x86 client anymore.

Also, what is the plan for x64 support with IAG 2007 SP2?

Corporate Status Indicator

Tue, 10 Nov 2009 20:05:05 Z

Hi,

We cannot get the Network Tray icon display "Internet and Corporate" when conncted with UAG Directaccess.

The Network Connectivity Status Indicatorshow policys are configured. What can be the problem?

Thanks

Can ISA Server 2006 authenticate domain user accounts when working as a workgroup computer ?

Sun, 08 Nov 2009 12:33:08 Z

Hello Friends :

I have a standalone ISA Server 2006 installed, and i also have an active directory domain, can i sa server authenticate users from active directory when it is not joined to it ?

thank you.

Network is my LOVE

Network Connector Dropping session after 1 - 3 mins

Mon, 09 Nov 2009 15:37:57 Z

A client is currently running IAG SP2 Update1 and we seem to be having problems with the Network Connector dropping the session after 1 - 3 mins. The client is connecting using a T-Mobile 3G dongle. Connectivity through Wireless or LAN connection seems to be fine.

Has anybody got any ideas of what may be causing this problem. The dongle shows good reception and somestimes it shows this behaviour and then other times it we work okay.

Thanks in advance

Darren