UAG 2010 broken out of the box?

  • Question

  • Hi,

    I have a clean installation of 2008 R2 64-bit Enterprise. The Windows box is added to the (child) domain.
    After successful installation of UAG 2010, the machine loses connectivity to the domain. I also cannot start the UAG management console. It gives the following error:
    "The configuration cannot be loaded from Forefront TMG storage. An unrecoverable error has occurred. The application will close."
    If I remove the machine from the domain, I can successfully start the UAG management console and walk through the wizard. But after that I want to place the machine back into the domain, which is impossible because all traffic to internal is blocked. Even after adding some any-any rules, I cannot connect to the domain controller any more.
    I have retried this installation several times with different ISOs. It always behaves this way.
    My setup:
    Windows 2008 R2 64-bit Enterprise on XenServer 5.5
    NIC1 (secure): 10.5.0.16/8, DNS 10.5.0.11 (which is also the DC it cannot connect to; however, it can ping it) (the DC cannot ping the UAG, however)
    NIC2 (external): pub IP1 and pub IP2 with gateway and NO DNS.
    Domain member. Windows Update ran. (Gave them public IPs because of DA. I also tried with private (our DMZ) IPs, 172.16.1.1.)

    Does anyone have similar problems? Or know what I'm doing wrong?

    Best regards,
    Ruud Boersma
    MSCE
    Tuesday, March 16, 2010 12:52 PM

Answers

  • Found the problem. The XenTools were interfering with the network adapters. I can communicate with the DC after uninstalling the XenTools.
    Conclusion is: do not install UAG or TMG on Citrix XenServer. It won't work.

    I'll switch to the Citrix forums now.

    Thanks for helping out and giving me your suggestions.
     Best regards,

    Ruud Boersma


    MSCE
    • Marked as answer by Ruud Boersma Wednesday, March 17, 2010 6:16 PM
    Wednesday, March 17, 2010 3:28 PM

All replies

  • How are you defining your internal network during the installation?
    Jason Jones | Forefront MVP | Silversands Ltd
    Tuesday, March 16, 2010 1:05 PM
  • Hi,

    Installing UAG 2010 is clicking "Next" 4 times. You have to specify the network settings after installation, when starting the UAG management console for the first time. Which I cannot start, until I remove the machine from the domain. When I do that, I specify the 10.5.x.x adapter to be internal and the public IP adapter to be external.

    I also ran the TMG "Launch Getting Started" setup wizard several times with different setups. This also does not help.


    MSCE
    Tuesday, March 16, 2010 1:11 PM
  • "The configuration cannot be loaded from Forefront TMG storage. An unrecoverable error has occurred. The application will close."

    I had this error over the weekend because the network cards had changed (VMware updates).

    I ended up disabling/enabling each NIC, then swapping the config on my ESX server to change the NICs around.

    I actually also renamed the NICs to Internal_1 / External_2.

    Afterwards I could start the console but had to change the Internal / External network card setting.

    ... Fixed the problem.

    Tuesday, March 16, 2010 3:25 PM
  • Hi,

    This is a clean install (did it 4 times already, on clean systems (no uninstalls and re-installs)). There are no changes whatsoever. Just mounting the UAG 2010 ISO and clicking install on a clean 2008 R2 installation (domain member). Which is the way MS recommends in the docs.

    Adrian, are you referring to TMG or UAG?


    MSCE
    Tuesday, March 16, 2010 4:08 PM
  • Ruud,

    Since UAG uses TMG Storage, and TMG Storage requires domain authentication, I think the fact that you're unable to connect to your DC is the root of the problem here.

    Have you checked the TMG monitor to see if anything's being blocked when you try to connect to the DC?
    Are you logged in as a domain user?

    -Mike Havens
    UAG Support
    Tuesday, March 16, 2010 5:59 PM
  • Hi Mike,

    That's exactly what I'm wondering about. I can successfully make the clean 2008 R2 installation a domain member, but after a default installation of UAG I'm losing all domain connectivity, while all TMG system policy rules from localhost to internal (LDAP etc.) are in place. I can even ping the domain controller. But I cannot telnet to its port 389.
    If I check the TMG monitor it shows that it is sending packets, but is not receiving any. So I created an additional rule that says that all traffic from internal to localhost is allowed. But that did not do the trick.
    It just lets all ICMP traffic through, but it seems to block all UDP and TCP traffic.

    EDIT: yes, I'm logged on as a domain administrator, but since it cannot find/connect to the DC/GC after install it's using some cached credentials.


    MSCE
    Tuesday, March 16, 2010 6:53 PM
  • Since this is a test environment, just as a test - try adding an "anywhere to anywhere" rule in TMG to see if this changes things.  Also, check TMG "logs & reports" -> "logging" tab to see if there are denied connections.
    Mike H | Microsoft IAG/UAG Subject Matter Expert
    Tuesday, March 16, 2010 7:37 PM
  • Hi,

    I'm doing another clean install on a new domain member.
    Could you provide me your way of creating the any any rule. Just to be sure that i'm not doing something else.
    MSCE
    Tuesday, March 16, 2010 8:02 PM
  • Sorry that wasn't phrased very well and I had my TMG head on!

    Once UAG is installed (and TMG below it) traffic flow will be dictated by TMG. By default, TMG has a series of system policies that permit domain traffic and these are based upon the default network object called "Internal".

    Can you provide info on what addresses are defined for the Internal network object?

    Do you get any alerts in TMG relating to routing configuration errors, IP spoofing or flood mitigation?

    Cheers

    JJ
     
    Jason Jones | Forefront MVP | Silversands Ltd
    Tuesday, March 16, 2010 8:17 PM
  • Create access rule
    "rule action" -> "allow"
    protocols -> "all outbound traffic"
    sources -> network sets -> all networks (and localhost)
    destinations -> network sets -> all networks (and localhost)
    user sets -> all users

    Apply and test. 

    Again, this is only for testing.
    Mike H | Microsoft IAG/UAG Subject Matter Expert
    Tuesday, March 16, 2010 8:18 PM
  • Hi,

    After installation, I rebooted the machine.
    As expected, applying settings etc. and logon is extremely slow.
    I cannot start the UAG management console. It gives the same error:
    "The configuration cannot be loaded from Forefront TMG storage. An unrecoverable error has occurred. The application will close."
    I cannot telnet to port 389 and 636 of the DC in the internal LAN any more, which I could before installing UAG.

    I started the TMG management console and went directly to the firewall rules. So I did not run TMG's "Launch Getting Started" wizard, and added the any-any rule.
    After applying, I still cannot telnet to the DC's port 389. I can ping the DC. And the UAG management console still states the above error message when starting.

    I noticed that the networks in the Network and Sharing Center are both unidentified. The internal one was identified as "Domain" before installing UAG. This is of course because the machine is a domain member. The fact that they are now both unidentified and public could be because the internal LAN cannot connect to the domain any more.




    MSCE
    Tuesday, March 16, 2010 9:43 PM
  • Have you tried to manually configure the network sets in TMG?

    Is there some other firewall between the UAG and the DC?


    Mike H | Microsoft IAG/UAG Subject Matter Expert
    Tuesday, March 16, 2010 9:53 PM
  • No other firewalls. Like I mentioned, I can connect and add the machine to the domain before installing UAG.
    The DC and the internal NIC of the UAG are on the same subnet. I can ping the DC.

    Firewall on the DC is disabled.

    I manually set the network set Internal in TMG to the right subnet, without results.
    EDIT: The only failed attempts logged are port 135 to the DC. All other connections (53, 389, 445, 139) are successful, although I cannot telnet to them. The any-any rule should let everything through, including 135.

    EDIT2: In Monitoring --> Configuration tab, the configuration status mentions something strange:
    SERVERNAME  error  30-11-1999  1:00:00   Server is unable to update the configuration (see alert tab)

    I applied all settings, and it did not give me any errors. It seems it cannot change config due to the fact that it cannot authenticate. This is the alert:
    Configuration changes made may result in loss of connectivity to the configuration storage server [servername]
    and cannot be applied; this alert is caused by failure to connect to the domain controller.

    Now it seems I cannot edit the TMG settings because of the lost connection to the DC. Seems to end up in a chicken-and-egg config.


    MSCE
    Tuesday, March 16, 2010 10:09 PM
  • I think the core of the problem lies in the fact that after UAG installation the internal NIC is changed to Unidentified instead of Domain in the Network and Sharing Center. Any idea how I can change Unidentified (which makes it Public by default) back to Domain?

    EDIT: did a diagnose of the network interface. This set the interface to DHCP, which is not what I want, but it made it Domain again instead of Unidentified. I set the static IP back, and rebooted the machine. This takes forever again. No domain auth.


    MSCE
    Wednesday, March 17, 2010 12:21 PM
  • Domain. The domain network location type is detected when the local computer is a member of an Active Directory domain, and the local computer can authenticate to a domain controller for that domain through one of its network connections. An administrator cannot manually assign this network location type. Because of the higher level of security and isolation from the Internet, domain profile firewall rules typically permit more network activity than either the private or public profile rule sets. On a computer that is running Windows 7 or Windows Server 2008 R2, if a domain controller is detected on any network adapter, then the Domain network location type is assigned to that network adapter. On computers that are running Windows Vista or Windows Server 2008, then the Domain network location type is applied only when a domain controller can be detected on the networks attached to every network adapter.

    Source: http://technet.microsoft.com/en-us/library/cc753545(WS.10).aspx

    So, this again points to your inability to connect to the DC once UAG is installed.

    It has to be something about your IP address, routing or TMG configuration that is preventing access to the DC...

    With a DHCP address, can you access the DC using telnet on 389?

    If DHCP allows you to communicate to the DC, surely this implies an issue with your static IP address for some reason???

    You could cheat and use DHCP with a reserved address relating to the UAG internal NIC MAC address :)

    Cheers

    JJ

    Jason Jones | Forefront MVP | Silversands Ltd
    Wednesday, March 17, 2010 1:29 PM
  • Could the static IP address you assigned to the Internal interface on UAG already be in use?

    Is the UAG server name dynamically registered in DNS?

    Can you ping the DC?

    Are there any interesting entries in the Event Viewer?

    Any interesting entries in the Web Monitor?

    Any interesting entries in the TMG Logs?

    Thanks!
    Tom
    MS ISDUA/UAG DA Anywhere Access Team
    Wednesday, March 17, 2010 1:52 PM
  • Why on earth would you try and install UAG on a Citrix server????

    I assumed that when you said Xenserver in your original post that you were referring to some sort of hardware vendor!!! :)

    Oh well, case closed!

    Cheers

    JJ
    Jason Jones | Forefront MVP | Silversands Ltd
    Wednesday, March 17, 2010 4:06 PM
  • XenServer is a virtualization platform, just like Hyper-V and VMware. You're confusing it with Citrix XenApp (Presentation Server), which is a totally different product.

    The XenTools are the network drivers, just like you have them with VMware. So there is something wrong with the network drivers.
    MSCE
    Wednesday, March 17, 2010 4:48 PM
  • Ah, ok, sorry, my bad!

    So, likely that both TMG and UAG aren't going to work on this virtualisation platform then... for reference, MS probably don't support this platform anyhow...

    Cheers

    JJ
    Jason Jones | Forefront MVP | Silversands Ltd
    Wednesday, March 17, 2010 4:59 PM
  • Actually they do support it:
    http://www.windowsservercatalog.com/svvp.aspx

    But in this case the problem must lie in the para-virtualized drivers provided by Citrix. I'll post in the Citrix forums for this one. When I have opened the thread I'll post the link here.


    MSCE
    Wednesday, March 17, 2010 5:38 PM
  • Ah, ok via SVVP...info Citrix should know then!!!
    Jason Jones | Forefront MVP | Silversands Ltd
    Wednesday, March 17, 2010 11:45 PM
  • Actually it does work... you need to do the DisableTaskOffload procedure on all VMs and then it works fine, as outlined in this thread: http://forums.citrix.com/thread.jspa?threadID=259718&tstart=0


    Tuesday, July 20, 2010 1:40 AM
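
Added example, not from any post in this thread: a PowerShell 2.0 diagnostic script that reproduces the checks the thread walks through by hand (ping works but TCP to the DC's LDAP/LDAPS/RPC ports hangs, the machine falls back to cached credentials, the interface drops to "Unidentified"/Public) and then reports whether the DisableTaskOffload workaround from the last reply is in place. It is meant to be run elevated on the Windows Server 2008 R2 UAG/TMG host. The DC address 10.5.0.11 is taken from the original post; the port list, the 3-second timeout and the helper name Test-TcpPort are my assumptions. Test-NetConnection does not exist on 2008 R2, so the port probe uses a raw TcpClient with a timeout, which distinguishes a silently dropped connection (the symptom here) from an explicit refusal.

```powershell
# Added diagnostic script, not part of the original thread. Assumes PowerShell 2.0
# on the Windows Server 2008 R2 UAG/TMG host, run from an elevated prompt.
# The DC address comes from the thread; the port list and timeout are assumptions.
$dc = "10.5.0.11"
$ports = @{
    53   = "DNS"
    88   = "Kerberos"
    135  = "RPC endpoint mapper (the only denies Ruud saw logged)"
    389  = "LDAP"
    445  = "SMB"
    636  = "LDAPS"
    3268 = "Global Catalog"
}

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout. A timeout means the SYN (or the SYN/ACK)
    # is being dropped somewhere, which is what the thread describes; an
    # immediate exception means the port was actively refused.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# ICMP is the one thing that kept working in the thread, so test it separately.
"ICMP echo to ${dc}: " + (Test-Connection -ComputerName $dc -Count 1 -Quiet)

foreach ($entry in $ports.GetEnumerator() | Sort-Object Key) {
    $ok = Test-TcpPort -Computer $dc -Port $entry.Key
    "{0,-5} {1,-55} {2}" -f $entry.Key, $entry.Value, $(if ($ok) { "open" } else { "NO RESPONSE" })
}

# Machine-account secure channel: this is what fails when the box is logging on
# with cached credentials only and TMG storage cannot authenticate.
try   { "Secure channel to domain OK: " + (Test-ComputerSecureChannel) }
catch { "Secure channel check failed: " + $_.Exception.Message }

# Network location: an interface shows Unidentified/Public when no DC is reachable through it.
netsh advfirewall show currentprofile

# Workaround from the Citrix thread linked in the last reply: disable TCP task
# offload for the paravirtualised NICs. DisableTaskOffload is the documented
# Tcpip\Parameters value; a reboot is required after changing it.
$tcpip = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
$current = (Get-ItemProperty -Path $tcpip -Name DisableTaskOffload -ErrorAction SilentlyContinue).DisableTaskOffload
if ($current -eq 1) {
    "DisableTaskOffload is already set to 1"
} else {
    "DisableTaskOffload is not set. To apply the workaround, run the following and reboot:"
    "  Set-ItemProperty -Path '$tcpip' -Name DisableTaskOffload -Value 1 -Type DWord"
}
```

The script only reports; it prints the Set-ItemProperty command rather than changing the registry, so the output can be compared before and after removing XenTools or applying the offload change. If ICMP succeeds while every TCP port times out (rather than being refused), the fault is below TMG's policy, which is consistent with the driver-level cause the thread ended on, and no amount of any-any rules will fix it.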