[This article originally appeared in the "Closer to the Edge" blog at: http://blog.msedge.org.uk/2010/12/forefront-uag-sp1-endpoint-assessment.html]

I noticed from the Forefront UAG SP1 release notes that endpoint assessment for mobile devices has changed within SP1. I have also seen a few people reporting issues on the TechNet forums with UAG portal access problems when using Apple iPhone/iPad devices since applying SP1. These changes are covered by the following statement:

“In Forefront UAG RTM, mobile devices including the iPhone, Android and Windows Mobile were included in the Windows, Mac, and Linux platform-specific policies, and allowed access by the Forefront UAG Default Session Access policy. In Forefront UAG SP1, mobile devices were removed from this policy, and now belong to the Other platform-specific policy.”

The net result of this change is that mobile devices like Apple iPads/iPhones will receive the following error when attempting to access the UAG trunks: “The endpoint does not meet access policy requirements for this site.”

To continue to include them in the Default Session Access Policy, do the following:

  1. In the trunk that allows access to these devices, open the Endpoint Access Settings tab, and click Edit Endpoint Policies.
  2. In the Manage Policies and Expressions list, click Default Session Access, and then click Edit Policy.
  3. In Other, select Always.
  4. Apply and activate the configuration.

To continue to include them in the Default Web Application Access Policy, do the following:

  1. In the trunk that allows access to these devices, open the Endpoint Access Settings tab, and click Edit Endpoint Policies.
  2. In the Manage Policies and Expressions list, click Default Web Application Access, and then click Edit Policy.
  3. In Other, select Always.
  4. Apply and activate the configuration.

To ensure published applications appear in the portal when using mobile devices like iPads/iPhones (when applications are supported for mobile devices):

  1. In the trunk that allows access to these devices, review the Applications area, click the required application, and then click Edit.
  2. On the Application Properties dialog box, click the Portal Link tab.
  3. On the Portal Link tab, select the Premium mobile portal check box to show this application in the premium mobile portal.
  4. On the Application Properties dialog box, click OK.
  5. Activate the configuration.

This article was originally written by:

Jason Jones, Forefront MVP
Principal Security Consultant
Silversands Limited
--------
My Forefront Edge Blog: http://blog.msedge.org.uk/
My ISA Server Blog: http://blog.msfirewall.org.uk/
MVP Profile: https://mvp.support.microsoft.com/profile/Jason.Jones
Twitter: http://twitter.com/jjatsilversands