Description of Update 4 for Intelligent Application Gateway 2007 Service Pack 2

Microsoft has released Update 4 for Intelligent Application Gateway (IAG) 2007 Service Pack 2 (SP2). This article contains the following information about this update:

• The issues that this update fixes
• How to obtain this update
• Prerequisites for installing this update
• Information about any known issues

This update can be applied to appliances or virtual machines that are running the following versions of IAG 2007 SP2:

• IAG 2007 SP2
• IAG 2007 SP2 with Update 2
• IAG 2007 SP2 with Update 3

For more information about IAG 2007 SP2, click the following article numbers to view the articles in the Microsoft Knowledge Base:

New features and improvements that are included in this update

• Support for initial application when you work with Active Directory Federation Services (ADFS)
• Support for bookmarking to ADFS applications
• Support for Microsoft SharePoint Alternative Access Mapping AAM in ADFS
• Support for Logoff from ADFS when you log off from IAG portal
• Update for Client Components

Details of the ADFS improvements

This update fixes various issues that occur when you publish applications that use ADFS in a holistic way. Changes to configuration files no longer have to be made manually. They are now made automatically when you run the IAG ADFS configuration script. All fixes to the IAG infrastructure that are required to support ADFS v1 publishing have now been made. ADFS v2 publishing is not supported by IAG.

Limitations of the ADFS improvements

You must run the ADFS script after you install and enable the update. Additionally, you must run this script after each configuration change. For example, you must run this script when you add an application to an existing trunk. The script can be found under \utils\ADFS.

Updates for Client Components

Update 4 for IAG Service Pack 2 contains new Client Components (version 4.0.1152.100) that are aligned with UAG Update 1. Users are required to upgrade previously installed versions of Client Components when they first access an IAG Service Pack 2 Update 4 server. Users may be required to restart their computer after they complete the Client Components installation.

Limitations to the Client Components update

The Network Connector feature is not implemented for Windows 7. Therefore, full remote network connectivity is not available for Windows 7 with IAG. Customers who require full network connectivity for Windows 7 clients must upgrade from IAG 2007 to Microsoft Forefront Unified Access Gateway (UAG) 2010. Forefront UAG 2010 provides support for SSTP and Direct Access for Windows 7.

Client OS compatibility with Update 4 for IAG 2007 Service Pack 2

Note For more information about the browser, operating system, and Client Components features and the compatibility of these features, visit the following Microsoft website:

Issues that are fixed by this update

This update fixes the following issues that were not previously documented in a Microsoft Knowledge Base article:

Issue 1

Symptoms

When you use SAP instead of the Whale portal as the default application in IAG, you receive the following HTTP 500 error:

Cause

This issue occurs because the configurator does not recognize that ADFS is enforced. When you set an initial application that enforces ADFS, the initial port in the configuration files is set to 6002.

Resolution

The code in the configurator is now ADFS-aware. Therefore, the port is set correctly.

When you set an application as the initial application, you must change the cookie domain to the actual domain.

If you publish SharePoint applications, you must enter the domain that corresponds to your Forefront UAG host name and the AAM host name in the cookie domain field. For example, if the Forefront UAG portal uses the host name portal.example.com and the SharePoint AAM host name is sp.example.com, enter .example.com.

For more information about how to configure SharePoint AAM applications, visit the following Microsoft website:

Issue 2

Symptoms

When you use an ADFS trunk that directly links to an internal page, you receive the following error message: Additionally, the following error is logged in the web monitor:

Cause

This issue occurs because of an error in the ADFS authentication process. This process involves changing the orig_url attribute and the host attribute. However, during this process these parameters are malformed. Therefore, bookmarks cannot be used in ADFS.

Resolution

The internal site files and the filter mechanism now support the scenario in which ADFS is enforced.

When you set an application as the initial application, you must change the cookie domain to the actual domain.

If you publish SharePoint applications, you must enter the domain that corresponds to your Forefront UAG host name and the AAM host name in the cookie domain field. For example, if the Forefront UAG portal uses the host name portal.example.com and the SharePoint AAM host name is sp.example.com, enter .example.com.

For more information about how to configure SharePoint AAM applications, visit the following Microsoft website:

Issue 3

Symptoms

When you sign out of IAG, you do not sign out of ADFS. This means that you can access the IAG portal again without having to sign in. This may be a security risk in scenarios where the client connects to the IAG portal from a shared public computer. 

Cause

When you sign out of IAG, you do not sign out of ADFS. This means that you can access the IAG portal again without having to sign in. This may be a security risk in scenarios where the client connects to the IAG portal from a shared public computer. 

Resolution

The logoff URL of ADFS is now injected into the LogOff function of the IAG portal. When you log off from the IAG portal, you are also logged off from ADFS.

Issue 4

Symptoms

The GetUserInformation function of the Usermgrcom module cannot retrieve an attribute value that is not part of partial attributes list of an Active Directory repository.

Cause

When you perform an Active Directory Service Interfaces (ADSI) search in the global catalog, Active Directory Service Interfaces (ADSI) will only read attributes that are part of the global catalog “partial attribute” list. However, the search results include empty values for these attributes.

Resolution

If no attribute is found in the global catalog, the function returns a false result instead of adding an empty attribute value. Additionally, the function enables a fallback search by using Lightweight Directory Access Protocol (LDAP).

Note If you want to use the GetuserInformation function to retrieve several Active Directory values that includes exported and un-exported attributes, you must split the call to the function into two calls. You must create one call for all exportable attributes together and a second call for all other attributes. The second call will not receive attributes from the global catalog. Therefore, the LDAP search will be initiated.

Issue 5

Symptoms

The Microsoft Office Outlook Web Access 2003 SP1 template blocks calendar items after 2009.

Cause

This issue occurs when the default template for Outlook Web Access 2003 SP1 has multiple rules that specify parameter values between 1999 and 2010. These values are used by various Outlook Web Access calendar functions to refer to dates, and allows for only dates between the years 2000 and 2009. Therefore, calendar events after 2009 are blocked when this template is used. 

Issue 6

Symptoms

When IAG tries to obtain the user principal name (UPN) of a user, the operation fails if there is a slash in the common name (CN) of the user.

Cause

The issue occurs because CN strings that contain a slash are parsed incorrectly. The slash is treated as a path separator.

Resolution

This update implements an additional function that encodes CN strings that contain a slash.

Issue 7

Symptoms

After you install IAG 3.7 SP2 Update 2, you cannot import a trunk export ECP file as an ECP file. You can only import the file as an EGF file. Additionally, the following error is generated:

Cause

This issue occurs when you cannot import single trunk functionality. 

Resolution

After you apply the update a single trunk can be imported successfully.

Note If you want to import a trunk into a configuration that already has a trunk with the same name, we strongly recommend that you cancel the operation, delete the existing trunk, and then import the new trunk again.

Issue 8

Symptoms

You receive the following error message:

Cause

This issue occurs because the AJAX response from the server is parsed incorrectly. The bug (37978) was previously fixed and delivered as a private fix. However, the fix is overwritten by Update 3.

Resolution

The fix was incorporated into Update 4.

Issue 9

Symptoms

You have a Java-enabled web browser that is not Windows Internet Explorer installed on a computer that is running a supported version of Windows. When you connect to IAG 2007 from this computer, you receive the following warning message: If you remove any custom detection scripts, you no longer receive this warning message.

Note This issue does not affect Windows Internet Explorer.

Cause

This issue occurs because of a feature in the endpoint detection application that is implemented in Java for Windows clients that use web browsers other than Internet Explorer. Some potentially dangerous characters that might be passed to Java programs are blocked by this application. This includes the comma character (,). However, the list of client detection script files that must be executed on an endpoint computer is delivered to the client as a comma separated list. Therefore, the Java application cannot parse the list and returns the error message that is mentioned in the "Symptoms" section to the client computer.

Resolution

This update changes the delimiter to a semicolon (;).

Issue 10

Symptoms

The icon to download the offline client components on Windows 7-based client computers is not visible.

Cause

This issue occurs because the client detection agent cannot detect windows 7 when you run IAG in a portal. 

Resolution

This update adjusts an agent detection script to detect Windows 7 in the same manner as regular endpoint detection.

A supported update is now available from Microsoft. However, it is intended to correct only the problems that this article describes. Apply it only to systems that are experiencing these specific problems.

To resolve these problems, contact Microsoft Customer Support Services to obtain the update. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft website: Note In special cases, the charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question. 

Prerequisites

Before you install this update, make sure that you have Intelligent Application Gateway (IAG) 2007 Service Pack 2 (SP2) installed on an appliance or on a virtual machine.

For more information about the IAG client endpoint system requirements, visit the following Microsoft TechNet website:

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Removal information

To remove this update, follow these steps:

1. On the IAG 2007-based computers, open the following folder:
   drive:\Whale-Com\e-Gap\patchDB
2. Double-click the Uninstall-last.bat file.

The uninstallation process runs automatically. This process may take several minutes to finish. When the uninstallation process is complete, you are notified that the process completed successfully.

Hotfix replacement information

This hotfix does not replace any other hotfix.

Known Issues

Supported products notes

• Not all the products that are supported in Forefront UAG 2010 are supported in IAG 2007. For example, Exchange 2010, SharePoint 2010, Windows Server 2008 Remote Desktop Protocol (RDP), and Windows Server 2008 Remote Desktop Gateway (RDG) are not supported in IAG 2007.
• Microsoft Customer Support Services (CSS) cannot fully support beta, non-RTM, and non-generally-available (GA) products.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base: The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.