Description of Update 4 for Intelligent Application Gateway 2007 Service Pack 2

Article ID: 2230978

SUMMARY

Microsoft has released Update 4 for Intelligent Application Gateway (IAG) 2007 Service Pack 2 (SP2). This article contains the following information about this update:
  • The issues that this update fixes
  • How to obtain this update
  • Prerequisites for installing this update
  • Information about any known issues

INTRODUCTION

| Product | Update name | Build |
|---|---|---|
| Intelligent Application Gateway (IAG) 2007 Service Pack 2 (SP2) | IAG3.7-SP2Update-4.exe (IAG v3.7 SP2 Update 4) | 53 |

This update can be applied to appliances or virtual machines that are running the following versions of IAG 2007 SP2:
  • IAG 2007 SP2
  • IAG 2007 SP2 with Update 2
  • IAG 2007 SP2 with Update 3


For more information about IAG 2007 SP2, click the following article numbers to view the articles in the Microsoft Knowledge Base:
962977 Description of Intelligent Application Gateway (IAG) 2007 Service Pack 2
968384 Description of Update 1 for Intelligent Application Gateway 2007 Service Pack 2
975491 Description of Update 2 for Intelligent Application Gateway 2007 Service Pack 2
979097 Description of Update 3 for Intelligent Application Gateway 2007 Service Pack 2

New features and improvements that are included in this update

  • Support for initial application when you work with Active Directory Federation Services (ADFS)
  • Support for bookmarking to ADFS applications
  • Support for Microsoft SharePoint Alternate Access Mapping (AAM) in ADFS
  • Support for logoff from ADFS when you log off from the IAG portal
  • Update for Client Components

Details of the ADFS improvements

This update fixes, in a holistic way, various issues that occur when you publish applications that use ADFS. Changes to configuration files no longer have to be made manually. They are now made automatically when you run the IAG ADFS configuration script. All fixes to the IAG infrastructure that are required to support ADFS v1 publishing have now been made. ADFS v2 publishing is not supported by IAG.

Limitations of the ADFS improvements

You must run the ADFS script after you install and enable the update. Additionally, you must run this script after each configuration change. For example, you must run this script when you add an application to an existing trunk. The script can be found under \utils\ADFS.

Updates for Client Components

Update 4 for IAG Service Pack 2 contains new Client Components (version 4.0.1152.100) that are aligned with UAG Update 1. Users are required to upgrade previously installed versions of Client Components when they first access an IAG Service Pack 2 Update 4 server. Users may be required to restart their computer after they complete the Client Components installation.

Limitations to the Client Components update

The Network Connector feature is not implemented for Windows 7. Therefore, full remote network connectivity is not available for Windows 7 with IAG. Customers who require full network connectivity for Windows 7 clients must upgrade from IAG 2007 to Microsoft Forefront Unified Access Gateway (UAG) 2010. Forefront UAG 2010 provides support for SSTP and Direct Access for Windows 7.

Client OS compatibility with Update 4 for IAG 2007 Service Pack 2

| Feature | Windows XP 32-bit | Windows Vista 32-bit | Windows Vista 64-bit | Windows 7 32-bit | Windows 7 64-bit | Mac or Linux |
|---|---|---|---|---|---|---|
| Offline installation | Yes | Yes | Yes | Yes | Yes | No |
| Online installation | Yes | Yes | Yes | Yes | Yes | Yes |
| EndPoint detection | Yes | Yes | Yes | Yes | Yes | Yes |
| AttachmentWiper | Yes | Yes | Yes | Yes | Yes | Yes |
| SSL Wrapper | Yes | Yes | Yes | Yes | Yes | Yes |
| Socket forwarding | Yes | Yes | No | Yes | No | No |
| Network Connector (NC) | Yes | Yes | Yes | No | No | No |

Note For more information about the browser, operating system, and Client Components features and the compatibility of these features, visit the following Microsoft website:
General information about the IAG client endpoint system requirements

Issues that are fixed by this update

This update fixes the following issues that were not previously documented in a Microsoft Knowledge Base article:

Issue 1

Symptoms
When you use SAP instead of the Whale portal as the default application in IAG, you receive the following HTTP 500 error:
Server Error in '/adfs' Application. Request is sent to the wrong port (whale portal port, instead of directly to the Default application
Cause
This issue occurs because the configurator does not recognize that ADFS is enforced. When you set an initial application that enforces ADFS, the initial port in the configuration files is set to 6002.
Resolution
The code in the configurator is now ADFS-aware. Therefore, the port is set correctly.

When you set an application as the initial application, you must change the cookie domain to the actual domain.

If you publish SharePoint applications, you must enter the domain that corresponds to your Forefront UAG host name and the AAM host name in the cookie domain field. For example, if the Forefront UAG portal uses the host name portal.example.com and the SharePoint AAM host name is sp.example.com, enter .example.com.

For more information about how to configure SharePoint AAM applications, visit the following Microsoft website:
Configuring SharePoint AAM applications with AD FS

Issue 2

Symptoms
When you use an ADFS trunk that directly links to an internal page, you receive the following error message:
You are not authorized to access this application.
Additionally, the following error is logged in the web monitor:
unrecognized application
Cause
This issue occurs because of an error in the ADFS authentication process. This process involves changing the orig_url attribute and the host attribute. However, during this process these parameters are malformed. Therefore, bookmarks cannot be used in ADFS.
Resolution
The internal site files and the filter mechanism now support the scenario in which ADFS is enforced.

When you set an application as the initial application, you must change the cookie domain to the actual domain.

If you publish SharePoint applications, you must enter the domain that corresponds to your Forefront UAG host name and the AAM host name in the cookie domain field. For example, if the Forefront UAG portal uses the host name portal.example.com and the SharePoint AAM host name is sp.example.com, enter .example.com.

For more information about how to configure SharePoint AAM applications, visit the following Microsoft website:
Configuring SharePoint AAM applications with AD FS
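
The cookie domain rule stated under Issue 1 and repeated here, worked through as an added example (this is not Microsoft or IAG code). It derives the narrowest shared parent of the portal and AAM host names and shows which hosts then receive the cookie; the public-suffix set is a small constructed stand-in and wiki.example.com is a hypothetical host.

```python
# Added illustration, not IAG or Microsoft code.
# Constructed stand-in for the Public Suffix List; a real check needs the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def _labels(host):
    """Split a host name into lowercase DNS labels, ignoring a trailing dot."""
    return host.lower().rstrip(".").split(".")


def shared_cookie_domain(portal_host, aam_host):
    """Narrowest cookie domain (with leading dot) that covers both host names."""
    common = []
    for a, b in zip(reversed(_labels(portal_host)), reversed(_labels(aam_host))):
        if a != b:
            break
        common.append(a)
    parent = ".".join(reversed(common))
    # Refuse a value that is empty or a bare public suffix such as "com".
    if not parent or parent in PUBLIC_SUFFIXES:
        raise ValueError("no shared parent domain below a public suffix")
    return "." + parent


def cookie_reaches(cookie_domain, host):
    """Domain-match as in RFC 6265: the host is the domain or a subdomain of it."""
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    domain = shared_cookie_domain("portal.example.com", "sp.example.com")
    print("cookie domain:", domain)
    # wiki.example.com is a hypothetical unrelated host in the same domain.
    for host in ("portal.example.com", "sp.example.com", "wiki.example.com"):
        print(host, "receives the cookie:", cookie_reaches(domain, host))
```

A cookie scoped to .example.com is sent to every host under example.com, not only to the portal and the AAM host, which is worth knowing when other applications share that domain.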

Issue 3

Symptoms
When you sign out of IAG, you do not sign out of ADFS. This means that you can access the IAG portal again without having to sign in. This may be a security risk in scenarios where the client connects to the IAG portal from a shared public computer. 
Cause
When you sign out of IAG, you do not sign out of ADFS. This means that you can access the IAG portal again without having to sign in. This may be a security risk in scenarios where the client connects to the IAG portal from a shared public computer. 
Resolution
The logoff URL of ADFS is now injected into the LogOff function of the IAG portal. When you log off from the IAG portal, you are also logged off from ADFS.

Issue 4

Symptoms
The GetUserInformation function of the Usermgrcom module cannot retrieve an attribute value that is not part of the partial attribute list of an Active Directory repository.
Cause
When you perform an Active Directory Service Interfaces (ADSI) search in the global catalog, ADSI reads only attributes that are part of the global catalog “partial attribute” list. However, the search results include empty values for attributes that are not on this list.
Resolution
If no attribute is found in the global catalog, the function returns a false result instead of adding an empty attribute value. Additionally, the function enables a fallback search by using Lightweight Directory Access Protocol (LDAP).

Note If you want to use the GetUserInformation function to retrieve several Active Directory values that include exported and un-exported attributes, you must split the call to the function into two calls. You must create one call for all exportable attributes together and a second call for all other attributes. The second call will not receive attributes from the global catalog. Therefore, the LDAP search will be initiated.

Issue 5

Symptoms
The Microsoft Office Outlook Web Access 2003 SP1 template blocks calendar items after 2009.
Cause
This issue occurs when the default template for Outlook Web Access 2003 SP1 has multiple rules that specify parameter values between 1999 and 2010. These values are used by various Outlook Web Access calendar functions to refer to dates, and the rules allow only dates between the years 2000 and 2009. Therefore, calendar events after 2009 are blocked when this template is used.

Issue 6

Symptoms
When IAG tries to obtain the user principal name (UPN) of a user, the operation fails if there is a slash in the common name (CN) of the user.
Cause
The issue occurs because CN strings that contain a slash are parsed incorrectly. The slash is treated as a path separator.
Resolution
This update implements an additional function that encodes CN strings that contain a slash.

Issue 7

Symptoms
After you install IAG 3.7 SP2 Update 2, you cannot import a trunk export ECP file as an ECP file. You can only import the file as an EGF file. Additionally, the following error is generated:
Failed to Decrypt new configuration, Please make sure you use the correct keys.
Cause
This issue occurs when you cannot import single trunk functionality. 
Resolution
After you apply the update, a single trunk can be imported successfully.

Note If you want to import a trunk into a configuration that already has a trunk with the same name, we strongly recommend that you cancel the operation, delete the existing trunk, and then import the new trunk again.

Issue 8

Symptoms
You receive the following error message:
ContentLength issue of AJAX by using IAG 2007 - the message that is received from the server could not be parsed.
Cause
This issue occurs because the AJAX response from the server is parsed incorrectly. The bug (37978) was previously fixed and delivered as a private fix. However, the fix was overwritten by Update 3.
Resolution
The fix was incorporated into Update 4.

Issue 9

Symptoms
You have a Java-enabled web browser that is not Windows Internet Explorer installed on a computer that is running a supported version of Windows. When you connect to IAG 2007 from this computer, you receive the following warning message:
Whale Client Components could not run on this computer, since the script signature could not be verified. Your user experience while using the site may vary, depending on your organization's security policies.
If you remove any custom detection scripts, you no longer receive this warning message.

Note This issue does not affect Windows Internet Explorer.
Cause
This issue occurs because of a feature in the endpoint detection application that is implemented in Java for Windows clients that use web browsers other than Internet Explorer. Some potentially dangerous characters that might be passed to Java programs are blocked by this application. This includes the comma character (,). However, the list of client detection script files that must be executed on an endpoint computer is delivered to the client as a comma separated list. Therefore, the Java application cannot parse the list and returns the error message that is mentioned in the "Symptoms" section to the client computer.
Resolution
This update changes the delimiter to a semicolon (;).
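
The conflict described in the Cause above, modelled as an added example (this is not the IAG Java application's code). It shows a character filter that blocks the list delimiter, the semicolon change, and, going beyond the article, a split-then-allowlist order that does not depend on the delimiter passing the filter. The blocklist beyond the comma, the name pattern and custom_av_check.vbs are assumptions.

```python
import re

# Constructed blocklist: the article names only the comma; the rest are assumptions.
BLOCKED_CHARS = frozenset(",|&<>\"'`")
# Assumed shape of a detection script name (hypothetical, for the per-item check).
SCRIPT_NAME = re.compile(r"[A-Za-z0-9_.-]+\.vbs")


def filter_then_split(param, delimiter):
    """Order described in the article: reject the whole parameter if it holds a
    blocked character, and only then split it into script names."""
    hit = sorted(set(param) & BLOCKED_CHARS)
    if hit:
        raise ValueError("blocked character(s): " + " ".join(hit))
    return [name for name in param.split(delimiter) if name]


def split_then_validate(param, delimiter):
    """Alternative order: tokenize first, then allowlist each name, so the
    delimiter never has to pass the character filter."""
    names = [name for name in param.split(delimiter) if name]
    for name in names:
        if not SCRIPT_NAME.fullmatch(name):
            raise ValueError("rejected script name: " + repr(name))
    return names


def delimiter_is_usable(delimiter):
    """A delimiter works with filter_then_split only if the filter lets it through."""
    return delimiter not in BLOCKED_CHARS


# Constructed sample data; custom_av_check.vbs is a hypothetical custom script.
DEFAULT_ONLY = ["Detection.vbs"]
WITH_CUSTOM = ["Detection.vbs", "custom_av_check.vbs"]

if __name__ == "__main__":
    for delim in (",", ";"):
        for scripts in (DEFAULT_ONLY, WITH_CUSTOM):
            param = delim.join(scripts)
            try:
                print(repr(delim), param, "->", filter_then_split(param, delim))
            except ValueError as err:
                print(repr(delim), param, "-> REJECTED:", err)
```

In this model a one-entry list contains no delimiter and passes the filter, which is consistent with the warning disappearing when custom detection scripts are removed.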

Issue 10

Symptoms
The icon to download the offline client components on Windows 7-based client computers is not visible.
Cause
This issue occurs because the client detection agent cannot detect Windows 7 when you run IAG in a portal.
Resolution
This update adjusts an agent detection script to detect Windows 7 in the same manner as regular endpoint detection.

UPDATE INFORMATION

A supported update is now available from Microsoft. However, it is intended to correct only the problems that this article describes. Apply it only to systems that are experiencing these specific problems.

To resolve these problems, contact Microsoft Customer Support Services to obtain the update. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft website:
http://support.microsoft.com/contactus/?ws=support
Note In special cases, the charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question. 

Prerequisites

Before you install this update, make sure that you have Intelligent Application Gateway (IAG) 2007 Service Pack 2 (SP2) installed on an appliance or on a virtual machine.

For more information about the IAG client endpoint system requirements, visit the following Microsoft TechNet website:
http://technet.microsoft.com/en-us/library/dd277998.aspx

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Removal information

To remove this update, follow these steps:
  1. On the IAG 2007-based computers, open the following folder:
    drive:\Whale-Com\e-Gap\patchDB
  2. Double-click the Uninstall-last.bat file.
The uninstallation process runs automatically. This process may take several minutes to finish. When the uninstallation process is complete, you are notified that the process completed successfully.

Hotfix replacement information

This hotfix does not replace any other hotfix.

Known Issues

Supported products notes

  • Not all the products that are supported in Forefront UAG 2010 are supported in IAG 2007. For example, Exchange 2010, SharePoint 2010, Windows Server 2008 Remote Desktop Protocol (RDP), and Windows Server 2008 Remote Desktop Gateway (RDG) are not supported in IAG 2007.
  • Microsoft Customer Support Services (CSS) cannot fully support beta, non-RTM, and non-generally-available (GA) products.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
| File name | File version | Size | Date | Time |
|---|---|---|---|---|
| Configuration.exe | 3.7.2.51 | 6,318,552 | 22-Mar-09 | 16:00 |
| Usermgrcore.dll | 3.7.2.51 | 805,296 | 22-Mar-09 | 16:00 |
| Whlfiltsnt.dll | 3.7.2.51 | 166,296 | 16-Jun-10 | 13:36 |
| Whlfiltappwrap.dll | 3.7.2.51 | 338,352 | 16-Jun-10 | 13:25 |
| Whlfiltauthorization.dll | 3.7.2.51 | 322,016 | 16-Jun-10 | 13:25 |
| Whlfilter.dll | 3.7.2.51 | 510,360 | 16-Jun-10 | 13:25 |
| Whlfiltformlogin.dll | 3.7.2.51 | 395,712 | 16-Jun-10 | 13:25 |
| Whlfiltruleset.dll | 3.7.2.51 | 547,248 | 16-Jun-10 | 13:25 |
| Whlfiltsecureremote.dll | 3.7.2.51 | 1,173,968 | 16-Jun-10 | 13:25 |
| Whlserverproxy.dll | 3.7.2.51 | 477,648 | 22-Mar-09 | 16:00 |
| Adfsconfigtool.vbs | Not applicable | 42,036 | 16-Jun-10 | 13:36 |
| Sslvpntemplates.xml | Not applicable | 65,581 | 16-Jun-10 | 13:36 |
| Wizarddefaultparam.ini | Not applicable | 93,650 | 16-Jun-10 | 13:36 |
| Https_whlfiltappwrap_forfederationserver.xml | Not applicable | 3,809 | 16-Jun-10 | 13:36 |
| Https_whlfiltappwrap_forportal.xml | Not applicable | 151,428 | 16-Jun-10 | 13:36 |
| Formlogin.xml | Not applicable | 38,762 | 16-Jun-10 | 13:36 |
| Logoffmsg.asp | Not applicable | 5,545 | 16-Jun-10 | 13:36 |
| Logoffparams.asp | Not applicable | 2,931 | 16-Jun-10 | 13:36 |
| Whlmgr.dll | 3.7.283.0 | 959,640 | 16-Jun-10 | 13:36 |
| Activesynclogin.asp | Not applicable | 7,653 | 16-Jun-10 | 13:36 |
| Login.asp | Not applicable | 20,267 | 16-Jun-10 | 13:36 |
| Postvalidate.asp | Not applicable | 18,533 | 16-Jun-10 | 13:36 |
| Redirecttoorigurl.asp | Not applicable | 605 | 16-Jun-10 | 13:36 |
| Sharepoint.asp | Not applicable | 8,835 | 16-Jun-10 | 13:36 |
| Sharepointredirector.asp | Not applicable | 9,138 | 16-Jun-10 | 13:36 |
| Login.asp | Not applicable | 20,267 | 16-Jun-10 | 13:36 |
| Logoffmsg.asp | Not applicable | 5,827 | 16-Jun-10 | 13:36 |
| Postvalidate.asp | Not applicable | 18,533 | 16-Jun-10 | 13:36 |
| Redirecttoorigurl.asp | Not applicable | 605 | 16-Jun-10 | 13:36 |
| Validatetrampoline.asp | Not applicable | 1,101 | 16-Jun-10 | 13:36 |
| Install.inc | Not applicable | 13,093 | 16-Jun-10 | 13:36 |
| Internalsite.inc | Not applicable | 29,103 | 16-Jun-10 | 13:36 |
| Logoffmsg.asp | Not applicable | 5,545 | 16-Jun-10 | 13:36 |
| Logoffparams.asp | Not applicable | 2,931 | 16-Jun-10 | 13:36 |
| Install.inc | Not applicable | 13,093 | 16-Jun-10 | 13:36 |
| Internalsite.inc | Not applicable | 29,103 | 16-Jun-10 | 13:36 |
| Login.asp | Not applicable | 20,267 | 16-Jun-10 | 13:36 |
| Login.asp | Not applicable | 34,534 | 16-Jun-10 | 13:36 |
| Logoff.js | Not applicable | 18,029 | 16-Jun-10 | 13:36 |
| Sslvpnpage.js | Not applicable | 22,058 | 16-Jun-10 | 13:36 |
| Sharepointkcd.js | Not applicable | 5,593 | 16-Jun-10 | 13:36 |
| Sessionstatisticsresults.asp | Not applicable | 21,841 | 16-Jun-10 | 13:36 |
| Userstatisticsresults.asp | Not applicable | 16,212 | 16-Jun-10 | 13:36 |
| Https_whlfiltformlogin.xml | Not applicable | 31 | 16-Jun-10 | 13:53 |
| Sslvpn_https_profiles.xml | Not applicable | 72 | 16-Jun-10 | 13:53 |
| Whlfiltappwrap_https.xml | Not applicable | 1,975 | 16-Jun-10 | 13:53 |
| Https_whlfiltformlogin.xml | Not applicable | 1,150 | 16-Jun-10 | 15:53 |
| Sslvpn_https_profiles.xml | Not applicable | 72 | 16-Jun-10 | 13:46 |
| Whlfiltappwrap_https.xml | Not applicable | 151,636 | 16-Jun-10 | 13:36 |
| Whlfiltsecureremote_https.xml | Not applicable | 100,800 | 16-Jun-10 | 13:46 |
| Whlfiltappwrap_https.xml | Not applicable | 1,021 | 16-Jun-10 | 14:17 |
| Sslvpn_https_profiles.xml | Not applicable | 72 | 16-Jun-10 | 13:25 |
| Whlfiltsecureremote_https.xml | Not applicable | 100,435 | 16-Jun-10 | 13:25 |
| Detection.vbs | Not applicable | 319,948 | 16-Jun-10 | 13:36 |
| Logoffmsg.asp | Not applicable | 5,800 | 16-Jun-10 | 13:36 |
| Logoffparams.asp | Not applicable | 3,063 | 16-Jun-10 | 13:36 |
| Ruleset_forcitrixxenapp5.ini | Not applicable | 24,880 | 16-Jun-10 | 13:36 |
| Ruleset_forcitrixxenapp5.ini | Not applicable | 960 | 16-Jun-10 | 13:36 |
| Ruleset_forcitrixxenapp5.ini | Not applicable | 960 | 16-Jun-10 | 13:36 |
| Ruleset_forcitrixxenapp5.ini | Not applicable | 960 | 16-Jun-10 | 13:36 |
| Ruleset_foractivesync.ini | Not applicable | 3,424 | 16-Jun-10 | 13:36 |
| Ruleset_forinternalsite.ini | Not applicable | 39,032 | 16-Jun-10 | 13:36 |
| Ruleset_forowa2003sp1.ini | Not applicable | 350,672 | 16-Jun-10 | 13:36 |
| Ruleset_forowa2007.ini | Not applicable | 1,064 | 16-Jun-10 | 13:36 |
| Ruleset_forportal.ini | Not applicable | 8,456 | 16-Jun-10 | 13:36 |
| Ruleset_forsharepoint2003.ini | Not applicable | 320,776 | 16-Jun-10 | 13:36 |
| Ruleset_forsharepoint2007.ini | Not applicable | 1,024 | 16-Jun-10 | 13:36 |
| Ruleset_forsharepoint2007aam.ini | Not applicable | 1,024 | 16-Jun-10 | 13:36 |
| Ruleset_foractivesync.ini | Not applicable | 3,416 | 16-Jun-10 | 13:36 |
| Ruleset_forowa2003sp1.ini | Not applicable | 350,160 | 16-Jun-10 | 13:36 |
| Ruleset_forowa2007.ini | Not applicable | 1,064 | 16-Jun-10 | 13:36 |
| Ruleset_forsharepoint2003.ini | Not applicable | 320,776 | 16-Jun-10 | 13:36 |
| Ruleset_forsharepoint2007.ini | Not applicable | 1,024 | 16-Jun-10 | 13:36 |
| Ruleset_forsharepoint2007aam.ini | Not applicable | 1,024 | 16-Jun-10 | 13:36 |
| Ruleset_forowa2007.ini | Not applicable | 1,064 | 16-Jun-10 | 13:36 |
| Ruleset_forsharepoint2007.ini | Not applicable | 1,024 | 16-Jun-10 | 13:36 |
| Ruleset_forsharepoint2007aam.ini | Not applicable | 1,024 | 16-Jun-10 | 13:36 |
| Ruleset_forowa2007.ini | Not applicable | 1,064 | 16-Jun-10 | 13:36 |
| Ruleset_forsharepoint2007.ini | Not applicable | 1,024 | 16-Jun-10 | 13:36 |
| Ruleset_forsharepoint2007aam.ini | Not applicable | 1,024 | 16-Jun-10 | 13:36 |
| Whlfiltsecureremote_http.xml | Not applicable | 92,878 | 16-Jun-10 | 13:36 |
| Whlfiltsecureremote_https.xml | Not applicable | 98,697 | 16-Jun-10 | 13:36 |

REFERENCES

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Properties

Article ID: 2230978 - Last Review: August 13, 2010 - Revision: 3.0
APPLIES TO
  • Microsoft Intelligent Application Gateway 2007