Description of Update 2 for Intelligent Application Gateway 2007 Service Pack 2

Microsoft has released Update 2 for Intelligent Application Gateway (IAG) 2007 Service Pack 2 (SP2). This article contains the following information about the update:

• The issues that the update fixes
• How to obtain the update
• Prerequisites for installing the update
• Information about any known issues

This update can be applied to the appliances that are running IAG 2007 with SP2 or SP2 Update 1, and it can be applied to the IAG 2007 with SP2 or SP2 Update 1 virtual machine.

For more information about IAG 2007 SP2, click the following article number to view the article in the Microsoft Knowledge Base:

Fixes and improvements that are included in this update

Improvements

This update contains the following improvements that were not previously documented in a Microsoft Knowledge Base article:

• 
  
  For trunks that do not publish an Alternative Access Mapping (AAM) application, the IAG session cookie will be a site cookie instead of a domain cookie.
  
  Details
  
  After you install this update, IAG will use domain cookies or site cookies per trunk that depends on the kinds of applications contained in the trunk and the rule.
  
  The Rule: If the public host name is IP address or short name, domain cookie is not enabled.
  
  Therefore, if the trunk contains AAM applications and the public host name is notan IP address or a short name, a domain cookie will be used for the trunk. Otherwise, a site cookie will be used.
  
  For example, if you add an AAM application to the trunk, the trunk will be defined as using a domain cookie. However, if the public host name is an IP address or a short name, when you active the configuration afterward, you will receive a warning message. In this case, a site cookie will be used.
  
  Additionally, if the trunk contains no AAM applications, a site cookie will be used.
• 
  
  With the introduction of Microsoft Exchange Server 2007 Service Pack 1 (SP1), there were some changes to the Exchange ActiveSync (EAS) protocol which are introduced in EAS version 12.1. This update adds the support for this updated version of the EAS protocol.
  
  Details
  
  With the continued evolution of Microsoft Exchange Server and the devices that connect to it, the protocol that enables mobile devices to synchronize with Exchange Server continues to evolve. With the introduction of Exchange Server 2007 SP1, the Exchange ActiveSync protocol was extended slightly, to EAS v12.1. This extension helps reduce how much data is sent and received by the mobile device during synchronization. The focus of these changes to the protocol was to improve battery life and to decrease the bandwidth used for synchronization. Most of the protocol changes the focus on how to use more WAP Binary XML (WBXML) and Base64 encoding so that the number of data transmitted can be further reduced. Most visibly In EAS 12.1, the ActiveSync parameters that used to be plain text in the URL were converted into Base64 encoded WBXML. IAG’s ActiveSync trunk and related security mechanisms were updated to support the changes in the protocol.
  
  After you apply this update, the ActiveSyncLogin.asp file will be changed in order to support the protocol changes. If there were any direct modifications to the ActiveSyncLogin.asp file, those changes have to be re-done. As always, we recommend that you change the default .asp files only through custom update of the .inc files so that changes will persist when the default files are updated.
  
  
• This update adds full support for Windows Internet Explorer 8.

Fixed issues

The update fixes the following issues that were not previously documented in a Microsoft Knowledge Base article:

Issue 1: Incorrect IAG behavior when headers contain blank characters.

Resolution

In this case, IAG will treat the parameter as an empty parameter.

Issue 2: IAG does not support Citrix XenApp5 applications well.

Resolution

After you install this update, new rules are added to enable application traffic and SRA signature for Citrix XenApp5 applications.

Issue 3: A 500 error occurs when IAG parses text/html response content type (not binary) body that uses chunked encoding type.

Symptom

A user receives a 500 error when the user tries to access the portal. This issue occurs when the response body is text/html content type (not binary) and the Transfer-encoding is chunked. Filter log shows an out-of-memory exception from the HTTP parser followed by IAG transmitting the 500-error page.

Resolution

This update fixes the bugs with the way IAG handles chunked bodies when it reads the chunk headers.

Issue 4: An error occurs when you use the IAG Socket Forwarding component on a Citrix Terminal Server, while the browser accesses a Web site for the second time.

Symptom

Web browser stability issue occurs when you run the IAG client components on a Citrix Terminal Server. This stability issue occurs when the Socket Forwarder is also used and the browser accesses a Web site for the second time. This issue does not occur when the IAG client components are not installed.

Resolution

This update resolve the stability issue on the client-side.

Issue 5: An error occurs in module WhlCppInfra.dll, version 3.7.0.10. This causes IAG server instability.

Symptom

The error in WhlCppInfra.dll prevents users from accessing resources that affect the production environment. When this issue occurs, users cannot connect or log on to the portal. Additionally, they receive one of the following error messages:

• Error Code 64: Host not available
• There are too many users on the Web site at the moment. Please try to access the site again in a few minutes.

Note This issue happens intermittently and there is no certain timeframe or conditions in which this issue happens.

Resolution

The instability occurs because of a buffer overflow when IAG parses monitor parameters.

Issue 6: A SharePoint persistent cookie name race condition occurs.

Symptom

An unexpected failure occurs when you use Microsoft Office components to edit and save documents to a SharePoint Web site while you are working with multiple trunks.

Resolution

When there are two or more trunks configured in IAG in a similar manner, and both use AAM and publish SharePoint sites, the Persistent Cookie may be written for the wrong trunk. This behavior causes a race condition. This update fixes this behavior.


Issue 7: An Authorization Key Header memory corruption may occur when an "Authorization Key" header is used.

Symptom

Memory usage of an appliance increases over time and the appliance starts to show memory corruption in the "Authorization Key" header.

Issue 8: IAG cannot to detect the AVG antivirus software on the client computer because of the mistyped value in the detection policy expression.

Symptom

After you create the custom endpoint detection policy, IAG cannot detect the AVG antivirus on the client computer. This is caused by a mistyped value in the detection policy expression for AVG up-to-date.

Resolution

The issue is in the detection mechanism. The expression that is used to indicate whether AVG is up to date was "AV_AVG_UptoDate." However, the expression in the policy was "AV_Avg_UptoDate". Because the expression is case-sensitive, AVG would always seem to be outdated.

This issue is fixed in the PolicyDefinitions.xml file.

Issue 9: A header may be removed incorrectly when header attributes have a common substring.

Symptom

When the Backend Server sends out a response with a header attribute that is to be removed and two header attributes have a common substring, the response is outputted incorrectly. The header attribute is not removed completely. Instead, a part of the header attribute is clipped out and the remaining part is attached to the next header attribute.

For example, assume that the response header contains the following attributes:

• Content-Transfer-Encoding: binary
• Content-Type: text/xml; charset=utf-8

In this example, the "Transfer-Encoding" part of the first attribute is trimmed out. However, the remaining "Content" part is attached to the next header attribute. Therefore, the output will include the remaining part of the original header "glue" to the next header:

Content-Content-Type: text/xml; charset=utf-8

This makes the next header attribute comes invalid.

Resolution

After you install this update, IAG removes header attribute only if there is full match in the header name.


Issue 10: The rule sets for both Internal Site and Whale Portal applications may be reset unexpectedly when the operating system is configured to use the "Automatically Adjust for daylight saving time" option.

Symptom

Customers who have customized the rule sets for Internal Site or Whale Portal applications may find that the rule sets are reset to their default settings without warning when daylight saving time or summer time switches occur.

Details

Every time that you activate the IAG configuration or manually save the configuration, the time stamp from the uninstall-last.bat file is saved into the current .egf file. When the IAG configuration is loaded, IAG checks the current time stamp on uninstall-last.bat, and compares it to the time stamp stored in .egf file. If the comparison does not match, the rule sets for both Internal Site and Whale Portal applications are reset to the default settings for each application. The design of this behavior was meant to force update the default rule sets when an IAG update is applied, to make sure that any updates to the default rule sets are applied. daylight saving time changes unexpectedly also trigger this behavior.



Resolution

The function that was used to compare the time stamp does not consider the possible time changes caused by “Automatically Adjust for Daylight Saving Time”. The function has now been updated to consider for this automatic time update and will no longer reset the rule sets on the automatic daylight saving time update.



Issue 11: Error message when you enable Server Name Translation (SNT) in IAG: "Allow http header block of a request to exceed 2KB and avoid SNT throwing an error"

Symptom

The issue occurs when the header of a request exceeds 2 kilobytes (KB) in SNT. In this situation, an error occurs and the client receives a 500 error that has the following error message:


Resolution

After you install this update, IAG enables the request header to exceed 2KB. This fix enables the usage of the MaxAllHeadersLen registry entry under HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter. This value can be increased accordingly. The default value is 2048.

Issue 12: End point detection fails when the system locale is set to a non-English locale

Symptom

Because of en point detection failure, users cannot log on to the portal that is hosted on IAG3.7 SP2. This issue could affect any users who have local settings for non-unicode programs option. This issue affects all Windows XP Service Pack 3 (SP3) and Windows Vista Service Pack 1 (SP1) clients.

Resolution

This update fixes encoding in translating to wide string.


Issue 13: Several symptoms related to FormLogin Single Sign-On (SSO) occur.

Symptom 1

Multiple SSO logon fail if the HTTP verb inside the <METHOD> tag in the Formlogin.xml file has a different capitalization from the verb in the HTML response from the Web server. The first SSO logon always works, regardless of whether the HTTP verb is entered in lowercase or uppercase. However, the next logons will fail if the capitalization is not matched. The user must log completely out of the portal, for the SSO to work with the Web server again.

Symptom 2

FormLogin starts and injects JavaScript even if the <LOGIN_FORM><NAME> tag does not match FormLogin. JavaScript injection should not be performed if the <NAME> in the FormLogin.xml does not match FORM NAME of the HTML response form of the Web server. If the <NAME> tag does not exist, it will behave as if these tags matched.

Resolution

After you install this update, the <METHOD> tag will not be treated as case-sensitive and there will be no JavaScript injection if the <NAME> of the form does not match. If the <NAME> tag does not exist, it will behave as if these tags are matched.


Issue 14: Certain rule-set may break Java SSL Wrapper.

Resolution

This update changes rule set not to reject parameters that cause the program to be unable to be downloaded.

Issue 15: Error message when you create an HTTP redirect trunk to an HTTPS (port 443) Basic or Webmail trunk: "Cannot create redirect trunk, the require IP address and port number are not defined in the Service Policy Manager program. Define the required parameters for the Real Web Server. IP(<Customer Specific>), Port(443)"

Resolution

This update changes the default configuration to include support for the redirect trunk.

Issue 16: IAG does not recognize iPhone as "Macintosh."

Symptom

When you use iPhone to browse to the IAG portal logon page, you receive a message that JAVA is not installed.

Resolution

After you install this update, iPhone belongs to the "Other OS" category in IAG. To enable iPhone access, policy should be configured accordingly. To do this, on the Session tab, click Manage Policies, and then edit the required policy.

Issue 17: Problem when publishing DB2 through IAG

Resolution

After you install this update, you will be able to publish DB2 database servers through IAG.

Issue 18: Kerberos Constrained Delegation (KCD) does not work in case backend application does not support/configured to support for SPNEGO

Symptom

Kerberos Constrained Delegation (KCD) does not work in case back-end application does not support/configured to support for SPNEGO. The HTTP log indicates that a "200 OK" response is returned immediately after IAG sends a Kerberos token. The application sends a "200 OK" response while IAG is expecting a negotiation token.

Resolution

In an optimal scenario, the backend Web server should return 401 when it receives a GSS_S_CONTINUE_NEEDED value to complete the negotiation. In this case, IAG should send a token back to the back-end Web server to finish the authentication process.

However, some back-end applications do not support or are not configured to support mutual Kerberos authentication (no support for SPNEGO). For these applications, an additional SSP (Kerberos) may be used by setting the registry. The following registry entry changes the Security Support Provider(SSP) we use from Negotiate to Kerberos. Additionally, some back-end servers do not support Kerberos authentication against UPN names. The following registry entry enforces the authentication against SAM Account name.Note If the key does not exist or equals to zero, it means that SPNEGO and UPN name are used accordingly. By default, no registry keys will be defined.

The KCDUseSAMAccount setting enables authentication against SAM account names instead of UPN names.

You must restart IIS on the IAG server after you apply these registry settings.

Update information

A supported update is now available from Microsoft. However, it is intended to correct only the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Customer Support Services to obtain the update. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Prerequisites

Before you install this update, make sure that you have either IAG 2007 Service Pack 2 installed on an appliance, or have IAG 2007 SP2 installed on a virtual machine.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Removal information

To remove this update, follow these steps:

1. On the IAG 2007 appliance, open the following folder:
   drive:\Whale-Com\e-Gap\patchDB
2. Double-click the Uninstall-last.bat file.

The uninstall process runs automatically. This process may take several minutes to finish. When the uninstall process is complete, you are notified that the process completed successfully.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

Known issues

• After you uninstall IAG 2007 SP2 Update 2, all configuration changes that are made after you upgrade to Update 2 are discarded. Therefore, we recommend that you back up an active configuration before you uninstall Update 2.
• If you are using your own version of a logon page, and you place it in the <drive>:\Whale-Com\e-Gap\von\InternalSite\CustomUpdate folder (for example, E:\Whale-Com\e-Gap\von\InternalSite\CustomUpdate \MyLoginForm.asp”), you must update the logon page by using the following steps:
  1. Find the "selectLang" iavascript function by locating "function selectLang()" in your custom file, and then replace the entire function with the selectLang() function from your logon.asp file with IAG 2007 SP2 Update 2 version.“

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Microsoft thanks the following for working with us to help protect customers:

• Kristian Erik Hermansen
  (http://www.google.com/profiles/kristian.hermansen)

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base: