Article ID: 975491 - View products that this article applies to.
Microsoft has released Update 2 for Intelligent Application Gateway (IAG) 2007 Service Pack 2 (SP2). This article contains the following information about the update:
Collapse this tableExpand this table
This update can be applied to the appliances that are running IAG 2007 with SP2 or SP2 Update 1, and it can be applied to the IAG 2007 with SP2 or SP2 Update 1 virtual machine.
For more information about IAG 2007 SP2, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/962977/ )Description of Intelligent Application Gateway (IAG) 2007 Service Pack 2
(http://support.microsoft.com/kb/968384/ )Description of Update 1 for Intelligent Application Gateway 2007 Service Pack 2
Fixes and improvements that are included in this update
ImprovementsThis update contains the following improvements that were not previously documented in a Microsoft Knowledge Base article:
Fixed issuesThe update fixes the following issues that were not previously documented in a Microsoft Knowledge Base article:
Issue 1: Incorrect IAG behavior when headers contain blank characters.
In this case, IAG will treat the parameter as an empty parameter.
Issue 2: IAG does not support Citrix XenApp5 applications well.
After you install this update, new rules are added to enable application traffic and SRA signature for Citrix XenApp5 applications.
Issue 3: A 500 error occurs when IAG parses text/html response content type (not binary) body that uses chunked encoding type.
A user receives a 500 error when the user tries to access the portal. This issue occurs when the response body is text/html content type (not binary) and the Transfer-encoding is chunked. Filter log shows an out-of-memory exception from the HTTP parser followed by IAG transmitting the 500-error page.
This update fixes the bugs with the way IAG handles chunked bodies when it reads the chunk headers.
Issue 4: An error occurs when you use the IAG Socket Forwarding component on a Citrix Terminal Server, while the browser accesses a Web site for the second time.
Web browser stability issue occurs when you run the IAG client components on a Citrix Terminal Server. This stability issue occurs when the Socket Forwarder is also used and the browser accesses a Web site for the second time. This issue does not occur when the IAG client components are not installed.
This update resolve the stability issue on the client-side.
Issue 5: An error occurs in module WhlCppInfra.dll, version 220.127.116.11. This causes IAG server instability.
The error in WhlCppInfra.dll prevents users from accessing resources that affect the production environment. When this issue occurs, users cannot connect or log on to the portal. Additionally, they receive one of the following error messages:
Note This issue happens intermittently and there is no certain timeframe or conditions in which this issue happens.
The instability occurs because of a buffer overflow when IAG parses monitor parameters.
Issue 6: A SharePoint persistent cookie name race condition occurs.
An unexpected failure occurs when you use Microsoft Office components to edit and save documents to a SharePoint Web site while you are working with multiple trunks.
When there are two or more trunks configured in IAG in a similar manner, and both use AAM and publish SharePoint sites, the Persistent Cookie may be written for the wrong trunk. This behavior causes a race condition. This update fixes this behavior.
Issue 7: An Authorization Key Header memory corruption may occur when an "Authorization Key" header is used.
Memory usage of an appliance increases over time and the appliance starts to show memory corruption in the "Authorization Key" header.
Issue 8: IAG cannot to detect the AVG antivirus software on the client computer because of the mistyped value in the detection policy expression.
After you create the custom endpoint detection policy, IAG cannot detect the AVG antivirus on the client computer. This is caused by a mistyped value in the detection policy expression for AVG up-to-date.
The issue is in the detection mechanism. The expression that is used to indicate whether AVG is up to date was "AV_AVG_UptoDate." However, the expression in the policy was "AV_Avg_UptoDate". Because the expression is case-sensitive, AVG would always seem to be outdated.
This issue is fixed in the PolicyDefinitions.xml file.
Issue 9: A header may be removed incorrectly when header attributes have a common substring.
When the Backend Server sends out a response with a header attribute that is to be removed and two header attributes have a common substring, the response is outputted incorrectly. The header attribute is not removed completely. Instead, a part of the header attribute is clipped out and the remaining part is attached to the next header attribute.
For example, assume that the response header contains the following attributes:
In this example, the "Transfer-Encoding" part of the first attribute is trimmed out. However, the remaining "Content" part is attached to the next header attribute. Therefore, the output will include the remaining part of the original header "glue" to the next header:
Content-Content-Type: text/xml; charset=utf-8
This makes the next header attribute comes invalid.
After you install this update, IAG removes header attribute only if there is full match in the header name.
Issue 10: The rule sets for both Internal Site and Whale Portal applications may be reset unexpectedly when the operating system is configured to use the "Automatically Adjust for daylight saving time" option.
Customers who have customized the rule sets for Internal Site or Whale Portal applications may find that the rule sets are reset to their default settings without warning when daylight saving time or summer time switches occur.
Every time that you activate the IAG configuration or manually save the configuration, the time stamp from the uninstall-last.bat file is saved into the current .egf file. When the IAG configuration is loaded, IAG checks the current time stamp on uninstall-last.bat, and compares it to the time stamp stored in .egf file. If the comparison does not match, the rule sets for both Internal Site and Whale Portal applications are reset to the default settings for each application. The design of this behavior was meant to force update the default rule sets when an IAG update is applied, to make sure that any updates to the default rule sets are applied. daylight saving time changes unexpectedly also trigger this behavior.
The function that was used to compare the time stamp does not consider the possible time changes caused by “Automatically Adjust for Daylight Saving Time”. The function has now been updated to consider for this automatic time update and will no longer reset the rule sets on the automatic daylight saving time update.
Issue 11: Error message when you enable Server Name Translation (SNT) in IAG: "Allow http header block of a request to exceed 2KB and avoid SNT throwing an error"
The issue occurs when the header of a request exceeds 2 kilobytes (KB) in SNT. In this situation, an error occurs and the client receives a 500 error that has the following error message:
The data error passed to a system call is too small.
After you install this update, IAG enables the request header to exceed 2KB. This fix enables the usage of the MaxAllHeadersLen registry entry under HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter. This value can be increased accordingly. The default value is 2048.
Issue 12: End point detection fails when the system locale is set to a non-English locale
Because of en point detection failure, users cannot log on to the portal that is hosted on IAG3.7 SP2. This issue could affect any users who have local settings for non-unicode programs option. This issue affects all Windows XP Service Pack 3 (SP3) and Windows Vista Service Pack 1 (SP1) clients.
This update fixes encoding in translating to wide string.
Issue 13: Several symptoms related to FormLogin Single Sign-On (SSO) occur.
Multiple SSO logon fail if the HTTP verb inside the <METHOD> tag in the Formlogin.xml file has a different capitalization from the verb in the HTML response from the Web server. The first SSO logon always works, regardless of whether the HTTP verb is entered in lowercase or uppercase. However, the next logons will fail if the capitalization is not matched. The user must log completely out of the portal, for the SSO to work with the Web server again.
Issue 14: Certain rule-set may break Java SSL Wrapper.
This update changes rule set not to reject parameters that cause the program to be unable to be downloaded.
Issue 15: Error message when you create an HTTP redirect trunk to an HTTPS (port 443) Basic or Webmail trunk: "Cannot create redirect trunk, the require IP address and port number are not defined in the Service Policy Manager program. Define the required parameters for the Real Web Server. IP(<Customer Specific>), Port(443)"
This update changes the default configuration to include support for the redirect trunk.
Issue 16: IAG does not recognize iPhone as "Macintosh."
When you use iPhone to browse to the IAG portal logon page, you receive a message that JAVA is not installed.
After you install this update, iPhone belongs to the "Other OS" category in IAG. To enable iPhone access, policy should be configured accordingly. To do this, on the Session tab, click Manage Policies, and then edit the required policy.
Issue 17: Problem when publishing DB2 through IAG
After you install this update, you will be able to publish DB2 database servers through IAG.
Issue 18: Kerberos Constrained Delegation (KCD) does not work in case backend application does not support/configured to support for SPNEGO
Kerberos Constrained Delegation (KCD) does not work in case back-end application does not support/configured to support for SPNEGO. The HTTP log indicates that a "200 OK" response is returned immediately after IAG sends a Kerberos token. The application sends a "200 OK" response while IAG is expecting a negotiation token.
In an optimal scenario, the backend Web server should return 401 when it receives a GSS_S_CONTINUE_NEEDED value to complete the negotiation. In this case, IAG should send a token back to the back-end Web server to finish the authentication process.
However, some back-end applications do not support or are not configured to support mutual Kerberos authentication (no support for SPNEGO). For these applications, an additional SSP (Kerberos) may be used by setting the registry. The following registry entry changes the Security Support Provider(SSP) we use from Negotiate to Kerberos.
Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\eGap\von\UrlFilterAdditionally, some back-end servers do not support Kerberos authentication against UPN names. The following registry entry enforces the authentication against SAM Account name.
Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\eGap\von\UrlFilterNote If the key does not exist or equals to zero, it means that SPNEGO and UPN name are used accordingly. By default, no registry keys will be defined.
The KCDUseSAMAccount setting enables authentication against SAM account names instead of UPN names.
You must restart IIS on the IAG server after you apply these registry settings.
A supported update is now available from Microsoft. However, it is intended to correct only the problem that this article describes. Apply it only to systems that are experiencing this specific problem.
To resolve this problem, contact Microsoft Customer Support Services to obtain the update. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
PrerequisitesBefore you install this update, make sure that you have either IAG 2007 Service Pack 2 installed on an appliance, or have IAG 2007 SP2 installed on a virtual machine.
Restart requirementYou do not have to restart the computer after you apply this hotfix.
Removal informationTo remove this update, follow these steps:
Hotfix replacement informationThis hotfix does not replace any other hotfixes.
File informationThe English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Collapse this tableExpand this table
(http://www.microsoft.com/technet/security/bulletin/policy.mspx)the following for working with us to help protect customers:
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/824684/ )Description of the standard terminology that is used to describe Microsoft software updates