These release notes address late-breaking issues that are related to Microsoft Forefront Unified Access Gateway (UAG) 2010. Before you install Forefront UAG, you must read the information that is contained in this document and review the system requirements for Forefront UAG servers.
The sections in this article describe the known issues, grouped by topic.
This article also describes Update 1 for Forefront UAG 2010 and provides installation instructions. Update 1 for Forefront UAG 2010 provides the following features:
Remote Desktop access from Windows Vista and from Windows XP: Client endpoints that are running Windows Vista or Windows XP can now access RemoteApps and Remote Desktops that are published through Forefront UAG.
Support for Microsoft Office Forms Based Authentication (MSOFBA): Forefront UAG now supports the MSOFBA protocol, which enables rich clients to directly access applications that are published through Forefront UAG.
Support for site cookies: Forefront UAG now supports site cookies for non-Alternate Access Mapping applications, in addition to domain cookies.
Support for large CustomUpdate files: Forefront UAG now supports CustomUpdate files that are as large as 1.5 gigabytes (GB).
Support for Microsoft SharePoint Server 2010.
Changes in Group Policy object (GPO) provisioning for DirectAccess clients: Update 1 fixes the following issues:
The export script that creates GPOs fails.
The GPO is applied to all authenticated users in the domain, which includes computer accounts. However, you expect the GPO to apply to DirectAccess clients only.
For more information about the new features in Update 1 for Forefront UAG 2010, refer to the "What's new in Forefront UAG" section on the following Microsoft Web site: Product evaluation that applies to Forefront UAG
This update can be applied only to a computer or appliance that is running the Forefront UAG 2010 RTM version.
Restart requirement
On a standalone Forefront UAG server, you do not have to restart the computer after you install Update 1 for Forefront UAG 2010. The package restarts the Forefront UAG services automatically. However, in an array environment, you may have to restart the member servers in the array.
Known issues
Installation notes
Forefront UAG can be installed only on computers that are running a 64-bit version of Windows Server 2008 R2 Standard edition or Windows Server 2008 R2 Enterprise edition.
Do not include double-byte character set (DBCS) characters in the Forefront UAG installation path.
When you start Forefront TMG for the first time after you install Forefront UAG, many Forefront TMG alerts may be issued. You can safely ignore these alerts.
Before you install Update 1, make sure that the following conditions are true on the Forefront UAG RTM servers:
CustomUpdate files are not set as read-only.
The names of CustomUpdate files, and the names of the folders that contain them, do not include spaces.
Forefront UAG rules do not contain excluded rule parameter sets.
After you install Update 1 and then activate the configuration, you may receive an error message in the Activate Configuration dialog box. The error message states that the WebMonitor and Default Web Site Web sites cannot be started. To resolve this issue, activate the configuration again.
After you install Update 1, you can no longer repair the installation by using the Repair feature.
Arrays and Network Load Balancing (NLB)
When you try to join two servers to the same array concurrently, the array storage may be corrupted. If this happens, restore the settings from a backup configuration. To avoid this issue, join servers to the array one at a time.
When you delete an IPv6 virtual IP address (VIP) in the Forefront UAG Management console, the address may not be removed completely. To work around this issue, delete the address both in the operating system network properties and in the Forefront UAG Management console.
Forefront UAG may not detect that an array member that uses integrated NLB has lost network connectivity. Therefore, Forefront UAG may continue to route traffic to the unavailable server. To avoid this issue, disable the internal and external adapters of offline array members, and enable the adapters again after the connectivity issues are resolved. If Microsoft System Center Operations Manager 2007 is deployed in your organization, you can monitor the status of array member network adapters. To do this, follow these steps:
Make sure that the Windows Server Operating System and Windows Server 2008 NLB management packs are installed on each array member.
Use Operations Manager 2007 to detect disconnected network adapters on array members. Operations Manager 2007 reports issues as follows:
If there is a problem with the adapter that is connected to the internal network, Operations Manager 2007 reports that no heartbeat is detected.
If there is a problem with the adapter that is connected to the external network, Operations Manager 2007 reports a Windows NLB issue.
When you create a redirect trunk for an HTTPS trunk in an array that does not have load balancing enabled, you must manually assign the IP addresses of the redirect trunk for each array member.
Publishing and authentication
When you create trunks and publish applications, the use of nonstandard ports is not supported. Servers must listen on port 80 for HTTP and on port 443 for HTTPS.
When you publish a back-end application server through multiple trunks, the name that is specified for the server should be the same in the properties of every trunk.
After you publish a generic Web application through a portal, you cannot change the IP address of the Web application. This operation is not supported.
The following limitations apply when you publish Remote Desktop Services (RDS) through Forefront UAG:
Forefront UAG provides RDS access for client endpoints that support Remote Desktop Protocol (RDP) 7.0 (Remote Desktop client 6.1). RDP 7.0 is supported only on endpoints that are running Windows 7. In the RTM release, clients that are running Windows Vista or Windows XP cannot access RDS RemoteApps, Remote Desktop (predefined), and Remote Desktop (user-defined) resources that are published through Forefront UAG. If RDP access is required for these clients, use RDP client tunneling. This issue is resolved in Update 1. For more information, refer to the "Enabling RDS on Windows Vista and Windows XP" item.
You publish RemoteApps on a Forefront UAG server that is running DirectAccess or SSL Network Tunneling by using SSTP. In this situation, the Remote Desktop Gateway (RD Gateway) certificate may be deleted when the configuration is activated in the Forefront UAG Management console, and client access may not function correctly. If this occurs, reconfigure the RD Gateway certificate from the RD Gateway Management console. This issue is resolved in Update 1.
RDS sessions fail when session cookies contain more than 800 characters. This issue may occur if cross-site single sign-on is configured. Cross-site single sign-on lets users log on to a portal and then access additional portals without reauthentication.
Client endpoints that use Internet Explorer 6 to access RDS applications that are published through a Forefront UAG trunk may see very large icons. This issue is resolved in Update 1.
To use single sign-on for RDS applications, users must specify their logon name in "domain\user" format.
When you publish RDS through Forefront UAG and then access RDS, you may receive a pop-up message that indicates that the Terminal Services ActiveX control must be installed. However, the Internet Explorer Information bar (the gold bar) that asks whether you want to use the control does not appear. To resolve this issue, refresh the portal Web page by pressing CTRL+F5 after you enter credentials to access the portal.
When you change the application name of an RDS application that is published through a trunk, the updated name may not appear as expected in the Web portal.
The following limitations apply when you publish Exchange services through Forefront UAG:
When you publish Outlook Web Access 2010 through Forefront UAG, the application does not open in the portal as expected. To work around this issue, make sure that the Open in a new window setting is enabled on the Portal Link tab of the Exchange application properties. By default, this check box is selected. Do not clear the check box.
When you publish Outlook Web Access through Forefront UAG and then apply an Outlook Web Access appearance, the This is a private computer setting does not appear in the user interface. Instead, clients that connect from a private computer should select the This site automatically identified the endpoint that you are connecting from as a private computer option.
You cannot apply the Outlook Web Access appearance trunk settings when you publish Exchange 2003. This operation is not supported.
When you publish Office Communications Server (OCS) 2007 R2, application sharing, desktop sharing, and file transfers are not supported.
The following limitations apply when you publish SharePoint through Forefront UAG:
For endpoints that access SharePoint 2010 through Forefront UAG, the Explorer view may be displayed incorrectly in the portal. To work around this issue, make sure that the Open in a new window setting is selected on the Portal Link tab of the application properties. Alternatively, client endpoints can access the site directly by using Alternate Access Mappings (AAMs). For more information, refer to the "Alternate Access Mappings" section.
Sometimes the WebDAV user agent is used in requests for files in a SharePoint 2010 site that is published through Forefront UAG. This behavior may cause endpoint users to be prompted several times for credentials before the requested file is opened. This behavior affects only sessions that are initiated by Office client applications.
If you log off from a SharePoint 2010 site and then immediately log on again by using the "Click here to log on again" link, an Error 500 may occur. To avoid this issue, do not log on immediately after you log off.
When you publish SharePoint with Update 1 installed, legitimate HTTP requests for SharePoint resources may be blocked. To work around this issue, manually change the Forefront UAG rules. To do this, follow these steps:
On rule 51 of SP14AAM, change /_layouts/[^"#&/:<>?\\{|}~]*\.(js|htm) to /_layouts/[^"#&/:<>?\\{|}~]*\.(js|htm|aspx). Additionally, add the HEAD method.
On rule 39 of SP14AAM, add the HEAD method.
On rule 59 of SP14AAM, add the DELETE method.
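The pattern change on rule 51 is easier to reason about when you can see exactly which requests it admits before and after the edit. The following Python script is an added example, not code from the Microsoft article or from Forefront UAG: it models rule 51 with Python's re module against a constructed set of requests. It assumes that the pattern is matched against the whole request path (fullmatch) and that rule 51 allowed only GET before HEAD was added; the article states neither. Rules 39 and 59 are not modeled because their patterns are not given here.

```python
import re

# Rule 51 of SP14AAM as quoted in the article, before and after the change.
RULE51_BEFORE = r'/_layouts/[^"#&/:<>?\\{|}~]*\.(js|htm)'
RULE51_AFTER = r'/_layouts/[^"#&/:<>?\\{|}~]*\.(js|htm|aspx)'

# A rule is (pattern, set of allowed HTTP methods). The GET-only method set on
# the "before" side is an assumption made for this illustration; the article
# only says that HEAD must be added.
RULES_BEFORE = [(RULE51_BEFORE, {"GET"})]
RULES_AFTER = [(RULE51_AFTER, {"GET", "HEAD"})]


def is_allowed(method, path, rules):
    """Return True if some rule permits `method` and its pattern matches the
    whole `path`. Whole-path anchoring (fullmatch) is an assumption; the
    article does not describe how Forefront UAG anchors rule patterns."""
    method = method.upper()
    for pattern, methods in rules:
        if method in methods and re.fullmatch(pattern, path):
            return True
    return False


# Constructed sample requests: a script, a SharePoint page, a HEAD probe,
# a directory-traversal attempt and a nested path under /_layouts/.
SAMPLE_REQUESTS = [
    ("GET", "/_layouts/init.js"),
    ("GET", "/_layouts/settings.aspx"),
    ("HEAD", "/_layouts/init.js"),
    ("GET", "/_layouts/../web.config"),
    ("GET", "/_layouts/sub/page.js"),
]


def evaluate(rules):
    """Map 'METHOD path' to the allow/deny decision under `rules`."""
    return {f"{m} {p}": is_allowed(m, p, rules) for m, p in SAMPLE_REQUESTS}


if __name__ == "__main__":
    before, after = evaluate(RULES_BEFORE), evaluate(RULES_AFTER)
    for req in before:
        print(f"{req:32} before={before[req]!s:5} after={after[req]!s:5}")
```

The traversal and nested-path requests stay blocked after the change because the character class excludes "/", so widening the extension list does not widen the directory the rule reaches; only .aspx files directly under /_layouts/ and the HEAD method are newly admitted.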
Client endpoints may be unable to access Citrix XenApp that is published through Forefront UAG. This occurs because the Citrix XenApp application template is missing. To add the template, follow these steps on the Forefront UAG server or on each array member:
Open the SSLVPNTemplates.xml file for editing. In a default Forefront UAG installation, this file is located in the following folder:
Restart IIS with IISReset.
You must have administrator credentials on the local computer to make these changes.
Remote network access (SSL network tunneling)
For this release, the PPTP and L2TP/IPsec protocols for SSL network tunneling are not supported, even though these options appear in the Forefront UAG Management console.
Forefront TMG system policy rules allow or deny traffic to the Forefront UAG server. By default, these rules drop IPv6 traffic from back-end servers that is destined for Forefront UAG. To enable access to the Forefront UAG server for IPv6 monitoring servers and for other services, change the system policy rules. To enable IPv6 traffic on a specific system policy rule, follow these steps:
On the Start menu, open the Forefront TMG Management console.
In the console tree, click the Firewall Policy node.
On the Tasks tab, click Edit System Policy.
In the Configuration Groups tree in System Policy Editor, click the group that contains the rule for which you want to enable IPv6 traffic.
On the To tab, click Add, and then select Anywhere (IPv6). Click Close, and then click OK. Note that Anywhere (IPv6) permits that rule's traffic from any IPv6 source, so apply it only to the rules that actually need it.
When you use Forefront UAG DirectAccess, protocols that do not support NAT traversal, for example Real Time Streaming Protocol (RTSP), may function incorrectly if the published back-end server supports IPv4 only.
Before you install Forefront UAG DirectAccess, delete any existing DirectAccess Group Policy objects on the domain controller.
When you use integrated Network Load Balancing in an array of Forefront UAG DirectAccess servers, multicast mode is not supported.
After you run the exported configuration script to create Group Policy Objects (GPOs), the GPOs that are created in the domain may be applied to the Authenticated Users security group. This causes the GPOs to be applied to the DirectAccess servers as well, which creates a configuration conflict. This issue is fixed in Forefront UAG Update 1.
Client endpoint access
You cannot install or run the Forefront UAG Endpoint Detection component on client endpoints that are running Windows Server 2008 R2.
When you authenticate by using Basic authentication, client endpoints that use languages that require DBCS characters have the following requirements:
The endpoint must be configured to use a DBCS locale.
The Forefront UAG server and the back-end servers that receive requests from the endpoint must be configured to use the same DBCS locale.
A client endpoint that is running a Firefox browser on a Macintosh computer logs on to a portal over a slow connection, and then you click Quit Browser. In this situation, the Endpoint Session Cleanup component does not wipe the endpoint cache settings, even if the component is configured to do this.
Endpoints that are running a 32-bit Windows 7 operating system may be unable to correctly access non-Web applications that are published through Forefront UAG. To work around this issue, explicitly enable the Socket Forwarding component on client endpoints for each non-Web application. To do this, enable the required socket forwarding mode on the Client Settings tab of the application properties.
Administration
When you export a Forefront UAG configuration, customized internal network ranges are not preserved. After you import the configuration, the internal network is defined according to the network ranges of the adapter that was associated with the internal network when you ran the Getting Started Wizard. Additionally, you may have to reconfigure network load balancing after the export and after the import.
When you configure and then activate changes in the Forefront UAG Management console, the changes are not applied to active sessions.