Symptoms

Consider the following scenario:

  • You install Microsoft Forefront Unified Access Gateway (UAG) 2010 Service Pack 3 (SP3).

  • You add a new publishing trunk.

  • You change the default endpoint policies to include the "Any Personal Firewall (Windows)" expression.


In this scenario, access policies that require the "Any Personal Firewall (Windows)" expression to evaluate as TRUE incorrectly block access for Windows 7 and Windows 8 endpoints. The policy fails closed even though endpoint detection correctly reports an installed and running personal firewall on the client.

Note An existing trunk that contains endpoint policies that were created from the previous policy template will not include the new Windows 8 client variables and is therefore not affected.

Cause

Forefront UAG 2010 lets you specify endpoint access settings to control access from endpoint devices, depending on the security settings of the endpoint devices. One platform-specific policy expression that may be selected is "Any Personal Firewall (Windows)." This expression is not included in the default endpoint policies but may be added by the administrator to a site or application access policy.

Forefront UAG SP3 adds support for Windows 8 client access. This includes endpoint detection functionality and the Windows 8 client variables PFW_WIN8_INSTALLED and PFW_WIN8_RUNNING. These variables are added to the platform-specific endpoint policy expression "Any Personal Firewall (Windows)." However, in the policy template that SP3 installs, the new variables are interleaved incorrectly with the existing Windows 7 client variables. The result is an expression of two clauses in which each clause pairs the "installed" variable of one operating system version with the "running" variable of the other. Because a real endpoint reports detection results for only one operating system version, neither clause can evaluate as TRUE, and the expression as a whole is always FALSE:

(PFW_WIN7_INSTALLED and PFW_WIN8_RUNNING) or (PFW_WIN8_INSTALLED and PFW_WIN7_RUNNING)

Resolution

This problem is fixed in the update that is described in Description of Rollup 1 for Forefront Unified Access Gateway 2010 Service Pack 3.

Workaround

You can manually update the "Any Personal Firewall (Windows)" expression for each trunk that uses it in an endpoint policy. To do this, change the following expression:

(PFW_WIN7_INSTALLED and PFW_WIN8_RUNNING) or (PFW_WIN8_INSTALLED and PFW_WIN7_RUNNING)

to the following expression, in which each clause pairs the "installed" and "running" variables of the same operating system version:

(PFW_WIN7_INSTALLED and PFW_WIN7_RUNNING) or (PFW_WIN8_INSTALLED and PFW_WIN8_RUNNING)

After you edit the expression, activate the configuration so that the change is applied to the trunk. Repeat this for every trunk that was created from the SP3 policy template; trunks created before SP3 do not contain the Windows 8 variables and do not need the change.
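The following added example, which is not part of this article or of the UAG product, shows why the interleaved expression from the "Cause" section blocks every single-platform endpoint and why the corrected expression from the workaround does not. It parses the and/or/not/parentheses syntax shown in the article, evaluates both expressions against constructed endpoint detection results (the endpoint states, their names, and the helper functions are assumptions for this example, not UAG's own policy engine), and exhaustively compares the two expressions over all variable assignments.

```python
"""Evaluate UAG-style endpoint policy expressions against endpoint variable
states. Added example, not UAG's policy engine: the grammar covers the
'and', 'or', 'not' and parentheses syntax shown in the article, and every
other token is treated as an endpoint variable name.
"""
import re
from itertools import product

BUGGY = "(PFW_WIN7_INSTALLED and PFW_WIN8_RUNNING) or (PFW_WIN8_INSTALLED and PFW_WIN7_RUNNING)"
FIXED = "(PFW_WIN7_INSTALLED and PFW_WIN7_RUNNING) or (PFW_WIN8_INSTALLED and PFW_WIN8_RUNNING)"

VARIABLES = ("PFW_WIN7_INSTALLED", "PFW_WIN7_RUNNING",
             "PFW_WIN8_INSTALLED", "PFW_WIN8_RUNNING")

_TOKEN = re.compile(r"\(|\)|[A-Za-z_][A-Za-z0-9_]*")


def tokenize(expr):
    """Split an expression into parentheses and identifiers; reject anything else."""
    tokens = _TOKEN.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError("unexpected characters in expression: %r" % expr)
    return tokens


class _Parser:
    # grammar: or_expr  := and_expr ('or' and_expr)*
    #          and_expr := not_expr ('and' not_expr)*
    #          not_expr := 'not' not_expr | '(' or_expr ')' | VARIABLE
    def __init__(self, tokens, env):
        self.tokens, self.pos, self.env = tokens, 0, env

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError("expected %r at token %d" % (expected, self.pos))
        self.pos += 1
        return tok

    def or_expr(self):
        value = self.and_expr()
        while self.peek() is not None and self.peek().lower() == "or":
            self.take()
            rhs = self.and_expr()      # always evaluated, so syntax errors surface
            value = value or rhs
        return value

    def and_expr(self):
        value = self.not_expr()
        while self.peek() is not None and self.peek().lower() == "and":
            self.take()
            rhs = self.not_expr()
            value = value and rhs
        return value

    def not_expr(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        if tok.lower() == "not":
            self.take()
            return not self.not_expr()
        if tok == "(":
            self.take("(")
            value = self.or_expr()
            self.take(")")
            return value
        self.take()
        if tok not in self.env:
            raise KeyError("endpoint variable %s was not detected" % tok)
        return bool(self.env[tok])


def evaluate(expr, env):
    """Return True if the policy expression allows access for this endpoint state."""
    parser = _Parser(tokenize(expr), env)
    value = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in expression: %r" % parser.peek())
    return value


# Constructed endpoint detection results (assumed names; not captured from a real trunk).
ENDPOINTS = {
    "win7_fw_on": dict(PFW_WIN7_INSTALLED=True, PFW_WIN7_RUNNING=True,
                       PFW_WIN8_INSTALLED=False, PFW_WIN8_RUNNING=False),
    "win8_fw_on": dict(PFW_WIN7_INSTALLED=False, PFW_WIN7_RUNNING=False,
                       PFW_WIN8_INSTALLED=True, PFW_WIN8_RUNNING=True),
    "win7_fw_stopped": dict(PFW_WIN7_INSTALLED=True, PFW_WIN7_RUNNING=False,
                            PFW_WIN8_INSTALLED=False, PFW_WIN8_RUNNING=False),
    "no_fw": dict.fromkeys(VARIABLES, False),
}


def access_decisions(expr):
    """Map each constructed endpoint to the allow (True) / block (False) result."""
    return {name: evaluate(expr, env) for name, env in ENDPOINTS.items()}


def disagreements(expr_a, expr_b):
    """All variable assignments on which the two expressions decide differently."""
    diffs = []
    for values in product((False, True), repeat=len(VARIABLES)):
        env = dict(zip(VARIABLES, values))
        if evaluate(expr_a, env) != evaluate(expr_b, env):
            diffs.append(env)
    return diffs


if __name__ == "__main__":
    for label, expr in (("buggy", BUGGY), ("fixed", FIXED)):
        print(label, access_decisions(expr))
    print(len(disagreements(BUGGY, FIXED)), "assignments differ")
```

Running the script shows the interleaved expression blocking both the Windows 7 and the Windows 8 endpoint that have a firewall installed and running, while the corrected expression allows them and still blocks the endpoint whose firewall is installed but stopped. The exhaustive comparison finds the only assignments on which the two expressions differ are the ones where exactly one operating system family reports both variables, or where the "installed" and "running" results come from different families, which is precisely the case real single-platform endpoints produce. The same evaluator can be pointed at any other expression copied out of the trunk's policy editor to check it before activation.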

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References

For information about how to change access policies and expressions, please see Configuring Forefront UAG access policies.

For information about how to create, edit, and remove platform-specific policies and expressions, please see Configuring Forefront UAG platform-specific access policies.

For information about software update terminology, please see Description of the standard terminology that is used to describe Microsoft software updates.
