FIX: The endpoint policy expression "Any Personal Firewall (Windows)" is incorrect for Windows 7 and Windows 8 in Forefront Unified Access Gateway 2010 Service Pack 3


Symptoms


Consider the following scenario:
  • You install Microsoft Forefront Unified Access Gateway (UAG) 2010 Service Pack 3 (SP3).
  • You add a new publishing trunk.
  • You change the default endpoint policies to include the "Any Personal Firewall (Windows)" expression.

In this scenario, you may find that access policies that require the "Any Personal Firewall (Windows)" expression to evaluate as TRUE incorrectly block access for Windows 7 or Windows 8 endpoints. This problem may occur even though endpoint detection correctly detects the presence of an installed and running personal firewall.

Note: An existing trunk whose endpoint policies were created from the previous policy template does not include the new Windows 8 client variables and is therefore not affected.

Cause


Forefront UAG 2010 lets you specify endpoint access settings to control access from endpoint devices, depending on the security settings of the endpoint devices. One platform-specific policy expression that may be selected is "Any Personal Firewall (Windows)." This expression is not included in the default endpoint policies but may be added by the administrator to a site or application access policy.

Forefront UAG SP3 adds support for Windows 8 client access. This includes endpoint detection functionality and the Windows 8 client variables PFW_WIN8_INSTALLED and PFW_WIN8_RUNNING. These variables are added to the platform-specific endpoint policy expression "Any Personal Firewall (Windows)." When the variables are added, they are interleaved incorrectly with the existing Windows 7 client variables. The result is two conjunctions, each of which pairs the INSTALLED variable of one operating system version with the RUNNING variable of the other. Because a Windows 7 endpoint never reports the PFW_WIN8_* variables and a Windows 8 endpoint never reports the PFW_WIN7_* variables, neither conjunction can evaluate to TRUE on a real endpoint:

(PFW_WIN7_INSTALLED and PFW_WIN8_RUNNING) or (PFW_WIN8_INSTALLED and PFW_WIN7_RUNNING)

Resolution


This problem is fixed in the update that is described in Description of Rollup 1 for Forefront Unified Access Gateway 2010 Service Pack 3.

Workaround


You can manually update the "Any Personal Firewall (Windows)" expression for each trunk in which the expression is used in an endpoint policy. To do this, locate the following expression:

(PFW_WIN7_INSTALLED and PFW_WIN8_RUNNING) or (PFW_WIN8_INSTALLED and PFW_WIN7_RUNNING)

Change this expression to the following expression:

(PFW_WIN7_INSTALLED and PFW_WIN7_RUNNING) or (PFW_WIN8_INSTALLED and PFW_WIN8_RUNNING)
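The following is an added example, not code from this article or from Forefront UAG: a small model of how the "Any Personal Firewall (Windows)" expression is evaluated against endpoint detection results. It lints an expression copied out of the policy editor for the mis-pairing described in the "Cause" section, and it evaluates both the SP3 expression and the corrected one against constructed endpoint states to show that the SP3 expression blocks every Windows 7 and Windows 8 endpoint while the corrected expression admits only endpoints whose firewall is both installed and running. The expression strings are the two quoted above; the endpoint states, the variable naming pattern PFW_<version>_<state>, and the assumption that a variable the detector does not report evaluates as FALSE are assumptions of the model. Note that the defect is fail-closed: the mis-paired expression never grants access it should deny, so the exposure is an availability problem, not a policy bypass.

```python
import re

# Added example (not from the KB article or from Forefront UAG): a model of
# "Any Personal Firewall (Windows)" evaluation. Expression strings are the ones
# quoted in the article; everything else here is constructed for illustration.
BUGGY_EXPR = ("(PFW_WIN7_INSTALLED and PFW_WIN8_RUNNING) or "
              "(PFW_WIN8_INSTALLED and PFW_WIN7_RUNNING)")
FIXED_EXPR = ("(PFW_WIN7_INSTALLED and PFW_WIN7_RUNNING) or "
              "(PFW_WIN8_INSTALLED and PFW_WIN8_RUNNING)")

# Assumed naming pattern for the client variables: PFW_<version>_<state>.
VAR_RE = re.compile(r"^PFW_(WIN\d+)_(INSTALLED|RUNNING)$")


def conjuncts(expr):
    """Split '(A and B) or (C and D)' into [['A', 'B'], ['C', 'D']].
    Only this and/or shape is handled; anything else raises."""
    groups = []
    for disjunct in expr.split(" or "):
        d = disjunct.strip()
        if not (d.startswith("(") and d.endswith(")")):
            raise ValueError(f"unexpected disjunct {d!r}")
        names = [n.strip() for n in d[1:-1].split(" and ")]
        for n in names:
            if not VAR_RE.match(n):
                raise ValueError(f"unexpected variable {n!r}")
        groups.append(names)
    return groups


def mismatched_conjuncts(expr):
    """Return the conjuncts whose variables come from different Windows
    versions, i.e. the pairing error in the SP3 expression. [] means OK."""
    bad = []
    for names in conjuncts(expr):
        versions = {VAR_RE.match(n).group(1) for n in names}
        if len(versions) > 1:
            bad.append(" and ".join(names))
    return bad


def evaluate(expr, detected):
    """Evaluate the expression against endpoint detection results.
    Assumption of the model: a variable the detector did not report is False
    (a Windows 7 endpoint never sets PFW_WIN8_*, and vice versa)."""
    return any(all(detected.get(n, False) for n in names)
               for names in conjuncts(expr))


# Constructed endpoint detection results, keyed by a descriptive label.
ENDPOINTS = {
    "win7 firewall installed+running": {"PFW_WIN7_INSTALLED": True, "PFW_WIN7_RUNNING": True},
    "win7 firewall installed, stopped": {"PFW_WIN7_INSTALLED": True, "PFW_WIN7_RUNNING": False},
    "win8 firewall installed+running": {"PFW_WIN8_INSTALLED": True, "PFW_WIN8_RUNNING": True},
    "win8 no firewall": {"PFW_WIN8_INSTALLED": False, "PFW_WIN8_RUNNING": False},
}


def decisions(expr):
    """Map each constructed endpoint to the access decision the expression yields."""
    return {label: evaluate(expr, detected) for label, detected in ENDPOINTS.items()}


if __name__ == "__main__":
    print("mis-paired conjuncts in SP3 expression:", mismatched_conjuncts(BUGGY_EXPR))
    print("mis-paired conjuncts in corrected expression:", mismatched_conjuncts(FIXED_EXPR))
    for name, expr in (("SP3", BUGGY_EXPR), ("corrected", FIXED_EXPR)):
        for label, allowed in decisions(expr).items():
            print(f"{name:>9}: {label:<34} -> {'allow' if allowed else 'block'}")
```

Running the script prints the two mis-paired conjuncts for the SP3 expression and "block" for every endpoint under it, and "allow" only for the two protected endpoints under the corrected expression. The lint is the useful part after applying the workaround: paste each trunk's expression in as a string and confirm that mismatched_conjuncts returns an empty list before moving on to the next trunk.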

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References


For information about how to change access policies and expressions, please see Configuring Forefront UAG access policies.

For information about how to create, edit, and remove platform-specific policies and expressions, please see Configuring Forefront UAG platform-specific access policies.

For information about software update terminology, please see Description of the standard terminology that is used to describe Microsoft software updates.