Microsoft has released the Service Pack 1 (SP1) Update 1 for Microsoft Forefront Unified Access Gateway (UAG) 2010. The build number of this update is 4.0.1773.10100. This article contains information about how to obtain the update and about the issues that are fixed by the update.
Details of the issues that are fixed in the update
Issues caused by non-ASCII characters in the username, password, or path of the distinguished name
The UAG Active Directory Service Interfaces (ADSI) repository and LDAP repository functionalities to change the user password and to check for password expiration cannot handle non-ASCII characters that are contained in the username, password, or path of the distinguished name.
UAG does not encrypt LDAPS data when talking to global catalog on port 3269
When you configure Active Directory Federation Services (ADFS), you can set the configuration to use port 3269 for Kerberos/TCP and select the option to use secure connections. This conversation is expected to use a secure, encrypted session to the global catalog on TCP port 3269 to locate the nearest domain controller, and then a secure, encrypted session over LDAPS (TCP port 636) to authenticate the user. This is expected to always occur over an encrypted session, and it is preferable that the conversation not be allowed to fall back to clear text on TCP port 3268 or 389.
However, if you validate the traffic by using Network Monitor traces, you may notice that the conversation on TCP 3269 sometimes occurs in clear text and sometimes is encrypted.
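The check described above, as an added Python example that is not part of the original article or any Microsoft tooling: it labels the first payload bytes of a captured TCP segment as a TLS record or as a clear-text LDAP message (BER-encoded) and reports clear-text hits on ports 636 and 3269. The function names and the sample payload bytes are assumptions constructed for illustration.

```python
# Added example, not Microsoft code. Payload bytes below are constructed samples.
TLS_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
             0x16: "handshake", 0x17: "application_data"}
LDAP_OPS = {0x60: "bindRequest", 0x61: "bindResponse", 0x63: "searchRequest",
            0x64: "searchResEntry", 0x65: "searchResDone", 0x42: "unbindRequest"}

def _ber_len(buf, i):
    """Decode the BER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:                      # short form
        return first, i + 1
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("unsupported BER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify(payload):
    """Return 'tls:<type>', 'cleartext-ldap:<op>' or 'unknown'."""
    # TLS record header: type, version 3.x, length <= 2^14 + 2048
    if (len(payload) >= 5 and payload[0] in TLS_TYPES and payload[1] == 3
            and payload[2] <= 4 and int.from_bytes(payload[3:5], "big") <= 0x4800):
        return "tls:" + TLS_TYPES[payload[0]]
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp [APPLICATION n] }
    try:
        if payload[0] != 0x30:
            return "unknown"
        _, i = _ber_len(payload, 1)
        if payload[i] != 0x02:
            return "unknown"
        id_len, i = _ber_len(payload, i + 1)
        op = payload[i + id_len]
        if op & 0xC0 != 0x40:             # must be an APPLICATION-class tag
            return "unknown"
        return "cleartext-ldap:" + LDAP_OPS.get(op, hex(op))
    except (IndexError, ValueError):
        return "unknown"

def audit(flows):
    """flows: (dst_port, first_payload) pairs; return clear-text hits on 636/3269."""
    return [(port, label) for port, payload in flows if port in (636, 3269)
            and (label := classify(payload)).startswith("cleartext-ldap")]

TLS_HELLO = bytes.fromhex("16030100c8010000c40303")        # constructed
LDAP_BIND = bytes.fromhex("300c020101600702010304008000")  # constructed anonymous bind
SAMPLE_FLOWS = [(3269, TLS_HELLO), (3269, LDAP_BIND), (3268, LDAP_BIND), (636, TLS_HELLO)]

if __name__ == "__main__":
    for port, label in audit(SAMPLE_FLOWS):
        print(f"port {port}: {label}")
```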
Single Sign-On for RemoteApps does not work when UAG component installation and activation is disabled
Single Sign-On (SSO) for RemoteApps does not work when UAG component installation and activation is disabled.
Direct Access does not work for many clients because of an access violation error on the DCA Service
Clients cannot use Direct Access because of an access violation error on the DCA Service.
The Home button does not work in the SharePoint app on Firefox
When you use the SharePoint app on Firefox, the Home button does not work.
MAC address that does not start with 00 causes connection problems
Clients cannot connect to Network Connector when the UAG server external network adapter's MAC address does not start with 00.
Stack corruption error in W3wp.exe
When you perform a trace by using Nirvana Architecture TTT- Time Travel Tracing (iDNA/TTT), the worker process (W3wp.exe) may crash with a stack corruption error.
WFE WhlFiltAuthorization function fails
The Whale Filtering Extension (WFE) WhlFiltAuthorization function does not honor the UsermgrCom!AuthenticateUser() vector parameter argument in the Radius repository.
Exchange 2010 Idle Session time-out does not work
The Idle Session time-out for Microsoft Exchange 2010 publishing does not work as expected.
MAC address change may prevent the SSL Network Tunneling Service from being started
The UAG array member's SSL Network Tunneling Service cannot be started after a MAC address change.
Users cannot log on if password includes the plus character (+)
Authentication fails when a user tries to log on to UAG if the password includes the plus character (+) and if Remote Desktop Service (RDS) SSO is turned on.
Users cannot log on if password is close to expiration
Users cannot log on to UAG published ActiveSync or Outlook Anywhere if the user's password is almost expired. This problem occurs if the Notify user * days before password expiration option is enabled.
Umlaut character is not processed
The German umlaut character in the canonical name (CN) of a certificate is not processed by UAG, and authentication times out.
Memory leak in Uagqecsvc.exe
A memory leak may occur in the Uagqecsvc.exe process.
SSTP zombie sessions
Zombie sessions are seen on the trunk in Web Monitor even when users are no longer logged on to the trunk. The sessions are from SSTP and the network connector, and they persist on the trunk and may seem to be mostly from unauthenticated users. The same issue has been reported for SSLVPN sessions.
The following file is available for download from the Microsoft Download Center:
How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
How to install the update
To install the update, follow these steps:
1. Run the installer. To do this, double-click the update executable file.
   Note When the installer is running, the Forefront services are stopped.
2. After the installation is complete and the Forefront services are restarted, make sure that Forefront is working correctly.
   The Forefront services are restarted automatically during the installation.
Forefront service packs, updates, or hotfix rollups can be installed by using the FFSMC Deployment job. For more information, see "Deployment Jobs" in the Forefront Server Security Management Console User's Guide. In this case, the installer runs in silent mode, and user input is not required. The rest of the process remains the same as when you double-click the executable file to run the installer.
You must have Unified Access Gateway 2010 Service Pack 1 installed to apply this update.
For more information about Unified Access Gateway 2010 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:
Description of Forefront Unified Access Gateway 2010 Service Pack 1 (SP1)
Known issues with this update
You may receive an error message that resembles the following when you try to install this update:
The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade patch.
This issue may occur if security update 2649261 is already installed when you try to install update 2585140.
To resolve this issue, uninstall security update 2649261 and then install update 2585140. After you install update 2585140, install security update 2649262.
For more information about security updates 2649261 and 2649262, click the following article numbers to view the article in the Microsoft Knowledge Base:
MS12-026: Description of the security update for Microsoft Forefront Unified Access Gateway 2010 Service Pack 1: April 10, 2012
2649262 MS12-026: Description of the security update for Microsoft Forefront Unified Access Gateway 2010 Service Pack 1 Update 1: April 10, 2012
Frequently asked questions
Q1: Can security update for UAG SP1 U1 (KB 2649262) be installed on a system that has already installed UAG SP1 U1 Rollup 1 (KB 2647899)?
A1: Yes, KB 2649262 can be installed on both SP1 U1 and on SP1 U1 Rollup 1. If the security update is installed on SP1 U1 (without Rollup 1), you do not also have to install Rollup 1. (Note that KB 2649262’s build number is 4.0.1773.10190, while KB 2647899’s build number is 4.0.1773.10110.)
Q2: If you install security update 2649261 (KB 2649261 as described in security bulletin MS12-026) on top of UAG SP1 (KB 2522485
This hotfix may not contain all the files that you must have to fully update a product to the latest build. This hotfix contains only the files that you must have to correct the issues that are listed in this article.
The English (United States) version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.