An update is available for Microsoft e-Gap Appliance 3.6 and for Microsoft Intelligent Application Gateway (IAG) 2007 (version 3.7). The update functionality is the same for e-Gap Appliance 3.6 and for Intelligent Application Gateway 2007. However, this update is released in the following two kits.
| e-Gap Appliance 3.6 Service Pack 1 | e-Gap3.6-SP1Update-3 (e-Gap v3.6 SP1 Update 3) | 51 |
| Intelligent Application Gateway (IAG) 2007 Service Pack 1 | IAG3.7-SP1Update-4 (IAG v3.7 SP1 Update 4) | 47 |
Fixes and improvements that are included in this update
An IAG Detection Center feature is added that supports WMI detection
This update introduces a Detection Center feature that enables Windows Management Instrumentation (WMI) detection on client computers. After you apply this update, IAG can detect client security applications by using the WMI interface in addition to the existing detection mechanism. This feature makes the following changes:
- The detection script and the client components are updated to enable WMI detection. You can set a server value to disable WMI detection.
- Default policy expressions are updated to include the new variables that are added for WMI detection.
- New policy variables are added to process the new values that WMI detection generates.
A registry entry is added to control the maximum size of a downloadable file
The maximum size of a downloadable file is currently hardcoded to 10 megabytes. After you apply this hotfix, you can use a registry entry to set the maximum size of a downloadable file. For more information, see the "Registry information" section.
Fixes for SharePoint applications
After you apply this update, you can use the following new features:
- On the Web Servers tab of the Application Properties dialog box, you can insert the public host name of the SharePoint server as the target address.
- On the Web Servers tab of the Application Properties dialog box, you can insert an IP address as the target address.
Support for additional applications
After you apply this update, IAG supports the following third-party products:
- Domino iNotes v8.x
- Sametime 8 plug-in
A supported hotfix is now available from Microsoft. However, it is intended to correct only the problem that this article describes. Apply it only to systems that are experiencing this specific problem.
To resolve this problem, contact Microsoft Customer Support Services to obtain the hotfix. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
To apply this update for e-Gap Appliance 3.6, you must have e-Gap Appliance 3.6 Service Pack 1 (version 3.6.1) installed on the computer.
To apply this update for Intelligent Application Gateway 2007, you must have Intelligent Application Gateway 2007 Service Pack 1 (version 3.7.1) installed on the computer.
You do not have to restart the computer after you apply this update.
Update replacement information
This update is cumulative. It replaces the following updates that were released for e-Gap Appliance 3.6 and for IAG 2007:
- Update 1 for e-Gap Appliance 3.6
- Update 2 for e-Gap Appliance 3.6
- Update 1 for IAG 2007
- Update 2 for IAG 2007
- Update 3 for IAG 2007
Known issues in this update
- When you use the Sametime plug-in, you may be unable to attend a meeting on the first attempt.
- The Detection Center feature cannot detect Windows Firewall by using WMI detection. Therefore, the existing detection mechanism is used to detect whether Windows Firewall is running and enabled on the client computers.
Known issues in previous updates
- You cannot use IP addresses to define a public host name for a trunk. Instead, you must use only host names. In the Trunk Configuration console, the trunk's Public Hostname/IP Address box is replaced by a Public Hostname box. Additionally, host names must contain at least two periods.
- In some cases, you must change the default body size that is defined in the request smuggling protection definitions of e-Gap Appliance or of IAG. For example, for some Web parts in a SharePoint site, the request size is larger than the default size in e-Gap or in IAG. In this case, you receive the following message in the Web Monitor:
HTTP Request Smuggling (HRS) attempt detected.
- The new update does not support the offline installation of the client components. If you want to run an offline installation, you must install the IAG 2007 Service Pack 1 (SP1) offline client components. The client components are automatically upgraded the first time that you access a computer that runs the new update.
- IAG 3.7 Update 3 also provides a resolution to an issue ("Issue 2") that is described in Microsoft Knowledge Base article 953623. After you apply IAG 3.7 Update 3 or IAG 3.7 Update 4, you can switch between the OWA Premium version and the OWA Light version, or you can switch between the Private computer option and the Public computer option. However, special instructions are required to use this feature for IAG 3.7 Update 4. To obtain instructions about how to use this feature in Update 4, contact Microsoft Customer Service and Support.
Note This feature is not available in e-Gap Appliance 3.6.
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
To configure the maximum size of downloadable files, follow these steps:
- Open Registry Editor. To do this, click Start, click Run, type regedit in the Open box, and then press ENTER.
- Locate and then click the following registry subkey:
- On the Edit menu, point to New, and then click DWORD Value.
- Type MaxBodyBufferSize, and then press ENTER.
- Right-click MaxBodyBufferSize, and then click Modify.
- Under Base, click Decimal.
- In the Value data box, type the desired value, and then click OK.
Note This value represents the maximum size in bytes of a downloadable file. If the MaxBodyBufferSize registry entry is not present, the maximum size of downloadable files is set to a default of 10,485,760 (10 megabytes).
- Exit Registry Editor.
Do not set too large a value for the registry entry. If the value is too large, the system is likely to run out of memory.
Detection Center overview
When IAG client components are installed and enabled, Detection Center extends the existing IAG client detection capabilities by adding a WMI detection mechanism. For certain operating systems, Detection Center can retrieve all data that is stored in the WMI Security store.
On Windows XP Service Pack 2-based client computers, Detection Center can detect the antivirus applications and personal firewall applications that are installed on the system. On Windows Vista-based computers, Detection Center can also detect antispyware programs that are installed. This is because of the new WMI functionality that is introduced in Windows Vista. Future versions of Detection Center may detect additional applications or services.
The data that is collected from the WMI store, together with other data that is collected by the Endpoint Detection client component, is reported back to IAG. On the server that hosts IAG, IAG processes this data, and then it calculates the detection results. Then, the IAG policy engine checks for policy compliance against the detection results. During this process, users do not experience any changes in the existing policy enforcement behavior. Additionally, in the Policy Editor, an administrator will not notice significant changes when they are creating or managing policies. Administrators will notice only that some WMI detection-specific expressions were added. Administrators who use the Advanced Policy Editor may notice several new detection strings and some modifications to some default policies.
The following are the details about Detection Center.
The detection script
- The detection script now includes both the WMI detection mechanism and the existing detection mechanism.
- WMI detection is performed in a single function. You can disable the WMI detection mechanism by adding a custom client script that contains the following line:
Params("Skip_DetectWmi") = True
- If the client computer does not support WMI, the existing detection mechanism is used, and WMI detection does not start.
The policy template
- The policy template is updated to modify the existing expressions and to add some new detection expressions.
- An Any_WMI_Antivirus expression is introduced to use WMI to detect antivirus applications.
- The default Any_Antivirus expression is updated so that the existing Any_Antivirus expression and the new Any_WMI_Antivirus expression are joined by OR logic.
- The expression for each manufacturer changes to the following logic pattern:
Installed AND Running AND (Last_Update_Not_Older_Than_X OR ProductUpToDate)
Note Installed is the specific expression for whether a certain program is installed. Running is the specific expression for whether a certain program is running. Last_Update_Not_Older_Than_X is the expression that is provided by the legacy script for whether the last update time is recent enough. ProductUpToDate is a parameter that is copied from the corresponding WMI detection variable during a translation procedure. The ProductUpToDate parameter is provided by WMI.
The policy definition
The policy definition file is updated to accommodate changes in the Policy Editor user interfaces if you add or edit a policy by using the Policy Editor instead of the Advanced Policy Editor. A list entry is added for the following expressions:
- Any WMI Anti-Virus
- Any WMI Firewall
- Any WMI Anti Spyware
You can select this list entry to add WMI detection to a policy.
Note field of the expressions is irrelevant. The Last Updated field of the Any WMI Anti-Virus entry contains an UptoDate value. If the UptoDate value is removed from the Last Updated field, the "Up To Date" WMI parameter is removed from the evaluation policy.
Translation from WMI variables to IAG legacy variables
When the client variables are sent to IAG, the WMI detection variables are translated into detection variables that are recognized by IAG. The translation process is performed by translation rules. In this process, all known vendors, versions, and editions that are retrieved from WMI are translated into detection variables that are recognized by IAG. For each retrieved WMI security variable, a WMI_NAME field is parsed to find matching text according to predefined translation rules. Currently, the most popular manufacturers and editions are translated by the built-in rules. You can easily expand the translation rules by adding new rules in the WmiTranslate.inc file in the following folder:
placeholder represents the folder in which IAG or e-Gap Appliance is installed.
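A model of the translation step described above and of the expression logic from "The policy template", as an added example that is not IAG code. The rule patterns, vendor keys, record layout and the reading of Any_WMI_Antivirus (a product reported by WMI, optionally required to be up to date) are assumptions; only the expression pattern and the names WMI_NAME, ProductUpToDate, Installed, Running and Last_Update_Not_Older_Than_X come from this article.

```python
import re

# Hypothetical translation rules (pattern on WMI_NAME -> IAG vendor key). The real
# rules live in WmiTranslate.inc, whose syntax is not shown in this article.
RULES = [(re.compile(r"example\s*av", re.I), "ExampleAV"),
         (re.compile(r"sample\s*shield", re.I), "SampleShield")]

def translate(wmi_name):
    """Return the vendor key whose rule matches WMI_NAME, or None if untranslated."""
    return next((vendor for rx, vendor in RULES if rx.search(wmi_name)), None)

def merge(legacy, wmi_records):
    """Copy ProductUpToDate from each translated WMI record into that vendor's variables."""
    merged = {vendor: dict(vals) for vendor, vals in legacy.items()}
    for rec in wmi_records:
        vendor = translate(rec["WMI_NAME"])
        if vendor is not None:
            merged.setdefault(vendor, {})["ProductUpToDate"] = rec["ProductUpToDate"]
    return merged

def vendor_compliant(v):
    """Installed AND Running AND (Last_Update_Not_Older_Than_X OR ProductUpToDate)."""
    return bool(v.get("Installed") and v.get("Running")
                and (v.get("Last_Update_Not_Older_Than_X") or v.get("ProductUpToDate")))

def any_wmi_antivirus(wmi_records, require_up_to_date=True):
    """Assumed Any_WMI_Antivirus: a product reported by WMI, optionally also up to date."""
    return any(rec["ProductUpToDate"] or not require_up_to_date for rec in wmi_records)

def any_antivirus(legacy, wmi_records, require_up_to_date=True):
    """Default Any_Antivirus: per-vendor expressions OR Any_WMI_Antivirus."""
    merged = merge(legacy, wmi_records)
    return (any(vendor_compliant(v) for v in merged.values())
            or any_wmi_antivirus(wmi_records, require_up_to_date))

# Constructed sample data: legacy script results and WMI records from one client.
LEGACY = {"ExampleAV": {"Installed": True, "Running": True,
                        "Last_Update_Not_Older_Than_X": False}}
WMI = [{"WMI_NAME": "Example AV Internet Security 2008", "ProductUpToDate": True},
       {"WMI_NAME": "Unknown Vendor Scanner", "ProductUpToDate": False}]

if __name__ == "__main__":
    merged = merge(LEGACY, WMI)
    print("ExampleAV compliant:", vendor_compliant(merged["ExampleAV"]))
    print("Untranslated:", [r["WMI_NAME"] for r in WMI if translate(r["WMI_NAME"]) is None])
    print("Any_Antivirus:", any_antivirus(LEGACY, WMI))
```

In the sample data, the stale legacy update time alone fails the vendor expression, and the translated ProductUpToDate value is what satisfies it. The untranslated product contributes only through Any_WMI_Antivirus.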
The System Information window
The System Information window is updated. Green text that reads Up to Date appears next to the existing Update: Date/Time text if the following conditions are true:
- An antivirus application is detected by WMI.
- The antivirus application is up to date.
Additionally, if the information about the detected antivirus application is successfully translated into a corresponding existing detection product variable, the Update: Date/Time text is also displayed.
If a product is detected by WMI and if no translation exists, no Update: Date/Time text is displayed. However, the Up to Date text is still displayed if the product is up to date.