Description of the Service Pack 1 Update 1 for Forefront Unified Access Gateway (UAG)


Microsoft has released the Service Pack 1 (SP1) Update 1 for Microsoft Forefront Unified Access Gateway (UAG) 2010. The build number of this update is 4.0.1773.10100. This article contains information about how to obtain the update and about the issues that are fixed by the update.

More Information

New features in the update

  • Lync web services publishing: Forefront UAG now supports publishing Lync web services
  • Dynamics CRM 2011 publishing: Forefront UAG now supports publishing Dynamics CRM 2011
  • SharePoint 2010 with Office Online: Forefront UAG now supports publishing SharePoint 2010 with Office Online
  • Improved browser support: Forefront UAG now supports more web browsers than in previous releases

Issues that are fixed in Service Pack 1 Update 1 for Forefront Unified Access Gateway

This update fixes the following issues:
  1. Issues caused by non-ASCII characters in the username, password or path of the distinguished name
  2. UAG does not encrypt LDAPS data when talking to the global catalog on port 3269
  3. Single Sign-On for RemoteApps does not work when UAG component installation and activation is disabled
  4. Direct Access does not work for many clients because of an access violation error on the DCA Service
  5. The Home button does not work in the SharePoint app on Firefox
  6. MAC address that does not start with '00' causes connection problems
  7. Stack corruption error in w3wp.exe
  8. WFE WhlFiltAuthorization function fails
  9. Exchange 2010 Idle Session time-out does not work
  10. MAC address change may prevent the SSL Network Tunneling Service from being started
  11. Users cannot log on if password includes the plus character (+)
  12. Users cannot log on if password is close to expiration
  13. Umlaut character is not processed
  14. Memory leak in uagqecsvc.exe
  15. SSTP zombie sessions

Details of the issues that are fixed in the update

  1. Issues caused by non-ASCII characters in the username, password, or path of the distinguished name
    The UAG Active Directory Service Interfaces (ADSI) repository and LDAP repository functionalities to change the user password and to check for password expiration cannot handle non-ASCII characters that are contained in the username, password, or path of the distinguished name.
  2. UAG does not encrypt LDAPS data when talking to global catalog on port 3269
    When you configure Active Directory Federated Services (ADFS), you can set the configuration to use port 3269 for Kerberos/TCP and select the option to have secure connections. This conversation is expected to use a secure, encrypted session to the global catalog over TCP port 3269 to locate the nearest domain controller, and then to use a secure, encrypted session over LDAPS (TCP port 636) to authenticate the user. This is expected to always occur over an encrypted session, and it is preferable for this conversation not to be allowed to fall back to clear text that uses TCP port 3268 or 389.

    However, if you validate the traffic by using Network Monitor traces, you may notice that the conversation on TCP 3269 sometimes occurs in clear text and sometimes is encrypted.
  3. Single Sign-On for RemoteApps does not work when UAG component installation and activation is disabled
    Single Sign-On (SSO) for RemoteApps does not work when UAG component installation and activation is disabled.
  4. Direct Access does not work for many clients because of an access violation error on the DCA Service
    Clients cannot use Direct Access because of an access violation error on the DCA Service.

  5. The Home button does not work in the SharePoint app on Firefox
    When you use the SharePoint app on Firefox, the Home button does not work.

  6. MAC address that does not start with 00 causes connection problems
    Clients cannot connect to Network Connector when the UAG server external network adapter's MAC address does not start with 00.
  7. Stack corruption error in W3wp.exe
    When you perform a trace by using Nirvana Architecture TTT- Time Travel Tracing (iDNA/TTT), the worker process (W3wp.exe) may crash with a stack corruption error.
  8. WFE WhlFiltAuthorization function fails
    The Whale Filtering Extension (WFE) WhlFiltAuthorization function does not honor the UsermgrCom!AuthenticateUser() vector parameter argument in the Radius repository.
  9. Exchange 2010 Idle Session time-out does not work
    The Idle Session time-out for Microsoft Exchange 2010 publishing does not work as expected.
  10. MAC address change may prevent the SSL Network Tunneling Service from being started
    The UAG array member's SSL Network Tunneling Service cannot be started after a MAC address change.
  11. Users cannot log on if password includes the plus character (+)
    Authentication fails when a user tries to log on to UAG if the password includes the plus character (+) and if Remote Desktop Service (RDS) SSO is turned on.
  12. Users cannot log on if password is close to expiration
    Users cannot log on to UAG published ActiveSync or Outlook Anywhere if the user's password is almost expired. This problem occurs if the Notify user * days before password expiration option is enabled.
  13. Umlaut character is not processed
    The German umlaut character in the canonical name (CN) of a certificate is not processed by UAG, and authentication times out.
  14. Memory leak in Uagqecsvc.exe
    A memory leak may occur in the Uagqecsvc.exe process.
  15. SSTP zombie sessions
    Zombie sessions are seen on the trunk in Web Monitor even when users are no longer logged on to the trunk. The sessions are from SSTP and the network connector, and they persist on the trunk and may seem to be mostly from unauthenticated users. The same issue has been reported for SSLVPN sessions.
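
As a check for item 2 above, the following added example (not part of the original article or of Forefront UAG) classifies the first client payload of each flow taken from a network trace as TLS or clear-text LDAP and lists the flows that are not encrypted. The Flow structure, the function names and the sample payloads are constructed for illustration, and it assumes the first payload bytes of each flow have already been exported from the trace.

```python
from dataclasses import dataclass

ENCRYPTED_PORTS = {3269, 636}   # global catalog over SSL, LDAPS
PLAINTEXT_PORTS = {3268, 389}   # the clear-text fallbacks named in item 2

@dataclass
class Flow:
    src: str
    dst_port: int
    first_payload: bytes   # first bytes the client sent after the TCP handshake

def _ber_len(buf, i):
    """Decode the BER length at buf[i]; return (length, next_index) or None."""
    if i >= len(buf):
        return None
    first = buf[i]
    if first < 0x80:                       # short form
        return first, i + 1
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def looks_like_ldap(buf):
    """True if buf starts like an LDAPMessage: SEQUENCE { INTEGER id, [APPLICATION n] op }."""
    if not buf or buf[0] != 0x30:
        return False
    outer = _ber_len(buf, 1)
    if outer is None or outer[1] >= len(buf) or buf[outer[1]] != 0x02:
        return False
    mid = _ber_len(buf, outer[1] + 1)
    op = mid[0] + mid[1] if mid else len(buf)   # index of the protocolOp tag
    return op < len(buf) and (buf[op] & 0xC0) == 0x40

def classify(payload):
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    return "cleartext-ldap" if looks_like_ldap(payload) else "unknown"

def audit(flows):
    """Return (src, port, reason) for every flow that is not TLS-protected."""
    findings = []
    for f in flows:
        kind = classify(f.first_payload)
        if f.dst_port in ENCRYPTED_PORTS and kind != "tls":
            findings.append((f.src, f.dst_port, kind))
        elif f.dst_port in PLAINTEXT_PORTS:
            findings.append((f.src, f.dst_port, "plaintext-port"))
    return findings

# Constructed sample payloads (not taken from a real trace).
TLS_HELLO = bytes.fromhex("160301002f0100002b0303")
LDAP_BIND = bytes.fromhex("300c020101600702010304008000")
SAMPLE_FLOWS = [Flow("192.0.2.10", 3269, TLS_HELLO), Flow("192.0.2.11", 3269, LDAP_BIND),
                Flow("192.0.2.12", 389, LDAP_BIND)]

if __name__ == "__main__":
    print(audit(SAMPLE_FLOWS))
```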

Download information

The following file is available for download from the Microsoft Download Center:

Download the UAG-KB2585140-v4.0.1773.10100-ENU.msp package now.

Release Date: October 11, 2011

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

How to install the update

 To install the update, follow these steps:
  1. Run the installer. To do this, double-click the update executable file.

    Note When the installer is running, the Forefront services are stopped.
  2. After the installation is complete and the Forefront services are restarted, make sure that Forefront is working correctly.

    • The Forefront services are restarted automatically during the installation.
    • Forefront service packs, updates, or hotfix rollups can be installed by using the FFSMC Deployment job. For more information, see "Deployment Jobs" in the Forefront Server Security Management Console User's Guide. In this case, the installer runs in silent mode, and user input is not required. The rest of the process remains the same as when you double-click the executable file to run the installer.


You must have Unified Access Gateway 2010 Service Pack 1 installed to apply this update.

For more information about Unified Access Gateway 2010 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:
2285712 Description of Forefront Unified Access Gateway 2010 Service Pack 1 (SP1)

Known issues with this update

You may receive an error message that resembles the following when you try to install this update:

Windows Installer

The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade patch.

This issue may occur if security update 2649261 is already installed when you try to install update 2585140.

To resolve this issue, uninstall security update 2649261 and then install update 2585140. After you install update 2585140, install security update 2649262.

For more information about security updates 2649261 and 2649262, click the following article numbers to view the article in the Microsoft Knowledge Base:

2649261  MS12-026: Description of the security update for Microsoft Forefront Unified Access Gateway 2010 Service Pack 1: April 10, 2012  
2649262  MS12-026: Description of the security update for Microsoft Forefront Unified Access Gateway 2010 Service Pack 1 Update 1: April 10, 2012  

Frequently asked questions

Q1: Can the security update for UAG SP1 U1 (KB 2649262) be installed on a system that already has UAG SP1 U1 Rollup 1 (KB 2647899) installed?
A1: Yes, KB 2649262 can be installed on both SP1 U1 and on SP1 U1 Rollup 1. If the security update is installed on SP1 U1 (without Rollup 1), you do not also have to install Rollup 1. (Note that KB 2649262’s build number is 4.0.1773.10190, while KB 2647899’s build number is 4.0.1773.10110).

Q2: If you install security update 2649261 (KB 2649261 as described in security bulletin MS12-026) on top of UAG SP1 (KB 2522485) and later install UAG SP1 U1 (KB 2585140), do you need to install security update 2649262 (MS12-026) to be protected by this bulletin?
A2: Yes

File information

This hotfix may not contain all the files that you must have to fully update a product to the latest build. This hotfix contains only the files that you must have to correct the issues that are listed in this article.

The English (United States) version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

| File name | File version | File size | Date | Time | Platform |
| Adfs.login.asp | Not Applicable | 26,962 | 23-Sep-2011 | 03:38 | Not Applicable |
| Adfs.whlclientinst.inc | Not Applicable | 1,104 | 23-Sep-2011 | 03:38 | Not Applicable |
|  | Not Applicable | 5,659,675 | 07-Jul-2011 | 01:01 | Not Applicable |
| Agent_lin_helper.jar | Not Applicable | 4,686,755 | 08-May-2011 | 20:41 | Not Applicable |
| Agent_mac_helper.jar | Not Applicable | 3,834,734 | 08-May-2011 | 20:41 | Not Applicable |
| Agent_win_helper.jar | Not Applicable | 1,537,146 | 08-May-2011 | 20:41 | Not Applicable |
| Appwraptemplates.https_whlfiltappwrap_forportal.xml | Not Applicable | 64,455 | 23-Sep-2011 | 03:37 | Not Applicable |
| Appwraptemplates.http_whlfiltappwrap_forportal.xml | Not Applicable | 62,972 | 23-Sep-2011 | 03:37 | Not Applicable |
| Clientcompres.cab | Not Applicable | 255,816 | 23-Sep-2011 | 04:59 | Not Applicable |
| Clientconf.cab | Not Applicable | 8,429 | 23-Sep-2011 | 04:58 | Not Applicable |
| Clientconf.xml | Not Applicable | 8,561 | 23-Sep-2011 | 02:27 | Not Applicable |
| Clientconf.xml.sig | Not Applicable | 128 | 23-Sep-2011 | 02:27 | Not Applicable |
| Conf.policytemplateextended.xml | Not Applicable | 123,964 | 23-Sep-2011 | 03:54 | Not Applicable |
| Conf.wizarddefaults.wizarddefaultparam.ini | Not Applicable | 62,483 | 21-Sep-2011 | 02:06 | Not Applicable |
| Da.dca.msi | Not Applicable | 3,505,152 | 23-Sep-2011 | 04:21 | Not Applicable |
| Internalsite.login.asp | Not Applicable | 26,962 | 23-Sep-2011 | 03:38 | Not Applicable |
| Internalsite.samples.login.asp | Not Applicable | 26,962 | 23-Sep-2011 | 03:38 | Not Applicable |
| Internalsite.web.config | Not Applicable | 6,072 | 23-Sep-2011 | 03:38 | Not Applicable |
| Microsoftclient.jar | Not Applicable | 117,075 | 20-Aug-2011 | 04:00 | Not Applicable |
| Monitor.applicationlist.asp | Not Applicable | 14,663 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.applicationmonitor.asp | Not Applicable | 26,953 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.applicationmonitorlinerefresh.asp | Not Applicable | 2,080 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.applicationstatisticsresults.asp | Not Applicable | 25,615 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.applicationuserstatistics.asp | Not Applicable | 15,355 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.damonitorcurrentstatus.asp | Not Applicable | 8,700 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.default.asp | Not Applicable | 1,236 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.eventreport.asp | Not Applicable | 18,905 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.eventviewer.asp | Not Applicable | 7,884 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.eventviewerrefresh.asp | Not Applicable | 4,252 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.exceltable.asp | Not Applicable | 4,501 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.farmmonitor.asp | Not Applicable | 10,211 | 23-Sep-2011 | 03:38 | Not Applicable |
|  | Not Applicable | 2,977 | 20-Aug-2011 | 04:00 | Not Applicable |
| Monitor.images.appicons.microsoftcrm5.gif | Not Applicable | 558 | 15-Jun-2011 | 18:36 | Not Applicable |
| Monitor.images.appicons.microsoftlync2010.gif | Not Applicable | 1,076 | 26-Jul-2011 | 01:20 | Not Applicable |
|  | Not Applicable | 10,605 | 23-Sep-2011 | 03:38 | Not Applicable |
|  | Not Applicable | 5,726 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.naptseventreport.asp | Not Applicable | 16,830 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.nlbmonitor.asp | Not Applicable | 13,809 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.sessionlist.asp | Not Applicable | 10,049 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.sessionmonitor.asp | Not Applicable | 5,830 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.sessionmonitordatabuilder.asp | Not Applicable | 2,290 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.sessionparameters.asp | Not Applicable | 7,872 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.sessionstatisticsresults.asp | Not Applicable | 23,810 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.statisticsgraphdata.asp | Not Applicable | 4,319 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.userlist.asp | Not Applicable | 8,516 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.usermonitor.asp | Not Applicable | 5,890 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.usermonitordatabuilder.asp | Not Applicable | 2,076 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.usersessionstatistics.asp | Not Applicable | 15,778 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.userstatistics.asp | Not Applicable | 9,815 | 23-Sep-2011 | 03:38 | Not Applicable |
| Monitor.userstatisticsresults.asp | Not Applicable | 20,060 | 23-Sep-2011 | 03:38 | Not Applicable |
| Oesislocal.jar | Not Applicable | 58,452 | 08-May-2011 | 20:41 | Not Applicable |
| Offlineclientsetup.clientcompres.cab | Not Applicable | 255,816 | 23-Sep-2011 | 04:59 | Not Applicable |
| Offlineclientsetup.clientconf.cab | Not Applicable | 8,429 | 23-Sep-2011 | 04:58 | Not Applicable |
| Offlineclientsetup.clientconf.xml | Not Applicable | 8,561 | 23-Sep-2011 | 02:27 | Not Applicable |
| Offlineclientsetup.clientconf.xml.sig | Not Applicable | 128 | 23-Sep-2011 | 02:27 | Not Applicable |
| Offlineclientsetup.rsast.cab | Not Applicable | 79,745 | 23-Sep-2011 | 04:58 | Not Applicable |
| Offlineclientsetup.sfhlprutil.cab | Not Applicable | 63,043 | 23-Sep-2011 | 04:59 | Not Applicable |
| Offlineclientsetup.uagqec.cab | Not Applicable | 64,892 | 23-Sep-2011 | 04:59 | Not Applicable |
| Offlineclientsetup.whlcache.cab | Not Applicable | 265,446 | 23-Sep-2011 | 04:58 | Not Applicable |
| Offlineclientsetup.whlclntproxy.cab | Not Applicable | 244,318 | 23-Sep-2011 | 04:59 | Not Applicable |
| Offlineclientsetup.whlcompmgr.cab | Not Applicable | 951,622 | 23-Sep-2011 | 04:59 | Not Applicable |
| Offlineclientsetup.whldetector.cab | Not Applicable | 262,231 | 23-Sep-2011 | 04:59 | Not Applicable |
| Offlineclientsetup.whlio.cab | Not Applicable | 191,702 | 23-Sep-2011 | 04:58 | Not Applicable |
| Offlineclientsetup.whllln.cab | Not Applicable | 167,050 | 23-Sep-2011 | 04:59 | Not Applicable |
| Offlineclientsetup.whlllnconf1.cab | Not Applicable | 6,521 | 23-Sep-2011 | 04:59 | Not Applicable |
| Offlineclientsetup.whlllnconf2.cab | Not Applicable | 6,610 | 23-Sep-2011 | 04:59 | Not Applicable |
| Offlineclientsetup.whlllnconf3.cab | Not Applicable | 6,599 | 23-Sep-2011 | 04:58 | Not Applicable |
| Offlineclientsetup.whltrace.cab | Not Applicable | 255,930 | 23-Sep-2011 | 04:58 | Not Applicable |
| Otp.whlclientinst.inc | Not Applicable | 1,104 | 23-Sep-2011 | 03:38 | Not Applicable |
| Policytemplate.xml | Not Applicable | 113,877 | 23-Sep-2011 | 03:34 | Not Applicable |
|  |  | ,896 | 23-Sep-2011 | 04:15 | x86 |
| Portalhomepage.images.appicons.microsoftcrm5.gif | Not Applicable | 3,159 | 15-Jun-2011 | 18:36 | Not Applicable |
| Portalhomepage.images.appicons.microsoftcrm5_dis.gif | Not Applicable | 3,207 | 15-Jun-2011 | 18:36 | Not Applicable |
| Portalhomepage.images.appicons.microsoftcrm5_icon.gif | Not Applicable | 558 | 15-Jun-2011 | 18:36 | Not Applicable |
| Portalhomepage.images.appicons.microsoftcrm5_icon_dis.gif | Not Applicable | 556 | 15-Jun-2011 | 18:36 | Not Applicable |
| Portalhomepage.images.appicons.microsoftlync2010.gif | Not Applicable | 3,505 | 26-Jul-2011 | 01:20 | Not Applicable |
| Portalhomepage.images.appicons.microsoftlync2010_dis.gif | Not Applicable | 3,514 | 26-Jul-2011 | 01:20 | Not Applicable |
| Portalhomepage.images.appicons.microsoftlync2010_icon.gif | Not Applicable | 1,076 | 26-Jul-2011 | 01:20 | Not Applicable |
| Portalhomepage.images.appicons.microsoftlync2010_icon_dis.gif | Not Applicable | 1,072 | 26-Jul-2011 | 01:20 | Not Applicable |
| Portalhomepage.scripts.toolbarscript.js | Not Applicable | 9,951 | 23-Sep-2011 | 03:38 | Not Applicable |
| Portalhomepage.web.config | Not Applicable | 20,515 | 23-Sep-2011 | 03:38 | Not Applicable |
| Portalhomepage.whlclientsetup_all.msi | Not Applicable | 3,555,328 | 23-Sep-2011 | 04:21 | Not Applicable |
| Portalhomepage.whlclientsetup_basic.msi | Not Applicable | 3,554,816 | 23-Sep-2011 | 04:26 | Not Applicable |
| Portalhomepage.whlclientsetup_networkconnector.msi | Not Applicable | 3,555,328 | 23-Sep-2011 | 04:22 | Not Applicable |
| Portalhomepage.whlclientsetup_networkconnectoronly.msi | Not Applicable | 3,554,816 | 23-Sep-2011 | 04:11 | Not Applicable |
| Portalhomepage.whlclientsetup_socketforwarder.msi | Not Applicable | 3,554,816 | 23-Sep-2011 | 04:28 | Not Applicable |
| Postvalidate.js | Not Applicable | 2,511 | 26-Jul-2011 | 01:20 | Not Applicable |
| Rsast.cab | Not Applicable | 79,745 | 23-Sep-2011 | 04:58 | Not Applicable |
| Ruleset.level0.ruleset_fordialin.ini | Not Applicable | 2,043 | 23-Jun-2011 | 19:53 | Not Applicable |
| Ruleset.level0.ruleset_forlync2010.ini | Not Applicable | 2,043 | 23-Jun-2011 | 19:53 | Not Applicable |
| Ruleset.level0.ruleset_formeet.ini | Not Applicable | 2,043 | 23-Jun-2011 | 19:53 | Not Applicable |
| Ruleset.level0.ruleset_formscrm5.ini | Not Applicable | 16,338 | 16-Sep-2011 | 06:00 | Not Applicable |
| Ruleset.level1.ruleset_formscrm5.ini | Not Applicable | 16,338 | 16-Sep-2011 | 06:00 | Not Applicable |
| Ruleset.level2.ruleset_formscrm5.ini | Not Applicable | 16,338 | 16-Sep-2011 | 06:00 | Not Applicable |
| Ruleset.level3.ruleset_formscrm5.ini | Not Applicable | 16,338 | 16-Sep-2011 | 06:00 | Not Applicable |
| Sfhlprutil.cab | Not Applicable | 63,043 | 23-Sep-2011 | 04:59 | Not Applicable |
| Sp1rtm_sp1up1.diffpkg | Not Applicable | 36,697 | 20-Jun-2011 | 23:49 | Not Applicable |
| Uagqec.cab | Not Applicable | 64,892 | 23-Sep-2011 | 04:59 | Not Applicable |
| Uninstalluagupdate.cmd | Not Applicable | 183 | 23-Sep-2011 | 05:08 | Not Applicable |
| Usermgrcore.dll | 4.0.1773.10100 | 945,040 | 23-Sep-2011 | 04:12 | x64 |
|  | Not Applicable | 5,659,675 | 07-Jul-2011 | 01:01 | Not Applicable |
|  | Not Applicable | 5,659,675 | 07-Jul-2011 | 01:01 | Not Applicable |
| Whlcache.cab | Not Applicable | 265,446 | 23-Sep-2011 | 04:58 | Not Applicable |
| Whlclientinst.inc | Not Applicable | 1,104 | 23-Sep-2011 | 03:38 | Not Applicable |
| Whlclntproxy.cab | Not Applicable | 244,318 | 23-Sep-2011 | 04:59 | Not Applicable |
| Whlcompmgr.cab | Not Applicable | 951,622 | 23-Sep-2011 | 04:59 | Not Applicable |
| Whldetector.cab | Not Applicable | 262,231 | 23-Sep-2011 | 04:59 | Not Applicable |
| Whlio.cab | Not Applicable | 191,702 | 23-Sep-2011 | 04:58 | Not Applicable |
| Whllln.cab | Not Applicable | 167,050 | 23-Sep-2011 | 04:59 | Not Applicable |
| Whlllnconf1.cab | Not Applicable | 6,521 | 23-Sep-2011 | 04:59 | Not Applicable |
| Whlllnconf2.cab | Not Applicable | 6,610 | 23-Sep-2011 | 04:59 | Not Applicable |
| Whlllnconf3.cab | Not Applicable | 6,599 | 23-Sep-2011 | 04:58 | Not Applicable |
| Whltrace.cab | Not Applicable | 255,930 | 23-Sep-2011 | 04:58 | Not Applicable |

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.


Article ID: 2585140 - Last review: Apr 17, 2014 - Revision: 1