Description of the Service Pack 1 Update 1 for Forefront Unified Access Gateway (UAG)

New features in the update

• Lync web services publishing: Forefront UAG now supports publishing Lync web services
  
• Dynamics CRM 2011 publishing: Forefront UAG now supports publishing Dynamics CRM 2011
  
• SharePoint 2010 with Office Online: Forefront UAG now supports publishing SharePoint 2010 with Office Online
  
• Improved browser support: Forefront UAG now supports more web browsers than in previous releases

Issues that are fixed in Service Pack 1 Update 1 for Forefront Unified Access Gateway

This update fixes the following issues:

1. Issues caused by non-ASCII characters in the username, password or path of the distinguished name
2. UAG does not encrypt LDAPS data when talking to the global catalog on port 3269
3. Single Sign-On for RemoteApps does not work when UAG component installation and activation is disabled
4. Direct Access does not work for many clients because of an access violation error on the DCA Service
5. The Home button does not work in the SharePoint app on Firefox
6. MAC address that does not start with '00' causes connection problems
7. Stack corruption error in w3wp.exe
8. WFE WhlFiltAuthorization function fails
9. Exchange 2010 Idle Session time-out does not work
10. MAC address change may prevent the SSL Network Tunneling Service from being started
11. Users cannot log on if password includes the plus character (+)
12. Users cannot log on if password is close to expiration
13. Umlaut character is not processed
14. Memory leak in uagqecsvc.exe
15. SSTP zombie sessions

Details of the issues that are fixed in the update

1. Issues caused by non-ASCII characters in the username, password, or path of the distinguished name
   
   Symptoms
   The UAG Active Directory Service Interfaces (ADSI) repository and LDAP repository functionalities to change the user password and to check for password expiration cannot handle non-ASCII characters that are contained in the username, password, or path of the distinguished name.
2. UAG does not encrypt LDAPS data when talking to global catalog on port 3269
   
   Symptoms
   When you configure Active Directory Federated Services (ADFS), you can set the configuration to use Port 3269 for Keberos/TCP and select the option to have secure connections. This conversation is expected to use a secure encrypted session to global catalog by using TCP port 3269 to access to locate the nearest domain controller. Then, use secure and encrypted session over LDAPS (TCP port 636) to authenticate the user. This is expected to always occur over an encrypted session, and it is preferable for this conversation not to be allowed to fall back to clear text that uses TCP port 3268 or 389.
   
   However, if you validate the traffic by using Network Monitor traces, you may notice that the conversation on TCP 3269 sometimes occurs in clear text and sometimes is encrypted.
3. Single Sign-On for RemoteApps does not work when UAG component installation and activation is disabled
   
   Symptoms
   Single Sign-On (SSO) for RemoteApps does not work when UAG component installation and activation is disabled.
4. Direct Access does not work for many clients because of an access violation error on the DCA Service
   
   Symptoms
   Clients cannot use Direct Access because of an access violation error on the DCA Service.
   
   
5. The Home button does not work in the SharePoint app on Firefox
   
   Symptoms
   When you use the SharePoint app on Firefox, the Home button does not work.
   
   
6. MAC address that does not start with 00 causes connection problems
   
   Symptoms
   Clients cannot connect to Network Connector when the UAG server external network adapter's MAC address does not start with 00.
7. Stack corruption error in W3wp.exe
   
   Symptoms
   When you perform a trace by using Nirvana Architecture TTT- Time Travel Tracing (iDNA/TTT), the worker process (W3wp.exe) may crash with a stack corruption error.
8. WFE WhlFiltAuthorization function fails
   
   Symptoms
   The Whale Filtering Extension (WFE) WhlFiltAuthorization function does not honor the UsermgrCom!AuthenticateUser() vector parameter argument in the Radius repository.
9. Exchange 2010 Idle Session time-out does not work
   
   Symptoms
   The Idle Session time-out for Microsoft Exchange 2010 publishing does not work as expected.
10. MAC address change may prevent the SSL Network Tunneling Service from being started
    
    Symptoms
    The UAG array member's SSL Network Tunneling Service cannot be started after a MAC address change.
    
11. Users cannot log on if password includes the plus character (+)
    
    Symptoms
    Authentication fails when a user tries to log on to UAG if the password includes the plus character (+) and if Remote Desktop Service (RDS) SSO is turned on.
12. Users cannot log on if password is close to expiration
    
    Symptoms
    Users cannot log on to UAG published ActiveSync or Outlook Anywhere if the user's password is almost expired. This problem occurs if the Notify user * days before password expiration option is enabled.
    
13. Umlaut character is not processed
    
    Symptoms
    The German umlaut character in the canonical name (CN) of a certificate is not processed by UAG, and authentication times out.
    
14. Memory leak in Uagqecsvc.exe
    
    Symptoms
    A memory leak may occur in the Uagqecsvc.exe process.
15. SSTP zombie sessions
    
    Symptoms
    Zombie sessions are seen on the trunk in Web Monitor even when users are no longer logged on to the trunk. The sessions are from SSTP and the network connector, and they persist on the trunk and may seem to be mostly from unauthenticated users. The same issue has been reported for SSLVPN sessions.

Download information

The following file is available for download from the Microsoft Download Center:


Download the UAG-KB2585140-v4.0.1773.10100-ENU.msp package now.

Release Date: October 11, 2011

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:

http://support.microsoft.com/contactus/?ws=support

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

How to install the update

 To install the update, follow these steps:

1. Run the installer. To do this, double-click the update executable file.
   
   Note When the installer is running, the Forefront services are stopped.
   
2. After the installation is complete and the Forefront services are restarted, make sure that Forefront is working correctly.
   
   Notes
   • The Forefront services are restarted automatically during the installation.
     
   • Forefront service packs, updates, or hotfix rollups can be installed by using the FFSMC Deployment job. For more information, see "Deployment Jobs" in the Forefront Server Security Management Console User's Guide. In this case, the installer runs in silent mode, and user input is not required. The rest of the process remains the same as when you double-click the executable file to run the installer.

Prerequisites

You must have Unified Access Gateway 2010 Service Pack 1 installed to apply this update.

For more information about Unified Access Gateway 2010 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:

Known issues with this update

You may receive an error message that resembles the following when you try to install this update:






This issue may occur if security update 2649261 is already installed when you try to install update 2585140.



To resolve this issue, uninstall security update 2649261 and then install update 2585140. After you install update 2585140, install security update 2649262.

For more information about security updates 2649261 and 2649262, click the following article numbers to view the article in the Microsoft Knowledge Base:

Frequently asked questions

Q1: Can security update for UAG SP1 U1 (KB 2649262) be installed on a system that has already installed UAG SP1 U1 Rollup 1 (KB 2647899)?
A1: Yes, KB 2649262 can be installed on both SP1 U1 and on SP1 U1 Rollup1. If the security update is installed on SP1 U1 (without Rollup 1), you do not also have to install Rollup 1. (Note that KB 2649262’s build number is 4.0.1773.10190, while KB 2647899’s build number is 4.0.1773.10110).

Q2: If you install security update 2649261 (KB 2649261 as described in security bulletin MS12-026) on top of UAG SP1 (KB 2522485) and later install UAG SP1 U1(KB 2585140), do you need to install security update 2649262 (MS12-026) to be protected by this bulletin?
A2: Yes