Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. FIX: The endpoint policy expression "Any Personal Firewall (Windows)" is incorrect for Windows 7 and Windows 8 in Forefront Unified Access Gateway 2010 Service Pack 3

FIX: The endpoint policy expression "Any Personal Firewall (Windows)" is incorrect for Windows 7 and Windows 8 in Forefront Unified Access Gateway 2010 Service Pack 3

Symptoms

Consider the following scenario:
  • You install Microsoft Forefront Unified Access Gateway (UAG) 2010 Service Pack 3 (SP3).
  • You add a new publishing trunk.
  • You change the default endpoint policies to include the "Any Personal Firewall (Windows)" expression.

In this scenario, you may find that access policies that require the "Any Personal Firewall (Windows)" expression to evaluate as TRUE incorrectly block access for Windows 7 or Windows 8 endpoints. This problem may occur even though endpoint detection correctly detects the presence of an installed and running personal firewall.

Note An existing trunk that contains endpoint policies that were created from the previous policy template will not include the new Windows 8 client variables and is therefore not affected.

↑ Back to the top

Cause

Forefront UAG 2010 lets you specify endpoint access settings to control access from endpoint devices, depending on the security settings of the endpoint devices. One platform-specific policy expression that may be selected is "Any Personal Firewall (Windows)." This expression is not included in the default endpoint policies but may be added by the administrator to a site or application access policy.

Forefront UAG SP3 adds support for Windows 8 client access. This includes endpoint detection functionality and the Windows 8 client variables PFW_WIN8_INSTALLED and PFW_WIN8_RUNNING. These variables are added to the platform-specific endpoint policy expression "Any Personal Firewall (Windows)." When the variables are added, they are interspaced incorrectly in the existing Windows 7 client variable expression. The result is two expressions. Each of these expressions includes one member variable from each operating system version in such a way that neither expression evaluates correctly:

(PFW_WIN7_INSTALLED and PFW_WIN8_RUNNING) or (PFW_WIN8_INSTALLED and PFW_WIN7_RUNNING)

↑ Back to the top

Resolution

This problem is fixed in the update that is described in Description of Rollup 1 for Forefront Unified Access Gateway 2010 Service Pack 3 .

↑ Back to the top

Workaround

You can manually update the "Any Personal Firewall (Windows)" expression for each trunk that is used in an endpoint policy. To do this, change the following expression:

(PFW_WIN7_INSTALLED and PFW_WIN8_RUNNING) or (PFW_WIN8_INSTALLED and PFW_WIN7_RUNNING)

Change this expression to the following expression:

(PFW_WIN7_INSTALLED and PFW_WIN7_RUNNING) or (PFW_WIN8_INSTALLED and PFW_WIN8_RUNNING)

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

References

For information about how to change access policies and expressions, please see Configuring Forefront UAG access policies.

For information about how to create, edit, and remove platform-specific policies and expressions, please see Configuring Forefront UAG platform-specific access policies.

For information about software update terminology, please see Description of the standard terminology that is used to describe Microsoft software updates .

↑ Back to the top

Keywords: kbqfe, kbfix, kbnotautohotfix, kbexpertiseinter, kbsurveynew, kbbug, kb

↑ Back to the top

Article Info
Article ID : 2831865
Revision : 1
Created on : 1/7/2017
Published on : 4/9/2013
Exists online : False
Views : 88