Tuesday, 14 December 2010

Forefront UAG SP1 Endpoint Assessment Changes Impact Mobile Devices like iPads/iPhones

I noticed from the Forefront UAG SP1 release notes that endpoint assessment for mobile devices has changed within SP1. I have also seen a few people reporting issues on the TechNet forums with UAG portal access problems when using Apple iPhone/iPad devices since applying SP1. These changes are covered by the following statement:

“In Forefront UAG RTM, mobile devices including the iPhone, Android and Windows Mobile were included in the Windows, Mac, and Linux platform-specific policies, and allowed access by the Forefront UAG Default Session Access policy. In Forefront UAG SP1, mobile devices were removed from this policy, and now belong to the Other platform-specific policy.”

The net result of this change is that mobile devices like iPads/iPhones will receive the following error when attempting to access the UAG trunks: “The endpoint does not meet access policy requirements for this site.”

To continue to include them in the Default Session Access Policy, do the following:

  1. In the trunk that allows access to these devices, open the Endpoint Access Settings tab, and click Edit Endpoint Policies.
  2. In the Manage Policies and Expressions list, click Default Session Access, and then click Edit Policy.
  3. In Other, select Always.
  4. Apply and activate the configuration.

To continue to include them in the Default Web Application Access Policy, do the following:

  1. In the trunk that allows access to these devices, open the Endpoint Access Settings tab, and click Edit Endpoint Policies.
  2. In the Manage Policies and Expressions list, click Default Web Application Access, and then click Edit Policy.
  3. In Other, select Always.
  4. Apply and activate the configuration.


To ensure published applications appear in the portal when using mobile devices like iPads/iPhones (when applications are supported for mobile devices):

  1. In the trunk that allows access to these devices, review the Applications area, click the required application, and then click Edit.

  2. On the Application Properties dialog box, click the Portal Link tab.

  3. On the Portal Link tab, select the Premium mobile portal check box to show this application in the premium mobile portal.

  4. On the Application Properties dialog box, click OK.

  5. Activate the configuration.


Thursday, 9 December 2010

Microsoft Forefront UAG DNS64 Service Incorrectly Set to Manual After Forefront UAG SP1 Installation

The Forefront UAG SP1 Release Notes document the following issue:

“After installing SP1 RTM on a Forefront UAG server running SP1 RC and acting as a DirectAccess server, the DNS64 service will be set to Manual. Following the installation, set the DNS64 service to Automatic and start the service.”

However, although this problem is a known issue when upgrading from Forefront UAG RC1 to SP1, from my recent deployment experience it can also happen when deploying UAG SP1 onto an RTM version (including RTM U1 and RTM U2 versions).

Please Note: A good overview of UAG version numbers provided by Ben@MSFT can be found here.

The fix is easy: after applying SP1, reconfigure the Microsoft Forefront UAG DNS64 Service startup type to Automatic instead of Manual, then start the service manually.


This issue (obviously) assumes you are actually using the DNS64 service in your UAG DirectAccess deployment and consequently need the DNS64 service to be started and running to provide DNS translation services from IPv6/IPv4.
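A scripted version of the fix above, as an added example that is not part of the original post: it finds the service by the display name given here, changes the startup type only when it is Manual, and leaves a Disabled service alone in case DNS64 is deliberately unused. It assumes an elevated Windows PowerShell session on the UAG server.

```powershell
# Added example: post-SP1 check and repair for the DNS64 service on a UAG DirectAccess server.
$displayName = 'Microsoft Forefront UAG DNS64 Service'   # display name as given in this post

# Win32_Service exposes StartMode (Auto/Manual/Disabled), which Get-Service
# on older PowerShell versions does not show.
$filter = "DisplayName='$displayName'"
$svc = Get-WmiObject -Class Win32_Service -Filter $filter
if (-not $svc) {
    Write-Warning "Service '$displayName' not found on $env:COMPUTERNAME."
    return
}
Write-Output ("Before: StartMode={0} State={1}" -f $svc.StartMode, $svc.State)

switch ($svc.StartMode) {
    'Manual' {
        # The condition described in the post: SP1 left the service on Manual.
        Set-Service -Name $svc.Name -StartupType Automatic
    }
    'Disabled' {
        # Do not override a deliberate choice; DNS64 may not be in use here.
        Write-Warning 'DNS64 is Disabled; leaving it unchanged.'
        return
    }
}
if ($svc.State -ne 'Running') {
    Start-Service -Name $svc.Name
}

# Re-query so the output reflects the actual state after the change.
$svc = Get-WmiObject -Class Win32_Service -Filter $filter
Write-Output ("After:  StartMode={0} State={1}" -f $svc.StartMode, $svc.State)
if ($svc.StartMode -ne 'Auto' -or $svc.State -ne 'Running') {
    Write-Warning 'DNS64 is still not Automatic and running; check the System event log.'
}
```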

A bit annoying I agree, but an easy fix nevertheless :)

Thursday, 2 December 2010

Silversands Microsoft Security Consultant Wanted!

Microsoft Security Consultant Role

£Excellent + profit share scheme + flexible benefits + car allowance

We are seeking an experienced security consultant to join our expanding consultancy team.

The role involves all areas of consultancy from presales activities and presentations to detailed design planning and implementation of solutions.

The successful candidate will have outstanding customer facing skills along with a sound working knowledge of Microsoft Forefront products and other third party security products.  A good business understanding is essential as is the ability to help clients identify their needs and work with them to deliver quality solutions.

You should have experience in the following technical areas:

  • Design and implementation of Microsoft security solutions including Certificate Services, ISA Server, Threat Management Gateway (TMG), Unified Access Gateway (UAG) and DirectAccess
  • Conducting in-depth technical design workshops and creation of detailed design documentation
  • Experience of publishing Exchange and SharePoint application services using TMG and UAG  
  • Excellent understanding of TCP/IP and networking topologies
  • Excellent IT security awareness
  • A broad understanding of all core Microsoft technologies including Active Directory, Exchange and SharePoint with an appreciation for following Microsoft security best practice is essential
  • Ideally the successful candidate will have an understanding of third party security solutions including Trend Micro, Juniper, RSA, Websense, Celestix etc. 
  • Ideally the successful candidate will be an MCITP Enterprise Administrator in Windows Server 2008 or CISSP

This is an outstanding opportunity to join a leading Microsoft Gold Partner committed to delivering quality solutions to its customers and work alongside our Microsoft Forefront MVP (that would be me!). Silversands’ close working relationship with Microsoft will ensure that you have the opportunity to keep abreast of developing technologies and exposure to new products through the Technology Adoption Program (TAP) and Customer Advisory Group (CAG) programmes.

Potential candidates can drop me an email or visit: www.silversands.co.uk for more information.