Sunday, 16 December 2012

DirectAccess Hotfix Summary

I thought it might be useful to provide a summary list of DirectAccess related hotfixes from the past and present that may be of use to those embarking on a DirectAccess deployment for the first time, or those experiencing problems that have been solved already!

PLEASE NOTE: Microsoft have now provided an official, dynamically updated Knowledge Base article summarising Windows 7, Windows 8 and Windows Server 2012 hotfixes, which can be found here: http://support.microsoft.com/kb/2883952 and which consequently supersedes the information below.

Last updated 14/08/13 with KB2849568.

Hotfixes: Windows 8 and Windows Server 2012

KB2859347: IPv6 address of a DirectAccess server binds to the wrong network interface in Windows Server 2012.

KB2855269: Error message when you use an account that contains a special character in its DN to connect to a Windows Server 2012-based Direct Access server.

KB2849568: Vulnerability in the Windows NAT driver could allow denial of service: August 13, 2013.

KB2845152: DirectAccess server cannot ping a DNS server or a domain controller when a DirectAccess client is pinging the same server in Windows Server 2012.

KB2844033: DirectAccess Setup Wizard fails on a Windows Server 2012-based server in a domain that has a disjoint namespace.

KB2836232: Subnet mask changes to an incorrect value and the server goes offline in DirectAccess in Windows Server 2012.

KB2796394: Error when you run the Get-RemoteAccess cmdlet during DirectAccess setup in Windows Server 2012 Essentials.

KB2795944: Windows 8 and Windows Server 2012 cumulative update: February 2013. This update includes fixes for DA that provide stability under heavy load.

KB2788525: You cannot enable external load balancing on a Windows Server 2012-based DirectAccess server.

KB2782560: DNS64 does not resolve computer names when you use DirectAccess and external load balancing in Windows Server 2012.

KB2769240: You cannot connect a DirectAccess client to a corporate network in Windows 8 or Windows Server 2012.

KB2748603: The process may fail when you try to enable Network Load Balancing in DirectAccess in Windows Server 2012.

KB2666914: DirectAccess Connectivity Assistant 2.0 is available.

Hotfixes: Windows 7, Windows Server 2008 R2 and Forefront UAG 2010

KB2797301: A Forefront Unified Access Gateway 2010 DirectAccess client experiences repeated OTP prompts.

KB2758949: You cannot build an IP-HTTPS protocol-based connection on a computer that is running Windows 7 or Windows Server 2008 R2.

KB2718654: You are prompted to enter credentials when you try to access a SharePoint server on a Windows 7 SP1-based or Windows Server 2008 R2 SP1-based computer.

KB2680464: Location detection feature in DirectAccess is disabled intermittently in Windows 7 or in Windows Server 2008 R2.

KB2663354: DirectAccess Manage Out fails for any non-ICMP traffic in Forefront Unified Access Gateway 2010.

KB2633127: DA client cannot reconnect to the UAG DA server when a Windows 7-based or Windows Server 2008 R2-based client computer is connected to the Internet.

KB2615847: "ERROR_IPSEC_IKE_CERT_CHAIN_POLICY_MISMATCH" error when you try to start an IPsec connection between two computers that are running Windows 7 or Windows Server 2008 R2.

KB2535133: IP-HTTPS clients may disconnect from Windows Server 2008 R2-based web servers intermittently after two minutes of idle time.

KB2444558: You cannot access a host that is hosting the IPv4 file share by using SMB v1 from a Windows 7-based or Windows Server 2008 R2-based DirectAccess client.

KB2288297: You are unexpectedly prompted to enter your credentials when you try to access a WebDAV resource in a corporate network by using a DirectAccess connection in Windows 7 or in Windows Server 2008 R2.

KB979373: The DirectAccess connection is lost on a computer that is running Windows 7 or Windows Server 2008 R2 that has an IPv6 address.

KB978738: You cannot use DirectAccess to connect to a corporate network from a computer that is running Windows 7 or Windows Server 2008 R2.

KB974080: DirectAccess Workaround for reaching IPv4 address checking sites.

KB973982: The certificate for IP-HTTPS does not rebind if the certificate is changed after the configuration is applied one time in Windows Server 2008 R2.

KB972516: A DirectAccess access failure occurs after the DNS servers that are running Windows Server 2008 return empty responses for AAAA queries in a WINS zone.

Security Updates: Windows Server 2008 R2 and Windows Server 2012

KB2765809: Vulnerability in IP-HTTPS component could allow security feature bypass (MS12-083).

Hope the list is useful!

Thursday, 13 December 2012

Forefront TMG/UAG: Useful Tools and Scripts

I spend a fair bit of time deploying both Forefront TMG and Forefront UAG for customers and therefore have defined a pretty good build checklist that I follow for every deployment. This makes implementations easier to support as we have a standard build and standard toolset available for every customer. As part of these deployments, I install some core tools and also run several scripts to provide a solid foundation for both products.

I thought it may be useful to share my experience and provide the community with some advice for more polished and supportable TMG/UAG deployments.


Please Note: As Forefront UAG includes an instance of Forefront TMG, it is recommended to install all tools, but only run the scripts defined in the ‘Scripts: General’ section on UAG servers.

Tools

In terms of tools, my standard build would normally include the following:

Forefront TMG Best Practice Analyser which can be downloaded here.

This tool should be pretty self-explanatory and should be installed on every Forefront TMG server to look for common problems and configuration errors. Run this tool at least once when you have completed your Forefront TMG installation and configuration.

Forefront UAG Best Practice Analyser which can be downloaded here.

This tool should be pretty self-explanatory and should be installed on every Forefront UAG server to look for common problems and configuration errors. Run this tool at least once when you have completed your Forefront UAG installation and configuration.

Network Monitor which can be downloaded here.

This tool should be pretty self-explanatory and should be installed on every Forefront TMG/UAG server to aid troubleshooting when the time comes. Network Monitor is also a prerequisite for using the Data Packager element of the Forefront TMG Best Practice Analyser.

Please Note: Additional Forefront TMG tools can also be downloaded from here, but I don’t tend to install all of these by default.

Scripts: General (Applicable to TMG and/or UAG)

In terms of general scripts, my standard build would normally include:

SetNetBTNodeType.reg which can be downloaded here.

This script is used to prevent NetBIOS broadcast traffic (and thereby dramatically improve TMG performance) by configuring Windows as a peer-node host using the NetBT NodeType registry value. Props for this particular registry setting go to the Microsoft Forefront TMG Administrator's Companion book, which is highly recommended!

SetServiceDependencies.bat which can be downloaded here.

Since Forefront TMG Service Pack 1 and above, I have had numerous occasions where a Forefront TMG server takes a long time to reboot. These problems are well documented on various forums and blogs, and I am still unsure if the issue has been fully fixed, even at the latest service pack level. The root cause lies with the failure of the Microsoft Forefront TMG Control service (isactrl) to start in a timely fashion; to combat this, it is possible to change/reset the dependencies of the Forefront TMG Control service, thereby eliminating the problem.

RemoveWeakVersions2k8.reg which can be downloaded here.

This script is used to disable SSL version 2 which is enabled by default with Windows Server 2008/R2.

Disabling SSL v2 is a well-established security recommendation, as the protocol suffers from several cryptographic flaws and has been deprecated for several years. You can validate that this change has been applied successfully using the Qualys SSL Labs SSL Server Test, available here.
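As an added example (not one of the .reg files linked in this section), the NetBT NodeType and SSL 2.0 settings described above expressed as a single audit-and-apply PowerShell script. The registry paths and values are the standard Windows locations for these settings; running it in an elevated session on the TMG/UAG server and rebooting afterwards are assumptions.

```powershell
# Added example, not one of the linked scripts: audits (and with -Apply sets) the two
# 'Scripts: General' registry settings. Assumes an elevated PowerShell session on the
# TMG/UAG server; both values only take effect after a reboot.
param([switch]$Apply)

$Settings = @(
    @{  # NetBT NodeType 2 = P-node: name resolution via WINS/DNS only, no NetBIOS broadcasts
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
        Name  = 'NodeType'
        Value = 2
    },
    @{  # SCHANNEL: Enabled = 0 turns off SSL 2.0 for server-side (listener) connections
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'
        Name  = 'Enabled'
        Value = 0
    }
)

function Test-BuildSetting {
    param([hashtable]$Setting)
    # A missing key or value reads as $null and is therefore reported as non-compliant
    $current = (Get-ItemProperty -Path $Setting.Path -Name $Setting.Name `
                -ErrorAction SilentlyContinue).($Setting.Name)
    [pscustomobject]@{
        Path      = $Setting.Path
        Name      = $Setting.Name
        Expected  = $Setting.Value
        Current   = $current
        Compliant = ($current -eq $Setting.Value)
    }
}

function Set-BuildSetting {
    param([hashtable]$Setting)
    # Create the key if absent (the SSL 2.0\Server key may not exist on a fresh server)
    if (-not (Test-Path -Path $Setting.Path)) {
        New-Item -Path $Setting.Path -Force | Out-Null
    }
    Set-ItemProperty -Path $Setting.Path -Name $Setting.Name -Value $Setting.Value -Type DWord
}

foreach ($s in $Settings) {
    $result = Test-BuildSetting $s
    if ($Apply -and -not $result.Compliant) {
        Set-BuildSetting $s
        $result = Test-BuildSetting $s   # re-read to confirm the write succeeded
    }
    $result                              # one compliance row per setting
}
```

Run without parameters to audit only; add -Apply to set whichever of the two values is not yet compliant.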

Scripts: Web Proxy (N/A to UAG)

In terms of web proxy specific scripts, my standard build would normally include:

SetTemporaryStorageSettings.vbs and ShowTemporaryStorageSettings.vbs which can both be downloaded here.

Until quite recently, I was unaware that Forefront TMG Malware Inspection imposes a maximum disk space, in megabytes, that may be allocated for temporary disk storage for a single client during malware inspection. The default maximum disk space is set at 50MB, which sometimes needs adjusting depending on the customer environment. This script can therefore be used to set (or show) the default temporary storage limits to something more appropriate. It is a shame you cannot modify these parameters from within the Forefront TMG console, but this makes the script all the more useful and valuable.

More information (including other temporary storage limit settings) can be found here.

UseDNSforWPAD.vbs which can be downloaded here.

Based upon information provided in this blog article, and having personally experienced problems with the WPAD.DAT file containing the IP address of the RAS adapter instead of the server's correct primary internal IP address, I started using this script, which instructs TMG to use the DNS name of array members (or the server) instead of IP addresses in the WPAD script.

Please Note: With the advent of Forefront TMG SP2, using Kerberos with an NLB web proxy array is now much improved as discussed here.

Scripts: Web Publishing (N/A to UAG)

In terms of web publishing specific scripts, my standard build would normally include:

EnableSP2FBACookieSharing.vbs which can be downloaded here.

By default, a Forefront TMG forms-based authentication cookie is only valid on the array member that generated the cookie. If a client request that contains an authentication cookie from one array member is sent to a different array member, the client is asked to re-authenticate. This behaviour may occur when a node is taken offline, or if the client source IP changes between requests, which affects which array member handles the incoming request.

Forefront TMG Service Pack 2 added functionality to support cookie sharing across array members. To do this, SP2 enables support for the cookie encryption keys to be shared across array members.

Please Note: To support sharing cookie encryption keys, the array members must be domain-joined. Be aware that this script does not work for workgroup-based array members.

As this is a pretty significant change in functionality, for the better, I now run this script by default when deploying standalone or EMS-managed arrays where array members meet the domain joined prerequisite.

More information on this new SP2 feature is available here.

Other Important Build Configuration

I wasn’t planning on talking about standard build configuration, as this blog post was meant to be dedicated to tools and scripts, but I think it is actually hugely relevant when deploying TMG/UAG servers. Hence I have included two key baseline configuration tasks for any TMG/UAG implementation.

In addition to installing the above tools and scripts, it is also vital to configure TMG and UAG server network adapter settings and bind order appropriately. More information on this particular aspect is provided in the following TechNet Wiki articles:

Recommended Network Adapter Configuration for Forefront TMG Standard Edition Servers

Recommended Network Adapter Configuration for Forefront TMG Enterprise Edition Servers

Recommended Network Adapter Configuration for Forefront UAG Servers

And finally, make sure you have applied the latest updates and service packs for TMG and/or UAG; at the time of writing, this is Forefront TMG Service Pack 2 (build version 7.0.9193.500) and Forefront UAG Service Pack 1 Update 1 (build version 4.0.1773.10100).

I hope you find these tools and scripts useful and have learned something new to improve your own TMG/UAG deployments. If you have other tool and scripts recommendations, please drop me a comment below and I will endeavour to add these to the list.