by Shijaz Abdulla on 09.01.2011 at 20:30
If you're enabling DirectAccess on Forefront Unified Access Gateway (UAG) in a lab and you try to request an IP-HTTPS certificate for the UAG machine from your Enterprise CA, you might run into the following error:
“RPC Server Unavailable 0x800706ba”
This is because Forefront Unified Access Gateway is already installed on the machine, and TMG (Threat Management Gateway) is blocking DCOM/RPC traffic that is required to request a certificate using the MMC snap-in.
To avoid this issue, Tom Shinder’s documentation suggests that you request the IP-HTTPS certificate before you install UAG.
However, if you have already installed UAG, follow these steps to request and install the IP-HTTPS certificate:
1. Open Notepad and paste the following text to create the INF file for the request. The only values that may need to be changed are the subject name and the certificate template name.
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=uag1.contoso.com" ; (Replace the subject name with the external FQDN of your UAG server)
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = CMC
[Strings]
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
[Extensions]
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%"
[RequestAttributes]
CertificateTemplate = WebServer2008
Replace WebServer2008 with the name of your IP-HTTPS certificate template.
2. Run Command Prompt as Administrator.
3. Convert the INF file to a request file (.req):
certreq -new ip-https.inf ip-https.req
4. Copy the request file to your CA server (or any server that has unrestricted access to the CA machine).
5. On the CA server, open Command Prompt as Administrator.
6. Submit the REQ file to the CA:
certreq -submit IP-HTTPS.req
7. Choose the CA in the popup window.
8. Save the file as IP-HTTPS.CER when prompted.
9. Copy the IP-HTTPS.CER file back to the UAG machine.
10. On the UAG machine, open Command Prompt as Administrator.
11. Type:
certreq -accept IP-HTTPS.cer
This will add the certificate to the local store.
12. (optional) Open the Certificates MMC for Local Computer. Open Properties for the uag1.contoso.com certificate. Give it the Friendly Name “IP-HTTPS Certificate” and click OK.
If you’re looking to test DirectAccess scenarios, I highly recommend that you check out Dr. Tom Shinder’s test lab guides published on the Microsoft website.
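To confirm that the accepted certificate is usable for IP-HTTPS, the following added example (not part of the original post) checks the Local Computer store from an elevated PowerShell prompt on the UAG machine. The function name Test-IpHttpsCertificate is hypothetical; the FQDN and the Server Authentication OID are the ones used in the INF file above.

```powershell
# Added example: verify the IP-HTTPS certificate after "certreq -accept".
# Test-IpHttpsCertificate is a hypothetical helper name, not a built-in cmdlet.
function Test-IpHttpsCertificate {
    param([string]$Fqdn = 'uag1.contoso.com')   # subject from the INF; use your external FQDN

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'         # szOID_PKIX_KP_SERVER_AUTH from the INF
    $subjectRegex  = '^CN=' + [regex]::Escape($Fqdn) + '(,|$)'

    $candidates = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $subjectRegex })
    if ($candidates.Count -eq 0) {
        Write-Warning "No certificate with subject CN=$Fqdn found in LocalMachine\My"
        return
    }

    foreach ($cert in $candidates) {
        # Read the EKU OIDs through the .NET extension type
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }

        # Build the chain with the default policy, which checks revocation online
        $chain       = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainBuilds = $chain.Build($cert)
        $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey      # False means the key pair is not on this machine
            ServerAuthEku = ($ekuOids -contains $serverAuthOid)
            KeySizeBits   = $cert.PublicKey.Key.KeySize
            NotAfter      = $cert.NotAfter
            ChainBuilds   = $chainBuilds
            ChainStatus   = $chainStatus
        }
    }
}

Test-IpHttpsCertificate -Fqdn 'uag1.contoso.com' | Format-List
```

A usable certificate reports HasPrivateKey, ServerAuthEku and ChainBuilds as True; a non-empty ChainStatus names the trust or revocation problem to fix first.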
by Shijaz Abdulla on 06.01.2011 at 20:04
I realized that the video of my TechEd 2010 session on Forefront Unified Access Gateway and DirectAccess is available online.
You can watch it on the TechEd website. As of now the video doesn’t seem to load, so there is the option to download the WMV video.
I will be back again at TechEd this year insha Allah with another session on UAG. Stay tuned.
by Shijaz Abdulla on 04.03.2010 at 17:28
TechEd was awesome. 1500 techies under one roof. Amazing.
I could not agree more with fellow TechEd speaker Andy Malone, who wrote in his blog:
The feedback has been amazing and for that you have my thanks. TechEd is a unique worldwide event, now running in ten locations worldwide. One thing that really stands out is its ability to bring people from different countries, backgrounds, religions together. The relationships formed both personal and business can last a lifetime.
Special thanks goes to Arif, Amory and the team at Microsoft Gulf for putting together a spectacular event – which is also the first TechEd in the Gulf region. I also want to thank the delegates for attending this event and also for their feedback.
As promised, here are additional resources that will help you move forward with UAG:
Here are pictures from the event. The moments below were captured by David Maskell, Security Solutions SSP at Microsoft Gulf, who is also the Security, Identity & Access (SIA) track owner at TechEd ME.
by Shijaz Abdulla on 04.03.2010 at 16:13
I would like to thank those of you that attended my session on Microsoft Forefront Unified Access Gateway and DirectAccess yesterday at TechEd Middle East 2010. If you heard about this blog from my session, please take a moment to subscribe by email or RSS.
I cannot stress enough how important your session evaluations are. If you attended my session, please take a moment to complete the evaluation online.
I would like to thank those who have already completed the feedback for giving me high ratings. It is your support that keeps me going. With all respect, let me also request the only person who rated me low to re-evaluate the session open-mindedly :-). Honest feedback in the evaluation is important to me.
The presentation slide deck is now available for download on the TechEd website. You will have to log in with your TechEd username and password.
Q&A
I have tried my best to answer all questions onsite. However, if you still have questions based on my session, feel free to post them below as a comment to this post. I will try my best to have them answered.
Thank You.

PS: Pictures will be uploaded soon.
by Shijaz Abdulla on 24.02.2010 at 23:58
Countdown to TechEd – 4 days to go.
T minus 4 for the biggest tech event in Dubai — TechEd Middle East 2010.
Here’s a reminder of the session that I will be speaking at. Hope to see you there!
Session: SIA308 – Secure Remote Access with Unified Access Gateway and Direct Access
Track: Security, Identity and Access
Speaker: Shijaz Abdulla
When: Wed, Mar 03, 2010 (13:30 – 14:30) | Breakout Session
Where: Sheikh Maktoum Hall A
Level: 300 – Advanced
Audience: Security Administrator, IT Manager, Network Administrator
Here’s what I will be covering:
- Overview of Microsoft Forefront Unified Access Gateway
- Demo of Unified Access Gateway features:
  - Remote access with SSL-VPN,
  - Secure Application Publishing,
  - Secure File Access,
  - Endpoint security
- Publishing RemoteApp and Remote Desktop Services
- Overview of DirectAccess
- Demo: Enabling Windows 7 DirectAccess feature with UAG
Recommended Pre-requisites:
There are no prerequisite sessions that you need to attend before my session. However, if you have an interest in understanding the darkest depths of DirectAccess and IPv6, I recommend that you also attend the following sessions by John Craddock.
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition technologies.
SVR402: DirectAccess Technical Drilldown, Part 2 of 2: Putting it all together.
I will be recapping some of the content covered in these sessions, but as my session focuses on Unified Access Gateway, I will not go into the depths of how DirectAccess works.
Technical Learning Centre (TLC)
I will be available at the Technical Learning Centre at these times to attend to your questions around Microsoft Forefront products.
Monday, March 1: 11:45 to 15:45
Tuesday, March 2: 12:30 to 16:00
Feel free to drop in and ask your questions on ISA Server/Threat Management Gateway, Forefront Unified Access Gateway, Forefront Protection for Exchange/SharePoint/OCS, Forefront Endpoint Protection, Forefront Hosted Filtering for Exchange, Rights Management Services.
See you there!

by Shijaz Abdulla on 12.02.2010 at 23:14
I’m doing a breakout session at the Microsoft TechEd in Dubai. Here are the details:
Session: SIA308 – Secure Remote Access with Unified Access Gateway and Direct Access
Track: Security, Identity and Access
Speaker: Shijaz Abdulla
When: Wed, Mar 03, 2010 (13:30 – 14:30) | Breakout Session
Where: Sheikh Maktoum Hall A
Level: 300 – Advanced
Audience: Security Administrator, IT Manager
Here’s what I will be covering:
- Overview of Microsoft Forefront Unified Access Gateway
- Overview of DirectAccess
- Demo: Enabling Windows 7 DirectAccess feature with UAG
- Unified Access Gateway features: Remote access with SSL-VPN, Secure Application Publishing, Secure File Access, Endpoint security
- Demo: Unified Access Gateway features
See you there!
