“RPC Server Unavailable” error while requesting IP-HTTPS certificate on UAG

by Shijaz Abdulla on 09.01.2011 at 20:30

If you’re enabling DirectAccess on Forefront Unified Access Gateway in a lab, and you try to request an IP-HTTPS certificate for the UAG machine from your Enterprise CA, you might run into the following error:

“RPC Server Unavailable 0x800706ba”

This is because Forefront Unified Access Gateway is already installed on the machine, and TMG (Threat Management Gateway) is blocking DCOM/RPC traffic that is required to request a certificate using the MMC snap-in.

To avoid this issue, Tom Shinder’s documentation suggests that you request the IP-HTTPS certificate before you install UAG.

However, if you have already installed UAG, follow these steps to request and install the IP-HTTPS certificate:

1. Open Notepad, and paste the following text to create the INF file for the request. The only values that may need to be changed are the subject name and the certificate template name.

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=uag1.contoso.com" ; (Replace the subject name with the external FQDN of your UAG server)
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = CMC

[Strings]
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

[Extensions]
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%"

[RequestAttributes]
CertificateTemplate = WebServer2008

Replace WebServer2008 with the name of your IP-HTTPS certificate template.

2. Run Command Prompt as Administrator.

3. Convert the INF file to a request file (.req):
certreq -new ip-https.inf ip-https.req

4. Copy the request file to your CA server (or any server that has unrestricted access to the CA machine).

5. On the CA server, open Command Prompt as Administrator.

6. Submit the REQ file to the CA:
certreq -submit IP-HTTPS.req

7. Choose the CA in the popup window.

8. Save the file as IP-HTTPS.CER when prompted.

9. Copy the IP-HTTPS.CER file back to the UAG machine.

10. On the UAG machine, open Command Prompt as Administrator.

11. Type:
certreq -accept IP-HTTPS.cer

This will add the certificate to the local store.

12. (Optional) Open the Certificates MMC for Local Computer. Open Properties for the uag1.contoso.com certificate. Give it the Friendly Name “IP-HTTPS Certificate” and click OK.
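To confirm that the accepted certificate matches what the INF file asked for, the following check can be run on the UAG machine. It is an added example, not part of the original post; the subject uag1.contoso.com and the OID come from the INF file above, and the variable names are the example's own.

```powershell
# Added example: check the certificate that "certreq -accept" installed.
# Run from an elevated PowerShell prompt on the UAG machine.
$ExpectedCN = 'uag1.contoso.com'    # subject CN from the INF file; use your own FQDN
$ServerAuth = '1.3.6.1.5.5.7.3.1'   # szOID_PKIX_KP_SERVER_AUTH from the INF file
$now        = Get-Date

# Find certificates in the local computer's Personal store whose CN matches.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false) -eq $ExpectedCN
})
if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with CN=$ExpectedCN found in LocalMachine\My"
    return
}

foreach ($cert in $candidates) {
    # Pull the Enhanced Key Usage and Key Usage extensions, if present.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ku  = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Each entry: description, result. 0xA0 = DigitalSignature | KeyEncipherment.
    $checks = @(
        @('Private key present on this machine', $cert.HasPrivateKey),
        @('Server Authentication EKU present',   ($ekuOids -contains $ServerAuth)),
        @('KeyUsage includes 0xA0',              ($ku -and (([int]$ku.KeyUsages -band 0xA0) -eq 0xA0))),
        @('RSA key is at least 2048 bits',       ($cert.PublicKey.Key.KeySize -ge 2048)),
        @('Currently within validity period',    ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter))
    )

    Write-Output ("Thumbprint {0}, expires {1:yyyy-MM-dd}" -f $cert.Thumbprint, $cert.NotAfter)
    foreach ($c in $checks) {
        $result = if ($c[1]) { 'OK' } else { 'FAIL' }
        Write-Output ('  {0,-38} {1}' -f $c[0], $result)
    }
}
```

A missing private key usually means the .cer file was imported on a machine other than the one that ran certreq -new, since the key pair is generated there and is marked non-exportable by the INF file.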

If you’re looking to test DirectAccess scenarios, I highly recommend that you check out Dr. Tom Shinder’s test lab guides published on the Microsoft website.

TechEd 2010 Video: Secure Remote Access with UAG and DirectAccess

by Shijaz Abdulla on 06.01.2011 at 20:04

I realized that the video of my TechEd 2010 session on Forefront Unified Access Gateway and DirectAccess is available online.

You can watch it on the TechEd website. As of now the video doesn’t seem to load, so there is the option to download the WMV video.

I will be back again at TechEd this year insha Allah with another session on UAG. Stay tuned :-)

In pictures: TechEd MiddleEast 2010, Dubai

by Shijaz Abdulla on 04.03.2010 at 17:28

TechEd was awesome. 1500 techies under one roof. Amazing.

I could not agree more with fellow TechEd speaker Andy Malone, who wrote in his blog:

The feedback has been amazing and for that you have my thanks. TechEd is a unique worldwide event, now running in ten locations worldwide. One thing that really stands out is its ability to bring people from different countries, backgrounds, religions together. The relationships formed both personal and business can last a lifetime.

Special thanks goes to Arif, Amory and the team at Microsoft Gulf for putting together a spectacular event – which is also the first TechEd in the Gulf region. I also want to thank the delegates for attending this event and also for their feedback.

As promised, here are additional resources that will help you move forward with UAG:

Here are pictures from the event. The moments below were captured by David Maskell, Security Solutions SSP at Microsoft Gulf, who is also the Security, Identity & Access (SIA) track owner at TechEd ME.

 

 

TechEd session: Your evaluation is important!

by Shijaz Abdulla on 04.03.2010 at 16:13

I would like to thank those of you that attended my session on Microsoft Forefront Unified Access Gateway and DirectAccess yesterday at TechEd Middle East 2010. If you heard about this blog from my session, please take a moment to subscribe by email or RSS.

I cannot stress enough how important your session evaluations are. If you attended my session, please take a moment to complete the evaluation online.

I would like to thank those who have already completed the feedback for giving me high ratings. It is your support that keeps me going. With all respect, let me also request the only one person who rated me low to re-evaluate the session open-mindedly:-). Honest feedback in the evaluation is important to me.

The presentation slide deck is now available for download on the TechEd website. You will have to log in with your TechEd username and password.

Q&A

I have tried my best to answer all questions onsite. However, if you still have questions based on my session, feel free to post them below as a comment to this post. I will try my best to have them answered.

Thank You.


PS: Pictures will be uploaded soon.

Learn about DirectAccess and Forefront UAG at TechEd

by Shijaz Abdulla on 24.02.2010 at 23:58

Countdown to TechEd – 4 days to go.

T minus 4 for the biggest tech event in Dubai — TechEd Middle East 2010.

Here’s a reminder of the session that I will be speaking at. Hope to see you there!

Session: SIA308 – Secure Remote Access with Unified Access Gateway and Direct Access

Track: Security, Identity and Access
Speaker: Shijaz Abdulla
When: Wed, Mar 03, 2010 (13:30 – 14:30) | Breakout Session
Where: Sheikh Maktoum Hall A
Level: 300 – Advanced
Audience: Security Administrator, IT Manager, Network Administrator

Here’s what I will be covering:

  • Overview of Microsoft Forefront Unified Access Gateway
  • Demo of Unified Access Gateway features:
    • Remote access with SSL-VPN,
    • Secure Application Publishing,
    • Secure File Access,
    • Endpoint security
    • Publishing RemoteApp and Remote Desktop Services
  • Overview of DirectAccess
  • Demo: Enabling Windows 7 DirectAccess feature with UAG

Recommended Pre-requisites:

There are no prerequisite sessions that you need to attend before my session. However, if you have an interest in understanding the darkest depths of DirectAccess and IPv6, I recommend that you also attend the following sessions by John Craddock.

SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition technologies.

SVR402: DirectAccess Technical Drilldown, Part 2 of 2: Putting it all together.

I will be recapping some of the content covered in these sessions, but as my session focuses on Unified Access Gateway, I will not go into the depths of how DirectAccess works.

 

Technical Learning Centre (TLC)

I will be available at the Technical Learning Centre at these times to attend to your questions around Microsoft Forefront products.

Monday, March 1: 11:45 to 15:45

Tuesday, March 2: 12:30 to 16:00

Feel free to drop in and ask your questions on ISA Server/Threat Management Gateway, Forefront Unified Access Gateway, Forefront Protection for Exchange/SharePoint/OCS, Forefront Endpoint Protection, Forefront Hosted Filtering for Exchange, Rights Management Services.

See you there!

 


Security session at TechEd Dubai

by Shijaz Abdulla on 12.02.2010 at 23:14

I’m doing a breakout session at the Microsoft TechEd in Dubai. Here are the details:

Session: SIA308 – Secure Remote Access with Unified Access Gateway and Direct Access

Track: Security, Identity and Access
Speaker: Shijaz Abdulla
When: Wed, Mar 03, 2010 (13:30 – 14:30) | Breakout Session
Where: Sheikh Maktoum Hall A
Level: 300 – Advanced
Audience: Security Administrator, IT Manager

Here’s what I will be covering:

  • Overview of Microsoft Forefront Unified Access Gateway
  • Overview of DirectAccess
  • Demo: Enabling Windows 7 DirectAccess feature with UAG
  • Unified Access Gateway features: Remote access with SSL-VPN, Secure Application Publishing, Secure File Access, Endpoint security
  • Demo: Unified Access Gateway features

See you there!
