If your enabling DirectAccess on Forefront Unified Gateway in a lab, and you try to request an IP-HTTPS certificate for the UAG machine from your Enterprise CA, you might run into the following error:

“RPC Server Unavailable 0x800706ba”

This is because Forefront Unified Access Gateway is already installed on the machine, and TMG (Threat Management Gateway) is blocking DCOM/RPC traffic that is required to request a certificate using the MMC snap-in.

To avoid this issue, Tom Shinder’s documentation suggests that you request the IP-HTTPS certificate before you install UAG.

However, if you have already installed UAG, follow these steps to request and install the IP-HTTPS certificate:

1. Open Notepad, and paste the following code to make the INF file for the request. The only text that may need to be changed are in red.

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=uag1.contoso.com" ; (Replace the subject name with the external FQDN of your UAG server)
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = CMC

[Strings]
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
[Extensions]
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%"

[RequestAttributes]
CertificateTemplate = WebServer2008

Replace WebServer2008 with the name of your IP-HTTPS certificate template.

1. Run Command Prompt as Administrator

2. Convert the INF file to a request file (.req)
certreq  –new  ip-https.inf  ip-https.req

3. Copy the request file to your CA server (or any server that has unrestricted access to the CA machine)

4. Go to the CA server, open Command Prompt as Administrator

5. Submit the REQ file to the CA
certreq  –submit  IP-HTTPS.req

6. Choose the CA in the popup window.

7. Save the file as IP-HTTPS.CER when prompted.

10. Copy the IP-HTTPS.CER file back to the UAG machine.

11. On the UAG machine, open the Command prompt as Administrator

12. Type:
certreq  –accept  IP-HTTPS.cer

This will add the certificate to the local store.

13. (optional) Open the Certificates MMC for Local Computer. Open Properties for the uag1.contoso.com certificate. Give a Friendly Name “IP-HTTPS Certificate” and click OK.

If you’re looking to test DirectAccess scenarios, I highly recommend that you check out Dr. Tom Shinder’s test lab guides published on the Microsoft website.

I realized that the video of my TechEd 2010 session on Forefront Unified Access Gateway and DirectAccess is available online.

You can watch it on the TechEd website. As of now the video doesn’t seem to load, so there is the option to download the WMV video.

I will back again at TechEd this year insha Allah with another session on UAG. Stay tuned

Of late, I have seen that a lot of customers and even partners are confused between the capabilities of Forefront Threat Management Gateway (TMG) and Forefront Unified Access Gateway (UAG).

The most important difference is that TMG is an “inbound AND outbound” access gateway that includes a network level firewall with stateful packet inspection & application filtering, forward and reverse web proxy, VPN server (for users and site-to-site). TMG is more focused on keeping the bad guys out and to a certain extent, allowing good guys in. On the other hand, UAG is an “inbound-only” secure remote access gateway that enables you to allow "the good guys” in more securely.

I need TMG if:

• I need an inbound and outbound access gateway
• I need a state-of-the-art firewall with stateful packet inspection and application filtering capabilities to protect my network
• I need built-in IPS (Intrusion Prevention System) on that firewall
• I need a secure forward proxy for users on my network to access the internet
• I need to be able to do web filtering based on individual URLs or URL categories (like Politics, Sports, Pornography, etc)
• I need to be able to monitor my user’s web activity and firewall logging.
• I need to be able to block unproductive websites and services (like IM, P2P, video sharing, etc)
• I need to protect my users from web-based threats (web antivirus, web antimalware, block malicious websites)
• I need Forward HTTPS inspection to protect users against web threats that are hidden inside HTTPS
• I need to publish (reverse proxy) services to the internet (like web servers, email servers, webmail, extranet, intranet and internet portals, etc)
• I need SSL bridging to protect my publish servers against threats embedded inside SSL
• I need zero day protection from vulnerabilities that do not have a patch released yet (NIS)
• I need site-to-site VPN
• I need a VPN server for my users in addition to all the above

I need UAG if:

• I need an ‘inbound only’ access gateway
• I need to enable my users to securely access internal resources remotely (while they are outside the company network)
• I need to enable Secure VPN access for users when they are outside my network
• I need to quickly and easily enable DirectAccess for my Windows 7 users
• I need to ensure only healthy and secure remote machines can access information/services/applications in my network with appropriate user authentication
• I need to be able to define which applications or services these users can access and granularly define the security policies that will govern access to these services remotely
• I need to ensure that these users can access these applications regardless of whether they are web-based, terminal services, RemoteApp or Citrix without having to establish VPN connection.
• I need to give my users the ability to access these applications from a mobile device, or a non-Windows client such as a Mac or a Linux machine.
• I need to provide a web-based interface that the user can login remotely and execute these applications from this portal without connecting VPN, provided his machine is healthy.
• I need to provide a web-based interface that the user can login remotely and establish a secure SSTP VPN session or access file servers from the portal without connecting VPN, provided his machine passes the health requirements of my organization.
• I need to be able to easily define the security/machine health policies for machines that are attempting to access these applications.
• I have smaller remote sites where I have small numbers of users with no site-to-site VPN and just an internet connection. I need to provide them secure access to my applications over the internet.

As you can see, each product is specialized to deliver very focused capabilities. Hence it is quite possible that some organizations need both solutions while others need only one. For many smaller organizations which need a one-product solution to protect their network and provide reasonably secure remote access, TMG would be the answer. However, for designs that focus purely on inbound access, UAG needs to be considered. If an organization has separate TMG/ISA Server arrays – one for inbound access and another for outbound access – the solution is simple – use a UAG array instead for inbound access and continue using TMG for the outbound array.

I was chatting with Tom Shinder this evening when he started an interesting discussion on setting up a Windows VPN connection to use SSTP to connect to the corporate network via Forefront Unified Access Gateway (UAG). This would allow Windows 7 users to connect via SSTP without having to log in to the UAG portal.

So far, we’ve seen it only being done on the UAG Portal – where the user has to log in to the UAG portal and open the Remote Network Access application.

So I fired up my UAG lab VMs to see if this is do-able – and we were successful in getting it to work! Here’s how we did it.

1. Open the user’s properties in Active Directory Users & Computers. On the Dial-in tab, choose Allow Access under Network Access Permission. Alternatively, you can configure the NPS Network policy accordingly.

   

2. On the Windows 7 client machine, create a new VPN connection. (Hint: Network & Sharing Centre –> Set up a new connection or network –> Connect to workplace)
3. For the newly created connection, set the connection properties as below. The host name will be the same that’s configured on your UAG trunk.

   

4. On the Security tab of the VPN connection properties, set the Type of VPN as Secure Socket Tunneling Protocol (SSTP). Select the option to automatically use te Windows logon name and password.

   

5. You’re good to go. Make that connection!

TechEd was awesome. 1500 techies under one roof. Amazing.

I could not agree more with fellow TechEd speaker Andy Malone, who wrote in his blog:

The feedback has been amazing and for that you have my thanks. TechEd is a unique worldwide event, now running in ten locations worldwide. One thing that really stands out is its ability to bring people from different countries, backgrounds, religions together. The relationships formed both personal and business can last a lifetime.

Special thanks goes to Arif, Amory and the team at Microsoft Gulf for putting together a spectacular event – which is also the first TechEd in the Gulf region. I also want to thank the delegates for attending this event and also for their feedback.

As promised, here are additional resources that will help you move forward with UAG:

• UAG with DirectAccess – I will publish a step by step on my blog very soon. Stay tuned!
• UAG Hardware option – Vendors
• UAG Licensing
• Official forum – Ask questions about UAG
• UAG Team blog
• UAG homepage

Here are pictures from the event. The moments below were captured by David Maskell, Security Solutions SSP at Microsoft Gulf, who is also the Security, Identity & Access (SIA) track owner at TechEd ME.

View Full Album

View Full Album

View Full Album

I would like to thank those of you that attended my session on Microsoft Forefront Unified Access Gateway and DirectAccess yesterday at TechEd Middle East 2010. If you heard about this blog from my session, please take a moment to subscribe by email or RSS.

I cannot stress enough on how important your session evaluations are. If you attended my session, please take a moment to complete the evaluation online.

I would like to thank those who have already completed the feedback for giving me high ratings. It is your support that keeps me going. With all respect, let me also request the only one person who rated me low to re-evaluate the session open-mindedly:-). Honest feedback in the evaluation is important to me.

The presentation slide deck is now available for download on the TechEd website. You will have to login with your TechEd username and password.

Q&A

I have tried my best to answer all questions onsite. However, if you still have questions based on my session, feel free to post them below as a comment to this post. I will try my best to have them answered.

Thank You.

PS: Pictures will be uploaded soon.

Countdown to TechEd – 4 days to go.

T minus 4 for the biggest tech event in Dubai — TechEd Middle East 2010.

Here’s a reminder of the session that I will be speaking at. Hope to see you there!

Session: SIA308 – Secure Remote Access with Unified Access Gateway and Direct Access

Track: Security, Identity and Access
Speaker: Shijaz Abdulla
When: Wed, Mar 03, 2010 (13:30 – 14:30) | Breakout Session
Where: Sheikh Maktoum Hall A
Level: 300 – Advanced
Audience: Security Administrator, IT Manager, Network Administrator

Here’s what I will be covering:

• Overview of Microsoft Forefront Unified Access Gateway
• Demo of Unified Access Gateway features:
  • Remote access with SSL-VPN,
  • Secure Application Publishing,
  • Secure File Access,
  • Endpoint security
  • Publishing RemoteApp and Remote Desktop Services
• Overview of DirectAccess
• Demo: Enabling Windows 7 DirectAccess feature with UAG

Recommended Pre-requisites:

There are no prerequisite sessions that you need to attend before my session. However, if you have an interest in understanding the darkest depths of DirectAccess and IPv6, I recommend that you also attend the following sessions by John Craddock.

SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition technologies.

SVR402: DirectAccess Technical Drilldown, Part 2 of 2: Putting it all together.

I will be recapping some of the content covered in these sessions, but as my session focuses on Unified Access Gateway, I will not go in to the depths of how DirectAccess works.

Technical Learning Centre (TLC)

I will be available at the Technical Learning Centre at these times to attend to your questions around Microsoft Forefront products.

Monday, March 1: 11:45 to 15:45

Tuesday, March 2: 12:30 to 16:00

Feel free to drop in and ask your questions on ISA Server/Threat Management Gateway, Forefront Unified Access Gateway, Forefront Protection for Exchange/SharePoint/OCS, Forefront Endpoint Protection, Forefront Hosted Filtering for Exchange, Rights Management Services.

See you there!

If you are publishing RemoteApp or Remote Desktop Services on Forefront Unified Access Gateway 2010, and have enabled Single Sign On (SSO) on the RDS application in UAG, you might find that UAG tries to perform user logon on the published server using computername\username instead of domain\username.

I’ve researched this issue and found that there’s nothing I can do about it, at least at the time of writing this, as it is listed as a known issue in UAG.

Workaround

A workaround would be to ask users to log in using “domainname\username” while logging on to the UAG portal instead of just “username”.

Just a thought – you might be able to automate the appending of “domainname\” to the username string by customizing the UAG login page code, although I haven’t attempted it.

If you’re trying to publish Remote Desktop Services or RemoteApp on Microsoft Forefront Unified Access Gateway 2010, and if you encounter the following error, read on:

“Your computer can’t connect to the remote computer because no certificate was configured to use at the Remote Desktop Gateway server. Contact your network administrator for assistance”.

Before we look into how to fix this, we need to understand how RDS publishing works with UAG:

1. A UAG client accesses a Forefront UAG portal using a Web browser and evaluating the endpoint compliance and session access policies defined on UAG by the administrator.
2. The end user launches a Remote Desktop application in the portal. The portal uses the RDS ActiveX component to activate the RDC client software running on the endpoint. If the ActiveX component doesn’t exist, it is installed.
3. The RDC client on the endpoint initiates an RDP-over-HTTPS connection with the Forefront UAG server.
4. The HTTPS connection terminates on the Forefront UAG server. Forefront UAG uses its integrated RD Gateway to handle the connection. Forefront UAG verifies that the user logged on to the portal successfully, and was authenticated using a session cookie, and then enforces the endpoint access policies.
5. An RDP session is established from Forefront UAG to the backend RDS hosts.

As you can see in step 3 and 4, the HTTPS connection terminates on the Forefront UAG server, which also acts a Remote Desktop Gateway. The error appears because no SSL certificate is configured by default on the RD Gateway running on the Forefront UAG computer.

The Solution

1. On the computer running UAG, open the RD Gateway Manager (Administrative Tools > Remote Desktop Services > Remote Desktop Gateway Manager)

   

2. You will see that “A server certificate is not yet installed or selected”. Click on View or modify certificate properties
   
   
3. Choose the option Select an existing certificate from the RD Gateway <computername>. Click the Import Certificate button.
4. Choose the certificate that matches the public DNS name of your UAG portal. In my case it is uag.tech.com – this is the URL that users connecting from outside your organization will type into the browser to get into the UAG portal. It can be the same certificate that you are using on your HTTPS trunk.

   

5. Click Import and OK.
6. Try to connect to the RDS Session Host from the UAG portal. It should work (if you have configured the application and your endpoint is compliant with the endpoint security policies that you defined).

Microsoft Qatar did a Security event yesterday at the Four Seasons Hotel, Doha. We started off with an enthusiastic audience of 70+ people.

• We kicked off with a presentation on Microsoft Business Ready Security by good ol’ David Maskell, Security SSP – Microsoft Gulf, followed by technical demos.

• Fadel Lubbos, Senior Consultant from Information & Communication Technology WLL (ICT) did a demo on Forefront Threat Management Gateway (TMG) – pictured below. ICT is Microsoft Gold Certified Security Partner.

• Below are pictures of me doing my demo on Microsoft Unified Access Gateway (UAG) and DirectAccess.

• Fazil Rahim, CEO of Entelyst, did a demo on Active Directory Rights Management Services (AD RMS). Entelyst is a Microsoft Gold Certified Partner specializing in security solutions.

Pictures from the Q & A session:

Photos: Lea Attieh