Archive for the ‘UAG 2010 SP1’ Category

Forefront Unified Access Gateway 2010 SP1 Is Available For Download

December 7th, 2010

We are proud to announce that Forefront Unified Access Gateway (UAG) 2010 SP1 has been released and is available now for download, either as an upgrade from UAG 2010 or as a clean install. SP1 includes a leap forward in DirectAccess deployments, ADFS 2.0 support and investments in quality. You can learn more on our TechNet Library and in the SP1 blog posts.

You can download SP1 here:


DirectAccess Policy Management – Have it your way!

November 22nd, 2010

Forefront UAG 2010 makes extensive use of group policy objects for client provisioning, corporate servers, and the gateway itself. Customers familiar with this capability asked for more: more flexibility in defining objects, and more control over their naming, placement and creation. Here are a couple of enhancements we’ve made in SP1 to meet these requests.

Organizational Units

Prior to SP1, you could define security groups that contained applicable end-users for DirectAccess. With the service pack you are able to choose organizational units (OUs) instead.


Support Multiple Domains

In some scenarios the end-user’s machine is joined to a different domain than the one that user is authenticating against. For example, Bob is authenticating against CORPUSER domain while his machine belongs to domain CONTOSO. This scenario is now possible with UAG SP1, because you can define separate domains for clients’ computers and authentication.


Control Policy Names & Creation

Some customers use their own naming conventions for objects, so with SP1 you can not only change the name of the GPO, but also pre-create it, and let UAG fill in the designated containers. This can be useful when edge and GPO management responsibilities are handled by different administrators.



UAG 2010 SP1: DirectAccess Always Managed & Managed Only

November 14th, 2010

Always managed

One of the reasons I really like DirectAccess is that client computers can always be managed, regardless of location. This means that whenever a user turns the laptop on and connects to the Internet, management agents on the client laptop can synchronize with corporate management servers, report on their health status, and download updates.

The user doesn’t have to be in the office in order for the laptop to have the latest patches, the most updated software, and the current policy settings. Desktop managers always know what the state of the laptop is, and don’t have to wait until the user explicitly connects to the corporate network with her credentials.

In addition to these things happening in the background, the user can also perform self-help actions remotely, such as changing an expired password.

Manage Only

For some customers, having the clients always managed is the trigger for installing DirectAccess, and they aren’t initially interested in the availability of a seamless connection to internal application servers on the internal network. In fact, they want a way of blocking users from connecting to the application servers over the second (intranet) tunnel, allowing only the first (infrastructure) tunnel to connect.

In SP1 we’ve created a simple step in the DirectAccess wizard which enables the admin to select “manage only”. Furthermore, the admin can select to only accept connections from agents or services running under the machine account, while dropping connections from the logged on user. This is configured by selecting a single checkbox.


Note that some functionality is affected by not having the second tunnel. For example, while NAP monitoring will work, NAP enforcement will not. Force tunneling of client Internet traffic also will not work in the “manage only” mode, because there is no second tunnel to send the user traffic through. Similarly, user authentication with username/password, one time password (OTP), or smartcard is not supported. This is because user authentication takes place when creating the second tunnel, which is not created in this mode.

Auto-detecting management servers

Managing the list of servers on the infrastructure tunnel becomes all the more important in the “always managed” scenario. In SP1 we added auto-detection of NAP Health Registration Authority (HRA) servers and of System Center Configuration Manager (SCCM) servers, so that you can refresh the list and any change in the servers is detected.


We have already received some positive feedback from our early adopter customers around these features, and we hope you find them useful as well.

Noam Ben-Yochanan


UAG DirectAccess monitoring and troubleshooting in UAG 2010 SP1

November 10th, 2010

After deploying your UAG DirectAccess environment, you need to ascertain that it’s up and running, and is providing the remote access as planned. There are a few things you’ll want to check:

  • Are all the relevant services up and running? Were there any failures?
  • Are there users currently connected to the system? Are they hitting any errors?
  • A user reports that he or she had trouble connecting yesterday evening – how can you know what happened?

Fortunately, the new DirectAccess logging and monitoring functionality provides answers to these questions. Starting from SP1, UAG supports out-of-the-box logging and monitoring functionality for DirectAccess user activity, based on the TMG SQL logging infrastructure.

What’s new in UAG DirectAccess logging & monitoring?

In SP1, we augmented the existing UAG monitoring tool (Web Monitor), with real-time DirectAccess monitoring information. Two new screens were added: DirectAccess Monitor – Current Status, and DirectAccess Monitor – Active Sessions.

The DirectAccess Current Status screen displays a “SCOM-like” health indication of UAG DirectAccess servers and relevant DirectAccess sub-components. On this screen, you can see whether the UAG DirectAccess servers in your deployment are configured for DirectAccess, and whether all relevant sub-components (DNS64, IP-HTTPS, etc.) are up and running. Everything is presented at the array level so that the admin can access all the information from the console of any array node.


Figure 1: DirectAccess server health status screen

The DirectAccess Active Sessions screen presents the list of DirectAccess sessions currently connected via all UAG DirectAccess array nodes. You can see a list of currently logged on users, access level (infrastructure or intranet), NAP health status, machine account, user account, and other fields.


Figure 2: DirectAccess active sessions

Web Monitor is useful for monitoring the current state of your DirectAccess deployment. In order to search across DirectAccess sessions that occurred in the past, you can use either the user monitoring PowerShell snap-in or the TMG SQL log viewer. The user monitoring PowerShell snap-in now presents the user and server monitoring information at the array-level, without enabling the Security Auditing event logs.


Figure 3: TMG log viewer displaying DirectAccess events

How does it work?

At the beginning of a DirectAccess session, the DirectAccess client and UAG DirectAccess server establish security associations (SAs). This is a security agreement with which both computers agree on how to exchange and protect information transferred during the DirectAccess session. You can see the configured and currently opened SAs on the “Windows Firewall with Advanced Security” screen.

The UAG DirectAccess logging mechanism monitors the currently opened SAs, and uses the SA info to log and monitor DirectAccess user activity. Changes in session state are written to the SQL log for persistence. Errors encountered during the session (e.g., “a smartcard wasn’t provided”) are also monitored and written to the SQL log. In this way the logging mechanism collects and stores information about DirectAccess sessions that can be subsequently viewed on the Web Monitor DirectAccess Active Sessions screen, or via the PowerShell snap-in or TMG log viewer.
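To make the mechanism concrete, here is an added model (not UAG’s own code) of how session state and access level can be derived from SA open/close events: the first tunnel is keyed to the machine account, the second to the logged-on user, and the `manage_only` switch mirrors the “manage only” option from the earlier post, where user-tunnel SAs are dropped. The SA events, addresses and account names are constructed sample data.

```python
"""Derive DirectAccess session state from IPsec SA events (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

INFRASTRUCTURE = "infrastructure"   # first tunnel, negotiated by the machine account
INTRANET = "intranet"               # second tunnel, negotiated by the logged-on user


@dataclass
class SaEvent:
    client: str     # client IPv6 address (constructed)
    tunnel: str     # INFRASTRUCTURE or INTRANET
    account: str    # AD account that negotiated the SA (constructed)
    opened: bool    # True = SA established, False = SA deleted


@dataclass
class Session:
    client: str
    machine_account: str = ""
    user_account: str = ""
    tunnels: set = field(default_factory=set)

    @property
    def access_level(self) -> str:
        # A client with an open second tunnel has intranet access; otherwise only
        # the infrastructure tunnel (management servers) is reachable.
        return INTRANET if INTRANET in self.tunnels else INFRASTRUCTURE


def is_machine_account(account: str) -> bool:
    return account.endswith("$")   # AD computer accounts end with '$'


def process_events(events, manage_only=False):
    """Return (active sessions, log rows). Every state change yields one log row,
    as the SQL log would record it. With manage_only, intranet-tunnel SAs are
    rejected so only machine-account (management) traffic is accepted."""
    sessions: Dict[str, Session] = {}
    log: List[Tuple[str, str, str]] = []
    for ev in events:
        if manage_only and ev.tunnel == INTRANET:
            log.append((ev.client, "rejected", ev.account))
            continue
        s = sessions.setdefault(ev.client, Session(ev.client))
        if ev.opened:
            s.tunnels.add(ev.tunnel)
            if is_machine_account(ev.account):
                s.machine_account = ev.account
            else:
                s.user_account = ev.account
        else:
            s.tunnels.discard(ev.tunnel)
        log.append((ev.client, s.access_level if s.tunnels else "disconnected", ev.account))
        if not s.tunnels:
            del sessions[ev.client]   # last SA closed: the session is over
    return sessions, log


# Constructed sample: laptop joins, user opens the second tunnel, then both close.
EVENTS = [
    SaEvent("2001:db8::10", INFRASTRUCTURE, "CONTOSO\\LAPTOP01$", True),
    SaEvent("2001:db8::10", INTRANET, "CORPUSER\\bob", True),
    SaEvent("2001:db8::10", INTRANET, "CORPUSER\\bob", False),
    SaEvent("2001:db8::10", INFRASTRUCTURE, "CONTOSO\\LAPTOP01$", False),
]
```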

What else?

What happened to the DirectAccess user monitoring mechanism supported in earlier UAG releases? What is the difference between the new mechanism and the old one?

The DirectAccess user monitoring mechanism supported in Forefront UAG 2010 RTM (TechNet article here) was based on IPSec logging messages printed to the Security event log. The new SP1 implementation doesn’t require IPSec logging to be enabled, but rather collects the required SA information programmatically. The PowerShell snap-in was re-designed to work over the new infrastructure for both current and historic sessions. The snap-in was also augmented to include server health info.

How do I enable the new DirectAccess logging and monitoring feature?

DirectAccess logging and monitoring functionality is on by default. It collects DirectAccess events from the moment DirectAccess is configured and running on a UAG SP1 machine. Note that SQL logging is mandatory for DirectAccess monitoring functionality, so make sure it’s not disabled on your system.

Where can I find more info on this feature?

See for more info on UAG DirectAccess logging and monitoring, including information on the different PowerShell snap-in parameters.


We appreciate your feedback: please post comments for any questions you have, or for issues you might encounter with the new DirectAccess monitoring mechanism.


UAG 2010 SP1: The New and Improved DirectAccess Features

October 27th, 2010

We received some great feedback from customers about deploying DirectAccess in their organizations. One notable quote was “it works like magic!” Our customers also told us how we can make the product better by adding features and making existing features easier to manage.

After discussions and prioritization we are now proud to present the DirectAccess enhancements in service pack 1:

  • One-time-password support including: Integrated RSA SecurID agent and support for other 3rd party RADIUS based OTP products
  • Added optional settings in each step for advanced deployment scenarios
  • Support for deploying DirectAccess Group Policy across multiple domains, and pre-created GPOs
  • Support for the “I only want to manage my computers” scenario using integrated UAG UI
  • Support for Force Tunneling scenario using integrated UAG UI
  • Integrated NAP for simplified endpoint policy enforcement with simple “for dummies” setup of NAP+DA and integrated NAP troubleshooting tools included in Web Monitor
  • Improved monitoring and troubleshooting


One Time Password Integration

We’ve been hearing this request a lot from customers and potential customers – so we’ve gone ahead and done it.

Server side

On the server side UAG now provides a choice between smartcards and OTP. We did this by adding support for OTP in the UAG UI as part of the UAG DA Wizard’s optional settings. UAG comes out-of-the-box with an RSA SecurID agent so you can be up and running in no time if you have SecurID tokens.


Figure 1: UAG DA UI with OTP

You can use OTP solutions from other 3rd party vendors as long as they are RADIUS based (OATH compliant).

Client side

On the client side the users are given the same experience and look & feel as the smartcard authentication “pop-up”. Our implementation is not based on a credential provider, so requiring OTP for DirectAccess authentication in the UAG DA server UI does not enable the user to log in to Windows on the client using an OTP token.


Figure 2: OTP authentication balloon


Figure 3: OTP authentication popup


When deploying OTP you need to set up a dedicated Certificate Authority server (CA) and cannot use an existing CA. UAG makes life easier by generating a script which you can apply on the dedicated CA for use with OTP instead of performing CA configuration manually. Another bonus is that you do not need to make changes to the existing RSA ACE servers.


NAP Integration

NAP setup

NAP integration in UAG 2010 seemed easy enough. All you had to do was select a checkbox and NAP was enforced. In reality, there is more to it than that. Someone needs to install and configure an NPS, HRAs and CAs. This is not a simple task. In SP1 we decided to ask a few more questions, but have UAG do the bulk of the work for you. We did this by installing and configuring NAP roles on the UAG server, and by adding the NAP settings to the client GPO. You still need to set up a dedicated CA server and health template, and point to them in the UAG UI.

In the wizard you can choose between enforcing and monitoring health. If you select to enforce, client machines cannot create the second (intranet) tunnel until they can obtain a health certificate. Monitor only, on the other hand, will make sure that client health is checked and reported, but unhealthy clients will not be blocked.

NAP client health troubleshooting

Another non-trivial task that administrators face when using NAP is trying to understand why a particular client machine is considered unhealthy. Although the data exists, it is buried in the Windows EventLog and the actual events are not very clear. We’ve decided to add NAP troubleshooting to the UAG DA UI, specifically to the Web Monitor. You can query the last event for a specific machine, the last five events, or all of the events in a range of dates.

Existing NAP infrastructure

If you already have a NAP infrastructure or just want to have separate NAP and UAG servers, you can select not to use the internal NAP server, no questions asked. You then have to:

  • Set up the NPS, HRA and CA server
  • Create your own client GPO to turn on NAP client settings
  • Use Event Viewer on your NPS server to troubleshoot client health problems
  • Replicate the NPS configuration if you have more than one deployed

Integrated Multi Domain Support

Many of our customers have more than one domain. We have added support for managing DirectAccess in a multi-domain deployment.

Using the UAG DirectAccess UI you can specify which domains the DirectAccess GPOs will be applied to. You can also specify which GPO UAG will use, allowing for better role separation between the DirectAccess admin and the UAG admin. In addition, the GPOs can now be linked to OUs, not only to whole domains.



Figure 4: Selecting client computer domains

Figure 5: Selecting OUs/Security groups



Figure 6: Selecting Preconfigured/New GPO

Domain controller auto-discovery has also been extended to discover DCs across all selected domains.


Always managed

Some customers wanted to deploy DirectAccess for the purpose of managing remote client machines, but do not wish to have users connect to application servers on the intranet. Using a new setting located on the first page of the client wizard, the admin can now choose to enable only the first (infrastructure) tunnel, without enabling the second (intranet) tunnel.


Force tunneling

Some customers want to enable client machines to connect via DirectAccess, but while connected they do not want the clients to connect anywhere else (i.e., they do not want a split tunnel). The UAG DirectAccess UI enables you to specify force tunneling in one of two flavors:

  • Web-only through the intranet web proxy
  • All traffic, using DNS64 and NAT64 to translate every IPv4 address returned in DNS

If you are thinking of utilizing this feature, please read Tom Shinder’s blog post in full prior to deployment.
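As an added example (not UAG’s code), the address handling that the “all traffic” flavor depends on: DNS64 rewrites each IPv4 address returned in DNS into an IPv6 address inside the NAT64 /96 prefix, so the client sends the flow to the DirectAccess server, and NAT64 recovers the IPv4 destination. The prefix `2001:db8:64::/96` is a constructed placeholder; a real deployment uses the prefix the DirectAccess server advertises.

```python
"""DNS64 synthesis and NAT64 extraction for a /96 prefix (added illustration)."""
import ipaddress

# Constructed placeholder prefix (assumption); the real one comes from the deployment.
NAT64_PREFIX = ipaddress.IPv6Network("2001:db8:64::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """DNS64 step: embed an A record's IPv4 address in the low 32 bits of the
    /96 NAT64 prefix (RFC 6052 layout for a /96), producing the AAAA record the
    force-tunneled client receives instead of a native IPv4 answer."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """NAT64 step: recover the original IPv4 destination from a synthesized
    address. Raises ValueError for a native IPv6 destination, which must not be
    translated."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        raise ValueError(f"{ipv6} is not a NAT64-synthesized address")
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def is_force_tunneled(dest_ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> bool:
    """True when a destination lies inside the NAT64 prefix, i.e. it is IPv4
    traffic that the client can only reach through the DirectAccess server."""
    return ipaddress.IPv6Address(dest_ipv6) in prefix


if __name__ == "__main__":
    # Constructed sample: an Internet IPv4 host as seen through DNS64/NAT64.
    aaaa = synthesize_aaaa("203.0.113.5")
    print(aaaa, "->", extract_ipv4(aaaa), "tunneled:", is_force_tunneled(aaaa))
```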


Improved monitoring and troubleshooting

Server side

Since UAG has a built in monitoring tool called Web Monitor, we’ve integrated DirectAccess information into it, providing a unified monitoring experience. The information is stored in an internal SQL database. You can display a list of currently logged on users, access level (infrastructure/intranet), NAP health status, machine account, user account and other fields.

At the array level, there is a “SCOM-like” health indication for each UAG array member. Everything is presented at the array level so that the admin can access all the information from the console of any node of the array.

The user monitoring PowerShell snap-in can now present the user and server monitoring information at the array-level, without enabling the Security auditing event logs.

Client side

DirectAccess Connectivity Assistant (DCA) is an application that runs on the DirectAccess clients. DCA enables the user to easily check the status of the DirectAccess connection to the corporate network and resources. It also provides troubleshooting features that will help in solving connectivity issues.

In SP1 you can centrally configure the DCA using the UAG DirectAccess UI. Configuration is propagated to clients via GPO. The DCA binary distribution is not done by UAG – you need to do it manually or automate it via GPOs, SCCM or other means.

We’ve added 7 new diagnostics to DCA (e.g., “IPv6 is disabled on the client”) and now provide an HTML-based troubleshooting summary.


Figure 7: HTML Summary with Hyperlinks

We are excited about this new release and we encourage you to share with us any feedback you have.



Announcing Forefront UAG 2010 Service Pack 1

October 21st, 2010

We are happy to announce Forefront UAG 2010 Service Pack 1 (SP1) and the availability of its final release candidate. This service pack includes many enhancements to the product, designed to ease DirectAccess deployments and to enable secure collaboration scenarios using Active Directory Federation Services (AD FS) 2.0.

Among the new features for DirectAccess:

  • One-time-password support for DirectAccess.
  • Simplified DirectAccess deployment with an improved admin UI, which includes new functionality that previously required scripting and manual tweaking.
  • Increased flexibility in creating and distributing DirectAccess Group Policy Objects (GPO).
  • Support for DirectAccess deployments which enable only the “always managed” functionality, allowing remote management of the DirectAccess client machines from the corporate network without also enabling corporate access for the DirectAccess clients.
  • Support for forced tunneling, which means that all of the traffic from DirectAccess clients is routed through the DirectAccess server to the corporate network, and from there, if needed, back to the Internet.
  • Integration of the DirectAccess Connectivity Assistant (DCA) configuration and deployment into the admin process.
  • Integrated NAP for simplified endpoint policy enforcement.
  • Improved monitoring and troubleshooting by adding new DCA diagnostics and server-side reports.

The new AD FS 2.0 secure collaboration scenarios in SP1 enable the following:

  • Claims-based authentication to the UAG portal
  • Publishing of claims-aware applications
  • Claims-based authorization
  • SSO to legacy applications for users authenticated using claims
  • Single Sign-out
  • Publishing AD FS 2.0 server

SP1 is not only about features – it’s also about the user experience and the quality of the product. We addressed many customer requests and improved the stability and robustness of the system – not only for the new functionality but also for the existing scenarios. We also invested in completing the localization of the end-user experience. We are confident that you and your users will notice the improvement.

You can start experimenting with UAG 2010 SP1 RC right now by downloading the Release Candidate (RC). It includes all of the new features and is available both as an upgrade from previous UAG 2010 releases and as a clean install. You can find updated documentation that reflects all SP1 changes in our TechNet Library. We recommend you begin with the new installation guide.

We are eager to get your feedback and to assist with your deployments via our TechNet forum. Our team as well as our MVPs and partners monitor the forum. Please post any issues you might encounter. Compliments are also welcome 😉

Over the next few weeks we will publish a series of blog posts to introduce SP1. Stay tuned!
