Archive for June, 2012

Open Management Infrastructure (OMI) – open-source implementation of DMTF CIM/WBEM standards

June 29th, 2012

Microsoft and The Open Group have announced the release of Open Management Infrastructure (OMI), an open source project to further the development of a production quality implementation of the DMTF CIM and WBEM standards. The Windows Management team has a blog post covering the details of OMI and the goals of the project.

OMI (formerly known as NanoWBEM) is an implementation of the DMTF Common Information Model (CIM) standard, which defines the semantics of management information for networks, applications, and services. Here’s a high-level overview of OMI’s implementation of a CIM server:

Just as the Hardware Abstraction Layer (HAL) helped open up the x86 hardware ecosystem and enable rapid innovation across the industry, CIM-based tools such as OMI form a Datacenter Abstraction Layer (DAL) that provides a framework for interoperability between management tools across diverse platforms and devices. As noted on the Windows Server blog:

“… the growth of cloud-based computing is, by definition, driving demand for more automation, which, in turn, will require the existence of a solid foundation built upon management standards. For standards-based management to satisfy today’s cloud management demands, it must be sophisticated enough to support the diverse set of devices that are required and it must be easy to implement by hardware and platform vendors alike. The DMTF CIM and WSMAN standards are up to the task, but implementing them effectively has been a challenge. Open Management Infrastructure (OMI) addresses this problem.”

Keep an eye on The Open Group’s OMI project site for the latest news about OMI’s evolution. You can download OMI source code and documentation today (available under an Apache 2.0 open source license), and soon you’ll find information about more detailed documentation, contribution facilities, and OMI developer conferences.

Doug Mahugh
Senior Technical Evangelist
Microsoft Open Technologies, Inc.

TMG Services Stopping Unexpectedly

As of early AM June 28th 2012, there have been many reports of TMG services stopping unexpectedly. We are primarily seeing the issues in an SSL Publishing scenario. You may expect to see the following in the Application Event Logs coinciding with the service stopping:

Source: Service Control Manager
Event ID: 7034
Level: Error
Description:
The Microsoft Forefront TMG Firewall service terminated unexpectedly. It has done this <times>.

And/or

Source: Microsoft Forefront TMG Firewall
Event ID: 14057
Description:
The Firewall service stopped because an application filter module C:\Program Files\Microsoft Forefront Threat Management Gateway\w3filter.dll generated an exception code C0000005 in address <hex_address> when function CompleteAsyncIO was called. To resolve this error, remove recently installed application filters and restart the service.

It has been determined that applying TMG SP2 Rollup2 will resolve the issue. To install Rollup 2 please refer to the following link:

Rollup 2 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2
http://support.microsoft.com/kb/2689195

More information will be provided as it becomes available. Thank you for your patience in this matter.
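To check an exported event log for the signature described above, the following added example (not part of the original post) parses event text in the same field layout and separates the w3filter.dll / C0000005 / CompleteAsyncIO crash from unrelated service terminations. The sample log, its counts and its address are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample export (not real log data). The field layout follows the
# event text quoted above; the counts and the address are made-up values.
SAMPLE_LOG = r"""Source: Service Control Manager
Event ID: 7034
Level: Error
Description:
The Microsoft Forefront TMG Firewall service terminated unexpectedly. It has done this 3 time(s).

Source: Microsoft Forefront TMG Firewall
Event ID: 14057
Description:
The Firewall service stopped because an application filter module C:\Program Files\Microsoft Forefront Threat Management Gateway\w3filter.dll generated an exception code C0000005 in address 000007FEF0001234 when function CompleteAsyncIO was called. To resolve this error, remove recently installed application filters and restart the service.

Source: Service Control Manager
Event ID: 7034
Level: Error
Description:
The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
"""

FIELD_RE = re.compile(r"^(Source|Event ID|Level|Description):\s*(.*)$")
CRASH_RE = re.compile(
    r"application filter module (?P<module>.+?) generated an exception code "
    r"(?P<code>[0-9A-Fa-f]{8}) in address (?P<addr>\S+) "
    r"when function (?P<func>\w+) was called"
)


def parse_events(text):
    """Split blank-line separated records into dicts keyed by field name."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event, current = {}, None
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                current = m.group(1)
                event[current] = m.group(2).strip()
            elif current == "Description":
                # Description text continues on the lines after its label.
                event[current] = (event[current] + " " + line.strip()).strip()
        if event.get("Event ID", "").isdigit():
            event["Event ID"] = int(event["Event ID"])
            events.append(event)
    return events


def triage(events):
    """Classify a set of events against the crash signature from the post."""
    tmg_7034 = 0
    crashes = []
    for ev in events:
        desc = ev.get("Description", "")
        src = ev.get("Source", "")
        if ev["Event ID"] == 7034 and src == "Service Control Manager":
            # 7034 is generic; only count it for the TMG Firewall service.
            if "Forefront TMG Firewall service" in desc:
                tmg_7034 += 1
        elif ev["Event ID"] == 14057 and src == "Microsoft Forefront TMG Firewall":
            m = CRASH_RE.search(desc)
            if m:
                crashes.append(m.groupdict())
    hits = [
        c for c in crashes
        if c["module"].lower().rsplit("\\", 1)[-1] == "w3filter.dll"
        and c["code"].upper() == "C0000005"
        and c["func"] == "CompleteAsyncIO"
    ]
    if hits:
        verdict = "matches-reported-issue"   # candidate for SP2 Rollup 2
    elif tmg_7034 or crashes:
        verdict = "needs-review"             # TMG stopped, signature not confirmed
    else:
        verdict = "no-match"
    return {"tmg_7034": tmg_7034, "crashes": crashes, "verdict": verdict}


if __name__ == "__main__":
    print(triage(parse_events(SAMPLE_LOG)))
```

A 7034 entry on its own only shows that the Firewall service stopped, so it is reported as `needs-review` rather than as a match.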

Updates: Autoruns v11.32, Process Explorer v15.21, Process Monitor v3.02, PSKill v1.15, RAMMap v1.2

June 28th, 2012

Autoruns v11.32: This update fixes a bug that prevented Autoruns from correctly elevating when the Run as Administrator option is selected.

Process Explorer v15.21: This update fixes a bug related to the autostart functionality introduced in v15.2, a tooltip display bug, and a bug that prevented display of kernel stacks.

Process Monitor v3.02: This release fixes an external logging issue that prevented certain registry paths from displaying correctly when run with App-V, and fixes a bug in the save logic.

PsKill v1.15: This fixes a bug in the remote kill functionality introduced by the v1.14 update.

RAMMap v1.2: This release of RAMMap, a utility that displays a detailed map of a system’s physical memory usage, adds support for systems with more than 16GB of RAM and for Windows 8, and includes keyboard navigation improvements.

How do I know if I’m running the newest version of Internet Explorer?

June 28th, 2012

Alan asks:

“How do I know if I’m running the latest version of Internet Explorer?”

To check which version of Internet Explorer you’re using:

  1. Open Internet Explorer by clicking the Start button and then clicking Internet Explorer.
  2. Press ALT+H, and then click About Internet Explorer.

The latest version of Internet Explorer is available at Microsoft.com/IE. At the time of this writing, the latest version is Internet Explorer 9. Once you’ve downloaded Internet Explorer 9 you can get all the latest updates for this browser (as well as updates for the Windows operating system and other Microsoft software) by turning on automatic updating.

Learn more about security in Internet Explorer 9.  

Categories: Internet Explorer 9, Microsoft, security

When configuring the Array Manager, you see multiple Array Managers

This sounds quite strange, but the possibility exists. We know that a UAG array consists of one Array Manager and one or more Array Members. So how can we have multiple Array Managers? Well of course, we cannot. But under certain circumstances, you may find that the Array Management Wizard informs you that you have multiple Array Managers…and possibly even Array Members that you’re not aware of.

Symptoms:

When preparing to create your array, the first step is to specify the Array Manager. On the UAG server that will be the Array Manager, you start the Array Management Wizard. In the wizard, you select “Set this server as the array manager” and then specify the Array Credentials. However, in “Step 3 – Defining Array Member Computers”, you may see that there is more than one Array Manager listed.

You also find that you’re unable to remove the “rogue” Array Manager that’s listed. The possibility also exists that you may see an Array Member listed that you have not added yourself. Although you will be able to remove this “unknown” array member in this screen, it’s best to cancel the Wizard at this point.

If you discover such a situation, you should not continue through the Array Management Wizard. Who knows what condition you may end up in?

More information:

During the UAG installation, TMG (Threat Management Gateway) is also installed. TMG is a Firewall and is installed to “protect” the UAG deployment and only allows traffic designated by the UAG configuration. When you configure UAG’s Network Interfaces via the “Network Configuration Wizard”, TMG is automatically configured with the appropriate Network settings to support the UAG configuration. Likewise, when you configure Portals/Applications in UAG, TMG is configured with the appropriate Firewall Policy rules.

There are certain situations where you may need to configure TMG settings directly (for example, to allow RDP connections), but for the most part you should not need to make many configuration changes directly in TMG.

Cause:

The issue described above can happen if the TMG “Managed Server Computers” Computer Set contains inadvertent/invalid entries. For example:

In this scenario, UAG01 is the name of the UAG server that is our intended Array Manager. If the TMG “Managed Server Computers” Computer Set contains other entries with the same IP address, they will most likely appear as additional Array Managers in UAG’s Array Management Wizard. Additionally, if the “Managed Server Computers” Computer Set includes other entries with different IPs, they will show up as unintended Array Members in UAG’s Array Management Wizard.

On a “Stand Alone” UAG server that you intend to promote to an Array Manager, TMG’s “Managed Server Computers” Computer Set should only contain itself.

Resolution:

On the “stand alone” UAG server that you intend to promote to an Array Manager, edit TMG’s “Managed Server Computers” Computer Set by removing all entries but the intended UAG Array Manager. Then apply the change in TMG and wait for TMG to Sync…then Activate UAG.

Now, when you run the UAG Array Management Wizard, Step 3 should only show your intended Array Manager server. You can then safely add your intended Array Members.
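The rule from the Cause section can be applied as a pre-check before starting the wizard. The following added example (not part of the original post) classifies the entries of the “Managed Server Computers” Computer Set the way the post describes: other entries sharing the intended manager's IP would appear as extra Array Managers, and entries with different IPs would appear as unintended Array Members. It assumes the entries were copied by hand from the TMG console; apart from UAG01, all names and addresses are constructed, and the function name is hypothetical.

```python
import ipaddress
from collections import namedtuple

Entry = namedtuple("Entry", ["name", "ip"])

# Constructed example contents of the "Managed Server Computers" Computer Set.
# UAG01 is the intended Array Manager from the post; the other names and all
# addresses are hypothetical.
SAMPLE_SET = [
    Entry("UAG01", "10.0.0.10"),
    Entry("UAG-OLD", "10.0.0.10"),
    Entry("TMG-TEST", "10.0.0.25"),
]


def audit_managed_servers(entries, manager_name):
    """Classify Computer Set entries relative to the intended Array Manager.

    Returns a dict with:
      rogue_managers     - other entries sharing the manager's IP address
      unintended_members - entries with a different IP address
      clean              - True when the set contains only the manager itself
    Raises ValueError if the manager is not in the set or an IP is malformed.
    """
    parsed = [
        (e.name.strip(), ipaddress.ip_address(e.ip.strip())) for e in entries
    ]
    manager_idx = next(
        (i for i, (name, _) in enumerate(parsed)
         if name.lower() == manager_name.lower()),
        None,
    )
    if manager_idx is None:
        raise ValueError(
            f"{manager_name!r} is not in the set; on a stand-alone server "
            "the set should contain the server itself"
        )
    manager_ip = parsed[manager_idx][1]

    rogue_managers, unintended_members = [], []
    for i, (name, ip) in enumerate(parsed):
        if i == manager_idx:
            continue
        if ip == manager_ip:
            # Same IP as the intended manager: shows up as a second manager.
            rogue_managers.append(name)
        else:
            # Different IP: shows up as a member nobody added in the wizard.
            unintended_members.append(name)

    return {
        "manager": parsed[manager_idx][0],
        "rogue_managers": rogue_managers,
        "unintended_members": unintended_members,
        "clean": not rogue_managers and not unintended_members,
    }


if __name__ == "__main__":
    result = audit_managed_servers(SAMPLE_SET, "UAG01")
    for key, value in result.items():
        print(f"{key}: {value}")
```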

Author

Richard Barker – Sr Security Support Escalation Engineer, Microsoft CSS Forefront Security Edge Team

There’s still time to participate in the Data Classification Toolkit for Windows Server 8 Beta review!

The Data Classification Toolkit for Windows Server 8 Beta (DCT) review period will soon close, but there is still time to participate. Thanks to all of you who have already downloaded the beta release and provided us with your feedback. Your input helps…

Newly added Network adapter not showing up in RRAS with Forefront TMG

Recently I came across a situation where one of our customers using Forefront TMG could not add a static route in RRAS based on a newly added network adapter.

In this post, I will describe the steps required to get the adapter available in RRAS.

Symptom

After adding a new network adapter (called LAN2 in this blog) to a server with Forefront TMG 2010 installed, the new adapter is listed in “Control Panel\Network and Internet\Network Connections” but it does not appear in “Network Interfaces” of the Routing and Remote Access (RRAS) console.

Therefore, it is not possible to add a new static route using the new interface (LAN2), as it is not available in the Interface list box (Figure 1).

Figure 1

Any other RRAS setting that uses the newly added interface is unavailable as well.

How to get the new network adapter to show up?

Here is an example (Windows 2008 R2 / TMG 2010 SP2)

1. Before adding the extra network adapter, we have 2 NICs (LAN and WAN) (Figure 2)

Figure 2

2. Right after adding the new LAN2 adapter and restarting the TMG server, LAN2 shows up in “Network Connections” (Figure 3) but not in the RRAS Network Interfaces (Figure 4).

Figure 3

Figure 4

Note that you can see the 3 NICs in the TMG console (Networking\Network adapters).

To make the new network adapter LAN2 available in RRAS, follow the steps below.

3. Disable Routing and Remote Access (Figure 5)

Figure 5

4. Configure and Enable the Routing and Remote Access (Figure 6)

Figure 6

5. Then choose “Custom configuration” and “LAN routing” (Figure 7)

Note: What you choose is not really important, as it is going to be overwritten by TMG later on.

Figure 7

Figure 8

6. If prompted, agree to start the service

Figure 9

7. The new network interface LAN2 is now available in RRAS (Figure 10)

Therefore, adding a static route using LAN2 is possible.

Figure 10

8. The Routing and Remote Access is back online but the RRAS configuration was reset. Therefore we have to reapply the stored TMG RRAS settings.

As you may know, Forefront TMG takes over the Routing and Remote Access settings with its own configuration. (To know more about this behavior: http://technet.microsoft.com/en-us/library/ee796231.aspx#hbsdfghserrty5)

The trick here is to modify any setting in TMG configuration and then apply the change. For instance, you can just add a description to an Access rule.

Forefront TMG will overwrite the Routing and Remote Access settings with its own “good” configuration.

Now we have the “good” RRAS configuration and the possibility to use the newly added interface in RRAS.

Author

Olivier Bertin

Support Engineer

Microsoft CSS Forefront Security Edge Team

Technical Reviewers

The “Escalation Engineers team”

Microsoft CSS Forefront Security Edge Team

Cannot connect to SharePoint on Windows Phones

If you try to configure your Windows Phone to connect to a SharePoint server via UAG, as discussed in my blogs (1,2), you might find yourself getting connection errors, like “Can’t connect. We’re having trouble connecting to the server. This typically occurs when the address is incorrect or when you’re not connected to either the internet or your workplace network”.

If this is the 1st time you’re trying this, it may be quite frustrating, as you are going through variations of URLs and addresses. The error itself, though, can be misleading, as it globally represents many possible issues. Here are a few that you should consider:

1. When you specify the SharePoint server name, make sure you use the INTERNAL name of the server. This would be the same name you use to visit the SharePoint site on your internal network, and also, typically, the same name you specified in the UAG’s Web Server settings tab.

2. When specifying the URL above, make sure you use HTTP or HTTPS based on the configuration of your SharePoint server. If the server is listening on HTTP, then that’s what you use. If it’s only listening on HTTPS…well…you know the drill.

3. If your UAG trunk is an HTTPS trunk (as it probably is), make sure that the phone has the certificate for the CA that created the HTTPS certificate used by the trunk. If this is a public CA, then it should be built into the phone, but if it’s your organization’s internal CA, you will need to import it into the phone (see below). If your SharePoint server is published with HTTPS, then the same concept applies as well.

4. If you have a complex AAM configuration and are in doubt regarding the URL that needs to be used, simply connect to that URL from UAG. If it works from UAG, then it should work from the phone through UAG.

Importing a certificate into a phone

This is rather simple: just send an email to the account that is in use on the phone, with the certificate as an attachment. Then open the email and tap the attachment, and the phone will offer to install it.

Blog post written by Erez Ben-Ari

Categories: Uncategorized Tags:

Cannot connect to SharePoint on Windows Phones

If you try to configure your Windows Phone to connect to a SharePoint server via UAG, as discussed in my blogs (1,2), you might find yourself getting connection errors, like “Can’t connect. We’re having trouble connecting to the server. This typically occurs when the address is incorrect or when you’re not connected to either the internet or your workplace network”. Screenshot:

clip_image002

If this is the 1st time you’re trying this, it may be quite frustrating, as you are going through variations of URLs and addresses. The error itself, though, can be misleading, as it globally represents many possible issues. Here are a few that you should consider:

1. When you specify the SharePoint server name, make sure you use the INTERNAL name of the server. This would be the same name you use to visit the SharePoint site on your internal network, and also, typically, the same name you specified in the UAG’s Web Server settings tab:

clip_image004

2. When specifying the URL above, make sure you use HTTP or HTTPS based on the configuration of your SharePoint server. If the server is listening on HTTP, then that’s what you use. If it’s only listening on HTTPS…well…you know the drill.

3. If your UAG trunk is an HTTPS trunk (as it probably is), make sure that the phone has the certificate for the CA that created the HTTPS certificate used by the trunk. If this is a public CA, then it should be built into the phone, but if it’s your organizations internal CA, you will need to import it into the phone (see below). If your SharePoint server is published with HTTPS, then the same concept applies as well.

4. If you have a complex AAM configuration and in doubt regarding the URL that needs to be used, simply connect to that URL from UAG. If it works from UAG, then it should work from the phone through UAG.

Importing a certificate into a phone

This is rather simple – just send an Email to the account that is in use on the phone, with the certificate as an attachment. Then, open the email and tap the attachment, and the phone will offer you to install it:

clip_image006

Blog post written by Erez Ben-Ari

Categories: Uncategorized Tags:

Cannot connect to SharePoint on Windows Phones

If you try to configure your Windows Phone to connect to a SharePoint server via UAG, as discussed in my blogs (1,2), you might find yourself getting connection errors, like “Can’t connect. We’re having trouble connecting to the server. This typically occurs when the address is incorrect or when you’re not connected to either the internet or your workplace network”. Screenshot:

clip_image002

If this is the 1st time you’re trying this, it may be quite frustrating, as you are going through variations of URLs and addresses. The error itself, though, can be misleading, as it globally represents many possible issues. Here are a few that you should consider:

1. When you specify the SharePoint server name, make sure you use the INTERNAL name of the server. This would be the same name you use to visit the SharePoint site on your internal network, and also, typically, the same name you specified in the UAG’s Web Server settings tab:

clip_image004

2. When specifying the URL above, make sure you use HTTP or HTTPS based on the configuration of your SharePoint server. If the server is listening on HTTP, then that’s what you use. If it’s only listening on HTTPS…well…you know the drill.

3. If your UAG trunk is an HTTPS trunk (as it probably is), make sure that the phone has the certificate for the CA that created the HTTPS certificate used by the trunk. If this is a public CA, then it should be built into the phone, but if it’s your organizations internal CA, you will need to import it into the phone (see below). If your SharePoint server is published with HTTPS, then the same concept applies as well.

4. If you have a complex AAM configuration and in doubt regarding the URL that needs to be used, simply connect to that URL from UAG. If it works from UAG, then it should work from the phone through UAG.

Importing a certificate into a phone

This is rather simple – just send an Email to the account that is in use on the phone, with the certificate as an attachment. Then, open the email and tap the attachment, and the phone will offer you to install it:

clip_image006

Blog post written by Erez Ben-Ari

Categories: Uncategorized Tags:

Cannot connect to SharePoint on Windows Phones

If you try to configure your Windows Phone to connect to a SharePoint server via UAG, as discussed in my blogs (1,2), you might find yourself getting connection errors, like “Can’t connect. We’re having trouble connecting to the server. This typically occurs when the address is incorrect or when you’re not connected to either the internet or your workplace network”. Screenshot:

clip_image002

If this is the 1st time you’re trying this, it may be quite frustrating, as you are going through variations of URLs and addresses. The error itself, though, can be misleading, as it globally represents many possible issues. Here are a few that you should consider:

1. When you specify the SharePoint server name, make sure you use the INTERNAL name of the server. This would be the same name you use to visit the SharePoint site on your internal network, and also, typically, the same name you specified in the UAG’s Web Server settings tab:

clip_image004

2. When specifying the URL above, make sure you use HTTP or HTTPS based on the configuration of your SharePoint server. If the server is listening on HTTP, then that’s what you use. If it’s only listening on HTTPS…well…you know the drill.

3. If your UAG trunk is an HTTPS trunk (as it probably is), make sure that the phone has the certificate for the CA that created the HTTPS certificate used by the trunk. If this is a public CA, then it should be built into the phone, but if it’s your organizations internal CA, you will need to import it into the phone (see below). If your SharePoint server is published with HTTPS, then the same concept applies as well.

4. If you have a complex AAM configuration and in doubt regarding the URL that needs to be used, simply connect to that URL from UAG. If it works from UAG, then it should work from the phone through UAG.

Importing a certificate into a phone

This is rather simple – just send an Email to the account that is in use on the phone, with the certificate as an attachment. Then, open the email and tap the attachment, and the phone will offer you to install it:

clip_image006

Blog post written by Erez Ben-Ari


Parents: kids want to talk with you about online bullying

June 26th, 2012 No comments

Online bullying is a popular topic on the news and in schools, but according to a recent Microsoft study, it’s not a popular topic at home.

Microsoft just released the results of a global youth online behavior survey to examine a range of online behaviors among youth – from “meanness” (least severe) to online bullying or cruelty (most severe), and everything in between.

The study found that kids are worried about online bullying and want to talk about it.  However, according to the study, only 29 percent of kids say their parents have talked to them about the issue.

Read more about the Microsoft Global Youth Online Behavior Study.

Get online bullying prevention resources

Kids need to know that adults can and will help them. To assist parents and educators with these conversations, Microsoft has created some new resources:

  • Stand Up to Online Bullying Quiz: Take this online quiz or post it on your school’s website or blog as a teaching tool. The quiz walks adults through a series of scenarios and, after each answer, delivers immediate guidance about how to talk about, identify, and respond to online behaviors ranging from online meanness to bullying and beyond.
  • Digital Citizenship in Action Toolkit: Kids mirror adult behavior – the good, the bad, and the ugly. This interactive educational guide helps teach you and others how to foster responsible use of technology in today’s digital world. Teaching digital citizenship in our schools helps young people learn to be responsible, respectful, and informed online citizens.  

 


Requests sent to UAG array member return “Access is denied”

 

This is a very interesting issue that can be difficult to recognize and diagnose as everything seems to be “OK”. Let’s outline this simple scenario. You have a standalone UAG server. The server may be configured with one or more portals, each containing one or more web applications. Everything is working fine with this deployment. You then decide to create an array. You configure the existing UAG server as the Array Manager and specify the member that will join. You then join the new UAG server to the array. Everything looks good. Then you find the following…

Symptoms:

After successfully adding a new member to a UAG array, you may find that all client requests that are directed to the new array member receive the following error:

Server Error

403 – Forbidden: Access is denied

You do not have permission to view this directory or page using the credentials that you supplied

More information:

The reason this issue can be difficult to diagnose is that you may be hard pressed to find anything actually “wrong”. When you added the new member to the array, there were no errors during the joining process. Everything looked good.

After the “seemingly” successful array join, you can Activate the configuration on the Array Manager and there are no apparent errors. Additionally, if you launch the TMG Management console and check the Configuration Status of the nodes, they show as “Synced”.

Checking the TMG Configuration Status on the new member also shows the nodes as “Synced”. However, after a closer inspection of the new member server, you may find that the Portal web site is missing in IIS. The ‘Web Monitor’ site and all required virtual directories under ‘Default Web Site’ are in place, but the Portal site…and the associated Application Pools…are not there.

Cause:

The “SSL Network Tunneling Server” (Network Connector) settings and configuration may be invalid for the servers’ network configuration.

Resolution:

To test for this condition, temporarily disable the Network Connector as follows:

 

  • In the Forefront UAG Management console, on the Admin menu, click Remote Network Access, and then click SSL Network Tunneling.
  • On the “Network Segment” tab, uncheck “Activate SSL Network Tunneling” and click OK.
  • Activate the configuration.

After activating the configuration, check IIS on the new member server and make sure the Portal web site has been configured. If the site is now there, you need to determine the configuration issue with the Network Connector. For more information on the Network Connector in UAG, please see the following TechNet article:

http://technet.microsoft.com/en-us/library/ee809096.aspx
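Because TMG reports both nodes as “Synced” even when the Portal site is absent, the IIS check described above can be scripted. This added example (not part of the original post) lists the IIS sites and application pools on the Array Manager and on the new member and reports anything the member lacks. It assumes PowerShell remoting to both nodes is permitted and that both nodes should host the same sites; the function name and host names are placeholders.

```powershell
# Added example: compare IIS sites and application pools between the Array
# Manager and a newly joined member. If remoting is not permitted, run the
# $inventory script block locally on each node (& $inventory) and compare.

$inventory = {
    Import-Module WebAdministration
    $sites = Get-Website | ForEach-Object { "Site: $($_.Name)" }
    $pools = Get-ChildItem IIS:\AppPools | ForEach-Object { "AppPool: $($_.Name)" }
    @($sites) + @($pools)
}

function Compare-UagIisInventory {
    param(
        [Parameter(Mandatory = $true)][string]$ArrayManager,
        [Parameter(Mandatory = $true)][string]$NewMember
    )
    $reference = @(Invoke-Command -ComputerName $ArrayManager -ScriptBlock $inventory)
    $candidate = @(Invoke-Command -ComputerName $NewMember -ScriptBlock $inventory)

    # Items present on the Array Manager but absent on the new member.
    $missing = @($reference | Where-Object { $candidate -notcontains $_ })

    if ($missing.Count -eq 0) {
        Write-Host "$NewMember hosts every site and application pool found on $ArrayManager."
    } else {
        Write-Warning "$NewMember is missing $($missing.Count) item(s) present on ${ArrayManager}:"
        $missing | ForEach-Object { Write-Warning "  $_" }
    }
    return $missing
}

# Placeholder host names; substitute your own nodes.
# Compare-UagIisInventory -ArrayManager 'uag-manager.example.internal' -NewMember 'uag-member.example.internal'
```

Run it once before and once after disabling SSL Network Tunneling and activating the configuration; if the Portal site and its application pools drop off the missing list, the Network Connector settings are the cause.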

Author

Richard Barker – Sr Security Support Escalation Engineer, Microsoft CSS Forefront Security Edge Team
