These release notes address late-breaking issues for Forefront Unified Access Gateway (UAG). Before installation, it is essential that you read the information contained in this document, and review System requirements for Forefront UAG servers. If you are installing Forefront UAG SP1, review the Release notes for Forefront UAG SP1 (

If you are reading this help from the Forefront UAG Management console, the latest version of the Product Evaluation guide is available in the Forefront UAG TechNet library.

The following sections describe issues that relate to:

Update and service pack issues

  1. For a complete list of SP1 issues, see Release notes for Forefront UAG SP1 (

  2. Forefront TMG Service Pack 1 (SP1) can be installed on Forefront UAG servers. For more information, see Installing Forefront TMG SP1 on Forefront UAG. Note the following:

    1. Before installing Forefront TMG SP1, review known issues described in the Forefront TMG SP1 release notes.

    2. When installing Forefront TMG SP1 on Forefront UAG, the installation wizard indicates that there are files in use. You can safely ignore this warning.

    3. After installing Forefront TMG SP1, you might experience issues when removing a server from a Forefront UAG array. For a workaround procedure, see Installing Forefront TMG SP1 on Forefront UAG.

  3. Before installing Update 1, ensure the following on Forefront UAG RTM servers:

    • Custom Update files should not be set as read-only.

    • Do not include spaces in the names of custom update files, or in the names of folders in which custom update files are located.

    • Ensure that Forefront UAG rules do not contain excluded rule parameter sets.

  4. When installing Update 1 or Update 2 in a load-balanced array, follow the instructions in Installing Update 1 on an array using NLB, and Installing Update 2 on an array using NLB.

  5. After installing Update 1 and activating the configuration, you might see an error message in the Activate Configuration dialog box that the Web sites WebMonitor and Default Web Site could not be started. To resolve this issue, activate the configuration a second time.

  6. After installing Update 1, you can no longer repair the installation using the Repair feature.

  7. When publishing SharePoint in Update 1, legitimate HTTP requests for SharePoint resources might be blocked. To workaround this issue manually modify Forefront UAG rules as follows:

    1. On rule 51 of SP14AAM, change “/_layouts/[^"#&/:<>?\\{|}~]*\.(js|htm)” to “/_layouts/[^"#&/:<>?\\{|}~]*\.(js|htm|aspx)”,  and add the HEAD method.

    2. On rule 39 of SP14AAM, add the HEAD method.

    3. On rule 59 of SP14AAM, add the DELETE method.

RTM issues fixed in post-RTM updates and service packs

  1. A number of RTM issues with Remote Desktop Services (RDS) published are fixed by updates and service packs:

    1. The RTM limitation that did not support RDS RemoteApp and Remote Desktop access for clients running Windows Vista and Windows XP was fixed in Update 1.

    2. An issue that caused the Remote Desktop (RD) Gateway certificate might be deleted when activating the configuration that publishes RemoteApps on a server running DirectAccess or SSL Network Tunneling (SSTP) was fixed in Update 1.

    3. An issue that caused DirectAccess GPOs to be applied to the Authenticated Users security grrroup, thus creating a configuration conflict, was fixed in Update 1.

    4. An issue that caused icon problems when clients access RDS applications via an Internet Explorer 6.0 browser was resolved in Update 1.

    5. An issue that caused RDS sessions to fail if session cookies are longer than 800 characters is fixed in Forefront UAG SP1.

    6. An issue that required users to specify a login name in the format domain\user is fixed in Forefront UAG SP1.

    7. An issue that caused modifications to an RDS application name not to be updated in the Web portal is fixed in Forefront UAG SP1.

  2. The PPTP and L2TP/IPsec protocol options that appeared in the Forefront UAG RTM Management console (although they were not supported) have been removed in SP1.


  • Do not include double-byte character set (DBCS) characters in the Forefront UAG installation path.

  • When Forefront TMG is first started after Forefront UAG installation, a large number of Forefront TMG alerts might be issued. These can be ignored.

Arrays and Network Load Balancing (NLB)

  • You cannot join two servers concurrently to the same array; attempting to do so might corrupt the array storage. If this happens, restore the settings from a backed up configuration.

  • Deleting an IPv6 virtual IP address (VIP) in the Forefront UAG Management console might not remove the address completely. As a workaround, remove the address in the operating system properties, in addition to deleting it in the Forefront UAG Management console. Forefront UAG might not detect that an array member using integrated NLB loses network connectivity, and may continue to route traffic to the unavailable server. To make sure that this does not occur, disable the internal and external adapters of offline array members. Re-enable the adapters after connectivity issues are resolved. If you have Microsoft System Center Operations Manager 2007 deployed in your organization, you can monitor the status of array member network adapters, as follows:

    1. Make sure that the Windows Server Operating System and the Windows Server 2008 NLB management packs are installed on each array member.

    2. Use Operations Manager 2007 to detect disconnected network adapters on array members. Operations Manager 2007 will report issues as follows:

      • If there is a problem with the adapter that is connected to the internal network, Operations Manager 2007 reports that no heartbeat is detected.

      • If there is a problem with the adapter that is connected to the external network, Operations Manager 2007 reports a Windows NLB issue.

  • When you create a redirect trunk for an HTTPS trunk in an array on which load balancing is not enabled, you must manually assign the IP addresses of the redirect trunk for each array member.

Publishing and authentication

  • When creating trunks and publishing applications, using non-standard ports is not supported; servers must listen on port 80 for HTTP and port 443 for HTTPS.

  • By default the IIS WebDav role is not installed during Forefront UAG Setup. We recommend that you do not install the role following Forefront UAG installation, or application publishing might not work as expected.

  • The File Access application does not support use of Kerberos constrained delegation (KCD) to provide single sign-on (SSO) functionality.

  • When you publish a backend application server via multiple trunks, the name that is specified for the server should be identical in the properties of each trunk.

  • After publishing a generic Web application via a portal, modifying the IP address of the Web application is not supported.

  • The following limitations apply when publishing Remote Desktop Services (RDS) via Forefront UAG:

    • Forefront UAG provides RDS access for client endpoints that support Remote Desktop Protocol (RDP) 7.0 (Remote Desktop client 6.1). RDP 7.0 is supported only on endpoints running Windows 7. Currently there is no support for clients running Windows Vista and Windows XP to access RDS RemoteApp; Remote Desktop (predefined); and Remote Desktop (user defined) resources published via Forefront UAG. If required, RDP client tunneling should be used for these clients. This issue was resolved in Update 1. See Enabling RDS on Windows Vista and Windows XP.

    • When you publish RemoteApps on a Forefront UAG server running DirectAccess or SSL Network Tunneling using SSTP, the Remote Desktop (RD) Gateway certificate might be deleted when the configuration is activated in the Forefront UAG Management console, and client access might not work as expected. If this occurs, reconfigure the RD Gateway certificate from the RD Gateway Management console. This issue was resolved in Update 1.

    • RDS sessions fail if session cookies are longer than 800 characters. This might occur if cross-site single sign-on (that allows users to log into a portal and then access additional portals without reauthentication) is configured. This issue was fixed in Forefront UAG SP1.

    • Client endpoints using an Internet Explorer 6.0 browser to access RDS applications published via a Forefront UAG trunk, might encounter overly large icons. This issue was resolved in Update 1.

    • To use single sign-on for RDS applications, users must specify their login name in domain\user format. This issue was fixed in Forefront UAG SP1.

    • Users accessing RDS published via Forefront UAG may receive a pop-up message that the Terminal Services ActiveX control must be installed, but the gold bar, that asks if they want to use the control, does not appear. To resolve this issue, after inputting credentials to access the portal, users should refresh the portal Web page (using Ctrl +F5).

    • When you modify the application name of an RDS application published via a trunk, the updated name might not appear as expected in the Web portal. This issue was fixed in Forefront UAG SP1.

  • The following limitations apply when publishing Exchange services via Forefront UAG:

    • When publishing Outlook Web Access 2010 via Forefront UAG, the application does not open in the portal as expected. As a workaround, make sure that the setting Open in a new window is enabled in the Portal Link tab of the Exchange application properties. This check box is enabled by default and should not be cleared.

    • When you publish Outlook Web Access via Forefront UAG, and apply an Outlook Web Access look and feel, the setting “This is a private computer” does not appear in the user interface. Instead, clients connecting from a private computer should select This site automatically identified the endpoint you are connecting from as a private computer.

    • Applying the Outlook Web Access look and feel trunk settings is not supported when publishing Exchange 2003.

  • When publishing Office Communications Server (OCS) 2007 R2, only Communicator Web Access can be published via Forefront UAG. Other OCS features should be published using the Forefront TMG console running on the Forefront UAG server.

  • The following limitations apply when publishing SharePoint via Forefront UAG:

    1. For endpoints accessing SharePoint 2010 via Forefront UAG, the Explorer view might not display as expected in the portal. As a workaround, make sure that the setting Open in a new window is selected in the Portal Link tab of the application properties. Alternatively, client endpoints can access the site directly using alternate access mappings (AAM). For more information, see Alternate access mappings.

    2. In some circumstances, requests for files in SharePoint 2010 published via Forefront UAG use the WebDAV user agent. This might result in the endpoint users being prompted multiple times for credentials before the requested file is opened. This affects only sessions initiated by Office client applications.

    3. When logging off from a SharePoint 2010 site and logging in again using the "Click here to log on again" link, an Error 500 might appear. To avoid this, wait a short time after logging off before you log in again.

  • Client endpoints might not be able to access Citrix XenApp published via Forefront UAG. This occurs because the Citrix XenApp application template is missing. To add it, do the following on the Forefront UAG server, or on each array member:

    1. Open the SSLVPNTemplates.xml file for editing. In a default Forefront UAG installation, this file is located in the %ProgramFiles%\Microsoft Forefront Unified Access Gateway/von/Conf folder.

    2. At the beginning of the Templates section, before the Remote Network Access application, add the following section:

        Copy Code
      ** Citrix Presentation Server (Web Interface 3)								**
      <!-- Auto-Sense mode														-->
      <template name="CitrixPresentationServer" wfehandler="yes" userrights="0" use-with-lsp="yes" default="yes"><!--All platforms-->
      <port id="0" remoteport="1494,2598" flags="73" default="yes"/><!--All Platforms--> </template>
    3. Close the file and save the changes. Then restart IIS with iisreset. Note that administrator privileges on the local computer are required to make these changes.

Remote network access (SSL network tunneling)

  • For this release, PPTP and L2TP/IPsec protocols for SSL network tunneling are not supported, although these options appear in the Forefront UAG Management console. These options were removed from the user interface in Forefront UAG SP1.


  • Forefront TMG system policy rules enable or disable traffic to the Forefront UAG server, and by default they drop IPv6 traffic destined for Forefront UAG from backend servers. To allow access to the Forefront UAG server for IPv6 monitoring servers and other services, modify system policy rules. To enable IPv6 traffic on a specific system policy rule, do the following:

    1. From the Start menu, open the Forefront TMG Management console.

    2. In the console tree, click the Firewall Policy node.

    3. On the Tasks tab, click Edit System Policy.

    4. In System Policy Editor, in the Configuration Groups tree, click the group that contains the rule for which you want to allow IPv6 traffic.

    5. On the To tab, click Add, and select Anywhere (IPv6). Click Close, and then click OK.

  • When using Forefront UAG DirectAccess, protocols that do not support NAT traversal might not work as expected if the published backend server supports IPv4 only; for example, the Real Time Streaming Protocol (RTSP).

  • Before installing Forefront UAG DirectAccess, delete existing DirectAccess group policy objects on the domain controller.

  • When using integrated Network Load Balancing in an array of Forefront UAG DirectAccess servers, multicast mode is not supported.

  • After running the exported configuration script to create general policy objects (GPOs), GPOs created in the domain might be applied to the Authenticated Users security group. This causes the GPOs to be applied to DirectAccess servers, creating a configuration conflict. This issue is fixed in Forefront UAG Update 1.

Client endpoint access

  • When authenticating using Basic authentication, client devices using languages that require the DBCS, require the following:

    1. The client device must be configured with a DBCS locale.

    2. The Forefront UAG server, and any backend servers to which the client device makes requests, must be configured with the same DBCS locale.

  • When client devices running a Firefox browser on a Macintosh computer log in to a portal over a slow connection, and select Quit Browser, the Endpoint Session Cleanup component does not wipe endpoint cache settings, even if it is configured to do so.

  • Client devices running a Windows 7 32-bit operating system might not be able to access non-Web applications published using socket forwarding. As a workaround, for each non-Web application, explicitly specify that the Socket Forwarding component should be activated on client endpoints. To do this, on the Client Settings tab of the non-Web application properties, enable the required socket forwarding mode. For more information, see About the Socket Forwarding component.


  • For a summary of known globalization issues in Forefront UAG, see Compliance notes.

  • When you export a Forefront UAG configuration, customized internal network ranges are not preserved. After importing the configuration, the internal network is defined according to the network ranges of the adapter that you associated with the internal network when you ran the Getting Started Wizard. In addition, you might have to reconfigure network load balancing after export and import.

  • When you configure and activate changes in the Forefront UAG Management console, changes are not applied to active sessions.

  • When you change the maximum number of concurrent connections to a trunk by modifying the Maximum field in the General tab of the trunk properties, changes will not take effect until IIS is restarted.

  • The SSL Protocol Settings dialog that appears in the Forefront UAG user interface does not work as expected, and should not be used to configure SSL cipher settings. To configure settings, use the instructions described in Prioritizing SChannel Cipher Suites (