All events are written to Windows Event Log under Applications log under publisher "Microsoft Forefront UAG", and to the System Center Operations Manager DataWarehouse.

The following table describes the events in this management pack. Events marked with an asterisk also trigger alerts, which can be viewed on the Operations Manager Operations console in Forefront Unified Access Gateway (UAG)'s Active Alerts view.

Event Name Description Windows Event Log ID

Attempt to sneak authorization data

Alert symptom: a remote user requests a page. The request is denied, and the following message is displayed in the browser window: "An attempt to sneak authorization info was detected."

66

Attempt to sneak negotiate header

Alert symptom: a remote user requests a page. The request is denied, and the following message is displayed in the browser window: "An attempt to sneak negotiation info was detected".

20

Attempt to sneak source IP data

Alert symptom: a remote user requests a page. The request is denied, and the following message is displayed in the browser window: "An attempt to sneak source IP was detected".

19

Concurrent authenticated sessions threshold reached*

This is a warning that the threshold of the number of sessions that can be open through the site at the same time was reached.

11

Concurrent unauthenticated sessions threshold reached*

This is a warning that the threshold of the number of unauthenticated sessions that can be open through the site at the same time was reached.

12

Configuration change

The Forefront UAG configuration was changed.

10

Configuration login failed

Alert symptom: when attempting to log in to the Forefront UAG Management console, the login fails and the following message is displayed: "Incorrect Password".

8

Connection established

A connection was established with the application.

72

Connection to non-Web application failed

Alert symptom: a remote user attempts to launch an SSL Wrapper application, either via the portal homepage, or by logging into a site that automatically launches the application. The application is launched, but fails to connect to the server.

73

Connection to Web application failed

Alert symptom: a remote user attempts to access an application. The request is denied, and the following message is displayed in the browser window: "The page cannot be displayed".

79

Filter shutdown

This event occurs when the IIS worker process unloads the ISAPI filter. This can occur when IIS is restarted or when IIS is stopped.

69

Filter startup

This event occurs when the IIS worker process loads the ISAPI filter, which happens when the first client request arrives at Forefront UAG.

68

Invalid method

Alert symptom: a remote user requests a page. The request is denied, and the following message is displayed in the browser window: "You have attempted to access a restricted URL. You are trying to access the URL using an illegal method."

51

Invalid request

Alert symptom: a remote user requests a page. The request is denied, and the following message is displayed in the browser window: "The page cannot be displayed".

33

KCD protocol transition failed

The S4U2Self Kerberos token for a specific user cannot be retrieved.

120

Maximum number of concurrent authenticated sessions exceeded*

Alert symptom: a remote user attempts to log in to the site. Access is denied, and the following message is displayed in the browser window: "There are too many users on the Web site at the moment. Please try to access the site again in a few minutes."

15

Maximum number of concurrent unauthenticated sessions exceeded*

Alert symptom: a remote user attempts to access the site. Access is denied, and the following message is displayed in the browser window: "There are too many users on the Web site at the moment. Please try to access the site again in a few minutes."

16

Method not defined

Alert symptom: a remote user requests a page. The request is denied, and the following message is displayed in the browser window: "The page cannot be displayed. Ruleset configuration invalid."

50

No Web farm servers available*

Alert symptom: a remote user cannot access a published application due to misconfigured backend servers.

112

POST without content-type not allowed

Alert symptom: a remote user requests a page. The request is denied, and the following message is displayed in the browser window: "The upload is blocked since the request does not contain a Content-Type header."

47

Service shutdown

Alert symptom: a Windows service running on Forefront UAG was stopped.

4

Service startup

Alert symptom: a Windows service running on Forefront UAG was started.

3

Session source IP not valid

Alert symptom: a remote user successfully logs in to the site. However, access to any of the applications that are enabled through the site is denied, and the following message is displayed in the browser window: "Could not access the site due to the following error: Failed to bind Source IP. Please try to access the site again in a few minutes. If the problem persists, contact your system administrator."

110

Successful configuration login

Logging in to the Forefront UAG Management console succeeded.

7

Unable to bind session source IP

Alert symptom: a remote user successfully logs in to the site. However, access to any of the applications that are enabled through the site is denied, and the following message is displayed in the browser window: "Could not access the site due to the following error: Failed to bind Source IP. Please try to access the site again in a few minutes. If the problem persists, contact your system administrator."

111

Unable to read configuration*

Alert symptom: the message is logged after you activate the Forefront UAG Management console. Forefront UAG is not functioning as expected, or is not functioning at all. Remote users might experience problems while working with the site, or might not be able to access the site at all.

29

Unable to retrieve information from LDAP server*

Alert symptom: a remote user logs in to the site. The login process is slower than usual.

108

Unable to retrieve session IP

Alert symptom: a remote user successfully logs in to the site. However, access to any of the applications that are enabled through the site is denied, and the following message is displayed in the browser window: "Could not access the site due to the following error: Failed to bind Source IP. Please try to access the site again in a few minutes. If the problem persists, contact your system administrator."

109

Unable to send message

Alert symptom: the Forefront UAG Event Logging mechanism failed to send a message to a reporter, even though, in the Message Definitions file, the message is configured to be sent to this reporter, and the reporter is activated in the Forefront UAG Management console.

25

Unable to start application

Alert symptom: a remote user attempts to launch an SSL Wrapper application, either via the portal homepage, or by logging into a site that automatically launches the application. The request is denied, and a message is displayed, informing the user that the server failed to start the application.

76

URL changed

Alert symptom: during URL verification, the Forefront UAG filter changes the URL. The remote user's experience is not affected.

26

URL path not allowed

Alert symptom: a remote user requests a page. The request is denied, and the following message is displayed in the browser window: "You have attempted to access a restricted URL. The URL you are trying to access contains an illegal path."

67