Client-side UAG endpoint detection error

Greetings!

I recently had a customer report that after updating to IAG Service Pack 2 Update 3 they started receiving the following error:

ForeFront UAG endpoint components could not run on this computer, since the script signature could not be verified. Your user experience while using the site may vary, depending on your organization’s security policy.

While deep diving and trying to replicate the issue, I noticed a few things. The error occurred on my test box with the same exact setup but with Update 2. While looking for the source of the issue, I noted that the only customization on the IAG configuration was a set of customized endpoint detection scripts designed to check for IE7+, plus some WMI checks for peer-to-peer software.

How could this be? We suspected Update 3 was the problem, yet Update 2 still gave me the same error. That told me the problem was either the script or the endpoint components installed on my test client. My test client actually had the components previously pushed by a Unified Access Gateway site that I had visited earlier in the week. These components are completely backwards compatible with IAG's endpoint components. I then uninstalled the UAG endpoint components, had the older ones pushed by my IAG SP2 U2 appliance, and the error went away.

By process of elimination on my customer's two customized endpoint scripts, I discovered that after removing PSPSoftwareDetection.vbs and the related Detect.inc entry, the error also went away. That told me that something about this script was triggering the error with the latest endpoint components. I then renamed PSPSoftwareDetection.vbs to PSPSoftwareDetect.vbs, updated the Detect.inc entry, activated my IAG SP2 U3 configuration, and everything was working!

Summary:
This error may occur if you have developed a customized endpoint detection policy. The fix is to rename any files whose names end with detection.vbs to something else and update any corresponding entries that point to the old name.

This error can also occur if your customer received endpoint components from another organization, even if you did not update to IAG SP2 U2. UAG customers should also avoid naming any customized endpoint detection scripts *Detection.vbs.
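To make the check in the summary repeatable, here is an added Python helper (not from the original post) that scans a directory of customized endpoint scripts for names ending in Detection.vbs, renames each to a Detect.vbs name, and rewrites matching references in Detect.inc. The Detect.inc line format and the PSPSoftwareDetect.vbs naming are assumptions; the sample files are constructed in a temporary directory.

```python
import os
import re
import tempfile

# Suffix the post identifies as triggering the signature error (case-insensitive).
BAD_SUFFIX = "detection.vbs"
# Replacement suffix, following the PSPSoftwareDetect.vbs rename from the post (assumed convention).
NEW_SUFFIX = "Detect.vbs"


def proposed_name(filename):
    """Return the rename target for a *Detection.vbs script, or None if the name is fine."""
    if not filename.lower().endswith(BAD_SUFFIX):
        return None
    return filename[: -len(BAD_SUFFIX)] + NEW_SUFFIX


def audit_scripts(script_dir, detect_inc_path):
    """Report offending script names and the Detect.inc lines that still reference them."""
    renames = {name: proposed_name(name) for name in sorted(os.listdir(script_dir))
               if proposed_name(name)}
    with open(detect_inc_path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    stale = [ln for ln in lines if any(old.lower() in ln.lower() for old in renames)]
    return renames, stale


def apply_fix(script_dir, detect_inc_path):
    """Rename offending scripts and update their Detect.inc references; return the new text."""
    renames, _ = audit_scripts(script_dir, detect_inc_path)
    with open(detect_inc_path, encoding="utf-8") as fh:
        inc_text = fh.read()
    for old, new in renames.items():
        os.rename(os.path.join(script_dir, old), os.path.join(script_dir, new))
        inc_text = re.sub(re.escape(old), new, inc_text, flags=re.IGNORECASE)
    with open(detect_inc_path, "w", encoding="utf-8") as fh:
        fh.write(inc_text)
    return renames, inc_text


def demo():
    """Constructed sample: one offending script, one fine script, and a Detect.inc naming both."""
    d = tempfile.mkdtemp()
    for name in ("PSPSoftwareDetection.vbs", "IE7Check.vbs"):
        open(os.path.join(d, name), "w").close()
    inc = os.path.join(d, "Detect.inc")
    with open(inc, "w", encoding="utf-8") as fh:  # assumed include-style line format
        fh.write('<!-- #include file="PSPSoftwareDetection.vbs" -->\n'
                 '<!-- #include file="IE7Check.vbs" -->\n')
    renames, text = apply_fix(d, inc)
    return renames, text, sorted(os.listdir(d))
```

Run `audit_scripts` alone first to see what would change before calling `apply_fix` on a real configuration directory.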

Regards,

Dennis Lee
Security Consultant
Celestix Network

This entry was posted in UAG 2010.
