Hide UAG Search Application Tool

The UAG Search Application Tool is one of many new features in UAG. It comes in handy when you have many applications published and need to find one quickly. However, many customers ask for it to be removed because they simply don't have that many applications. I don't think it hurts to have it, but there are times when the customer is going for a specific look and feel and the search tool gets in the way. This was the case with one of my customers, so I went ahead and helped them hide it.

Figure 1.0 – A red arrow points to the UAG Search Application Tool for those of you who aren't sure which tool I am referring to.

INSTRUCTIONS

1) Browse to this directory:

C:\Program Files\Microsoft Forefront Unified Access Gateway\von\PortalHomePage\UserControls\

2) Copy the "TilesViewApplicationList.ascx" file into the "CustomUpdate" folder. Doing so ensures that you have a backup of the original file and that the customization is synchronized if you have a UAG array.

3) Open the file with Notepad or with one of my favorite applications, "TextPad": http://www.textpad.com/

4) Scroll down to line number 56:

<asp:TextBox runat="server" ID="searchApplicationTxtBox" CssClass="TilesView_SearchAppBox"></asp:TextBox>

5) Change the code above and add visible="false":

<asp:TextBox runat="server" visible="false" ID="searchApplicationTxtBox" CssClass="TilesView_SearchAppBox"></asp:TextBox>
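The same five steps as a script, added here as an example and not part of the original post: it copies the control into CustomUpdate and adds the visible="false" attribute to the searchApplicationTxtBox control. It assumes the default install path shown in step 1 and that the control's attributes are double-quoted as in the line above.

```powershell
# Added example (not from the original post): copy TilesViewApplicationList.ascx into
# CustomUpdate and hide the search box by adding visible="false" to the
# searchApplicationTxtBox control. Assumes the default UAG install path from step 1.
$base   = 'C:\Program Files\Microsoft Forefront Unified Access Gateway\von\PortalHomePage\UserControls'
$source = Join-Path $base 'TilesViewApplicationList.ascx'
$custom = Join-Path $base 'CustomUpdate'
$target = Join-Path $custom 'TilesViewApplicationList.ascx'

if (-not (Test-Path $custom)) { New-Item -ItemType Directory -Path $custom | Out-Null }

# Only copy when CustomUpdate has no copy yet, so an earlier customization of the
# same file is not silently overwritten by the stock version.
if (-not (Test-Path $target)) { Copy-Item -Path $source -Destination $target }

$content = [System.IO.File]::ReadAllText($target)

# Match the TextBox by its ID and refuse to touch it if it already carries a
# visible attribute (ASP.NET attribute names are case-insensitive, hence (?i)).
$pattern  = '(?i)<asp:TextBox\b(?![^>]*\bvisible\s*=)([^>]*\bID="searchApplicationTxtBox")'
$replaced = [regex]::Replace($content, $pattern, '<asp:TextBox visible="false"$1')

if ($replaced -eq $content) {
    Write-Host 'No change made: control not found, or it already has a visible attribute.'
} else {
    [System.IO.File]::WriteAllText($target, $replaced)
    Write-Host "Updated $target. Activate the UAG configuration to apply the change."
}
```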

TIP

You may wonder why I didn't just delete the whole reference to that search bar. It's because UAG needs that control to exist: a lot of other code is tied to it, and UAG will error out if you remove it altogether.

Save the change and activate your UAG configuration! The UAG Search Application Tool should now be invisible to the user, as shown below.

Figure 1.1 – Shows what the UAG Portal Home Page looks like after you have hidden the search tool.

Thank you again for following my blog.
 
Dennis Lee
Celestix Networks


File Access – Failed to enumerate domains

File Access is one of the most useful but also most misunderstood technologies in Unified Access Gateway. It was an application built into UAG's predecessors, e-Gap and IAG. The application was arguably created at a time when internal firewalls, blocking of NetBIOS traffic, personal client-side firewalls and antivirus were not considered a security standard. We need to keep that in mind when we start troubleshooting File Access in UAG.

If you have reached my blog post, I'm assuming that by now you know that File Access requires domain membership. I am also assuming that you've installed UAG Update 1 or later and maybe read some other blogs and forums.

So let's discuss the most common error: "Failed to enumerate domains, Please Check your permissions". I've come across a lot of great topics that mention fixes and problems, but what if the fix mentioned doesn't work? This is where my blog post comes in and tries to provide additional input, because I will explain the topic in "non-UAG" terms.

Are you able to browse to \\servername\ but, when you go to "My Computer" >> "Network", nothing shows up?

TROUBLESHOOTING

First and foremost, let's rule out any firewall, network or environmental issues. Take a Windows XP laptop and assign it a static IP address that's the same as UAG's internal IP. You should add the default gateway or copy UAG's static routes. Pull out the network cable that is plugged into the LAN adapter of the UAG server and plug it right into your laptop. Fight off anyone who tells you to use a different cable etc.; we need a 99.9% identical test with the only exception being the UAG server. Try to browse to My Network Places; if it fails, then there is certainly something on the network. Apply the unofficial 15-minute IT waiting rule after plugging in the cable if you'd like.

Next

If the Windows XP laptop is able to browse to Network Places, then the problem most likely exists on the UAG server. Between TMG, corporate hardening, appliance hardening, group policies and so forth, there are many things that could be the root of the problem.

I will be discussing the "Computer Browser" service. This service is one of those considered required for File Access. However, on more than one occasion, I've published File Access successfully without this service running. With that said, let's troubleshoot how to start this service and keep it running. You can start it by going to the Services MMC >> "Computer Browser" >> click "run". But what happens if the service stops running after 3 to 60 seconds?

Go to "Network and Sharing Center" >> "Change Advanced Sharing Settings" >> under "Public (current profile)" >> enable "Turn on file and print sharing". Believe it or not, this option controls whether the Computer Browser service can stay running.

 

Consider applying the 15-minute waiting rule if this doesn't work right away.

I hope after reading my blog you can successfully enumerate the domains and start publishing your shares!

Dennis Lee
Celestix Networks


UAG Update 2 Installation

Microsoft has recently released UAG Update 2, and Celestix Networks is currently finishing up quality assurance testing to make sure all the basic deployment scenarios work fine. We also test a lot of the fixes that Microsoft includes in the update. With that said, Celestix customers should be on the lookout for the update release on our website http://celestix.com or through the update mechanism built into the appliance.

The purpose of this post is to share my experience deploying UAG Update 2, pointing out all the cool things and a small problem I encountered.

    – UAG Update 2 did not replace my login.asp.
    – UAG Update 2 did not ask me to reboot the server on one occasion.
    – UAG Update 2 provides Windows 7 64-bit support.
    – UAG Update 2 adds some fixes and additional endpoint detection products.

UAG UPDATE 2 Patch Installation

First, you can download the Update 2 from the following website:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9dcccebc-accb-4229-901a-792cc66791de

*Quick Tip* Regardless of whether you are using a Celestix UAG appliance or not, you should take a "snapshot" of your current UAG server state. If you have a white-box deployment, then I suggest that you take your UAG backup file and SSL certificate and put them somewhere for safekeeping. With virtualization, you can just take an image snapshot.

Make sure you run the installation as the administrator. Once the install is complete, reboot if you need to, but the first thing you should do before making any UAG changes is to activate UAG and create a backup. Remember, once you're using UAG Update 2, you cannot restore UAG using the old Update 1 backup files.


As a security tip, you should never download patches from unknown sources.

Screen 1 – after running the .MSP
Screen 2 – after the installation is complete

Generally, I like to check the Event Viewer to see what happened with the installation. There was an issue with Update 1, however: when the installation fails, the Event Viewer shows that the Update 1 installation has failed.

TROUBLESHOOTING:

If, after you have rebooted your appliance, you get the following error:

Failed to connect to TMG storage [800706D9]. An unrecoverable error has occured. The application will close.

  • Either you didn't wait long enough for the TMG and UAG services to start,
  • or your services are stuck in a service-starting loop.

*Quick Tip* You do not necessarily need to have installed any patches to get this error. This may happen any time you restart your UAG server, or maybe even the first time you run the UAG Administrator Console. This blog post will help you solve this error.

Let's assume you went to lunch for an hour after you rebooted the appliance and came back. Then obviously you waited long enough, so something must be wrong.
The first thing you should do is open the Services MMC and look for which services related to UAG and TMG aren't running. The screenshots below show some problems, because services that should have started automatically, like UAG Storage and TMG Firewall, aren't running.

1. This image shows that many of the required TMG and UAG services are not running.

2. This image shows the almighty TMG Firewall service not running.

3. This image is one of the most IMPORTANT images, believe it or not. The Network Connections service is required to run in order for all the UAG and TMG services to start properly. If after 15 minutes (depending on how fast your server is) this service isn't running, and neither are your UAG and TMG services, start this service first, then manually start the UAG and TMG services.

Done! You should now be able to open the UAG Administrator Console successfully and perform your first backup and activation.
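A script version of the two service checks from these posts, added here as an example and not code from the original blog: the Computer Browser service that stops again within 3 to 60 seconds (from the File Access post above) and the rule in this post that Network Connections must be running before the UAG and TMG services are started. It assumes the UAG and TMG services all have display names beginning "Microsoft Forefront", and that the file and print sharing toggle corresponds to the "File and Printer Sharing" firewall rule group.

```powershell
# Added example (not from the original posts). Start a service, wait out a grace
# period and report whether it is still running, so a service that comes up and
# dies again is told apart from one that never started.
# Assumption: UAG and TMG services all have display names starting "Microsoft Forefront".
function Start-AndWatch {
    param([string]$Name, [int]$GraceSeconds = 60)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    if ($svc.Status -ne 'Running') { Start-Service -Name $Name }
    # Re-read the status after the grace period; the File Access post describes
    # Computer Browser stopping again 3 to 60 seconds after a successful start.
    Start-Sleep -Seconds $GraceSeconds
    $svc.Refresh()
    return ($svc.Status -eq 'Running')
}

# Case 1: Computer Browser (service name "Browser"). If it does not stay up, the
# file and print sharing setting from the File Access post is the next thing to check.
if (-not (Start-AndWatch -Name 'Browser')) {
    Write-Host 'Computer Browser stopped again: enable "Turn on file and print sharing".'
    # Command-line form of that toggle (assumed to map to this firewall rule group):
    #   netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
}

# Case 2: Network Connections (service name "netman") first, then every Forefront
# service that is set to start automatically but is not running.
if (Start-AndWatch -Name 'netman' -GraceSeconds 15) {
    $query = "DisplayName LIKE 'Microsoft Forefront%' AND StartMode='Auto' AND State<>'Running'"
    Get-WmiObject -Class Win32_Service -Filter $query | ForEach-Object {
        Write-Host "Starting $($_.DisplayName)"
        Start-Service -Name $_.Name
    }
} else {
    Write-Host 'Network Connections is not running; fix that before starting UAG and TMG.'
}
```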

Good luck!
Dennis Lee
Celestix Networks


Client side UAG endpoint detection error

Greetings!

I recently had a customer report that after updating to IAG Service Pack 2 Update 3 they started receiving the following error:

ForeFront UAG endpoint components could not run on this computer, since the script signature could not be verified. Your user experience while using the site may vary, depending on your organization’s security policy.

While deep diving and trying to replicate the issue, I noticed a few things. The error occurred on my test box with the same exact setup but with Update 2. While looking for the source of the issue, I noted that the only customization done on the IAG configuration was a pair of customized endpoint detection scripts: one designed to check for IE7+, and one using WMI to check for running Peer-2-Peer software.

How could this be??? We suspected Update 3 was the problem, yet Update 2 still gave me the same error. That told me two things: the problem was either the script or the endpoint components that were installed on my test client. My test client actually had the components previously pushed by a Unified Access Gateway site that I had visited earlier in the week. These components are completely backwards compatible with IAG's endpoint components. I then uninstalled the UAG endpoint components, got the old ones pushed by my IAG SP2 U2 appliance, and the error went away.

By process of elimination on my customer's two customized endpoint scripts, I discovered that after removing PSPSoftwareDetection.vbs and the related Detect.inc entry, the error also went away. That told me that something was wrong with this script, because the latest EP components were triggering the error. I then renamed PSPSoftwareDetection.vbs to PSPSoftwareDetect.vbs, updated the Detect.inc entry, activated my IAG SP2 U3 configuration, and everything was working!

Summary:
This error may occur if you've developed a customized endpoint detection policy. The fix is to rename any files whose names end with Detection.vbs to something else, and to change any corresponding entries that point to the old name.

This error can occur if your customer received endpoint components from another organization, even if you did not update to IAG SP2 U2. UAG customers should also avoid naming any customized endpoint detection scripts *Detection.vbs.
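The rename described in the summary, as an added example that is not part of the original post: every custom script whose name ends in Detection.vbs is renamed to end in Detect.vbs (as was done for PSPSoftwareDetection.vbs), and the matching entries in Detect.inc are updated. The folder path is a placeholder, since the post does not give the location of the customized scripts.

```powershell
# Added example (not from the original post): rename *Detection.vbs custom endpoint
# scripts to *Detect.vbs and update the corresponding entries in Detect.inc.
# The folder below is a PLACEHOLDER; point it at your own customized scripts.
$scriptDir = 'C:\PLACEHOLDER\CustomEndpointScripts'
$detectInc = Join-Path $scriptDir 'Detect.inc'

$renames = @{}
foreach ($file in Get-ChildItem -Path $scriptDir -Filter '*Detection.vbs') {
    $newName = $file.Name -replace 'Detection\.vbs$', 'Detect.vbs'
    if (Test-Path (Join-Path $scriptDir $newName)) {
        Write-Host "Skipping $($file.Name): $newName already exists."
        continue
    }
    Rename-Item -Path $file.FullName -NewName $newName
    $renames[$file.Name] = $newName
    Write-Host "Renamed $($file.Name) -> $newName"
}

# Every entry in Detect.inc must follow the rename, otherwise the appliance will
# look for a script that no longer exists. Keep a backup of the original file.
if ($renames.Count -gt 0 -and (Test-Path $detectInc)) {
    $backup = $detectInc + '.bak'
    Copy-Item -Path $detectInc -Destination $backup
    $text = [System.IO.File]::ReadAllText($detectInc)
    foreach ($old in $renames.Keys) {
        $text = $text.Replace($old, $renames[$old])
    }
    [System.IO.File]::WriteAllText($detectInc, $text)
    Write-Host "Updated references in $detectInc (backup at $backup). Activate the configuration."
}
```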

Regards,

Dennis Lee
Security Consultant
Celestix Network


Welcome to my Blog!

Welcome to my blog, titled "Dennis Lee's Microsoft Forefront" blog. I chose this title because my passion for Microsoft security products includes server-side technologies such as FOBE (Exchange), FSC (SharePoint), server products like FIM (Identity), TMG (Firewall, Gateway security), UAG (Remote Access) and even Forefront Client Security for home users.

I am probably better known for my work with UAG and TMG because the company I work for, Celestix Networks, Inc., specializes in building the best security appliances for these two products. My job at Celestix is to work with our customers to ensure they are making the right decisions when choosing our products and to help them from start to end with the deployment process.

The purpose of the blog is to share my story with everyone.  And with my stories, I hope you can build the best and most secure network out there using Microsoft Forefront Security and related Microsoft Server products.

As my first post in my blog, let me first thank all my colleagues at Celestix, our great partners and resellers, the people at Microsoft, my family and friends and most of all our Microsoft Forefront customers!
