KB: ForeFront UAG returns “An unknown error occurred while processing the certificate” error when the backend application server SSL certificate fails CRL check

UAG will validate the backend application server’s SSL certificate, and the error may occur with a self-signed certificate used for testing purposes.

Solution:
1) Use a certificate which can pass CRL validation
2) Disable the CRL check by changing the following registry key on the UAG server: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL
Change “ValidateRwsCertCRL” from 1 to 0
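The following PowerShell script is an added example (not part of the original post or of the UAG product) that helps decide between the two options: it first rebuilds the backend server’s certificate chain with online CRL checking, the way UAG’s validation would, so you can see whether the certificate would pass; then it reads the ValidateRwsCertCRL value from the registry path above and, only when the -DisableCrlCheck switch is given, sets it to 0. The certificate file path is an assumption (export the backend server certificate to a .cer file first); the registry path and value name are the ones from the post, and the script must run elevated on the UAG server for the registry part.

```powershell
# Added example, not from the original post.
# 1) Reproduce the CRL check UAG performs on the backend server certificate.
# 2) Read (and optionally change) the UAG registry value that controls that check.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath,          # assumption: .cer exported from the backend server
    [switch]$DisableCrlCheck    # only changes the registry when this switch is given
)

# --- 1) Chain build with online revocation checking (what a CRL check needs) ---
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

$chainOk = $chain.Build($cert)
Write-Host ("Subject  : {0}" -f $cert.Subject)
Write-Host ("Issuer   : {0}" -f $cert.Issuer)
Write-Host ("Chain OK : {0}" -f $chainOk)
foreach ($status in $chain.ChainStatus) {
    # A self-signed test certificate typically reports UntrustedRoot together with
    # RevocationStatusUnknown / OfflineRevocation, because it carries no CRL
    # distribution point for the chain engine to fetch.
    Write-Host ("  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
}
if ($chainOk) {
    Write-Host "Certificate passes CRL validation; option 1 applies and no registry change is needed."
}

# --- 2) Inspect (and optionally change) the UAG setting named in the post ---
$regKey  = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL'
$regName = 'ValidateRwsCertCRL'
$current = (Get-ItemProperty -Path $regKey -Name $regName -ErrorAction Stop).$regName
Write-Host ("{0} = {1}   (1 = CRL check enabled, 0 = disabled)" -f $regName, $current)

if ($DisableCrlCheck -and $current -ne 0) {
    # Record the previous value so the check can be re-enabled once the backend
    # server has a certificate that passes CRL validation.
    Write-Host ("Previous value of {0} was {1}; setting it to 0." -f $regName, $current)
    Set-ItemProperty -Path $regKey -Name $regName -Value 0 -Type DWord
}
```

Run it once without the switch to see both the chain result and the current registry value; if the chain builds cleanly, keep the CRL check enabled. Disabling the check (option 2) removes revocation checking for backend server certificates on the UAG host, so treat it as a test-environment setting and restore the value to 1 afterwards.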

What can you do with the TMG that is installed with UAG?

ForeFront TMG is installed together with UAG to support certain UAG functionalities, but it’s not intended to be used as a full TMG product. It is good to know which usages of the TMG running on UAG are supported.

From: http://technet.microsoft.com/en-us/library/ee522953.aspx 

Forefront TMG running on Forefront UAG

By default, Forefront Threat Management Gateway (TMG) is installed during Forefront Unified Access Gateway (UAG) Setup. Forefront TMG is installed as a complete product, and is not modified to run on a Forefront UAG server.

Forefront UAG uses Forefront TMG, as follows:

  • Forefront TMG acts as a firewall, protecting the Forefront UAG server.
  • Forefront UAG uses Forefront TMG infrastructure and functionality in some deployment and monitoring scenarios.

Although you can configure Forefront TMG running on Forefront UAG using the Forefront TMG Management console, Forefront TMG is intended for use of the Forefront UAG infrastructure only. Specifically, the following is not supported:

  • Forefront TMG is installed automatically during Forefront UAG Setup, and removed automatically if Forefront UAG is uninstalled. Installing and uninstalling only Forefront TMG is not supported.
  • Forefront TMG as a forward proxy for outbound Internet access.
  • Forefront TMG application publishing, except for the publishing scenarios listed in the Supported Forefront TMG configurations section that follows.
  • Forefront TMG as a site-to-site VPN.
  • Forefront TMG as an intrusion protection system.
  • Forefront TMG as a network perimeter firewall. Forefront TMG running on Forefront UAG is only intended to protect the Forefront UAG local host server.
  • Publishing Forefront TMG via Forefront UAG.
  • Any other scenarios not specifically listed in the Supported Forefront TMG configurations section below.

Supported Forefront TMG configurations

You can use Forefront TMG running on the Forefront UAG server, as follows:

  • Creating access rules using the Forefront TMG Management console, for the purpose of limiting users, groups, and networks for granular access when deploying Forefront UAG for VPN remote network access.
  • Monitoring with the Forefront TMG Management console.
  • Limiting users, groups, sources and destinations on Forefront TMG system policy rules, with the purpose of enabling access to corporate servers and remote management to and from the Forefront UAG local host server.
  • You can publish the following applications via Forefront TMG:
    • Exchange SMTP/SMTPS
    • Exchange POP3/POP3S
    • Exchange IMAP/IMAPS
    • Office Communications Server (OCS)—Only Communicator Web Access should be published using Forefront UAG. Other OCS features should be published using the Forefront TMG console running on the Forefront UAG server.