June 2011 - Posts

Forefront Endpoint Protection 2010 Update Rollup 1
29 June 11 10:04 AM | forefrontsecurity | with no comments

The Forefront Endpoint Protection Team has announced Update Rollup 1 for FEP 2010. What’s new in this release:

  1. Support for Windows Embedded 7 platforms: With this update, the FEP client software is supported on certain Windows Embedded 7 platforms and Windows Server 2008 Server Core. For more information about the additional support, see Prerequisites for Deploying Forefront Endpoint Protection on a Client Computer.
  2. Signature Update Automation Tool used with Configuration Manager Software Update: This tool automates downloading FEP definition updates using Configuration Manager 2007 Software Updates. This is a command line tool that uses Configuration Manager APIs to get new definitions from Microsoft Update via the Configuration Manager software update feature, distribute the content to distribution points, and deploy the updates to Endpoint Protection clients on a recurring schedule. The automation of the tool is done through the Windows task scheduler. To download the tool, see http://go.microsoft.com/fwlink/?LinkID=221205
  3. Two new preconfigured policy templates for the following server workloads:
    1. Microsoft Forefront Threat Management Gateway
    2. Microsoft Lync 2010

You can find more details in the “What’s New” document on the TechNet site. Please check out this KB article for the full list of fixes included in this Update Rollup.

Thanks to the FEP Team. You can find this announcement here: http://blogs.technet.com/b/clientsecurity/archive/2011/06/28/forefront-endpoint-protection-2010-update-rollup-1.aspx

Published by Olivier DETILLEUX

Want to display a disclaimer when accessing your UAG Portal Home Page ?
15 June 11 05:08 PM | forefrontsecurity | with no comments

This is a request from one of my customers: can I show a popup containing a disclaimer after authentication on the UAG Portal? The answer is yes, of course, because you can do whatever you want with UAG. Here is how I solved this request.

My idea is to show the popup when the portal home page is accessed. To add content to the portal home page, you need to customize the standard.master file.

  • Create a dedicated HTML page (for example disclaimer.html) in the von\PortalHomePage\CustomUpdate directory. This file contains the text of your disclaimer, for example “The information contained in this Portal is the property of …”. You can also add an “OK” button or other features.

  • Copy the standard.master file from the von\PortalHomePage directory to the von\PortalHomePage\CustomUpdate directory.
  • At the end of the file, in the ResizeContent() function, add the following line:

window.open('CustomUpdate/disclaimer.html', 'disclaimer');

Don’t forget to add a specific URL Set rule for your disclaimer.html page:

The regular expression looks like this, depending on your URL:

/(secure)?[^/]+portalhomepage/(customupdate/)?(disclaimer\.html)
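As an added example that is not part of the original post, the rule above can be checked against a few constructed request paths to confirm it admits only the disclaimer page and nothing beside it. The “contoso” trunk name, the sample paths and the assumption that UAG compares rules case-insensitively against the whole path are mine, not the post’s.

```javascript
// Added example (not part of the original post): evaluate the URL Set rule from
// the post against constructed request paths. How UAG anchors and case-folds
// rules is an assumption here; "contoso" is a made-up trunk name.
const POST_RULE = '/(secure)?[^/]+portalhomepage/(customupdate/)?(disclaimer\\.html)';

// A deliberately loose variant (dot unescaped, no anchoring) to show what a
// sloppier rule would additionally admit.
const LOOSE_RULE = '/(secure)?[^/]+portalhomepage/(customupdate/)?disclaimer.html';

// Assumption: UAG compares rules case-insensitively against the whole path.
function makeMatcher(rule, anchored) {
  const source = anchored ? '^' + rule + '$' : rule;
  const re = new RegExp(source, 'i');
  return (path) => re.test(path);
}

// Constructed sample request paths.
const SAMPLE_PATHS = [
  '/securecontosoPortalHomePage/CustomUpdate/disclaimer.html',     // intended (HTTPS trunk)
  '/contosoPortalHomePage/disclaimer.html',                        // intended (no CustomUpdate)
  '/securecontosoPortalHomePage/CustomUpdate/disclaimerXhtml',     // only an unescaped dot admits this
  '/securecontosoPortalHomePage/CustomUpdate/disclaimer.html.bak', // only an unanchored rule admits this
  '/securecontosoPortalHomePage/CustomUpdate/other.html',          // unrelated page
];

// Return the subset of paths a rule admits.
function allowedPaths(rule, anchored, paths) {
  const allowed = makeMatcher(rule, anchored);
  return paths.filter(allowed);
}

function postRuleAllows(paths) { return allowedPaths(POST_RULE, true, paths); }
function looseRuleAllows(paths) { return allowedPaths(LOOSE_RULE, false, paths); }

console.log('post rule admits:', postRuleAllows(SAMPLE_PATHS));   // the two intended paths
console.log('loose rule admits:', looseRuleAllows(SAMPLE_PATHS)); // four paths, incl. the two traps
```

If UAG in your environment matches rules differently, adjust makeMatcher() accordingly; the point is to test the rule against both the legitimate paths and the near-misses before publishing it.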

Published by Olivier DETILLEUX

UAG and ADFS v2.0: Transparent authentication inside and outside of your corporate network
15 June 11 02:08 PM | forefrontsecurity | with no comments

My colleague Hicham has already written about implementing transparent logon to the UAG portal using ADFS v2.0 and UAG SP1. Have a look here: http://myitforum.com/cs2/blogs/forefrontsecurity/archive/2011/01/07/uag-sp1-transparent-logon-with-adfs-v2.aspx

This scenario works well when you are inside the intranet. But what happens when you are outside your corporate network? Does this transparent authentication still work? And what happens if I try to connect from a non-corporate computer (a home workstation, for example)?

By design, it does not work. You can only get transparent logon from inside your corporate network, when you are using a corporate workstation. To do that, you have to add the URL of your ADFS logon page to the Local intranet security zone.

When you are outside with your workstation, you run into this issue: nothing happens, just a blank page. If you take a trace with HttpWatch, you can see the 401, but no response from the web browser.

The way to solve this problem is to change the order of the authentication providers on the LS site of the ADFS server:

To summarize:

  • Add your ADFS URL to the Local intranet zone
  • Change the order of the providers so that NTLM is the first provider

You can now authenticate transparently inside and outside your network with a corporate workstation. When logging on from a non-corporate workstation, you will be prompted to authenticate.

Published by Olivier DETILLEUX
