I’ll start this by saying there is currently no fix for this issue! Microsoft are aware of it, so expect a KB (and possibly even a hotfix) to come out soon.

The reason for writing this post even though there is no fix is to hopefully stop anyone else experiencing this issue from re-installing UAG from scratch (like I did)!

Issue

When configuring UAG for DirectAccess NAP you need to specify the type of CA that will be issuing health certificates to the connecting clients. In most scenarios the NAP CA will be part of a larger internal certificate infrastructure, so when presented with the choice of either “Use root certificate” or “Use intermediate certificate” on the last page of the “UAG DirectAccess Server Configuration” screen it would make sense to select “intermediate” and choose the correct internal CA certificate.


The issue seems to be that if you select “Use intermediate certificate” and then save your configuration, the next time you come back to this screen to make any changes it becomes unresponsive. If you check in Task Manager, the process “configuration.exe” will be running at 50% CPU and will never complete.


Unfortunately there is no fix for this issue. The good news, however, is that even if you are issuing health certificates signed by an intermediate CA you can still select “Use root certificate” and UAG will correctly validate the connecting clients (although this could be a security risk depending on your CA hierarchy, since any certificate chaining to that root is then acceptable rather than only those from the intended intermediate).
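To see what the “Use root certificate” choice actually ends up trusting, here is an added PowerShell example (not part of the original post) that lists the NAP health certificates present on a machine and the CA chain each one builds, so you can confirm they really come from your intended intermediate. The CA name is an assumption; replace it with your own.

```powershell
# Added example, not from the original post. Run on a DirectAccess client (or
# the NAP CA) to list certificates carrying the NAP "System Health
# Authentication" EKU and show which CA issued each, plus the chain it builds
# up to the root. Useful for judging the risk of trusting the whole root.
$HealthEku      = '1.3.6.1.4.1.311.47.1.1'   # System Health Authentication EKU
$ExpectedIssuer = 'CN=Contoso NAP CA'        # ASSUMPTION: replace with your CA

$healthCerts = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    ($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $HealthEku
}

foreach ($cert in $healthCerts) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # hierarchy check only, works offline
    $chainOk = $chain.Build($cert)

    # Element 0 is the leaf; the final element is the root the chain ends at.
    $path = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '

    [pscustomobject]@{
        Thumbprint        = $cert.Thumbprint
        Issuer            = $cert.Issuer
        IssuedByExpected  = ($cert.Issuer -like "*$ExpectedIssuer*")
        ChainBuilds       = $chainOk
        ChainPath         = $path
        NotAfter          = $cert.NotAfter
    }
}
```

Any certificate reported with IssuedByExpected set to False but ChainBuilds set to True is exactly the kind of certificate the “Use root certificate” setting would accept even though it did not come from your NAP CA.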

Workaround

Hopefully you will have a valid configuration that you can roll back to from inside UAG using its excellent auto-backup configuration. To check what you have saved take a look under the “File, import” menu item:


If you do not have a valid save that you can roll back to then you need to wipe the UAG configuration and start from scratch. To do this use ConfigMgrUtil.exe (usually found here: c:\Program Files\Microsoft Forefront Unified Access Gateway\uitls\ConfigMgr\). With this tool you can export, import or clear down the current configuration; in this instance you need to run “ConfigMgrUtil.exe -del -” to remove the current running configuration (don’t forget that extra dash on the end).


Summary

Unfortunately either of these two workarounds could (or will, if you wiped everything) mean you lose any Trunks or additional configuration you have made to UAG. As I said, Microsoft apparently know about the issue, so hopefully we will soon see a hotfix for it.

In my mind this is a pretty serious issue, as I have lost all the configuration I had created for my Trunks etc. and will have to set everything up again from scratch. In my case I could not restore to a previous configuration because I was re-visiting my UAG deployment and had made lots of changes to other parts of UAG.

I’d like to say thanks to Yaniv Naor from the TechNet forums for his help with this earlier on yesterday; you can see the full thread here. I will update the post when details of a fix become available.

On the positive side, I now have DirectAccess working with full NAP support and remediation. It really is great to watch and very powerful.