Jaa


Unable to Configure “File Access” Feature on Forefront Unified Access Gateway Server

 

 

Introduction

I am sure most of us will be aware of the “File Access” Functionality which can be configured through UAG. I find it a very cool feature as you can provide access of specific Servers/Shares to the Users connecting through Forefront UAG.

Scenario

The issue that I am going to discuss here is a typical one. We were trying to configure the “File Access” Option on UAG as shown below:

image

 

 

And after clicking on the “File Access” option shown above we were asked to provide Credentials. We provided Domain Credentials and then we got an Error as shown in the snippet below:

image

 

 

So, we checked the Basic stuff on UAG to make sure we have all the Pre-requisites are in place which are required to make “File Access” work, as per the Article below:

 

https://technet.microsoft.com/en-us/library/dd897168.aspx

 

Following points are most Important and can not be missed:

 

  1. Set a local security policy for a mixed-mode domain. For instructions, see To set a local security policy for a mixed-mode domain.

  2. On the Forefront UAG server, set the startup type for the following Windows services to automatic:

    • Computer Browser (optional, for performance enhancement).
    • Distributed Transaction Coordinator.
    • Workstation.
  3. Install Client for Microsoft Networks. For instructions, see To install Client for Microsoft Networks. You might be required to provide the operating system installation disk while completing this task.

  4. Join the domain. For instructions, see How to join your computer to a domain.

 

 

But even after following all the steps mentioned in the above Article, we were still getting the same Error and we were not able to Browse neither the Domain, nor any Machines there.

 

That's where I started looking into it from a different angle. We went to the Domain Controller and looked at the Event Viewer there. And to our Surprise we saw the following Events there:

image

 

 

 

image

Now after looking at the above Events we got some Direction. The First Event(8021) showed a Machine as the Master Browser and when we checked about that machine we came to know that it was some MAC Client. Now that was strange. How can a MAC client be acting as a Master Browser in the Domain.

So, we followed the following Action Plan then:

1) Stop and disable the “Computer browser” on all the machines and except for the UAG . (if possible please stop and disable the computer browser service on as many machines in the domain if possible all the computers.

2) please make the following registry changes on the UAG

3) \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \Browser\Parameters

4) Unless the computer is configured as the preferred master browser, the value of the IsDomainMaster entry is always set to False or No . Make the value TRUE

5) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \Browser\Parameters >>> MaintainServerList set to Yes or Auto

6) Reboot the UAG server

And after following the above steps we could see the machines getting enumerated in the “File Access” Option on the UAG console.

 

Blog Written By

NITIN SINGH

SUPPORT ESCALATION ENGINEER, FOREFRONT EDGE SECURITY, MICROSOFT