How to enable RDP access to Microsoft UAG 2010

Some time ago we found that the Microsoft UAG installation in our lab does not allow RDP access. The server itself was fine and the RDP service inside worked as expected – it was clearly visible on the VM console, – but the RDP connections were silently ignored. It looked strange and we spent the significant amount of time looking for the reason of this behavior over the internet, until we realized that the UAG server does allow us to connect via RDP from one of the remote computers – the one it was installed from. This gave us a clue on what’s going on and finally led us to the right direction.

The solution is simple and well-documented – but only if you know what to look for, as usual. It appears that Microsoft TMG (the product that Microsoft UAG is based on) allows remote access from predefined set of computers only. In order be allowed to open RDP to UAG server, the computer should be added to the list of Forefront TMG Remote Management Computers. The detailed instructions can be found at the bottom of this TechNet article, and I’ll quote the relevant part here also for future reference:

«Open the Forefront TMG Management console from the Start menu. In the console tree, click the Firewall Policy node. On the Toolbox tab, click Network Objects. Click Add, and then click Computer. Specify the details of the computer from which you will remotely manage Forefront UAG. … After adding the computer to the set, activate the changes in the Forefront TMG Management console.»

How to upgrade Microsoft UAG 2010 SP1 to SP2

How do you upgrade from UAG 2010 SP1 to UAG 2010 SP2? Well, it appears that such upgrade is not as trivial as expected.

First, Microsoft UAG is based on another Microsoft product – Microsoft TMG, – which has to be upgraded separately. Besides that, there is no direct upgrade package for the UAG itself. Thus, the correct upgrade path would be as follows: UAG SP1 => UAG SP1 Update 1 => TMG SP2 => UAG SP2. Of course, the whole process is documented in TechNet – but you have to be aware about this upgrade path first…

There is another caveat in this upgrade. In case you have some UAG trunks configured (and I assume you have some, since what do you need UAG for otherwise?), you have to active UAG configuration after each step in the upgrade process, otherwise you’ll end up without configured trunks – they will disappear silently during the process. Thanks to TechNet forums for solving this one for me!