14 December 2009

$1000 off a Microsoft Forefront Appliance Upgrade!

The Christmas present that lasts until Valentine’s Day: $1000 off a Microsoft Forefront Appliance Upgrade!

Need to replace your ISA, IAG or Whale appliance?

Act now to reserve your $1000 voucher redeemable on 4000, 7000 or 9000 series… ISA and IAG appliances … or …TMG and UAG appliances when released.

Register for your voucher here:

8 December 2009

Forefront appliances now available on HP G6 platform

Winfrasoft are pleased to announce the available of the 7000 and 9000 series of ISA and IAG Appliances on Hewlett-Packard (HP) G6 servers. The HP G6 range now supports up to 144Gb RAM with 18 memory modules and 15k RPM SAS drives as standard.

A 1st for the NHS - Using CfH Smartcards for Remote Access

Winfrasoft have successfully deployed their Smartcard Access Services (SAS) for IAG solution with BEHHIS NHS Trust. The solution allows NHS Trusts to utilise the existing Connecting for Health (CfH) smartcard as a 2 factor token for Internet based remote access purposes into the trusts network. This is a 1st for the NHS to utilise the cards in this way as the deployment does not involve deploying PKI or certificates.

The NHS are able to make substantial time and money saving on this solution as SAS utilises the certificate that is already on the smartcard. Furthermore, the built in self-provisioning features enable a user to automatically link their smartcard with their Active Directory user account, giving them single sign-on to Trust based applications using the smartcard.

To quote Perry Meyer, Senior Project Manager for BEHHIS, “I’m pleased to announce we have successfully installed and tested the Remote Access CfH smartcard solution today”…“Many thanks to the Winfrasoft team; Darren and Satbir as well as Thomas and Neil from network support who all participated in this successful deployment.”

Smartcard Access Services (SAS) for IAG is part of Winfrasoft’s Health Access System which incorporates various customisations for the NHS.

4 November 2009

VPN-Q 2009 SP1 Update 1 now available

SP1 Update 1 includes a rollup of minor updates to the VPN-Q client based on customer feedback. This update includes:

  • Improved Anti-Virus detection algorithm to improve detection of some AV vendors, e.g. Symantec.
  • Correct issue where the 2nd Wednesday of a month is before the 2nd Tuesday of the month. In this case 3rd Wednesday is chosen.
  • Correct issue detecting secure screen saver settings when the local user account has a blank password.

29 October 2009

Winfrasoft IAG Appliances on Hyper-V and VMware

Winfrasoft are pleased to announce the immediate availability of IAG 2007 based appliances on both Microsoft Hyper-V and VMware virtualisation platforms. The new virtual appliances are built on the same solution orientated foundation as the physical Winfrasoft appliances - this includes many features not found in Microsoft’s own vanilla Hyper-V only offering.

Separating IAG from traditional hardware appliances allows IAG to leverage failover and redundancy technology offered by the virtualisation platforms, such as Live Migration and VMotion. It also helps with the green credentials by fitting in with server consolidation plans.

Winfrasoft currently produce physical IAG and ISA server appliances based on HP hardware, with Dell and Fujitsu coming shortly. Extending the platform line-up by adding Hyper-V and VMware gives IT administrators greater choice and flexibility when looking for a deployment vehicle.

4 September 2009

Security Advisory Notification on X-Forwarded-For for ISA Server

Severity: High

Problem: A security vulnerability has been discovered in Winfrasoft Winfrasoft X-Forwarded-For for ISA Server which could result in a denial of service. A successful delivery of the attack could leave the ISA Server Firewall service in a stopped state preventing ISA Server from serving traffic. No nauthorised access is gained or compromised.

Affected versions:
All versions of Winfrasoft X-Forwarded-For for ISA Server up to and including 2.0.4. This also includes prior version 1.x builds.

The risk of attack is greatest where ISA Server is being used as a reverse proxy as inbound access from the Internet is allowed. If ISA Server is being used as a forward proxy server then the attack could only be launched from the internal network which poses a much lower risk. The only method of mitigating the issue without upgrading to the new version is to disable or ninstall X-Forwarded-For for ISA Server.

An updated version of Winfrasoft X-Forwarded-For for ISA Server has released which corrects the issue. The security fix is included in all builds from, and including version 2.0.6.

More information:
Winfrasoft was privately notified about the issue, and under "responsible disclosure guidelines" we shall not be detailing exact attack methodology. The attack has been publically exploited in the wild although it is not known if this was specifically an attack targeted against Winfrasoft X-Forwarded-For for ISA Server.

1 September 2009

IAG SP2 update 2 notice

A quick warning about IAG SP2 Update 2 which may impact some customer deployments.

This update installs a NEW version of login.asp which provides support for Windows 7 and IE8. However, if you have existing customised versions of login.asp from pre-update 2 then these pages will no longer function once update 2 is installed. After installing SP2 Update 2 you will need to create a new customised version of login.asp using the update 2 version as a template.

You may have a customised version of login.asp if you are using a 2 factor authenticaiton solution with IAG.

20 August 2009

IAG SP2 update 2 now available

Microsoft have released update 2 for IAG 2007 SP2. You will need to have at least IAG SP2 installed to make us of this update - which all Winfrasoft appliances already have!

Please check the Winfrasoft KB for the latest information and download details: http://www.winfrasoft.com/kb-31.htm

This update includes many significant fixes for existing and new IAG customers. The major fixes/features in this update are:

  • For trunks which do not publish an AAM application, the IAG Session cookie will be a site cookie instead of a domain cookie.
  • Fixed erroneous IAG behavior when headers contain blank characters.
  • Fixed bug for supporting Citrix XenApp5 application.
  • Fixed parsing of text/html response Content-type (not binary) body using Chunked encoding type.
  • Fixed a failure occurring when using IAG’s Socket Forwarding client component on a Citrix terminal Server, when the browser accesses a web site for the 2nd time.
  • Fixed a IAG server fault in WhlCppInfra.dll.
  • Fixed a SharePoint Persistent Cookie Name Race Condtion.
  • Fixed an Authorization Key Header memory Corruption while using an "Authorization Key" header.
  • Fixed a failure in the endpoint detection policy of AVG on the client computer (mistyped value in the detection policy expression).
  • Fixed an Incorrect header removal when header is substring of another header.
  • Fixed Day Light Saving change Deletes Internalsite rules and Portal rules and some parameters from these rules.
  • The communication between Windows Mobile 6.1 and Exchange 2007 SP1 has changed slightly due to the updating of the EAS protocol to EAS v12.1 – added support/fix for it.
  • Enabling above 2KB http header request by modifying the following registry key (MaxAllHeadersLen), to prevent SNT from throwing the following error to the client: "Allow http header block of a request to exceed 2KB and avoid SNT throwing an error".
  • Fixed non English locals inconsistent encoding/decoding detection.
  • Fixed a few issues related to FormLogin.
  • Modified the rule-set that broke Java SSL Wrapper.
  • Added support to recognize iPhone as "macintosh". iPhone now belongs to “Other OS”. To allow iPhone access, policy should be configured accordingly.
  • Fixed non-IE security issues detection.

12 July 2009

IAG to UAG Migration tool - you will need IAG SP2

The upcoming IAG to UAG Migration Tool from Microsoft enables customers to migrate their existing IAG SP2 deployments to UAG easily and in a predictable manner. The migration tool automates almost every aspect of IAG/UAG configuration migration. As a result, the time, cost, and risks associated with migrating to UAG are greatly reduced.

The IAG to UAG Migration tool supports configuration migration from IAG 3.7 SP2 only. Customers with IAG 3.7 and IAG 3.7 SP1 systems wishing to migrate to UAG will need to perform first configuration migration to IAG SP2 (using export-import functionality). There is no migration path to UAG from IAG 3.6 or earlier releases. Backward migration (UAG to IAG SP2) will not be supported as well.

The IAG to UAG Migration Tool consists of the following major components:

  • Migration Analyzer – evaluates the complexity of the migration project, produces the list of potential issues.
  • Data Converter – performs IAG SP2 configuration conversion.
  • Configuration Import – applies converted IAG SP2 data into UAG configuration.

Note: Unlike other vendors, all Winfrasoft IAG appliances ship with SP2 installed making for the easiest migration to UAG possible.

Winfrasoft launches new ISA and IAG Appliance Range

The Winfrasoft Appliances Series is SOLUTION focused, not hardware focused. With our background of an ISV (Microsoft Gold Certified) we are uniquely positioned to deliver appliances that solve real world problems by working with best of breed partners like HP, Microsoft, Websense and others.

New to the range is the entry level 3000 Series appliance built on an HP DL120 server. The 3000 Series is available with both ISA Server and IAG. This appliance is designed to be the best value for money on the providing superiour hardware quality and spec, a high value software stack and the lowest retail price on the market.

The 4000, 7000 and 9000 have had a software refresh and bring new features are standard, inclusing VPN-Q 2009 and X-Forwarded-For.

VPN-Q 2009 Service Pack 1 now available

Service Pack 1 includes various fixes and new features based on customer
feedback. In order to benefit from all the new features in SP1 the server
installation must be upgraded and a new client setup package must be created and

Service Pack 1 Fixes / Updates

  • Correct issues controlling the "Winfrasoft VPN-Q 2009 Management
    Service" from VPN-Q 2009 Server Manager.
  • Windows Vista SP2 correctly detected.

Service Pack 1 Enhancements

  • Full Windows 7 Support including policy control.
  • Updated Anti-Virus and Personal Firewall detection algorithm to improve
    detection on Vista SP1 and higher.
  • Updated OS detection algorithm to better cater for future Windows
    Service Pack releases.
  • Built in demonstration mode.
  • OEM / Appliance ready.
  • French language support added to VPN client.

14 June 2009

New KB: VPN-Q does not detect Windows Vista with Service Pack 2

Problem: When running the VPN-Q 2006 or 2009 Client on Windows Vista with Service Pack 2 installed you receive one of the following errors:

Fail - VPN-Q 2006 Client requires Windows XP SP2 (i386), Windows XP (x64) or Windows Vista but detected Microsoft Windows Vista {your edition} 6.0.6002.

Fail - Winfrasoft VPN-Q 2009 requires Windows XP SP2 (i386), Windows XP (x64) or Windows Vista but detected Microsoft Windows {your edition} 6.0.6002.

The full KB article is available here: http://www.winfrasoft.com/kb-30.htm