Your computer does meet the security policy?

Well, this is not a police state, but if you don’t meet the policy, you’re in a bit of a pickle. Several users have reported issues when publishing Remote Desktop applications with UAG. This can happen when using one of the new Remote Desktop application templates:

[Screenshot: the Remote Desktop application templates in the UAG Add Application wizard]

For some customers, trying to launch these applications on the UAG portals shows the following message:

[Screenshot: the error dialog “Your computer does not meet the security policy requirements of this application”]

“Your computer does not meet the security policy requirements of this application” sounds a lot like you have configured the access policy on the UAG application incorrectly, but the truth of the matter is that this error is displayed by the Remote Desktop client (mstsc.exe), not by UAG, and it has nothing to do with the application or trunk access policy. In fact, this error is a very generic one, and can indicate several things that are completely unrelated to the policy, or to each other.

The primary cause of this error is that no certificate has been assigned to the Remote Desktop Gateway (RDG) that UAG uses. To perform this type of publishing, UAG installs and configures the RDG service on Windows Server 2008 R2, but that does not include assigning a certificate to it. The RDG terminates the client’s TLS connection, so without a certificate it cannot present a trustworthy identity to the Remote Desktop client, the client cannot connect to it, and the client shows this error, which in this case actually means “could not connect to the RDG server”.

Assuming you have already installed a certificate (with its private key) on your server for the trunk you are publishing, all you have to do is this:

1. From the Administrative tools on the UAG server, open Remote Desktop Gateway Manager

2. Right-click on your server’s name, and click Properties

3. Switch to the SSL Certificate tab.

4. Choose to import a certificate, and select the appropriate one.

5. You will be asked to restart the service – go ahead and do so.

[Screenshot: the SSL Certificate tab in Remote Desktop Gateway Manager server properties]

For the most part, this takes care of the problem. If you are running an array of servers, keep in mind that this needs to be done on every member of the array. Also, check the certificate chain and CRL carefully, to make sure that both the UAG server and the connecting client are able to trust the certificate: the issuing chain must be trusted on both sides, the CRL distribution point must be reachable from wherever the check is performed, and the certificate’s subject or SAN must match the name the clients use to reach the gateway. This is especially tricky if the certificate has been issued by an internal Certificate Authority. You may have to import the issuing CA’s root certificate into the UAG server’s Trusted Root Certification Authorities store, and perhaps do the same on the client.
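To check the chain and revocation status the way the RDG and the RDP client will evaluate them, the following PowerShell script, added here as an example and not part of the original post or of UAG itself, loads a certificate from the Local Machine Personal store by thumbprint, confirms it has a private key and the Server Authentication EKU, and builds the chain with online CRL checking. The thumbprint is a placeholder you replace with your own; everything else is standard .NET available on Windows Server 2008 R2 (PowerShell 2.0).

```powershell
# Added example (not from the original post): verify that a certificate in the
# local machine store builds a trusted chain and passes CRL checks, which is what
# the RD Gateway and the Remote Desktop client require. The thumbprint below is a
# hypothetical placeholder; pass your own with -Thumbprint.
param(
    [string]$Thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"
)

# Load the certificate from LocalMachine\My, the store RD Gateway Manager offers.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")
$cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
$store.Close()
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# RDG terminates TLS, so it needs the private key, not just the public certificate.
if (-not $cert.HasPrivateKey) { Write-Warning "Certificate has no private key; RDG cannot use it." }

# Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) must be present, or absent
# entirely (no EKU extension means any purpose).
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
if ($eku) {
    $serverAuth = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" }
    if (-not $serverAuth) { Write-Warning "Certificate lacks the Server Authentication EKU." }
}

# Build the chain with online revocation checking over the entire chain, so an
# unreachable CRL distribution point shows up here instead of at the client.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
$ok = $chain.Build($cert)

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Valid   : $($cert.NotBefore) to $($cert.NotAfter)"
"Chain OK: $ok"
foreach ($status in $chain.ChainStatus) {
    # Typical findings: UntrustedRoot (CA root missing from the Trusted Root store),
    # RevocationStatusUnknown or OfflineRevocation (CRL not reachable from this host).
    "  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
}
foreach ($element in $chain.ChainElements) {
    "  -> " + $element.Certificate.Subject
}
```

Run it on each UAG array member, and, for an internal CA, also on a representative client: a chain that builds on the server but fails with UntrustedRoot on the client is exactly the internal-CA case described above.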

The identical error, however, may also pop up if UAG is unable to contact the back-end server. Here are some scenarios that can cause this:

1. You configured the “pre-defined” template with a server name that doesn’t really exist

2. There’s some problem with DNS that prevents UAG from resolving its name

3. You forgot to open the appropriate port (3389) on a router or firewall that’s between UAG and the servers that it is supposed to publish.

4. If publishing the “user defined” template, you may have configured it with an incorrect IP address or subnet.

To check the above, try to connect to your back-end server manually from the UAG server by running mstsc.exe against the same name or address you entered in the template. If it cannot connect, then UAG will not be able to publish it either, so proceed with standard network troubleshooting (name resolution, routing, and port 3389 through any firewall in the path). If UAG is able to connect, check the application settings instead. For example, if you are publishing a subnet, it should be in this format:

[Screenshot: subnet address and mask as entered in the user-defined Remote Desktop template]
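The manual mstsc.exe test covers one server at a time. The following PowerShell script, added here as an example and not part of the original post or of UAG, automates the two checks behind it for a list of published hosts, run from the UAG server: name resolution exactly as the name appears in the template, and a TCP connection to port 3389 with a timeout, so a firewall that silently drops packets is reported rather than hanging. The host names and address in the list are placeholders for your own published servers.

```powershell
# Added example (not from the original post): from the UAG server, check that each
# published Remote Desktop host resolves in DNS and accepts a TCP connection on
# 3389, which the RD Gateway needs before it can proxy the session.
# The targets below are hypothetical placeholders; replace them with the names or
# addresses you entered in the UAG template.
$targets   = @("rds1.corp.example", "rds2.corp.example", "10.0.5.25")
$port      = 3389
$timeoutMs = 3000

foreach ($target in $targets) {
    # 1. Name resolution: UAG must resolve the name as typed in the template.
    #    Wrapping in @() keeps a single result as an array so [0] is an address,
    #    not the first character of a string.
    try {
        $addresses = @([System.Net.Dns]::GetHostAddresses($target) |
                       ForEach-Object { $_.IPAddressToString })
    } catch {
        "{0,-24} DNS FAIL  ({1})" -f $target, $_.Exception.Message
        continue
    }

    # 2. TCP reachability on the RDP port. BeginConnect plus WaitOne gives a
    #    bounded wait; a dropped SYN (firewall) surfaces as a timeout, a refused
    #    connection (no listener) returns quickly with Connected = $false.
    $client  = New-Object System.Net.Sockets.TcpClient
    $async   = $client.BeginConnect($target, $port, $null, $null)
    $reached = $async.AsyncWaitHandle.WaitOne($timeoutMs, $false)
    if ($reached -and $client.Connected) {
        $client.EndConnect($async)
        "{0,-24} {1,-15} TCP {2} OPEN" -f $target, $addresses[0], $port
    } elseif ($reached) {
        "{0,-24} {1,-15} TCP {2} REFUSED (host up, no RDP listener)" -f $target, $addresses[0], $port
    } else {
        "{0,-24} {1,-15} TCP {2} TIMEOUT after {3} ms (filtered or host down)" -f $target, $addresses[0], $port, $timeoutMs
    }
    $client.Close()
}
```

A DNS FAIL line points at scenario 1 or 2 above, a TIMEOUT at scenario 3, and an OPEN line for every host while the portal still fails means the problem is in the UAG application settings (for example the subnet format) or back on the RDG certificate.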