For some reason a lot of people use invalid certificates on the backend servers they publish through UAG.  They don’t want to spend the money or time on a certificate, the server is only for testing, work on UAG has to continue while a valid certificate is on order, or whatever the reason is.  It’s as simple as this: if the backend server UAG connects to doesn’t have a valid certificate that UAG trusts, it’s not going to work!  Everyone expects to get a browser-style invalid certificate warning in UAG and click Continue, but it doesn’t work that way.  If UAG doesn’t trust the certificate of a backend server it’s connecting to, UAG returns an error and there is no Continue button to click. 

Either put a valid certificate on that backend server that UAG trusts (issued by a CA in the UAG server’s trusted root store, with a subject or SAN that matches the host name UAG uses to reach the server, and with a CRL the UAG server can actually download), or tell UAG to ignore invalid certificates (FOR TESTING ONLY).  The TechNet excerpt below explains how to disable certificate checking.  Do not roll this into your production environment; use it for testing only. 
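Before you disable the check, find out which of the three conditions the backend certificate actually fails.  The script below is an added example for this post, not code from the original post or from Microsoft.  Run it on the UAG server itself, because UAG trusts whatever that machine’s certificate store trusts; it does the same kind of chain, name and CRL validation UAG does by default and prints the reasons for a failure.  The host name and port are placeholders (assumptions); replace them with your backend server.

```powershell
# Added example, not from the original post or from Microsoft.
# Run ON the UAG server: it validates the backend certificate against this
# machine's certificate store, which is what UAG uses.
# BackendHost/Port are assumed placeholders; replace with your backend server.
param(
    [string]$BackendHost = 'backend.corp.example',
    [int]$Port = 443
)

$script:policyErrors = [System.Net.Security.SslPolicyErrors]::None

# Accept the handshake regardless of validation so the certificate can be
# inspected; the policy errors are recorded for the report, not used to block.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policyErrors = $sslPolicyErrors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($BackendHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    # The host name passed here is what the certificate's name is matched against,
    # so use exactly the name UAG is configured to reach the backend with.
    $ssl.AuthenticateAsClient($BackendHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $ssl.Dispose()
    $tcp.Close()
}

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
"Handshake policy errors: $script:policyErrors"

# Rebuild the chain with online revocation checking. This mirrors UAG's default
# behaviour: chain validation (ValidateRwsCert) plus CRL checking (ValidateRwsCertCRL).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainOk = $chain.Build($cert)

if ($chainOk -and $script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None) {
    "OK: this machine trusts the backend certificate; UAG should accept it."
}
else {
    "FAIL: UAG will reject this backend. Reasons:"
    foreach ($status in $chain.ChainStatus) {
        # Typical values: UntrustedRoot, NotTimeValid, RevocationStatusUnknown, OfflineRevocation
        "  - $($status.Status): $($status.StatusInformation.Trim())"
    }
    if ($script:policyErrors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)) {
        "  - Certificate name does not match '$BackendHost' (the name UAG uses for the server)"
    }
}
```

A self-signed certificate shows up here as UntrustedRoot, an internal CA whose CRL distribution point the UAG server cannot reach shows up as RevocationStatusUnknown or OfflineRevocation, and a certificate issued for a different host name shows up as a name mismatch.  Each of these is fixed on the certificate side, not by turning off validation.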

Another option is to set up the backend server NOT to use SSL at all.  I recommend this because when both UAG and the backend server use certificates, every request is encrypted and decrypted twice: once between the client and UAG, and again between UAG and the backend server.  The client, UAG and the backend server are all burning CPU on crypto, and UAG is doing it in both directions.  That’s just silly!  Just do SSL offloading on UAG so only the client and UAG do the work.  Of course this depends on the security of your LAN: with offloading, the traffic between UAG and the backend server crosses the network in clear text, so only do it where that network segment is trusted.


From the TechNet article:

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL
Values: ValidateRwsCert and ValidateRwsCertCRL, DWORD (0 or 1)

By default Forefront UAG validates both the certificate and the revocation list of each SSL backend server during the TLS handshake.  If the certificate or the CRL is not valid, users are denied access to that backend server.  If a Forefront UAG administrator wishes to disable those validation tests, set the ValidateRwsCert and ValidateRwsCertCRL values to 0, and then restart the IIS service on the Forefront UAG server.
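The following script is an added example for this post, not code from the original post or from Microsoft.  It wraps the registry change from the TechNet excerpt so you can see the current state, disable the checks for a test, and, more importantly, put them back when the test is over.  The key path and value names are the ones quoted above; the script name and its Mode parameter are my own.

```powershell
# Added example, not from the original post or from Microsoft.
# Shows, disables or re-enables Forefront UAG backend certificate validation
# using the registry values from the TechNet excerpt. Run as Administrator
# on the UAG server. Mode 'Disable' is FOR TESTING ONLY: with both values at 0
# UAG accepts any backend certificate, valid or not.
param(
    [ValidateSet('Show', 'Disable', 'Enable')]
    [string]$Mode = 'Show'
)

$keyPath = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL'
$names   = @('ValidateRwsCert', 'ValidateRwsCertCRL')

if (-not (Test-Path $keyPath)) {
    throw "Registry key $keyPath not found; is this a Forefront UAG server?"
}

function Show-UagBackendValidation {
    foreach ($name in $names) {
        $value = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $value) {
            # A missing value means UAG is still at its default, which is to validate.
            "{0,-20} = (not set; default is to validate)" -f $name
        }
        else {
            "{0,-20} = {1}" -f $name, $value
        }
    }
}

function Set-UagBackendValidation([int]$Enabled) {
    foreach ($name in $names) {
        # -Type DWord creates the value if it does not exist yet.
        Set-ItemProperty -Path $keyPath -Name $name -Value $Enabled -Type DWord
    }
    # UAG only reads these values when its IIS process starts.
    iisreset
}

switch ($Mode) {
    'Show' {
        Show-UagBackendValidation
    }
    'Disable' {
        Write-Warning 'Disabling backend certificate AND CRL validation. Testing only; never in production.'
        Set-UagBackendValidation -Enabled 0
        Show-UagBackendValidation
    }
    'Enable' {
        Set-UagBackendValidation -Enabled 1
        Show-UagBackendValidation
    }
}
```

Run it with no parameters to audit a UAG server before a change window; if either value reads 0 on a production box, someone left a test setting behind and the server is trusting whatever certificate the backends present.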