Installing Forefront TMG Service Packs

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to install and uninstall Forefront TMG service packs. You can install Forefront TMG service packs in a single server deployment, or in an array or enterprise deployment.

The following sections provide information on what you need to know before installing Forefront TMG service packs, the different deployment scenarios, and how to troubleshoot and uninstall the Forefront TMG service pack:

  • Acquiring the service pack

  • About service packs and updates

  • Before you install a Forefront TMG service pack

  • Installing Forefront TMG on a read-only domain controller

  • Upgrading a single server deployment

  • Upgrading an array or enterprise deployment

  • Troubleshooting the installation

  • Uninstalling the Forefront TMG service pack

Acquiring the service pack

You can acquire Forefront TMG SP1 from two sources:

  1. The Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkID=193239).

    Note

    • When downloading the service pack, click Save to download the file to your computer. This is necessary so that you can run the upgrade with administrator privileges.

    • The service pack is available in English and 10 other localized languages. There is a 64-bit and a 32-bit version:

      • The 64-bit version, for upgrading Forefront TMG, EMS or Remote Management running on 64-bit computers, is TMG-KB981324-amd64-<lang>.msp.

      • The 32-bit version, for upgrading Remote Management running on 32-bit computers, is TMG-KB981324-x86-<lang>.msp.

  2. Microsoft Update.

You can acquire Forefront TMG SP2 from two sources:

  1. The Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=225003).

    Note

    • When downloading the service pack, click Save to download the file to your computer. This is necessary so that you can run the upgrade with administrator privileges.

    • The service pack is available in English and 10 other localized languages. There is a 64-bit and a 32-bit version:

      • The 64-bit version, for upgrading Forefront TMG, EMS or Remote Management running on 64-bit computers, is TMG-KB2555840-amd64-<lang>.exe.

      • The 32-bit version, for upgrading Remote Management running on 32-bit computers, is TMG-KB2555840-x86-<lang>.exe.

  2. Microsoft Update.

About service packs and updates

A service pack or update for a specific version of Forefront TMG contains all previously released updates and fixes for that version.

Note

Forefront TMG SP2 can be installed only on servers that have Forefront TMG SP1 and Forefront TMG Update 1 for SP1 installed.

Before you install a Forefront TMG service pack

Before you begin the installation, note the following:

  • When upgrading an array member (or standalone server), the Forefront TMG services are stopped and Forefront TMG enters lockdown mode. After installation, the services restart automatically unless a system restart is required.

  • In a mixed environment, in which some array members have been upgraded to the service pack and others have not, the servers that are running the previously released version of Forefront TMG 2010 continue to run with the same policy and do not receive policy updates. For this reason, it is recommended that you keep the transition period to the service pack short. Note that the servers that have not yet been updated also:

    • Process and log traffic as normal.

    • Produce data for reports.

    • Can be monitored from the Management console of an array member with a service pack, an Enterprise Management Server with a service pack, or via remote management from a server with the service pack.

    • Do not show upgraded arrays or array members in the Management console.

Installing Forefront TMG on a read-only domain controller

A new feature from Forefront TMG SP1 is the ability to install Forefront TMG on a read-only domain controller; this installation procedure is described in the article Installing Forefront TMG on a domain controller.

Upgrading a single server deployment

Before installing, it is recommended that you back up the Forefront TMG configuration, and save the configuration in a secure location. For more information, see Backing up and restoring the Forefront TMG configuration.

Note

Make sure that the latest Windows updates are installed on the computer running Forefront TMG.

To install Forefront TMG SP1 in a single server deployment

  1. If you downloaded the service pack from the Microsoft Download Center, do the following:

    1. Press the SHIFT key and right-click the .MSP file, and then select Copy as path.

    2. Right-click the Command Prompt icon, and then select Run as administrator.

    3. Right-click the Command Prompt window and select Paste.

    4. Follow the instructions in the wizard.

  2. If you acquired the service pack via Microsoft Update, click Install Updates.

  3. When the installation is complete, open the Forefront TMG Management console and click Help, and then click About Forefront TMG. If the installation completed successfully, the build number will be 7.0.8108.200.

To install Forefront TMG SP2 in a single server deployment

  1. If you downloaded the service pack from the Microsoft Download Center, double-click the relevant executable file (x64 or x86).

  2. If you acquired the service pack via Microsoft Update, click Install Updates.

  3. When the installation is complete, check the version number: open the Forefront TMG Management console, click Help, and then click About Forefront TMG. The build number should match the version number shown on the Microsoft Download Center page.

Upgrading an array or enterprise deployment

These instructions are relevant if you have a standalone array or Enterprise Management Server (EMS). When upgrading Forefront TMG to SP1 or SP2, you must upgrade each of the following, if they exist in your deployment:

  • Enterprise Management Servers (master and replicas).

  • Array managers.

  • Array members.

There are two ways to roll out the service pack in your deployment:

  • In-place upgrade—This is the straightforward approach, which may be more suitable for smaller deployments.

  • Clone array upgrade—For roll-outs that are expected to take a longer period of time, or for customers who want to take additional cautionary measures, creating a clone array allows you to maintain management capability over RTM servers until the upgrade of all array members is complete.

The following sections describe:

  • Preinstallation notes

  • Order of installation

  • Installation steps for servers that use load balancing

  • Installing Forefront TMG SP1 in an enterprise deployment

  • Installing Forefront TMG SP2 in an enterprise deployment

  • Post installation notes

Preinstallation notes

Before installing, it is recommended that you:

  1. Back up the enterprise configuration. See Backing up and restoring the enterprise configuration for more information.

  2. Back up the Forefront TMG configuration for each array member. See Backing up and restoring the Forefront TMG configuration for more information.

  3. Save these configurations in a secure location.

Order of installation

It is recommended that you install the service pack on Forefront TMG computers in the following order:

  1. Install the service pack on the EMS master (or array manager).

    Note

    • Before you install the updates on Forefront TMG Enterprise Edition, you must log on to the EMS by using the same credentials that were used to install the EMS during the initial Forefront TMG setup. If you install the update by using a different administrator account, the installation may fail. In this case, you will receive a "Setup cannot initialize Forefront TMG settings" error message.

    • As an alternative to installing the service pack in-place on the EMS, you can create a clone EMS, as follows:

      1. Install Forefront TMG RTM Enterprise Management on a different computer.

      2. Import the saved enterprise configuration.

      3. Install the service pack.

      4. Start moving upgraded servers to the cloned EMS as described in the process below.

  2. Install the service pack on the EMS replicas.

  3. Install the service pack on the array members. Follow the instructions appropriate for your deployment:

    • For an in-place upgrade, for each array, upgrade the reporting server first and then the array members.

    • For a clone array upgrade, do the following:

      1. Create a new array and import the previously exported configuration.

        Important

        SP1 only: Importing an array-level backup configuration for a multiple server array generates an Import failed error. To resolve this issue, see Importing an RTM configuration on multiple server arrays in the Release Notes for Forefront TMG 2010 SP1.

      2. For each array, begin by disjoining the reporting server from the array, installing the service pack, and then joining it to the new array that is running the service pack. Continue the process with the other array members.

        Note

        To identify the reporting server, in the Forefront TMG Management console, click the Logs & Reports node. In the details pane, click the Reporting tab. On the Tasks tab, click Configure Reporting Settings, and then click the Report Server tab.

Installation steps for servers that use load balancing

If the server is load-balanced by using network load balancing (NLB) or any other load-balancing mechanism, do the following:

  1. Remove the server from the load-balancing configuration.

  2. Drain existing connections that are served by the server.

  3. Set NLB to suspended so that the server does not automatically rejoin the cluster when you restart it.

  4. Install the update.

  5. Restart the server if it is required.

  6. Start NLB on the updated server.

Installing Forefront TMG SP1 in an enterprise deployment

  1. On each computer that you want to upgrade, begin the installation according to the method by which you acquired the service pack:

    • If you downloaded the service pack from the Microsoft Download Center, do the following:

      1. Press the SHIFT key and right-click the .MSP file, and then select Copy as path.

      2. Right-click the Command Prompt icon, and then select Run as administrator.

      3. Right-click the Command Prompt window and select Paste.

      4. Follow the instructions in the wizard.

    • If you are upgrading via Microsoft Update, click Install Updates.

      Note

      In a Forefront TMG Enterprise deployment in which Forefront TMG array members are installed in workgroup mode and the EMS is part of a domain, installing Forefront TMG SP1 by using the Microsoft Update mechanism will fail. This problem occurs because there are no credentials available to access the EMS. In this scenario you must use the .MSP file from the Microsoft Download Center. You can provide credentials in the Setup wizard, or you can type the following at a command prompt:

      msiexec /p TMG-KB981324-amd64-ENU.msp REINSTALL=all REINSTALLMODE=omus STORAGESERVER_CONNECT_ACCOUNT=mydomain\mydomainpermitteduser STORAGESERVER_CONNECT_PWD=mypwd /qb /l*v msilogfilename.log

      If you are installing a non-English version of Forefront TMG SP1, substitute the relevant language code in place of ENU.

  2. When the installation is complete, open the Forefront TMG Management console and click Help, and then click About Forefront TMG. If the installation completed successfully, the build number will be 7.0.8108.200.

Installing Forefront TMG SP2 in an enterprise deployment

  1. On each computer that you want to upgrade, begin the installation according to the method by which you acquired the service pack:

    • If you downloaded the service pack from the Microsoft Download Center, double-click the relevant executable (x64 or x86).

    • If you are upgrading via Microsoft Update, click Install Updates.

      Note

      In a Forefront TMG Enterprise deployment in which Forefront TMG array members are installed in workgroup mode and the EMS is part of a domain, installing Forefront TMG SP2 by using the Microsoft Update mechanism will fail. This problem occurs because there are no credentials available to access the EMS. In this scenario you must use the .exe file from the Microsoft Download Center. You can provide credentials in the Setup wizard, or you can type the following at a command prompt:

      TMG-KB2555840-x64-ENU.exe REINSTALL=all REINSTALLMODE=omus STORAGESERVER_CONNECT_ACCOUNT=mydomain\mydomainpermitteduser STORAGESERVER_CONNECT_PWD=mypwd /qb /l*v msilogfilename.log

      If you are installing a non-English version of Forefront TMG SP2, substitute the relevant language code in place of ENU.

  2. When the installation is complete, check the version number: open the Forefront TMG Management console, click Help, and then click About Forefront TMG. The build number should match the version number shown on the Microsoft Download Center page.

Post installation notes

  1. Forefront TMG services may not start after you install or remove a service pack. This problem may occur if the computer that is running the services is not synchronized with the EMS. In this case, use the Monitoring node of the Forefront TMG Management console to manually restart the services.

  2. It is recommended that you back up the configuration after completing the upgrade to the service pack. For more information, see Backing up and restoring the Forefront TMG configuration.

  3. If you are logging to a remote SQL database, you are required to migrate the log database to the new schema. For instructions, see “Upgrading a remote SQL database for Forefront TMG SP1” on the TechNet Wiki (https://social.technet.microsoft.com/wiki).

  4. If your Forefront TMG deployment is in a workgroup, a few additional steps are required to enable the User Activity or Site Activity report functionality. For details, see “User Activity report” in the Release Notes for Forefront TMG 2010 SP1.

Troubleshooting the installation

By default, a log is not created when you install Forefront TMG SP1. You can specify that a log is to be created during the installation. You can then use this log together with Microsoft Customer Service and Support to troubleshoot installation problems. Logging is only useful if installation fails. If you install again after a successful installation, no useful information is logged. To specify that a log is to be created during the installation of Forefront TMG SP1, type the following at a command prompt:

Msiexec /p TMG-KB981324-amd64-ENU.msp REINSTALL=ALL REINSTALLMODE=omus /l*vx! Logfile_Name.log

The syntax for this command is as follows:

  • /p applies the update.

  • TMG-KB981324-amd64-ENU.msp is the file name and location of the service pack.

    Note

    -ENU indicates that this is the English language service pack. Forefront TMG is localized to ten other languages, and the localized service pack for each has a different language code.

  • REINSTALL=ALL reinstalls features that are already installed. Use this command together with REINSTALLMODE to indicate the type of reinstallation. REINSTALL uses all uppercase letters.

  • REINSTALLMODE=omus is used with REINSTALL to specify the type of reinstallation. REINSTALLMODE uses all uppercase letters. The omus option indicates the following:

    • o reinstalls a file if it is missing or if it is an older version.

    • m rewrites registry entries in the HKEY_LOCAL_MACHINE registry hive or in the HKEY_CLASSES_ROOT registry hive.

    • u rewrites registry entries in the HKEY_CURRENT_USER registry hive or in the HKEY_USERS registry hive.

    • s reinstalls all shortcuts and re-caches all icons.

  • /l turns on logging.

  • *vx! specifies what is logged: * logs all information, v adds verbose output, x adds extra debugging information, and ! flushes each line to the log file as it is written. Logfile_Name.log is the name of the log file.

By default, the log file is created in the same folder in which you run the msiexec command.

You can also examine Event Viewer for relevant information. After the installation is complete, an event indicates whether the installation was successful.
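An added example, not part of the original TechNet page, that summarizes a log written with the msiexec command above: it reads the verbose log, lists the actions that ended with Return value 3 (the Windows Installer marker for a failed action) and reports the final "Installation success or error status" code. The log excerpt inside the block is constructed for illustration and is not a real Forefront TMG log; the only assumption is that the log was written with /l*vx as shown above.

```powershell
# Added example (not from the original page): summarize a verbose msiexec log (/l*vx!)
# written during a Forefront TMG service pack installation.

function Get-MsiLogResult {
    param(
        [Parameter(Mandatory = $true)]
        [string]$LogPath   # log written with: msiexec /p <patch>.msp ... /l*vx! <LogPath>
    )

    $statusCode    = $null
    $failedActions = @()
    $lastAction    = $null
    $outcomeLine   = $null

    # Get-Content honours the Unicode BOM that msiexec writes at the start of its log files.
    foreach ($line in (Get-Content -Path $LogPath)) {
        # "Action start 10:15:05: InstallFiles." names the action that is currently running.
        if ($line -match 'Action start \d+:\d+:\d+: (\S+?)\.') {
            $lastAction = $Matches[1]
        }
        # "Return value 3." means the action failed (1 = success, 2 = cancelled by the user).
        if ($line -match 'Return value 3\.') {
            $failedActions += $lastAction
        }
        # Product-level outcome line written by Windows Installer.
        if ($line -match 'Product: .* -- Installation (completed successfully|failed)') {
            $outcomeLine = $Matches[0]
        }
        # Final status: 0 = success, 3010 = success but a restart is required, 1603 = fatal error.
        if ($line -match 'Installation success or error status: (\d+)\.') {
            $statusCode = [int]$Matches[1]
        }
    }

    New-Object PSObject -Property @{
        LogPath       = $LogPath
        StatusCode    = $statusCode
        Succeeded     = ($statusCode -eq 0 -or $statusCode -eq 3010)
        RestartNeeded = ($statusCode -eq 3010)
        FailedActions = $failedActions
        Outcome       = $outcomeLine
    }
}

# Constructed sample log for illustration only (not a real Forefront TMG installation log).
$sampleLog = @'
=== Verbose logging started: 2/1/2011  10:15:02  Build type: SHIP UNICODE 5.00.7600.00  Calling process: C:\Windows\system32\msiexec.exe ===
MSI (s) (3C:40) [10:15:05:123]: Doing action: InstallFiles
Action start 10:15:05: InstallFiles.
MSI (s) (3C:40) [10:15:09:456]: Note: 1: 1603
Action ended 10:15:09: InstallFiles. Return value 3.
MSI (s) (3C:40) [10:15:09:500]: Product: Microsoft Forefront Threat Management Gateway -- Installation failed.
MSI (s) (3C:40) [10:15:09:501]: Windows Installer installed an update. Product Name: Microsoft Forefront Threat Management Gateway. Update Name: Microsoft Forefront Threat Management Gateway Service Pack 1. Installation success or error status: 1603.
=== Logging stopped: 2/1/2011  10:15:09 ===
'@

$samplePath = Join-Path $env:TEMP 'tmg-sp-sample.log'
Set-Content -Path $samplePath -Value $sampleLog

# Usage: point -LogPath at the real Logfile_Name.log instead of the sample.
$result = Get-MsiLogResult -LogPath $samplePath
$result | Format-List LogPath, StatusCode, Succeeded, RestartNeeded, FailedActions, Outcome
```

When you hand a log to Microsoft Customer Service and Support, the FailedActions list tells you where to start reading: the lines immediately before the first "Return value 3" usually carry the underlying error, and the status code at the end is the value msiexec itself returned.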

Uninstalling the Forefront TMG service pack

When uninstalling the Forefront TMG service pack, it is recommended that you uninstall the service pack from your deployment in the reverse order that you installed it. In other words, uninstall first from array members, then the report server, then array managers and finally the EMS replicas and master.

Note

Forefront TMG SP2 only allows you to uninstall the service pack from your deployment in the reverse order that you installed it.

Uninstalling the Forefront TMG service pack requires the following steps:

  • Creating the uninstall scripts

  • Uninstalling the service pack

Creating the uninstall scripts

To uninstall the service pack, you’ll need to create the following scripts:

Note

To uninstall SP2, you only need to create the waitforreload.vbs script.

  • Uninstall-TMG-SP1.cmd—Run this on the EMS, array manager, and each array member or standalone server.

    Note

    If User Account Control is disabled, you do not need to run this script. Instead, you can uninstall SP1 via the Control Panel.

  • waitforreload.vbs—Run this on each array member and standalone server.

  • fixsqlserverlogin.vbs—Run this on each array member and standalone server.

After you have created the scripts, follow the instructions in Uninstalling the service pack.

Uninstall-TMG-SP1.cmd

To create the Uninstall-TMG-SP1.cmd script, do the following:

  1. Copy the text below to the Clipboard.

    @echo off
    SetLocal
    rem Read the SP1 uninstall command from the registry. The variable stays empty if SP1 is not installed.
    for /F "usebackq tokens=2,*" %%f in (`reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Forefront Threat Management Gateway Service Pack 1" /v UninstallString 2^>NUL`) do set Uninstall_string=%%g
    if "%Uninstall_string%"=="" (
        echo TMG SP1 is not installed on this computer.
        exit /b 1
    )
    
    rem Writing a key under HKCR succeeds only from an elevated prompt, so use it as an elevation test.
    set TEST_REGKEY=HKCR\TypeLib\{Uninstall-TMG-SP1-elevation-test}
    REG ADD %TEST_REGKEY% /f>nul 2>&1
    IF ERRORLEVEL 1 (
        echo This script must be run from an elevated command prompt.
        exit /b 1
    )
    REG DELETE %TEST_REGKEY% /f>nul 2>&1
    
    rem Write the uninstall command and any arguments passed to this script to a temporary script, run it, then delete it.
    set UNINSTALL_GEN=%temp%\Uninstall_TMG_SP1.cmd
    echo %Uninstall_string% %*> %UNINSTALL_GEN%
    call %UNINSTALL_GEN%
    del %UNINSTALL_GEN%
    
    EndLocal
    
  2. Open Notepad and paste the text.

  3. Save the file as %temp%\Uninstall-TMG-SP1.cmd.

waitforreload.vbs

To create the waitforreload script, do the following:

  1. Copy the text below to the Clipboard.

    ' Connect to the Forefront TMG configuration storage (the EMS or array manager).
    set root = CreateObject("FPC.Root")
    
    ' Reading ConfigurationStorageServer is wrapped in On Error Resume Next so that a missing
    ' connection leaves currStorageName empty instead of stopping the script.
    On Error Resume Next
    currStorageName = root.ConfigurationStorageServer
    On Error Goto 0
    
    ' With no current connection, prompt for the storage server and credentials.
    If len(currStorageName) = 0 Then
        wscript.echo "Please enter credentials to connect to configuration storage."
        wscript.echo "Computer name of the EMS or Array Manager:"
        ServerName = WScript.StdIn.ReadLine
        wscript.echo "Domain:"
        DomainName = WScript.StdIn.ReadLine
        wscript.echo "User name:"
        UserName = WScript.StdIn.ReadLine
        wscript.echo "Password:"
        Password = WScript.StdIn.ReadLine
        root.ConnectToConfigurationStorageServer ServerName, UserName, DomainName, Password
        Wscript.echo "Connected to '" & ServerName & "' with user '" & DomainName & "\" & UserName & "'"
    Else
        Wscript.echo "Connected to configuration storage with the current user's credentials."
    End If
    
    ' Block until this array member has loaded the current configuration from storage.
    set arr = root.GetContainingArray
    wscript.echo "Waiting for reload on array " & arr.name
    arr.WaitForReload
    wscript.echo "Done reloading array " & arr.name
    
  2. Open Notepad and paste the text.

  3. Save the file as %temp%\waitforreload.vbs.

fixsqlserverlogin.vbs

To create the fixsqlserverlogin script, do the following:

  1. Copy the text below to the Clipboard.

    ' ADODB connection state value for an open connection.
    Dim adStateOpen
    adStateOpen = 1
    
    ' Scriptlet.TypeLib is used only to generate a new GUID for the Reporting Services configuration ID.
    Set TypeLib = CreateObject("Scriptlet.TypeLib") 
    
    wscript.echo "Type a new password to access the reporting database, and record it for later use. If you run this script on another array member, be sure to use the same password."
    newPassword  = wscript.StdIn.ReadLine
    
    ' Strip the two trailing characters that Scriptlet.TypeLib appends to the GUID string.
    Dim newConfigId
    newConfigId = TypeLib.Guid
    newConfigId = Left(newConfigId, Len(newConfigId)-2) 
    
    ' Connect to configuration storage, prompting for credentials if there is no current connection.
    set root = CreateObject("FPC.Root")
    
    On Error Resume Next
    currStorageName = root.ConfigurationStorageServer
    On Error Goto 0
    
    If len(currStorageName) = 0 Then
        wscript.echo "Please enter credentials to connect to configuration storage."
        wscript.echo "Computer name of the EMS or Array Manager:"
        ServerName = WScript.StdIn.ReadLine
        wscript.echo "Domain:"
        DomainName = WScript.StdIn.ReadLine
        wscript.echo "User name:"
        UserName = WScript.StdIn.ReadLine
        wscript.echo "Password:"
        Password = WScript.StdIn.ReadLine
        root.ConnectToConfigurationStorageServer ServerName, UserName, DomainName, Password
        Wscript.echo "Connected to '" & ServerName & "' with user '" & DomainName & "\" & UserName & "'"
    Else
        Wscript.echo "Connected to configuration storage with the current user's credentials."
    End If
    
    ' Store the new reporting password and configuration ID in the array configuration,
    ' then wait until this array member has reloaded the saved configuration.
    Set arr = root.GetContainingArray
    arr.Reports.ReportingServicesProperties.Credentials.Password = newPassword
    arr.Reports.ReportingServicesProperties.ReportingServicesConfigurationId = newConfigId
    
    wscript.echo "Changing Reporting Services Password (" & newPassword & "), and configuration id (" & newConfigId & ")"
    arr.Save
    
    wscript.echo "Waiting for reload on array " & arr.name
    arr.WaitForReload
    
    wscript.echo "Done reloading array " & arr.name
    
    ' Open a Windows-authenticated connection to the local MSFW SQL Server instance that holds the log databases.
    Set cnn = CreateObject("ADODB.Connection")
    cnn.ConnectionString = "Provider=SQLOLEDB;Data Source='localhost\MSFW';Integrated Security=SSPI"
    cnn.Open
    If cnn.State <> adStateOpen Then
        wscript.echo "Failed to open SQL connection: " & cnn.ConnectionString
    End If
    
    ' Map the current Windows login to ISA_RS_USER on the RS_SRV linked server. The password is
    ' embedded in a T-SQL string literal, so any single quote in it must be doubled or the
    ' statement breaks.
    Dim sqlPassword
    sqlPassword = Replace(newPassword, "'", "''")
    
    Dim sqlCommand
    sqlCommand = "use master;"
    sqlCommand = sqlCommand & " DECLARE @sys_usr varchar(100);"
    sqlCommand = sqlCommand & " SET @sys_usr = SYSTEM_USER;"
    sqlCommand = sqlCommand & " EXEC sp_addlinkedsrvlogin 'RS_SRV', 'false', @sys_usr , 'ISA_RS_USER', '" & sqlPassword & "'"
    wscript.echo "Will execute " & sqlCommand
    Set rs = cnn.Execute(sqlCommand)
    
    ' Drop the SoftBlockAction column, where present, from the WebProxyLog table in every
    ' ISALOG_*_WEB_nnn log database.
    sqlCommand = "use master;"
    sqlCommand = sqlCommand & " DECLARE @TableName varchar(200) = 'WebProxyLog'; "
    sqlCommand = sqlCommand & " DECLARE SysDB_Cursor CURSOR FOR " 
    sqlCommand = sqlCommand & "   SELECT [name] "
    sqlCommand = sqlCommand & "   FROM [master].[dbo].[sysdatabases] "
    sqlCommand = sqlCommand & "   WHERE ([name] LIKE 'ISALOG_%%_WEB_[0-9][0-9][0-9]') "
    sqlCommand = sqlCommand & " OPEN SysDB_Cursor; "
    sqlCommand = sqlCommand & " DECLARE @DBName varchar(50); "
    sqlCommand = sqlCommand & " FETCH NEXT FROM SysDB_Cursor INTO @DBName; "
    sqlCommand = sqlCommand & " WHILE @@FETCH_STATUS = 0 "
    sqlCommand = sqlCommand & " BEGIN "
    sqlCommand = sqlCommand & "   IF COALESCE(COL_LENGTH(@DBName + '..' + @TableName,'SoftBlockAction'),0) != 0 "
    sqlCommand = sqlCommand & "     BEGIN "
    sqlCommand = sqlCommand & "         EXECUTE ('ALTER TABLE ' + @DBName + '..' + @TableName + ' DROP COLUMN SoftBlockAction'); "
    sqlCommand = sqlCommand & "     END "
    sqlCommand = sqlCommand & "     FETCH NEXT FROM SysDB_Cursor INTO @DBName; "
    sqlCommand = sqlCommand & " END "
    sqlCommand = sqlCommand & " CLOSE SysDB_Cursor; "
    sqlCommand = sqlCommand & " DEALLOCATE SysDB_Cursor; "
    
    wscript.echo "Will execute " & sqlCommand
    Set rs = cnn.Execute(sqlCommand)
    
    cnn.Close
    
  2. Open Notepad and paste the text.

  3. Save the file as %temp%\fixsqlserverlogin.vbs.

Uninstalling the service pack

Uninstalling Forefront TMG SP1 requires that you:

  • Log in to the computer with a user account that belongs to the Local Administrators group and that has been assigned the Forefront TMG Array Administrator or Enterprise Administrator role.

  • Work from an elevated command prompt.

The following table describes the uninstall process. For each procedure it lists the steps and, under Applies to, the servers on which the procedure is performed.

Uninstall service pack 1

Use uninstall-TMG-SP1.cmd to remove the service pack from any Forefront TMG SP1 deployment.

  1. Log on to the computer with a user account that belongs to the Local Administrators group.

  2. Type %temp%\Uninstall-TMG-SP1.cmd and press ENTER.

    Note

    Uninstalling Forefront TMG SP1 by specifying credentials at the command line is not supported. If your deployment requires that you enter credentials to uninstall, the service pack cannot be removed. In this case, you should export the configuration, uninstall Forefront TMG, reinstall Forefront TMG, and import the RTM configuration.

  3. When the uninstall process completes, open the Control Panel and verify that Forefront TMG SP1 does not appear in the list of Installed Updates.

Applies to: Each array member, array manager, EMS replica and master, Remote Management

Uninstall service pack 2

  1. Log on to the computer with a user account that belongs to the Local Administrators group.

  2. Open Control Panel, under Programs, click Uninstall a program, in the left pane, click View installed updates, locate Forefront TMG SP2 in the list, and then click Uninstall.

  3. When the uninstall process completes, verify that Forefront TMG SP2 does not appear in the list of Installed Updates.

Applies to: Each array member, array manager, EMS replica and master, Remote Management

Verify that FWSRV is running: relevant for SP1 and SP2

On each array member, verify that the Firewall service (FWSRV) is running by typing the following at an elevated command prompt:

sc query fwsrv

If the state is not RUNNING, do the following:

  1. At an elevated command prompt, type cscript.exe %temp%\waitforreload.vbs and press ENTER.

  2. When the message Done reloading array appears, start the Firewall service with this command:

    net start fwsrv

  3. If the Firewall service fails to start, and the Forefront TMG Management console displays the alert Service Initialization failure, do the following on each affected server:

    1. At a command prompt, type the following and press ENTER:

      reg add HKLM\SOFTWARE\Microsoft\Fpc\Storage\Cache /v InvocationID /t REG_BINARY /f /d 000000000000000000000000000000000000000000000000

    2. Restart the computer.

Applies to: Array members
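An added example, not part of the original TechNet page, that performs the verification steps above on an array member from an elevated PowerShell prompt: it checks that the SP1 entry is gone from the uninstall registry key that the page's Uninstall-TMG-SP1.cmd queries, checks that the Firewall service (fwsrv) is running, and if it is not, runs %temp%\waitforreload.vbs (the script and path from the page) before starting the service. The InvocationID registry reset for the Service Initialization failure alert is deliberately left as the manual step described above. The function names and the five-minute start timeout are this example's own choices.

```powershell
# Added example (not from the original page): post-uninstall checks for an array member.

# Registry key behind the Installed Updates entry for SP1 (same key Uninstall-TMG-SP1.cmd queries).
$Sp1UninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Forefront Threat Management Gateway Service Pack 1'

function Test-TmgSp1Removed {
    # When the key no longer exists, SP1 no longer appears under Installed Updates.
    return (-not (Test-Path -Path $Sp1UninstallKey))
}

function Get-FwsrvStatus {
    # Equivalent of "sc query fwsrv"; throws if the service is not present at all.
    $svc = Get-Service -Name fwsrv -ErrorAction SilentlyContinue
    if ($svc -eq $null) {
        throw 'Firewall service (fwsrv) not found; this does not look like a Forefront TMG server.'
    }
    return $svc.Status
}

function Start-FwsrvAfterReload {
    param(
        [string]$WaitScript = (Join-Path $env:TEMP 'waitforreload.vbs'),
        [int]$TimeoutMinutes = 5   # example's own choice, not a value from the page
    )
    if ((Get-FwsrvStatus) -eq 'Running') {
        Write-Host 'fwsrv is already running.'
        return $true
    }
    if (-not (Test-Path -Path $WaitScript)) {
        throw "Cannot find $WaitScript; create it as described under waitforreload.vbs."
    }
    # waitforreload.vbs blocks until the array member has reloaded its configuration and
    # prints "Done reloading array"; it may prompt for EMS credentials on the console.
    & cscript.exe //nologo $WaitScript
    if ($LASTEXITCODE -ne 0) {
        throw "waitforreload.vbs exited with code $LASTEXITCODE; not starting fwsrv."
    }
    # Same as "net start fwsrv", then wait for the service to report Running.
    Start-Service -Name fwsrv
    (Get-Service -Name fwsrv).WaitForStatus('Running', (New-TimeSpan -Minutes $TimeoutMinutes))
    return ((Get-FwsrvStatus) -eq 'Running')
}

# Usage: run on each array member after Uninstall-TMG-SP1.cmd has completed.
if (-not (Test-TmgSp1Removed)) {
    Write-Warning 'Forefront TMG SP1 is still listed under Installed Updates; the uninstall did not complete.'
}
if (Start-FwsrvAfterReload) {
    Write-Host 'Firewall service (fwsrv) is running.'
} else {
    Write-Warning 'fwsrv did not reach Running; check the Forefront TMG Management console for a Service Initialization failure alert.'
}
```

If the service still fails to start after the reload, fall back to the InvocationID reset and restart described in step 3 above rather than retrying the start in a loop; the reload script only helps when the member is simply out of sync with the EMS.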

Restore reporting functionality: relevant only for SP1

On each array member use the fixsqlserverlogin.vbs script to restore the reporting functionality after uninstalling SP1:

  1. At an elevated command prompt, type cscript.exe %temp%\fixsqlserverlogin.vbs, and press ENTER.

    Important

    The script prompts you to type a new password to access the reporting database. Make sure to record this password, because if you run this script on another array member, you must use the same password.

  2. When the command prompt returns, verify that the script did not generate an error. If successful, summary generation will occur at the configured time. Run a report the following day to confirm that the fix has succeeded.

Applies to: Array members

Concepts

Release Notes for Forefront TMG 2010 SP1
Release Notes for Forefront TMG 2010 SP2
What's new in Forefront TMG 2010 SP1
What's new in Forefront TMG 2010 SP2
Forefront TMG Deployment