Configuring update settings

Microsoft Forefront Threat Management Gateway obtains malware definition updates for the Forefront TMG server through the Microsoft Update service. The following table summarizes which update mechanism delivers which type of update.

Update type                              Windows Update   Microsoft Update   Windows Server Update Services (WSUS)

Malware definition updates               No               Yes                Yes

Operating system updates                 Yes              Yes                Yes

Operating system and product updates     No               Yes                Yes

For convenience, the Microsoft Update service can be enabled from the Forefront TMG Management console as well as from Windows Control Panel. To receive Forefront TMG malware definition updates, you must join the Microsoft Update service from the Forefront TMG Management console.

You can configure malware definition updates using the procedures described in this topic. You can also run the Getting Started Wizard at any time to specify update settings. For more information, see Configuring initial deployment settings.

Configuring Forefront TMG to use Microsoft Update consists of the following steps:

  1. Join the Microsoft Update service in the Forefront TMG Management console.
  2. Configure malware definition update settings.
  3. Then use any of the following methods:
    • Method 1. Configure the Web proxy browser settings on the Forefront TMG server to point at the Local Host network. Then verify that the predefined system policy rule that allows HTTP/HTTPS from the Forefront TMG server to the specified Microsoft Update sites (the Microsoft Update Sites configuration group) is enabled.
    • Method 2. Use WSUS for update distribution. If you are using WSUS, ensure that you have two access rules: one that allows HTTP access from the Local Host network to the WSUS server, and a second that allows access from the WSUS server to the external Microsoft Update sites. A WSUS server provides a centralized update source for computers in your organization. For more information, see Windows Server Update Services 3.0 Overview, at Microsoft TechNet.
    • Method 3. In addition to the predefined system policy rule for the Microsoft Update sites, create an access rule that allows only the HTTPS protocol from the Local Host network to the External network.
  4. Check and install updates. Enable automatic updates, or check periodically for updates and install manually.

Configuring malware definition update settings

  1. In the Forefront TMG Management console tree, click the Update Center node.
  2. On the Tasks tab, click Configure Update Settings.
  3. On the Definition Updates tab, do the following:
    • In Automatic Update Action, configure automatic update settings. We recommend that you select Check and install to specify that Forefront TMG should check and install new updates when available. If you select Check only, Forefront TMG provides an alert to inform you that new updates are available but will not install them. If you select Do nothing, Forefront TMG does not check for new updates.
    • In Polling frequency, specify how often Forefront TMG polls for updates and applies the specified automatic update action. Note that following installation, there is an evaluation period of a year for installing malware definition updates. After the evaluation period, a subscription license is required.

Enabling Microsoft Updates

  1. In the Forefront TMG Management console tree, click the Update Center node.
  2. On the Tasks tab, click Configure Microsoft Update Settings.
  3. On the Microsoft Update Setup tab, click Use the Microsoft Update service to check for updates (recommended) to specify that the Microsoft Update Service should be used to obtain malware definition updates and other updates provided by Microsoft Update, including operating system updates and Forefront TMG updates. Otherwise, select I do not want to use the Microsoft Update service.

Note

If the Forefront TMG server is configured to receive updates from Windows Server Update Services (WSUS), this configuration is not affected by settings on this page. If you stop using WSUS, settings on this page will be applied.

Method 1

Configuring Web proxy settings

This procedure specifies how to enable the Local Host network to listen for Web proxy requests and how to configure Web proxy settings in Internet Explorer.

  1. In the Forefront TMG Management console tree, click the Networking node.
  2. In the details pane, right-click Local Host, and then click Properties. On the Web Proxy tab, ensure that the setting Enable Web Proxy client connections for this network is enabled. Either keep the default port of 8080, or specify a different port.
  3. On the Forefront TMG server, open Internet Explorer and click the Tools menu.
  4. Click Internet Options, click the Connections tab.
  5. Click LAN settings, and do the following:
    • Select Use a proxy server for your LAN (these settings will not apply to dial-up or VPN connections).
    • In Address, specify an IP address assigned to the Forefront TMG server (that is, an address in the Local Host network). Web proxy requests to this address are handled by the Web proxy filter, which performs name resolution and routing.
    • In Port, specify the same port number that you specified in the Web Proxy properties for the Local Host network.
    • Select Bypass proxy server for local addresses to ensure that Web requests for local resources are not proxied.
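The same Web proxy client configuration, done from PowerShell and followed by a check that a request really goes through the Local Host listener. This is an added example and not part of the Forefront TMG documentation; the proxy address, the listener port (8080, the default) and the test URL are assumptions to adjust for your server, and the test URL is assumed to be covered by the Microsoft Update Sites system policy configuration group.

```powershell
# Added example (not from the Forefront TMG documentation): Method 1 from PowerShell.
# Assumptions: $ProxyAddress is an IP address of the TMG server (an address in the
# Local Host network); $ProxyPort matches the Local Host Web proxy listener
# (default 8080); $TestUrl is assumed to be in the Microsoft Update Sites set.
param(
    [string]$ProxyAddress = "192.168.1.1",
    [int]$ProxyPort = 8080,
    [string]$TestUrl = "https://www.update.microsoft.com/"
)

$proxyServer = "${ProxyAddress}:${ProxyPort}"

# 1. Per-user (WinINET) proxy settings: the same values the Internet Options
#    LAN settings dialog writes. "<local>" is "Bypass proxy server for local addresses".
$ieKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Set-ItemProperty -Path $ieKey -Name ProxyEnable   -Value 1 -Type DWord
Set-ItemProperty -Path $ieKey -Name ProxyServer   -Value $proxyServer
Set-ItemProperty -Path $ieKey -Name ProxyOverride -Value "<local>"

# 2. Machine-wide WinHTTP proxy. Services that do not run as the logged-on user
#    (the Windows Update Agent among them) read this setting rather than the
#    per-user one, so set both.
& netsh.exe winhttp set proxy proxy-server="$proxyServer" bypass-list="<local>" | Out-Null

# 3. Verify: send a request through the listener and report what came back.
#    When the Microsoft Update Sites system policy rule is disabled, Forefront TMG
#    typically answers with its own error page (HTTP 502 from the proxy) instead
#    of relaying the request, so the status code tells the two cases apart.
function Test-ProxyAccess {
    param([string]$Url, [string]$Proxy)
    $client = New-Object System.Net.WebClient
    # Second argument: bypass the proxy for local addresses, as in the dialog.
    $client.Proxy = New-Object System.Net.WebProxy("http://$Proxy", $true)
    try {
        $null = $client.DownloadString($Url)
        return "OK: $Url reachable through $Proxy"
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp) { return "BLOCKED: HTTP $([int]$resp.StatusCode) from $Proxy for $Url" }
        return "FAILED: $($_.Exception.Message)"
    } finally {
        $client.Dispose()
    }
}

Test-ProxyAccess -Url $TestUrl -Proxy $proxyServer
```

Run it in an elevated session on the Forefront TMG server after enabling Web proxy client connections for the Local Host network. A BLOCKED result with a 502 status points at the system policy rule (see "Verifying the system policy rule"), while a FAILED result with no HTTP response means the listener itself was not reached (wrong address, wrong port, or Web proxy client connections not enabled).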

Verifying the system policy rule

  1. In the Forefront TMG Management console tree, right-click the Firewall Policy node, and then click Edit System Policy.
  2. In the Various configuration group, select Microsoft Update Sites.
  3. On the General tab, ensure that Enable this configuration group is selected.

Methods 2 and 3

Creating an access rule

The following procedure creates the HTTPS-only access rule from the Local Host network to the External network described in Method 3. The two access rules required for Method 2 (WSUS) are created with the same wizard: for the first rule, select HTTP as the protocol, Local Host as the source and the WSUS server as the destination; for the second rule, select the WSUS server as the source and the external Microsoft Update sites as the destination.

  1. In the Forefront TMG Management console tree, click the Firewall Policy node.
  2. On the Tasks tab, select Create Access Rule.
  3. On the Welcome page of the wizard, specify a name for the rule. For example, Microsoft Update Access Rule.
  4. On the Rule Action page, select Allow.
  5. On the Protocols page, in This rule applies to, select Selected protocols, and then click Add.
  6. Click to expand the Web protocols group. Select HTTPS, click Add, and then click Close.
  7. On the Malware Inspection page, select Enable malware inspection for this rule.
  8. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, click to expand Networks, and then click Local Host. Click Add, and then click Close.
  9. On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, click to expand Networks, and then click External. Click Add, and then click Close.
  10. On the User Sets page, leave the All Users default setting, and then complete the wizard. Click Apply to save the new rule to the firewall policy.
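The same rules created with the Forefront TMG administration COM object model (FPC.Root) instead of the wizard, so that the Method 3 rule and the two Method 2 rules can be scripted and repeated. This is an added example and not code from the Forefront TMG documentation. The object model members used (GetContainingArray, ArrayPolicy, PolicyRules.AddAccessRule, Action, AccessProperties, SpecifiedProtocols, SourceSelectionIPs, DestinationSelectionIPs, Save) and the enumeration values are written from memory of the Forefront TMG SDK and are assumptions to check against the SDK before running on a production server; the WSUS server is assumed to already exist as a Computer rule element named "WSUS Server".

```powershell
# Added example (not from the Forefront TMG documentation): create the Method 3
# and Method 2 access rules through the FPC.Root COM object model.
# Run in an elevated PowerShell session on the Forefront TMG server.
# Assumption: member names and enumeration values below are from memory of the
# Forefront TMG SDK; verify them against the SDK reference.

# Enumeration values (assumed; see the FPC SDK enumerations).
$fpcPolicyRuleActionAllow = 0   # FpcPolicyRuleActions: allow
$fpcSpecifiedProtocols    = 1   # FpcProtocolSelectionType: selected protocols only
$fpcInclude               = 0   # FpcInclusionStatus: include the referenced element

function New-TmgAccessRule {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string[]]$Protocols,   # e.g. "HTTPS"
        [string]$SourceNetwork,        # e.g. "Local Host"
        [string]$SourceComputer,       # name of an existing Computer rule element
        [string]$DestinationNetwork,   # e.g. "External"
        [string]$DestinationComputer
    )
    $root  = New-Object -ComObject FPC.Root
    $array = $root.GetContainingArray()
    $rules = $array.ArrayPolicy.PolicyRules

    # Re-runnable: never create a second rule with the same name.
    foreach ($existing in $rules) {
        if ($existing.Name -eq $Name) {
            Write-Warning "Rule '$Name' already exists; leaving it unchanged."
            return $existing
        }
    }

    $rule = $rules.AddAccessRule($Name)
    $rule.Action = $fpcPolicyRuleActionAllow                            # Rule Action page: Allow
    $rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols   # Protocols page: Selected protocols
    foreach ($p in $Protocols) { $rule.AccessProperties.SpecifiedProtocols.Add($p, $fpcInclude) }
    if ($SourceNetwork)       { $rule.SourceSelectionIPs.Networks.Add($SourceNetwork, $fpcInclude) }
    if ($SourceComputer)      { $rule.SourceSelectionIPs.Computers.Add($SourceComputer, $fpcInclude) }
    if ($DestinationNetwork)  { $rule.AccessProperties.DestinationSelectionIPs.Networks.Add($DestinationNetwork, $fpcInclude) }
    if ($DestinationComputer) { $rule.AccessProperties.DestinationSelectionIPs.Computers.Add($DestinationComputer, $fpcInclude) }
    # User set is left at the default (All Users), as on the User Sets page.
    $rule.Save()
    return $rule
}

# Method 3: HTTPS only, from the TMG server itself to the External network.
New-TmgAccessRule -Name "Microsoft Update Access Rule" -Protocols "HTTPS" `
    -SourceNetwork "Local Host" -DestinationNetwork "External"

# Method 2 (only if WSUS is used): the pair of rules around the WSUS server.
# Assumption: a Computer rule element named "WSUS Server" already exists.
# New-TmgAccessRule -Name "Local Host to WSUS" -Protocols "HTTP" `
#     -SourceNetwork "Local Host" -DestinationComputer "WSUS Server"
# New-TmgAccessRule -Name "WSUS to Microsoft Update" -Protocols "HTTP","HTTPS" `
#     -SourceComputer "WSUS Server" -DestinationNetwork "External"
```

After the script runs, open Firewall Policy in the console, confirm the rule order (the new rules must sit above any deny rule that would match the same traffic) and apply any pending changes the console still shows. Where the WSUS server sits behind Forefront TMG, prefer restricting the second rule's destination to the Microsoft Update domain names rather than the whole External network.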

Checking and installing updates manually

  1. In the Forefront TMG Management console tree, click the Update Center node. On the Tasks tab, click Configure Update Settings to check for updates immediately.
  2. To install updates, click Install New Updates.
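The operating-system side of "Enabling Microsoft Updates" and "Checking and installing updates manually", done with the Windows Update Agent (WUA) COM API instead of Control Panel: the script opts the server into the Microsoft Update service, lists the updates that are pending, and optionally installs those whose titles match a filter. This is an added example and not part of the Forefront TMG documentation. Joining Microsoft Update in the Forefront TMG Management console is still required for TMG definition updates; the script does not replace that step. The title filter "Forefront" is an assumed heuristic for picking out TMG definition and product updates, not an official update category, and the search uses the server's default update source, so a WSUS-managed server keeps searching WSUS, consistent with the note on WSUS above.

```powershell
# Added example (not from the Forefront TMG documentation): opt into Microsoft
# Update and check for / install pending updates through the WUA COM API.
# Run elevated on the Forefront TMG server. Without -Install it only lists
# what is pending. Assumption: "*Forefront*" is a heuristic title filter.
param([switch]$Install)

# Well-known service ID of Microsoft Update in the WUA service manager.
$MicrosoftUpdateServiceId = "7971f918-a847-4430-9279-4a52d1efe18d"
# AddServiceFlag values: asfAllowPendingRegistration (1), asfAllowOnlineRegistration (2),
# asfRegisterServiceWithAU (4): register now or when online, and use it for Automatic Updates.
$AddServiceFlags = 1 -bor 2 -bor 4

function Enable-MicrosoftUpdate {
    $manager = New-Object -ComObject Microsoft.Update.ServiceManager
    $null = $manager.AddService2($MicrosoftUpdateServiceId, $AddServiceFlags, "")
    foreach ($svc in $manager.Services) {
        if ($svc.ServiceID -eq $MicrosoftUpdateServiceId) { return $svc }
    }
    throw "Microsoft Update service was not registered"
}

function Find-PendingUpdates {
    param([string]$TitleFilter = "*")
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Not yet installed and not hidden by an administrator.
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0")
    $selected = @()
    foreach ($update in $result.Updates) {
        if ($update.Title -like $TitleFilter) { $selected += $update }
    }
    return ,$selected
}

function Install-Updates {
    param($Updates)
    $collection = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($update in $Updates) {
        if (-not $update.EulaAccepted) { $update.AcceptEula() }
        $null = $collection.Add($update)
    }
    if ($collection.Count -eq 0) { return $null }
    $session    = New-Object -ComObject Microsoft.Update.Session
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $collection
    $null = $downloader.Download()
    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $collection
    $result = $installer.Install()
    # OperationResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed.
    for ($i = 0; $i -lt $collection.Count; $i++) {
        "{0}: result {1}" -f $collection.Item($i).Title, $result.GetUpdateResult($i).ResultCode
    }
    if ($result.RebootRequired) { Write-Warning "A reboot is required to complete installation." }
    return $result
}

$service = Enable-MicrosoftUpdate
"Microsoft Update registered with Automatic Updates: $($service.IsRegisteredWithAU)"
$pending = Find-PendingUpdates -TitleFilter "*Forefront*"
"Pending Forefront updates: $($pending.Count)"
$pending | ForEach-Object { "  " + $_.Title }
if ($Install) { Install-Updates -Updates $pending }
```

Review the listed titles before running with -Install: the filter matches Forefront TMG product updates (service packs, software updates) as well as definition updates, and product updates on a firewall deserve a maintenance window.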