Release Notes for Forefront TMG 2010 SP1

Published: June 15, 2010

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

These release notes provide information and describe late-breaking issues that relate to Microsoft Forefront Threat Management Gateway (Forefront TMG) 2010 Service Pack 1 (SP1). It is important that you read the information that is contained in this document before you install Forefront TMG SP1.

Acquiring the service pack

The Forefront TMG service pack is available for download from the Microsoft Download Center, and as an optional update via Microsoft Update.

Features available in Forefront TMG 2010 SP1

Forefront TMG 2010 SP1 adds several new features to the already robust set of Forefront TMG 2010 features. For information about these features, see What's new in Forefront TMG 2010 SP1.

Support for Forefront Unified Access Gateway (UAG)

It is recommended that you install this service pack on computers running Forefront UAG. Forefront TMG SP1 has been tested and is fully supported on Forefront UAG. For more information, see Installing Forefront TMG Service Pack 1 in the Forefront UAG online documentation.

Installing Forefront TMG 2010 SP1

It is recommended that you install the service pack in the order described in Installing Forefront TMG SP1.

You should be aware of the following installation and deployment issues before and after installing Forefront TMG SP1:

  • It is recommended that you complete the upgrade of all Enterprise Management Servers (master and replicas) and all the array members of an array before you configure the new SP1 features in the array.

  • In a mixed environment, in which some array members have been upgraded to SP1 and others have not, the servers that are running the original release version of Forefront TMG 2010 (also known as RTM servers) continue to run with the same policy and do not receive policy updates. Note that RTM servers also:

    • Process and log traffic as normal.

    • Produce data for reports.

    • Can be monitored from the Management console of an SP1 array member, an SP1 Enterprise Management Server, or via SP1 remote management.

    • Do not show upgraded arrays or array members in the Management console.

  • In most cases, you are not required to restart the computer after upgrade.

  • If you are logging to a remote SQL database, you are required to migrate the log database to the new schema. For instructions, see “Upgrading a remote SQL database for Forefront TMG SP1” on the TechNet Wiki.

  • The build number for Forefront TMG SP1 is 7.0.8108.200. To verify that SP1 has been installed on a specific server, in the Forefront TMG Management console, click Help and select About Forefront Threat Management Gateway. The build number appears after Version.

Known issues

The following issues relate to the configuration and operation of Forefront TMG SP1:

BranchCache alert on Windows Server 2008 SP2

  • BranchCache alert

    After installing SP1 on Windows Server 2008 SP2, the BranchCache Initialization Failure alert is registered.

    By default, the BranchCache service (PeerDistSvc) is started after the installation of SP1, but BranchCache is supported on Windows Server 2008 R2 only.

    You can safely ignore this alert.

Deny rule user override

  • Accessing sites from non-browser applications

    When requesting access to a blocked site from a non-browser application, the user receives an error message such as “Unable to open,” and no option to override the block is displayed.

    Non-browser applications cannot display the access denied HTML page, so the user cannot click the Override Access Restriction button.

    Copy the link, paste it into the address bar of a browser, and then click Override Access Restriction.

  • User override does not support redirect to HTTPS site

    A user requests access to a blocked site and is presented with the user override option. After clicking Override Access Restriction, the request is passed to the site, only to be redirected to a secure (HTTPS) page. Instead of accessing the site, the user receives an access denied message.

    User override supports HTTP sessions only.

  • Two-letter domains not supported

    When attempting to override the access restriction to a URL with a two-letter domain name, clicking Override Access Restriction has no effect.

    User override information is stored in a cookie on the client computer. However, for security reasons, Internet Explorer does not allow setting a cookie for URLs with two-letter domains. Other browsers may have similar security in place.

    For details, see the Microsoft Knowledge Base article “Internet Explorer does not set a cookie for two-letter domains.”

  • User override with URL category overrides

    A user attempting to access a blocked web destination via user override receives an error if both of the following conditions apply:

    1. The default URL category for this destination was overridden by the administrator.

    2. The URL pattern for the URL category override does not end with a final closing slash mark (/) and wildcard character (*).

    Direct the user to add a final closing slash mark to the web address before clicking the Override Access Restriction button, or add the wildcard character to the URL pattern of the category override.

  • User override from unauthenticated users

    User override requests appear to be emanating from a single IP address only.

    When using Web proxy chaining, the identity of each client is known to the downstream server but is not propagated to the upstream server. As a result, all requests from users behind the downstream server share the same IP address.

    If, for reasons of security, you want to allow only authenticated users to override access restrictions, add a rule blocking access to unauthenticated users before the user override rule, or add this IP address to the source exceptions of the user override rule.

Disjoining a server from an array

After installing SP1, in some circumstances, disjoining a server from an array appears to fail with an error.

This issue can be resolved by running the Repair operation, as described in the following procedure:

  1. Click Start, type appwiz.cpl and press ENTER.

  2. Right-click Microsoft Forefront Threat Management Gateway and select Uninstall/Change.

  3. In the Microsoft Forefront TMG Installation wizard, select Repair, click Next, and then click Install.

Importing an RTM configuration on multiple server arrays

Importing an array-level backup configuration for a multiple server array generates an Import failed error.

The transformation process of the RTM configuration to SP1 fails when more than one server is included in the export file.

The solution is to edit the XML file, removing all references to multiple servers. The edited file should contain one server element only. The server object information is not necessary for the array-level import.

  1. Open the exported .XML file in Notepad or a similar editor. It should look similar to the following:

    <fpc4:Root xmlns:fpc4="" xmlns:dt="urn:schemas-microsoft-com:datatypes" StorageName="FPC" StorageType="0">
           <fpc4:Arrays StorageName="Arrays" StorageType="0">
                  <fpc4:Array StorageName="{GUID1}" StorageType="1">
                         <fpc4:Servers StorageName="Servers" StorageType="1">
                               <fpc4:Server StorageName="{GUID2}" StorageType="1">
                               <fpc4:Server StorageName="{GUID3}" StorageType="1">
  2. In the section that begins <fpc4:Servers StorageName="Servers" StorageType="1">, remove all references beginning with <fpc4:Server>, except for one. The file should resemble this:

    <fpc4:Root xmlns:fpc4="" xmlns:dt="urn:schemas-microsoft-com:datatypes" StorageName="FPC" StorageType="0">
           <fpc4:Arrays StorageName="Arrays" StorageType="0">
                  <fpc4:Array StorageName="{GUID1}" StorageType="1">
                         <fpc4:Servers StorageName="Servers" StorageType="1">
                               <fpc4:Server StorageName="{GUID2}" StorageType="1">
  3. Save the file and import.
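
As an added example (not part of these release notes or of the product), the following Python script performs step 2 above programmatically: it keeps the first fpc4:Server element under each fpc4:Servers node and removes the rest, so the edited export contains one server element only. The sample export is constructed and its fpc4 namespace URI is an assumed placeholder; the script reads the real URI from the file's root element, so you do not need to know it in advance.

```python
# Added example, not from the release notes or the product: prune an RTM
# array-level export down to one fpc4:Server element per fpc4:Servers node.
# The sample below is constructed; its fpc4 namespace URI is an assumed
# placeholder, and the code reads the real URI from the root element.
import xml.etree.ElementTree as ET

SAMPLE_EXPORT = """<?xml version="1.0"?>
<fpc4:Root xmlns:fpc4="urn:example:fpc4-placeholder" xmlns:dt="urn:schemas-microsoft-com:datatypes"
           StorageName="FPC" StorageType="0">
  <fpc4:Arrays StorageName="Arrays" StorageType="0">
    <fpc4:Array StorageName="{GUID1}" StorageType="1">
      <fpc4:Servers StorageName="Servers" StorageType="1">
        <fpc4:Server StorageName="{GUID2}" StorageType="1"/>
        <fpc4:Server StorageName="{GUID3}" StorageType="1"/>
      </fpc4:Servers>
    </fpc4:Array>
  </fpc4:Arrays>
</fpc4:Root>
"""

def fpc4_namespace(root: ET.Element) -> str:
    """Namespace URI of the root element: '{uri}Root' -> 'uri'."""
    return root.tag[1:root.tag.index("}")]

def prune_servers(xml_text: str) -> tuple[str, list[str]]:
    """Keep the first Server under each Servers node; return (xml, removed names)."""
    root = ET.fromstring(xml_text)
    uri = fpc4_namespace(root)
    # Re-register the prefixes so the output keeps 'fpc4:' / 'dt:' rather than 'ns0:'.
    ET.register_namespace("fpc4", uri)
    ET.register_namespace("dt", "urn:schemas-microsoft-com:datatypes")
    removed = []
    # Materialise the list first: removing children while iterating is unsafe.
    for servers in list(root.iter(f"{{{uri}}}Servers")):
        for server in servers.findall(f"{{{uri}}}Server")[1:]:
            removed.append(server.get("StorageName"))
            servers.remove(server)
    return ET.tostring(root, encoding="unicode"), removed

def count_servers(xml_text: str) -> int:
    """Number of fpc4:Server elements anywhere in the document."""
    root = ET.fromstring(xml_text)
    return len(root.findall(f".//{{{fpc4_namespace(root)}}}Server"))

if __name__ == "__main__":
    pruned, removed = prune_servers(SAMPLE_EXPORT)
    print(f"removed {len(removed)} Server element(s): {removed}")
    print(pruned)
```

ET.tostring omits the XML declaration and unused namespace declarations, so prepend a declaration when writing the result back to the file you intend to import.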

Installing in a workgroup scenario

User activity reports appear empty.

In workgroup deployments, the Report Server cannot gather user activity information from other members of the array because the SQL Server instance that generates the report runs as the Local System account, and thus is denied RPC access to other array members.

The ISARS SQL Server service (MSSQL$ISARS) should run under a real user account with administrative privileges, and this user account should be mirrored on all array members. This service can be found only on the machine that acts as a Report Server. Do the following:

  1. Create a new user account and grant this account administrative privileges on all machines in the array. From the command prompt, type:

    net user <username> <Password> /add

    net localgroup administrators <username> /add

  2. Configure the MSSQL$ISARS service on the Report Server to log on with this user account. From the command prompt, type:

    sc config MSSQL$ISARS obj= <reportservername>\<username> password= <Password>

  3. Restart all relevant services. From the command prompt, type:

    net stop MSSQL$ISARS

    net start MSSQL$ISARS

    net stop ReportServer$ISARS

    net start ReportServer$ISARS

Installing SP1 on Forefront Unified Access Gateway (UAG)

When installing Forefront TMG SP1 on Forefront UAG, the Installation wizard indicates that there are Files in Use.

You can safely click Ignore. When the wizard finishes the installation, restart the computer to complete the installation.

Microsoft OneNote web preview

  • Publishing Microsoft SharePoint 2010

    Attempting to open a Microsoft OneNote file using Microsoft Office Web Apps hosted on Microsoft SharePoint 2010 results in an error stating that the file cannot be opened.

    Wait one to two minutes and then try to open the file again from the same computer.

Uninstalling SP1

  • Uninstalling SP1 via Control Panel generates an error

    If User Account Control is enabled, attempting to uninstall SP1 via the Control Panel generates an error and does not remove the service pack.

    To uninstall SP1, see Uninstalling Forefront TMG SP1.

  • User Activity reports remain visible

    After uninstalling SP1, User Activity reports that were created while SP1 was installed remain visible in the list of available reports. Attempting to generate or view one of these reports is unsuccessful.

SP1 software updates

Forefront TMG SP1 includes bug fixes that were released subsequent to the original release version of Forefront TMG 2010. The following Microsoft Knowledge Base (KB) articles describe some of the fixes that are included in Forefront TMG SP1:

  • The IP address filter conditions of the filter do not work in Forefront TMG 2010

  • The application initialization fails after you build a Forefront TMG 2010 appliance if the computer does not have a valid IP address

  • FIX: You cannot import an XML file that was exported from an enterprise that includes a Forefront TMG 2010 Standard Edition-based server

  • FIX: You cannot enable the malware inspection for an access rule in Forefront TMG 2010 EMS

  • FIX: You cannot add an e-mail address that contains special characters to the list of blocked senders in Forefront TMG 2010

  • FIX: You cannot create a report in Forefront TMG 2010 after you publish an SMTP server

  • "NLB Stopped - Configuration Failure" error when you try to enable NLB on an array that has multiple Forefront TMG 2010 members

  • An IPsec VPN site-to-site tunnel or a PPTP VPN site-to-site tunnel does not work if you enable integrated NLB on a Forefront TMG 2010 array

  • FIX: Error message when you use the New-MoveRequest task to move a mailbox from Exchange 2007 to Exchange 2010: "Error: MapiExceptionNetworkError: Unable to make connection to the server. (hr=0x80040115, ec=-2147221227)"

  • FIX: High CPU usage occurs when you back up or export configuration information for ISA Server 2006

  • FIX: You cannot download a message attachment from the OWA server if the OWA server is published by using ISA Server 2006

  • FIX: You cannot change an expired password in an intranet Web application that is published by using Forms Based Authentication and LDAP authentication in ISA Server 2006

  • FIX: ISA Server 2006 does not detect a TCP reset response when you enable HTTP compression

  • FIX: There is a long delay when you try to view another policy rule in ISA Server 2006 if the array contains multiple ISA servers

  • FIX: An expired user certificate can log on to OWA in TMG 2010

  • FIX: You cannot download a message attachment from the OWA server if the OWA server is published by using TMG 2010

  • FIX: RSA SecurID client cannot log on to OWA in TMG 2010 if the user name contains an apostrophe

  • FIX: TMG 2010 does not recognize a Subject Alternative Name certificate on a non-English Windows operating system

  • FIX: Transparent proxy: when non-CERN proxy clients request a URL, TMG logging shows the IP address of the requested website and not the entire URL

  • FIX: Cannot access web sites which require a client certificate if HTTPS inspection is active

  • FIX: Remote management of TMG fails if a GPO enforces Restrictions For Unauthenticated RPC Clients and RPC Endpoint Mapper Client Authentication

  • FIX: TMG 2010 may fail to generate reports if installed in a disjoint name space environment

Other fixes included are:

  • ISA Web Publishing with KCD or Negotiate delegation generates Kerberos ticket request for every request

  • Various chunk encoding improvements for OWA publishing

  • FIX: DsCrackNames fails with 'Invalid Handle' error if connection to GC breaks

  • FIX: Crash in rare conflict scenarios between PPTP and GRE traffic
