Archive

Archive for the ‘Threat Management Gateway’ Category

Installing Forefront TMG 2010 SP2 on Enterprise Arrays

December 1, 2011 Leave a comment

To successfully install Service Pack 2 (SP2) for Forefront TMG 2010, you must first install Service Pack 1 (SP1), then Software Update 1 for SP1 (SP1U1) as I indicated in a previous blog post. None of the other hotfix rollups available for Forefront TMG are required to upgrade to SP2. For Forefront TMG 2010 enterprise arrays, these updates must be installed in a specific order to eliminate potential conflicts. The proper sequence is as follows:

First, install SP1 for Forefront TMG 2010 on the…

  1. Enterprise Management Server (EMS)
  2. Reporting server in each array
  3. Remaining array members in each array

Next, install Software Update 1 for Forefront TMG 2010 SP1 on the…

  1. EMS
  2. Reporting server in each array
  3. Remaining array members in each array

Lastly, install SP2 for Forefront TMG 2010 on the…

  1. EMS
  2. Reporting server in each array
  3. Remaining array members in each array

For standalone arrays, treat the array manager as the EMS and follow the order outlined above. In addition, if you are adding a new array member to an existing array, install Forefront TMG 2010 and apply the updates in order before joining the array. Make certain that the new array member is at the same update level as the EMS and other array members.  Also, consider slipstreaming SP2 with your installation media to save yourself some time.

Special thanks to Jim Harrison for clarification on the installation order.

Categories: Forefront TMG 2010, Unified Access Gateway, Forefront UAG 2010, Threat Management Gateway Tags: , , , , , , , , , , , ,

Updating SQL Server on Forefront TMG 2010

November 28, 2011 Leave a comment

Keeping the base operating system of your Forefront TMG 2010 firewall up to date is vitally important to the overall security of your edge security solution. To manage system updates, many administrators will configure their Forefront TMG 2010 firewalls to use Windows Update or WSUS, or manage them using System Center Configuration Manager (SCCM) or another third-party systems management platform.

In my experience, SQL server running on the Forefront TMG 2010 firewall is often overlooked and commonly not updated. I believe this happens because updates for SQL server are classified as optional.

So, as a reminder, don’t overlook updates for SQL server on Forefront TMG 2010 firewalls or UAG 2010 servers! Using the Windows Update control panel application, select the option to install the latest service pack for Microsoft SQL Server 2008, which at the time of this writing is Service Pack 3. You can install the service pack directly if you choose; SQL Server 2008 Express SP3 can be downloaded here. After applying the latest service pack you can confirm that SQL has been updated by opening an elevated command prompt and entering the following commands:

osql -E -S .\msfw

select @@version [press enter]
go [press enter]

The output of the command should indicate that the installed SQL version is Microsoft SQL Server 2008 (SP3) – 10.0.5500.0 (X64).

Note: Applying service packs and updates to SQL is highly recommended to maintain the most secure Forefront TMG 2010 firewall possible. Upgrading the version of SQL installed on the TMG firewall is not supported and definitely not recommended, so don’t attempt to upgrade to SQL Server 2008 R2 Express.

Categories: Forefront TMG 2010, Unified Access Gateway, Forefront UAG 2010, Threat Management Gateway Tags: , , , , , , , , , , , , ,

Discussing Forefront TMG 2010 SP2 on Security Talk

November 17, 2011 4 comments

Recently I had the privilege to appear with my good friends Tom Shinder and Yuri Diogenes on their video series Security Talk. We spent most of the time discussing new features and capabilities provided by Service Pack 2 (SP2) for Forefront TMG 2010. Click here to watch. Enjoy!

Categories: Forefront TMG 2010, Security Updates, Threat Management Gateway

Forefront TMG 2010 Turns Two Years Old

November 16, 2011 3 comments

Today marks the second anniversary of the release to manufacturing (RTM) for Microsoft Forefront Threat Management Gateway (TMG) 2010. In the two years since its release Microsoft has provided two major service packs that have increased stability, improved performance and scalability, and also added some helpful new functionality. During this time the product also achieved Common Criteria (level EAL4+) certification. As we approach the end of mainstream support for Microsoft ISA Server 2006 SP1, now is a good time to begin evaluating Forefront TMG 2010 and to start planning your migration!

Categories: ISA 2006 Enterprise, ISA 2006 Configuration, ISA 2006 General, ISA 2006 Standard, Forefront TMG 2010, Threat Management Gateway Tags: , , , , , , , , , , , ,

Bug in Forefront TMG 2010 Service Pack 2

November 14, 2011 7 comments

Today I confirmed a bug in Service Pack 2 (SP2) for Forefront TMG 2010 that was discovered by Jason Jones. If you have deleted the default Internet Access network rule and replaced it with something else, installing SP2 for Forefront TMG 2010 mysteriously restores this rule. Unfortunately it places the default Internet Access rule ahead of your custom rule which in most cases will cause serious problems. This bug only affects Forefront TMG 2010 configurations where the default Internet Access network rule has been specifically deleted. If you’ve altered this rule in any way, those changes are unaffected.

Before Forefront TMG SP2 installation…

After Forefront TMG SP2 installation…

Categories: Forefront TMG 2010, Networking, Threat Management Gateway, Troubleshooting
Follow

Get every new post delivered to your Inbox.

Join 35 other followers