
Security Configuration Wizard for Forefront TMG 2010 and Windows Server 2008 R2 SP1

June 28, 2011

Security hardening and attack surface reduction are important steps in preparing a Forefront TMG 2010 firewall. To accomplish this task, the tool of choice is the Security Configuration Wizard (SCW). In one of my ISAserver.org articles I demonstrated how to use this tool to properly configure the underlying operating system to support the Forefront TMG 2010 firewall role. Since the native Windows SCW does not include support for the Forefront TMG role, the TMGRolesForSCW.exe utility included in the Forefront TMG Tools and SDK is required. This tool was released prior to Service Pack 1 for Windows Server 2008 R2 and does not include a template that works correctly out of the box. When you attempt to register the Windows Server 2008 R2 template on a system with SP1 installed, you will receive the following error:

Command completed with error.
The parameter is incorrect.
Please check log file(s) under the following directory: 
%windir%\security\msscw\logs

To resolve this issue, create a copy of the template file SCW_TMG_W2K8R2_SP0.xml and name it SCW_TMG_W2K8R2_SP1.xml. Open this file with any text editor and navigate to the SCWKBRegistrationInfo node (line 2). Change the value of ServicePackMajorVersion from “0” to “1” and save the file. Register the template using the following command:

scwcmd register /kbname:TMG /kbfile:scw_tmg_w2k8r2_sp1.xml
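
The copy, edit and register steps above as a PowerShell script. This is an added example, not part of the original post or of the Forefront TMG Tools and SDK. It assumes ServicePackMajorVersion is an attribute of the SCWKBRegistrationInfo node, and `$TemplateDir` is a hypothetical parameter naming the folder that holds the extracted templates.

```powershell
# Added example: run from an elevated PowerShell prompt.
param(
    # Hypothetical parameter: folder containing the extracted TMGRolesForSCW templates
    [string]$TemplateDir = '.'
)
$ErrorActionPreference = 'Stop'

# Resolve to a full path: .NET file APIs do not follow PowerShell's current location
$dir    = (Resolve-Path $TemplateDir).ProviderPath
$source = Join-Path $dir 'SCW_TMG_W2K8R2_SP0.xml'
$target = Join-Path $dir 'SCW_TMG_W2K8R2_SP1.xml'

if (-not (Test-Path $source)) { throw "Template not found: $source" }
if (Test-Path $target)        { throw "Refusing to overwrite existing file: $target" }

# Parse rather than search-and-replace text, so only the intended value changes
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($source)

# Namespace-agnostic lookup of the registration node
$node = $xml.SelectSingleNode("//*[local-name()='SCWKBRegistrationInfo']")
if ($null -eq $node) { throw 'SCWKBRegistrationInfo node not found' }

# Assumption: ServicePackMajorVersion is an attribute of that node
$current = $node.GetAttribute('ServicePackMajorVersion')
if ($current -ne '0') {
    throw "Expected ServicePackMajorVersion=0 but found '$current'; file left untouched"
}
$node.SetAttribute('ServicePackMajorVersion', '1')
$xml.Save($target)

# Show what changed so the hardening template can be reviewed before registration
Compare-Object (Get-Content $source) (Get-Content $target) |
    Format-Table SideIndicator, InputObject -AutoSize -Wrap

# Register the SP1 template with the same command the article uses
Push-Location $dir
try {
    & scwcmd register /kbname:TMG /kbfile:SCW_TMG_W2K8R2_SP1.xml
    Write-Host "scwcmd exit code: $LASTEXITCODE"
    Write-Host "Logs: $env:windir\security\msscw\logs"
}
finally { Pop-Location }
```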

Continue using the SCW to configure and apply a security template to your TMG firewall following the instructions in my ISAserver.org article.

  1. Marlen
    May 16, 2012 at 1:02 am

    Thanks, mate! It helped me with my SQL policy with the same problem!!!!

  2. May 16, 2012 at 8:01 am

    Nice! 🙂

  3. August 28, 2012 at 2:19 pm

    Hi,

    This workaround does not seem to work. Is there any other way to do this?

    Thanks

  4. August 29, 2012 at 1:16 pm

    This has always worked for me, but it is possible that something has changed and now it doesn’t though.

  5. techierants
    August 29, 2012 at 3:05 pm

    Thanks Richard for your reply.

    Does it need any special permissions to work? I am a domain admin and TMG 2010 is installed. When I try to apply it, it says:

    command completed with error
    failed to generate log file (log file path)

    Any way to troubleshoot why this is not working, since it worked for most people? 🙂

    Thanks again! 🙂

  6. August 29, 2012 at 8:21 pm

    Not to my knowledge, but running as a privileged user should eliminate any possible contention there. No real good way to troubleshoot this either that I’m aware of, but my experience is different than yours as it always worked for me. 🙂
