Forefront TMG 2010 Service Pack 2 Now Available
Service Pack 2 for Microsoft Forefront TMG 2010 is now available. In addition to numerous fixes released since SP1 and SP1 hotfix rollup 4, this service pack also includes the following new features:
New reports – A new site activity report that provides details about requests made to specific web sites for individual users.
New error pages – TMG SP2 provides the option to use new error pages that feature a whole new look and feel. In addition, these new error pages are more easily customized and can now include embedded objects.
Kerberos authentication for NLB – TMG SP2 includes the ability to leverage Kerberos authentication for clients accessing enterprise arrays via the NLB virtual IP address (VIP).
You can download Forefront TMG 2010 service pack 2 here. Please note that this update requires that Forefront TMG 2010 SP1 and software update 1 for TMG SP1 be installed prior to installing Forefront TMG 2010 SP2. Once TMG SP2 has been installed successfully the build number will be 7.0.9193.500.
For information regarding the installation of SP2 for Forefront TMG 2010 on enterprise arrays, click here.
Connect
Richard Hicks' Forefront TMG Blog 
I dont find any exact list of what has been fixed in SP2, only those 4-5 “new” features, that does not really mean any big improvement for me (new error pages, c’mon! some dev guy was forced to sit down and write a couple of lines of HTML code, and tadam, new error pages).
Is there such a comprehensive list, so I have a better view to decide in production whether I should risk the upgrade, or it does not worth?
Hi Richard, thanks for information.
I was reading about TMG SP2, but I can´t find about fixes realated?
You know where I can found that?
any idea what the bug fixes are? MS links to a non-existent KB article.
The KB article has now been published. A complete list of fixes included in Forefront TMG 2010 SP2 can be found here.
Hi Richard,
After install SP2 something goes wrong with our TMG. When a user open a teamviewer session to transfer files, TMG 2010 does not respond. It’s impossible to login from console, and if a previous session in console was open then you cannot view any traffic. Any kind of log, or warning appears in eventvwr or TMG alerts. It seem to be like TMG detects a attack and block himself, the internal NIC, I dont know….. A reboot is needed to solve the issue.
With SP1 + Software Update 1 we can transfer files using teamviewer…
Maybe SP2 has a bug…?
Hi Jose,
That does sound odd, for sure. I’ve no heard anyone else reporting serious issue with the update. It certainly is possible that it could be a bug with Forefront TMG 2010 SP2, but only detailed troubleshooting will determine that. Remember that if you open a case with Microsoft support and they determine that indeed it is a bug, you will not be charged.
Hi,
I have a Qs about SP2 for which I haven’t found As anywhere in the release notes neither in the KB article.
1. Does SP2 contain fixes released in SP1-U1-Rollup4?
2. Do I need to uninstall SP1-U1-Rollups prior to SP2’s installation (to have just SP1 + SP1-U1 and then SP2)?
Thanks…
Hi Jan,
This is a bit confusing, I agree. The installation prerequisites for installing service pack 2 (SP2) for Forefront TMG 2010 are TMG SP1 and software update 1 (SU1) for TMG SP1. Once you have those installed you can install SP2 and it will include all updates and hotfixes included since SU1 for TMG SP1. There is no need to install any of the post SU1 hotfix rollups to install Forefront TMG 2010 SP2.
Still no IPv6 support in TMG?
No, not at this time. IPv6 support wouldn’t be included in a service pack though. Look for IPv6 in the next release of Forefront TMG.
Hi there.
After SP2 my logqueue is increasing and the Logging Status says disconnected. If i change to flat file it works fine, change to the SQL Server Express Database and it returns to being disconnected.
Any ideas?
As long as the SQL services are up and running I would expect this to work without issue. I’ve not heard anyone else reporting this issue, so unfortunately I don’t have a lot of advice for you.
IPv6 is not supported in TMG? I thought for sure I saw IPv6 IP addresses flying by in the live logging window…
Do you know when/where we can find a walk-through on how to enable Kerberos authentication for NLB, which is a new feature in SP2?
Found this URL on how to go about setting-up Kerberos authentication on the NLB VIP.
http://technet.microsoft.com/en-us/library/hh454304.aspx
However, their example is invalid: setSPN -U -A http/
Any idea what the -U switch is and what’s its used for? Or can it simply be ignored? Looking at the SetSPN switches I suspect that this is an error.
What way do you recommend to see if Kerberos authentication to the VIP is working correctly?
One thing that I’ve noticed is that I’m no longer seeing any HTTP 407 authentication required responses in my Wireshark traces.
I suppose this would make sense because with Kerberos authentication the client is handing the authentication token directly to the TMG array member so authentication is handled right away. This would be much different than what I’m used to seeing with the HTTP 407 authentication required response from the TMG array member.
You may have seen some IPv6 traffic in the Forefront TMG 2010 access logs, but if you look closely it is being denied. Although the Windows operating system on which Forefront TMG 2010 is installed fully supports IPv6, the Forefront TMG 2010 firewall software itself does not, unfortunately. You can configure TMG to tunnel IPv6 traffic through the firewall without inspection, if necessary. This is required if you want to use TMG to publish a DirectAccess server.
Working on one. Stay tuned… 🙂
The syntax in that article is most certainly accurate. The -U switch is required to register the SPN for the user. -A is used to register the SPN for the computer. If you use -A, don’t forget to specify the user account in the format domain\user.
Use klist to view the Kerberos tickets obtained by the client. You should see one corresponding to your Forefront TMG 2010 proxy array. You can also observe the Kerberos authentication taking place using a protocol analyzer. When Kerberos authentication is use instead of NTLM, you won’t see the authentication challenge coming form the Forefront TMG 2010 firewall. Instead you’ll see a single HTTP 407 response and the client will make the request again, this time including the appropriate Kerberos ticket.
I have the same issue. Did you find a solution?
Ok, I think I see the problem. the SetSPN utility that comes with Windows Server 2003 R2 does not include the edit mode modifier of -U. I see that only Windows Server 2008 R2 has this new feature.
What would be the SetSPN command that we use to issue running on a domain controller running Windows Server 2003 R2?
I answered my own question above.
Simply log onto the TMG server itself or the EMS server itself, which should be running Windows Server 2008 R2. There you will find the updated version of SetSPN, which understands the -U switch.
What’s interesting is that if you accidentally unregister the SPN with the following command:
SetSPN -D http/array.contoso.com SvcTMG2010
within 5 seconds you will see the EMS server unable to communicate with the proxy array members…
I’ve only heard a few people complain about this, so I don’t believe it is an issue with the service pack itself. I’ll let you know if I hear anything though.
Thanks Mike. You’re making my job easier here. 😉
That should only happen when you use the domain account for intra-array authenticaiton as well. I’d recommend leaving the default to use computer account authentication and only using the domain account for the firewall service.
I am still seeing strange behavior on the EMS after enabling Kerberos authentication for NLB. I am seeing this event in the event log on the EMS:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server tmgsvc. The target name used was [email protected]. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (CONTOSO.COM) is different from the client domain (CONTOSO.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Hi Mike,
This is an anomaly that happens when you make the change to support Kerberos authentication with NLB. I’ve created a blog post with a detailed explanation here:
https://tmgblog.richardhicks.com/2011/12/13/unable-to-retrieve-data-from-array-member-fails-after-enabling-kerberos-authentication-with-nlb-on-forefront-tmg-2010/
Thanks!
I also have a problem with disconnected SQL express log database. Please help.
I’d be happy to answer any questions you might have regarding SQL logging on Forefront TMG 2010, but unfortunately providing technical support is outside the scope of this blog. Thanks! 🙂
Thanks. We can all benefit from your help here on blog. Well the issue starts after the TMG SP2 installation. TMG connection to SQL server express logging database is lost. After i uninstall SP2 everything works as usual. Is there a way to manually attach SQL server express logging database to TMG after it is disconnected? This looks like a bug on SP2.
I’m sure there is. Can you tell me what the specific error message and event ID is?
Richard, i needed to resolve the issue as soon as possible.
I haven’t found the reason why i had this problem but the workaround for this problem:
0. Export all policy settings and configuration (beware if you have SP2 installed while exporting that you need SP2 installed again if you want to import, uninstall everything (TMG, SQL server and components).
1. Downloaded the TMG from Microsoft MVLS website
2. Install TMG
3. Install TMG SP1
4. Install TMG SP1 Update 1
5. Install TMG SP2
6. Import configuration data and settings from exported XML
it took about 30 minutes to do this six steps. Much less than to investigate. Sorry we didn’t learn anything about the SP2 bug, but here is a link with a post that have some great ideas to resolving this issue:
http://social.technet.microsoft.com/Forums/en-IE/Forefrontedgegeneral/thread/5cccfc29-dab2-4e35-aba8-6df48bbb460b a
I’ll let you know if I hear more about this issue in the future.
I am having the same issue anybody have any ideas?
We just fixed it by:
1. Installing all windows updates and service packs. Reboot.
2. Setting logging to text on C: drive. Services restart (firewall and sql)
3. Setting logging to SQLExpress on C: drive. Services restart (firewall and sql)
4. Setting logging of SQLExpress back to D: drive. Services restart (firewall and sql)
I can confirm that Vidar’s fix works…. followed the steps exactly and it appears to be operating as expected.
Thx
Use caution when enabling Kerberos authentication as this is not supported with some 3rd party web filters…
Thanks for pointing this out, Mike. As you discovered, the Cisco ScanSafe plug-in for Forefront TMG 2010 requires NTLM authentication to work correctly, which is a serious bummer!
I can also confirm that Vidar’s fix works…. followed the steps exactly and it appears to be operating as expected.
For those of you experiencing logging issues after installing Forefront TMG 2010 SP2, please review this KB article for more information.
http://support.microsoft.com/kb/2662548
After I have installed SP2, Log to SQL Server shows disconnected!
what’s wrong!!!
but It’s working after uninstall sp2
Are you using a localized version of Forefront TMG 2010? If so, have a look at the following Microsoft KB:
http://support.microsoft.com/kb/2662548/en-us
I had the same issue log disconnect after applying SP2, kb2662548 does not work. I used the post by vidar to fix the issue– thank you very much!