Archive for the ‘Forefront UAG 2010’ Category

Mastering Microsoft Forefront UAG 2010 Customization

December 2, 2011

Recently my good friends Ben (Erez) Ben-Ari and Rainier Amara announced their new book Mastering Microsoft Forefront UAG 2010 Customization, which is scheduled for release early next year. As many of you know, Ben is the author of the Microsoft Forefront UAG 2010 Administrator’s Handbook, an essential reference for anyone working with Forefront UAG 2010. The new book focuses on customization, which is one of the features that make Forefront UAG 2010 a powerful and compelling remote access solution. I have the tremendous privilege of serving as the book’s technical reviewer, and as I am getting an advance look at Ben and Rainier’s work I can tell you this book will be a must-have for anyone working with Forefront UAG 2010. The book will be available in print and e-book formats and can be pre-ordered here.

Installing Forefront TMG 2010 SP2 on Enterprise Arrays

December 1, 2011

July 4, 2012 – Update: A script is now available on ISATools.org that will identify the exact order in which to install TMG SP2 for your environment. You can download the script here.

To successfully install Service Pack 2 (SP2) for Forefront TMG 2010, you must first install Service Pack 1 (SP1), then Software Update 1 for SP1 (SP1U1) as I indicated in a previous blog post. None of the other hotfix rollups available for Forefront TMG are required to upgrade to SP2. For Forefront TMG 2010 enterprise arrays, these updates must be installed in a specific order to eliminate potential conflicts. The proper sequence is as follows:

First, install SP1 for Forefront TMG 2010 on the…

  1. Enterprise Management Server (EMS)
  2. Reporting server in each array
  3. Remaining array members in each array

Next, install Software Update 1 for Forefront TMG 2010 SP1 on the…

  1. EMS
  2. Reporting server in each array
  3. Remaining array members in each array

Lastly, install SP2 for Forefront TMG 2010 on the…

  1. EMS
  2. Reporting server in each array
  3. Remaining array members in each array

For standalone arrays, treat the array manager as the EMS and follow the order outlined above. In addition, if you are adding a new array member to an existing array, install Forefront TMG 2010 and apply the updates in order before joining the array. Make certain that the new array member is at the same update level as the EMS and other array members. Also, consider slipstreaming SP2 with your installation media to save yourself some time.
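The sequence above, worked through for an environment whose servers start at different update levels. This is an added example, not the ISATools.org script or any Microsoft tool; the server names, array names, inventory layout and function names are hypothetical.

```powershell
# Added example: derive the remaining TMG update steps from a constructed inventory.
$levels    = 'RTM', 'SP1', 'SP1U1', 'SP2'            # update levels, in required order
$roleOrder = @{ EMS = 0; Reporting = 1; Member = 2 } # install order within each update

# Constructed sample inventory (hypothetical names).
# For a standalone array, record the array manager with Role = EMS.
$inventory = @'
Name,Array,Role,Level
TMG-EMS,-,EMS,SP1
TMG-A1,ArrayA,Reporting,SP1
TMG-A2,ArrayA,Member,RTM
TMG-B1,ArrayB,Reporting,SP1U1
TMG-B2,ArrayB,Member,SP1
'@ | ConvertFrom-Csv

function Get-TmgUpdatePlan {
    param([object[]]$Servers)
    $step = 0
    # One pass per update; each pass covers every server still below that level.
    foreach ($target in $levels[1..($levels.Count - 1)]) {
        $targetIndex = [array]::IndexOf($levels, $target)
        $Servers |
            Where-Object { [array]::IndexOf($levels, $_.Level) -lt $targetIndex } |
            Sort-Object { $roleOrder[$_.Role] }, Array, Name |
            ForEach-Object {
                $step++
                New-Object PSObject -Property @{
                    Step = $step; Install = $target; Role = $_.Role
                    Array = $_.Array; Server = $_.Name
                } | Select-Object Step, Install, Role, Array, Server
            }
    }
}

function Test-TmgJoinReady {
    # A new member may join only when it matches the update level of the EMS.
    param([string]$NewMemberLevel, [object[]]$Servers)
    $ems = $Servers | Where-Object { $_.Role -eq 'EMS' } | Select-Object -First 1
    $NewMemberLevel -eq $ems.Level
}

Get-TmgUpdatePlan -Servers $inventory | Format-Table -AutoSize
"New member at RTM ready to join: $(Test-TmgJoinReady -NewMemberLevel 'RTM' -Servers $inventory)"
```

With this inventory the plan starts with SP1 on TMG-A2 alone, then runs SP1U1 and SP2 across the remaining servers with the EMS first in each pass.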

Special thanks to Jim Harrison for clarification on the installation order.

Updating SQL Server on Forefront TMG 2010

November 28, 2011

Keeping the base operating system of your Forefront TMG 2010 firewall up to date is vitally important to the overall security of your edge security solution. To manage system updates, many administrators will configure their Forefront TMG 2010 firewalls to use Windows Update or WSUS, or manage them using System Center Configuration Manager (SCCM) or another third-party systems management platform.

In my experience, SQL Server running on the Forefront TMG 2010 firewall is often overlooked and commonly not updated. I believe this happens because updates for SQL Server are classified as optional.

So, as a reminder, don’t overlook updates for SQL Server on Forefront TMG 2010 firewalls or UAG 2010 servers! Using the Windows Update control panel application, select the option to install the latest service pack for Microsoft SQL Server 2008, which at the time of this writing is Service Pack 3. You can install the service pack directly if you choose; SQL Server 2008 Express SP3 can be downloaded here. After applying the latest service pack you can confirm that SQL has been updated by opening an elevated command prompt and entering the following commands:

osql -E -S .\msfw

select @@version [press enter]
go [press enter]

The output of the command should indicate that the installed SQL version is Microsoft SQL Server 2008 (SP3) – 10.0.5500.0 (X64).
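The same check can be run non-interactively and compared against the SP3 build automatically. This is an added example, not part of the original post; the function name Test-SqlBuild is hypothetical, and it assumes osql is on the path and is run from an elevated PowerShell prompt on the firewall.

```powershell
# Added example: scripted SQL Server build check for the TMG instance.
$instance = '.\msfw'                   # instance name used in the post
$minimum  = [version]'10.0.5500.0'     # SQL Server 2008 SP3 build quoted in the post

function Test-SqlBuild {
    param([string]$Reported, [version]$Minimum)
    # osql pads its output; pull out the first four-part build number.
    if ($Reported -notmatch '(\d+\.\d+\.\d+\.\d+)') {
        throw "No build number found in osql output: '$Reported'"
    }
    $build = [version]$Matches[1]
    New-Object PSObject -Property @{
        Build            = $build
        Minimum          = $Minimum
        AtOrAboveSP3     = ($build -ge $Minimum)
        # SQL Server 2008 reports 10.0.x; 2008 R2 reports 10.50.x, which the
        # post says is not a supported upgrade on TMG.
        SupportedRelease = ($build.Major -eq 10 -and $build.Minor -eq 0)
    }
}

# -E trusted connection, -b non-zero exit code on error,
# -h-1 no column headers, -Q run the query and exit.
$query  = "SET NOCOUNT ON; SELECT CONVERT(varchar(32), SERVERPROPERTY('ProductVersion'))"
$output = & osql -E -S $instance -b -h-1 -Q $query 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { throw "osql failed against ${instance}: $output" }

$result = Test-SqlBuild -Reported $output -Minimum $minimum
$result | Format-List Build, Minimum, AtOrAboveSP3, SupportedRelease
if (-not ($result.AtOrAboveSP3 -and $result.SupportedRelease)) {
    Write-Warning "SQL Server on $instance needs attention (build $($result.Build))."
}
```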

Note: Applying service packs and updates to SQL is highly recommended to maintain the most secure Forefront TMG 2010 firewall possible. Upgrading the version of SQL installed on the TMG firewall is not supported and definitely not recommended, so don’t attempt to upgrade to SQL Server 2008 R2 Express.

Microsoft Security Bulletin MS11-083 and Forefront TMG 2010

November 12, 2011

Included in the November Microsoft security bulletin release was security update MS11-083 (KB2588516) that addresses a critical vulnerability in TCP/IP that could allow remote code execution. Forefront TMG 2010 firewalls are protected from this vulnerability, as the firewall engine’s kernel mode driver processes packets even before the operating system sees them. More information about how the Forefront TMG 2010 firewall engine and service work can be found here [this document is for ISA, but TMG is similar]. Although the underlying operating system’s TCP/IP networking stack is protected by the Forefront TMG firewall engine driver, TMG administrators are still strongly encouraged to install the MS11-083 update as soon as possible.

Deploying IPv6 and Forefront UAG 2010 DirectAccess Technical Deep Dive

September 8, 2011

On Tuesday, September 20, 2011, join me and Ed Horley at the Pacific IT Professionals Los Angeles event where we will be presenting a Technical Deep Dive on IPv6 and DirectAccess. During the first session, Ed will discuss in detail how to deploy IPv6 in a Microsoft enterprise network. During the second session I’ll dig into Microsoft DirectAccess with Forefront Unified Access Gateway (UAG) 2010. The event begins at 6:00PM PDT and is being held at the Microsoft offices in downtown Los Angeles. For more information and to register for the event, click here.

Hope to see you there!