Let’s begin
For a Firewall like Forefront TMG or an Application Layer Firewall like Forefront UAG, administrators should always install the latest available Service Packs and Rollups to keep the Firewalls up to date to reduce the attack surface and to provide new and enhanced functionalities.
Attention:
Before you install Service Packs and Rollups for Forefront TMG and UAG, always create a working backup. The following articles explain how to back up your configuration: TMG Backup, UAG Backup.
Forefront TMG Standalone
The simplest way to install Service Packs and Rollups is a Forefront TMG Standalone installation. If you are not sure which TMG version is installed, open the TMG MMC, navigate to the System node, select the Servers tab and in the properties of the Forefront TMG Server object you will find the Forefront TMG version.
You can compare the installed version with the latest available Service Packs and Rollups on this website.
Next, create a backup of the Forefront TMG Server. After a successful backup of the Forefront TMG configuration or the entire Server, simply start the Service Pack or Rollup installation from an elevated command prompt and follow the instructions of the setup wizard.
During the Service Pack or Rollup installation the TMG services will be restarted, so if you install the Service Packs through a Remote Desktop connection it is likely that the RDP session freezes and you have to wait for an automatic reconnect or re-establish the RDP connection manually.
Forefront TMG Standalone Array
In a Forefront TMG Standalone Array, install the Service Pack or Rollup on the Array Manager first. The easiest way to determine the Array Manager is to open the TMG MMC, navigate to the System node, select the Servers tab and look at the column Config. Manager, where you will find the Array Manager.
After the installation on the Array Manager has been successfully completed, check that the configuration is working: check the related Windows Event logs, the TMG Monitoring Dashboard and other relevant logs. If everything is working, install the Service Pack or Rollup on the additional Array members.
If your Forefront TMG or UAG Array is NLB enabled you have to perform some additional configuration steps. I will show you these additional steps later in this article.
Forefront TMG Enterprise Array with EMS
If you deployed a Forefront TMG Enterprise Array with a centralised Enterprise Management Server (EMS), you must first install the Service Pack or Rollup on the primary EMS Server and after that on the EMS Replica Server/s. If the installation has been successfully finished on the EMS Servers, install the Service Packs and Rollups on the Forefront TMG Array members.
When the installation has finished, check the related Windows event logs and the TMG Monitoring Dashboard, and make sure that the TMG configuration has been synced with the EMS Server as shown in the following screenshot.
If your Forefront TMG or UAG Array is NLB enabled you have to perform some additional configuration steps. I will show you these additional steps later in this article.
Forefront UAG Standalone
Because Forefront UAG uses Forefront TMG as the underlying Firewall Server, you must install Forefront TMG and UAG updates in the correct order. The following websites list the recommended installation order.
A typical Forefront UAG server has multiple products, each of which needs their own updates. These include:
- The Windows Operating system
- Forefront UAG
- Forefront TMG
- SQL Server 2008 Express
- Other Operating system components
As a general recommendation you should install Forefront TMG updates before installing Forefront UAG updates.
You should also keep in mind that, for example, Forefront UAG Service Pack 3 (which is the latest Service Pack for UAG as I write this article) requires SP1, SP1 Update 1 and SP2 to be installed first, and for these three this is also the update order. The same is true for Forefront TMG. Forefront TMG SP2 Rollup 4 supersedes SP2 itself, so the Service Pack must be installed before the latest TMG rollup.
As Ben Ari mentioned in his blog post, a typical installation is as follows:
Forefront UAG is distributed as a slipstreamed installation with TMG SP1 Update 1 and UAG SP1. You should also install any and all available OS updates (except the latest version of Internet Explorer which may cause problems if you open the TMG MMC when the TMG server has not been patched with the latest Rollups).
- Install Forefront TMG SP2
- Install Forefront TMG SP2 Rollup 4
On top of Forefront UAG SP1 you should install any and all UAG updates, in the following order:
- Forefront UAG SP1 Update 1
- Forefront UAG SP2
- Forefront UAG SP3
- Forefront UAG SP3 Rollup 1
- Forefront UAG SP4
Attention:
After installing a Forefront UAG Service Pack or Rollup, I recommend that you save and activate the Forefront UAG configuration BEFORE you install the next UAG Rollup or Service Pack. In the past I had some problems with a few customer Forefront UAG Servers where I installed the UAG Service Packs and Rollups without saving and activating the configuration in between. My colleague Karsten Hentrup and I experienced some problems during Forefront UAG Service Pack and Rollup installations which we described in the following (German language) article.
Also make sure that you install any available updates to Microsoft SQL Server Express and other system components such as the .NET Framework. These can be installed before or after the other updates.
In addition to checking in the TMG MMC whether the configuration has been successfully applied and synced, use the Forefront UAG Activation Monitor to verify that the configuration has been synchronized successfully.
Forefront UAG Array
Installing Forefront UAG Service Packs and Rollups in a Forefront UAG Array is the same procedure as for a Forefront TMG Standalone Array. During a Forefront UAG installation with UAG Array members, a Standalone Forefront TMG/UAG array is created, so you have to install the Forefront UAG updates on the Array Manager first. You can determine the Forefront UAG Array Manager in the Forefront TMG MMC as mentioned above in this article or in the Forefront UAG MMC: start the Forefront UAG MMC and click Admin – Array Management.
If your Forefront TMG or UAG Array is NLB enabled you have to perform some additional configuration steps. I will show you these additional steps next.
Forefront TMG and UAG in an NLB Cluster
As mentioned above, if you are running Forefront TMG and UAG in an NLB cluster, Microsoft recommends the following steps before you install Service Packs and Rollups:
- Remove the server from the load-balancing configuration.
- Drain existing connections that are served by the server.
- Set NLB to “suspended” to prevent auto-rejoin when you restart.
- Install the update.
- Restart the server if it is required.
- Start NLB on the updated server.
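The same sequence scripted for one array member, as an added example that is not part of the original article and not Microsoft's own script. It assumes the NetworkLoadBalancingClusters PowerShell module of Windows Server 2008 R2 is available on the node, that you run it in an elevated session on the node itself, and that the installer path is a placeholder for the Service Pack or Rollup package you downloaded.

```powershell
# Placeholder path: replace with the TMG/UAG Service Pack or Rollup package you downloaded.
$UpdatePackage = 'C:\Updates\<ServicePackOrRollup>.exe'

Import-Module NetworkLoadBalancingClusters

# 1. + 2. Remove the local node from load balancing and drain existing connections
#         (drain stop: no new connections are accepted, existing ones are allowed to finish).
#         -Timeout is in minutes; after that remaining connections are dropped.
Stop-NlbClusterNode -Drain -Timeout 10 | Out-Null

# 3. Suspend the node so it does not rejoin the cluster automatically after a restart.
Suspend-NlbClusterNode | Out-Null

$state = (Get-NlbClusterNode -NodeName $env:COMPUTERNAME).State
Write-Host "NLB node state before update: $state"   # expected: Suspended

# 4. Install the update and wait for the installer to finish.
$proc = Start-Process -FilePath $UpdatePackage -Wait -PassThru

switch ($proc.ExitCode) {
    0    { Write-Host 'Update installed, no restart required.' }
    3010 {
        # 5. Windows Installer exit code 3010: a restart is required.
        #    The node stays suspended across the reboot; re-run the last two
        #    commands below after the server is back and the TMG services are up.
        Write-Host 'Update installed, restart required. Restarting ...'
        Restart-Computer -Force
        return
    }
    default { throw "Update installer failed with exit code $($proc.ExitCode)" }
}

# 6. Bring the node back: Resume clears the suspended state (node is then stopped),
#    Start rejoins it to the cluster and it begins accepting connections again.
Resume-NlbClusterNode | Out-Null
Start-NlbClusterNode  | Out-Null
Write-Host "NLB node state after update: $((Get-NlbClusterNode -NodeName $env:COMPUTERNAME).State)"
```

Only start the node again after you have checked the Windows event logs and the TMG Monitoring Dashboard on it, as described for the Array Manager above.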
Post installation notes
After installing Forefront TMG or UAG Service Packs you should immediately create a new backup of the TMG and UAG configuration, because an older backup may be incompatible due to configuration or database updates.
Conclusion
In this article I gave you some best-practice information on how to install Forefront TMG and Forefront UAG Service Packs. We also covered the installation order of Forefront TMG and UAG Service Packs when the servers are members of a TMG or UAG array.