Introduction
Installing and configuring Forefront Threat Management Gateway (TMG) 2010 can be a tedious and time consuming process. Add to that the time it takes to install service packs and updates after the installation is complete, and a systems administrator or network engineer can invest a significant amount of time bringing a TMG firewall online. In addition, a manual installation and configuration process tends to be error prone, often resulting in integration issues due to mismatches in service pack or update levels. We can address some of these challenges using techniques such as service pack and update slipstreaming and unattended installation. An extension of this, but outside the scope of this article, is the use of systems management software like Microsoft System Center Configuration Manager (SCCM) to perform an automated deployment of the TMG software. This could even include the bare-metal deployment of the underlying operating system. As you’ll see here, with some planning and preparation the Forefront TMG 2010 firewall can support the rapid, automated provisioning requirements of today’s modern datacenters.
Preparing the Installation Source
To start you’ll need to obtain the Forefront TMG 2010 installation media, which can be downloaded from the Microsoft Volume Licensing site. The process I’m going to describe will work with either Standard or Enterprise edition. At the time of this writing, the latest service pack for Forefront TMG 2010 is SP2, and the latest hotfix rollup is Hotfix Rollup 3 for TMG SP2. We’ll proceed to build an installation source that includes the latest service pack and hotfix rollup. Before we begin we’ll need to download the following additional software:
- Service Pack 1 for Forefront TMG 2010
- Software Update 1 for Forefront TMG 2010 SP1
- Service Pack 2 for Forefront TMG 2010
- Hotfix Rollup 3 for Forefront TMG 2010 SP2
Once you’ve downloaded these software packages, begin by mounting the Forefront TMG 2010 ISO and copying the entire contents to a temporary folder on your workstation. To support slipstreaming service packs and updates into the Forefront TMG 2010 installation media it will be necessary to extract the update file itself (the .msp file) from the executable update downloaded from Microsoft. To make matters confusing, Microsoft delivers some service packs and updates as .msp files, and others as .exe files. For example, TMG SP1 is an .msp file, so no extraction will be necessary. However, Software Update 1 for TMG SP1 is an .exe, as is TMG SP2. To extract the .msp files from these updates, open an elevated command prompt, navigate to the folder that contains the update or service pack and execute the following commands:
For Software Update 1 for Forefront TMG 2010 SP1…
TMG-KB2288910-amd64-ENU.exe /t C:\temp\SP1U1
For Service Pack 2 for Forefront TMG 2010…
TMG-KB2555840-amd64-ENU.exe /t c:\temp\SP2
To slipstream these service packs and updates into the Forefront TMG installation media, navigate to the \FPC folder in the temporary folder where you copied the original installation media. From an elevated command prompt, execute the following commands:
For Service Pack 1 for Forefront TMG 2010…
msiexec /a MS_FPC_Server.msi /p c:\temp\sp1\TMG-KB981324-AMD64-ENU.msp
For Software Update 1 for Forefront TMG 2010 SP1…
msiexec /a MS_FPC_Server.msi /p c:\temp\SP1U1\TMG-KB2288910-amd64-ENU.msp
For Service Pack 2 for Forefront TMG 2010…
msiexec /a MS_FPC_Server.msi /p c:\temp\SP2\TMG-KB2555840-amd64-ENU.msp
For Hotfix Rollup 3 for Forefront TMG 2010 SP2…
msiexec /a MS_FPC_Server.msi /p c:\temp\SP2RU3\TMG-KB2735208-amd64-GLB.msp
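The extraction and slipstreaming steps above, scripted end to end with exit-code checking so a bad patch stops the build instead of silently producing a half-updated source. This is an added example, not from the article; it assumes the media was copied to C:\TMGSource, the downloads sit in C:\Downloads (SP1 is the .msp in c:\temp\sp1 as above), and the Rollup 3 .msp is already in c:\temp\SP2RU3.

```powershell
# Added example (not the article's own script). Assumed locations:
#   C:\TMGSource\FPC  - copy of the TMG media's \FPC folder
#   C:\Downloads      - the downloaded .exe update packages
$ErrorActionPreference = 'Stop'
$fpc = 'C:\TMGSource\FPC'
$dl  = 'C:\Downloads'

function Invoke-Checked {
    # Runs a program, waits, and throws unless the exit code is in $Ok.
    param([string]$FilePath, [string[]]$ArgumentList, [int[]]$Ok = @(0))
    $p = Start-Process -FilePath $FilePath -ArgumentList $ArgumentList -Wait -PassThru -NoNewWindow
    if ($Ok -notcontains $p.ExitCode) {
        throw "$FilePath $ArgumentList failed with exit code $($p.ExitCode)"
    }
}

# 1. Extract the .msp from the two updates Microsoft ships as executables (/t = target folder).
Invoke-Checked "$dl\TMG-KB2288910-amd64-ENU.exe" @('/t', 'C:\temp\SP1U1')
Invoke-Checked "$dl\TMG-KB2555840-amd64-ENU.exe" @('/t', 'C:\temp\SP2')

# 2. Apply the patches to the administrative install point, oldest first.
$patches = @(
    'c:\temp\sp1\TMG-KB981324-AMD64-ENU.msp',    # SP1 (ships as .msp, no extraction)
    'C:\temp\SP1U1\TMG-KB2288910-amd64-ENU.msp', # Software Update 1 for SP1
    'C:\temp\SP2\TMG-KB2555840-amd64-ENU.msp',   # SP2
    'c:\temp\SP2RU3\TMG-KB2735208-amd64-GLB.msp' # Hotfix Rollup 3 for SP2
)
Push-Location $fpc
try {
    foreach ($msp in $patches) {
        if (-not (Test-Path -Path $msp)) { throw "Missing patch file: $msp" }
        # /a = administrative install, /p = apply patch, /qn = no UI; 3010 = success, reboot pending
        Invoke-Checked 'msiexec.exe' @('/a', 'MS_FPC_Server.msi', '/p', "`"$msp`"", '/qn') -Ok 0, 3010
        Write-Host "Applied $(Split-Path -Path $msp -Leaf)"
    }
} finally {
    Pop-Location
}
```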
Once complete, you can copy the updated TMG installation source to a shared folder on a file server, create a virtual hard disk drive, or create an ISO file using your favorite utility.
Unattended Installation
Prior to installing Forefront TMG 2010, the server must be prepared by installing any prerequisites required for Forefront TMG. This process is made easy with a prerequisite installation tool included with the TMG installation media. Which prerequisites are required depends entirely on the role the TMG installation will be used for. You can choose from Standalone, Enterprise Management Server (EMS), or Remote Management. For our purposes here we’ll select the option to install Forefront TMG prerequisites for a standalone implementation. From an elevated command prompt, navigate to the \FPC folder of the TMG installation media and execute the following command:
prerequisiteinstaller.exe /tmgsa /unattended
To complete an unattended setup for Forefront TMG itself, an unattended answer file is required. You’ll find sample files located in the \FPC\Unattended_Setup_Sample folder on the installation media for Standalone, EMS, and Remote Management installations. You’ll even find a sample file for an unattended uninstall. Since we’re preparing a standalone TMG firewall, copy InstallStandaloneServer.ini to another location, then right-click the file and choose Edit. Press Ctrl-F and search for the parameter ARRAY_INTERNALNET. By default, the answer file already includes the RFC1918 private IPv4 address blocks, which may be fine in some instances.
Figure 1
If you are using non-private IP addresses internally, or if you simply want to have the TMG internal network definition accurately reflect your internal network (which is a best practice), you’ll need to update the answer file accordingly. The syntax for ARRAY_INTERNALNET is as follows:
N From1-To1, From2-To2, … FromN-ToN
Where N is the number of network blocks you want to define and FromX-ToX is the IP address range for each subnet. In my lab I have a single subnet of 172.16.1.0/24, so my ARRAY_INTERNALNET definition looks like this:
ARRAY_INTERNALNET=1 172.16.1.1-172.16.1.255
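Hand-typing that "N From1-To1, From2-To2" value for a site with many subnets is where transcription mistakes creep in, and a wrong internal network definition is a security setting on a firewall. As an added example (not part of the article), this PowerShell generates the value from a list of CIDR blocks and writes it into a copy of the answer file; it emits each block from its network address through its broadcast address, and the file path and blocks in the usage line are assumptions.

```powershell
# Added example: build ARRAY_INTERNALNET from CIDR blocks and patch the answer file.
function ConvertTo-DottedQuad {
    param([long]$Value)
    $octets = @((($Value -shr 24) -band 255), (($Value -shr 16) -band 255),
                (($Value -shr 8) -band 255), ($Value -band 255))
    return ($octets -join '.')
}

function ConvertTo-TmgRange {
    # "172.16.1.0/24" -> "172.16.1.0-172.16.1.255" (network address through broadcast)
    param([Parameter(Mandatory)][string]$Cidr)
    if ($Cidr -notmatch '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$') { throw "Not an IPv4 CIDR block: '$Cidr'" }
    $addr, $prefixText = $Cidr -split '/', 2
    $prefix = [int]$prefixText
    if ($prefix -gt 32) { throw "Prefix length too long in '$Cidr'" }
    $bytes = [System.Net.IPAddress]::Parse($addr).GetAddressBytes()   # throws on an octet > 255
    $ip = [long]0
    foreach ($b in $bytes) { $ip = ($ip -shl 8) -bor [long]$b }       # big-endian 32-bit value
    $all  = [long]4294967295                                          # 0xFFFFFFFF
    $mask = ($all -shl (32 - $prefix)) -band $all
    $first = $ip -band $mask
    $last  = $first -bor ($all -bxor $mask)
    return "$(ConvertTo-DottedQuad $first)-$(ConvertTo-DottedQuad $last)"
}

function Set-TmgInternalNet {
    # Rewrites the ARRAY_INTERNALNET= line in $AnswerFile and returns the new value.
    param([Parameter(Mandatory)][string]$AnswerFile,
          [Parameter(Mandatory)][string[]]$Cidrs)
    $ranges = @($Cidrs | ForEach-Object { ConvertTo-TmgRange $_ })
    $value  = "$($ranges.Count) " + ($ranges -join ', ')
    $content = @(Get-Content -Path $AnswerFile)
    if (-not ($content -match '^ARRAY_INTERNALNET=')) { throw "ARRAY_INTERNALNET not found in $AnswerFile" }
    $content -replace '^ARRAY_INTERNALNET=.*$', "ARRAY_INTERNALNET=$value" | Set-Content -Path $AnswerFile
    return $value
}

# Assumed paths and subnets for illustration.
Set-TmgInternalNet -AnswerFile 'C:\Users\Administrator\Desktop\InstallStandaloneServer.ini' `
                   -Cidrs '172.16.1.0/24', '10.10.20.0/23'
```

Review the returned value against your IP plan before running setup; anything outside these ranges is treated by TMG as External.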
After you’ve finished editing and saved the unattended installation answer file, you can use the following command to execute a full unattended installation.
setup.exe /v /qb fullpathanswerfile=c:\Users\Administrator\Desktop\InstallStandaloneServer.ini
One challenge you’ll find is that after installation begins there is no clear visual indicator that the setup process has completed. To determine if the installation completed successfully, navigate to the C:\Windows\Temp folder and look for a file called ISAWRAP*.log. Open this file and scroll to the end. If the setup completed successfully the last entry should show a return value of SETUP_SUCCESS. Now, if you’re really clever you can copy tail.exe from the old Windows Server 2003 Resource Kit utilities and tail the file after the installation starts. You can also use your existing systems management tools to monitor this file for successful completion.
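The tail.exe trick still needs someone watching the screen. For a scripted deployment, here is an added example (not from the article) that polls the newest ISAWRAP*.log for SETUP_SUCCESS after you launch the setup command above, returns a result object a deployment task can act on, and gives up after a timeout instead of hanging forever. The poll interval, timeout and the assumption that the log lives under %SystemRoot%\Temp are mine.

```powershell
# Added example: wait for the TMG unattended setup to report completion.
function Wait-TmgSetup {
    param([int]$TimeoutMinutes = 60,
          [int]$PollSeconds = 15,
          [string]$LogDir = "$env:SystemRoot\Temp")   # C:\Windows\Temp, as in the article
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $log = $null; $tail = @()
    do {
        # The most recently written ISAWRAP*.log belongs to the setup that is running now.
        $log = Get-ChildItem -Path $LogDir -Filter 'ISAWRAP*.log' -File -ErrorAction SilentlyContinue |
               Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if ($log) {
            # Setup still has the file open, so read only the last few lines each pass.
            $tail = @(Get-Content -Path $log.FullName -Tail 10 -ErrorAction SilentlyContinue)
            $hit  = $tail | Where-Object { $_ -match 'SETUP_SUCCESS' } | Select-Object -Last 1
            if ($hit) {
                return [pscustomobject]@{ Succeeded = $true; Log = $log.FullName; LastLine = $hit }
            }
        }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    # Timed out: hand back the last line seen so the caller can inspect the log.
    return [pscustomobject]@{ Succeeded = $false
                              Log       = $(if ($log) { $log.FullName } else { $null })
                              LastLine  = ($tail | Select-Object -Last 1) }
}

# Launch setup.exe with the answer file as shown above, then:
$result = Wait-TmgSetup -TimeoutMinutes 90
if (-not $result.Succeeded) { Write-Error "TMG setup did not report SETUP_SUCCESS (log: $($result.Log))"; exit 1 }
```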
Post Installation
Once the automated installation has been completed you can manage your Forefront TMG firewall as you would normally. Opening the management console the first time will initiate the out-of-box experience and begin the Getting Started Wizard. Don’t forget that if you are planning to import the configuration from ISA Server 2006, you’ll need to do that prior to running the Getting Started Wizard.
Summary
Investing time and effort into preparing the Forefront TMG installation media by slipstreaming service packs and updates can be a significant time saver when installing Forefront TMG. It also provides a more consistent installation experience, eliminating the pitfalls of installing TMG in enterprise arrays with different service pack or update levels. In addition, using the unattended installation features of Forefront TMG allows administrators to leverage existing systems management tools to perform fully automated deployments, rapidly provisioning Forefront TMG firewalls to meet the demands of dynamically changing environments.