Service Pack 2 (SP2) was recently released for Microsoft’s firewall product Forefront Threat Management Gateway (TMG). I upgraded my lab VM this morning and it was nice and simple; the whole process took under 10 minutes. I thought I’d just grab some screenshots of what to expect and post them here for reference.

Preparation

First up, it looks like SP2 isn’t cumulative, so you can’t just install it over the top of a fresh TMG install. You need to make sure you are running at least TMG SP1 with Update 1.

To check whether you have these updates, go into Control Panel, then “Programs and Features”, and click “Installed Updates” on the left-hand side. You should see all the Windows patches that are installed, including those for TMG.

(screenshot taken after my SP2 install but you can see here the other updates I had installed)

Next we need to do some preparation and planning. For my environment I was installing TMG on a virtual machine, so it was easy to take a snapshot so that if something went wrong I could simply revert the VM and start over. I’d strongly recommend you take a backup of the TMG array configuration before you start the Service Pack installation.

My environment was also a single-server, Standard Edition installation. If you are running a TMG array, I’d recommend you read Microsoft’s guidelines for SP1 installation here: http://technet.microsoft.com/en-us/library/ff717843.aspx

The basic plan for an NLB TMG array upgrade is:

  • Upgrade the EMS master server
  • Upgrade any EMS replicas
  • Drain stop the reporting TMG server
  • Upgrade the reporting TMG server
  • Reboot & join back to NLB
  • Drain stop the next TMG node
  • Patch & reboot
  • Repeat until all servers updated

Microsoft also suggests that you can create a “clone array”: you create a new TMG array for the SP2 servers and then, one by one, remove nodes from your SP1 array, patch them and join them to the SP2 array.

Next we need to download SP2 (here); chances are you are running Windows Server 2008 R2, so you’ll need the x64 version of the patch. Make sure to store the patch locally on each server you are going to upgrade, as during the installation TMG enters “lockdown” mode and stops communicating on the network. To avoid any issues it’s best to have the patch locally on the machine.
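As an added example (my own script, not part of the original post or anything Microsoft ships), here is a PowerShell pre-flight that does the preparation steps above on a standalone TMG server: confirm SP1 with Update 1 are registered under Installed Updates, confirm the SP2 package is on a local disk, and export the array configuration before you run the installer. The patch and backup paths are placeholders, the DisplayName patterns and the TMG service display-name prefix are assumptions you should adjust to what your server shows, and the export relies on the TMG COM API (`FPC.Root`, `GetContainingArray`, `FPCArray.ExportToFile`) as documented in the ISA/TMG SDK.

```powershell
# Added example, not from the original post: pre-flight checks before applying
# TMG SP2 on a single-server (standalone) installation, plus the post-install
# service check. Run from an elevated PowerShell prompt on the TMG server.
# Every path, pattern and COM call below is an assumption noted in a comment.

# Placeholder path for the locally stored SP2 package (keep it on the box:
# TMG enters lockdown during the install and stops talking on the network).
$PatchPath  = 'C:\Patches\TMG-SP2-x64.exe'
$BackupPath = "C:\Backup\TMG-Array-$(Get-Date -Format 'yyyyMMdd-HHmm').xml"

function Get-TmgInstalledEntries {
    # "Installed Updates" in Programs and Features is fed from the Uninstall
    # registry keys, so TMG's SP1 and Update 1 entries should be registered
    # there. Assumption: their DisplayName mentions TMG; adjust the pattern to
    # whatever your Installed Updates list actually shows.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Threat Management Gateway|Forefront TMG' } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Test-TmgSp2Prerequisites {
    # SP2 is not cumulative: both SP1 and Update 1 must already be present.
    $entries = Get-TmgInstalledEntries
    $entries | Format-Table -AutoSize | Out-String | Write-Host
    $sp1     = $entries | Where-Object { $_.DisplayName -match 'Service Pack 1' }
    $update1 = $entries | Where-Object { $_.DisplayName -match '\bUpdate 1\b' }
    if (-not ($sp1 -and $update1)) {
        Write-Warning 'TMG SP1 with Update 1 not detected; install them before SP2.'
        return $false
    }
    return $true
}

function Test-PatchIsLocal {
    param([string]$Path)
    # The package must exist and sit on a local fixed disk (DriveType 3), not on
    # a UNC path or mapped drive that will vanish when TMG goes into lockdown.
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Patch not found at $Path"
        return $false
    }
    $drive = Split-Path -Path $Path -Qualifier          # e.g. "C:"
    $disk  = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$drive'"
    if ($null -eq $disk -or $disk.DriveType -ne 3) {
        Write-Warning "$Path is not on a local fixed disk; copy it locally first."
        return $false
    }
    return $true
}

function Export-TmgArrayConfig {
    param([string]$Path)
    # Assumption: the TMG COM API (ProgID FPC.Root) exposes the containing array
    # and FPCArray.ExportToFile(FileName, OptionalData, EncryptionPassword, Comment)
    # as in the ISA/TMG SDK. OptionalData 0 exports no stored passwords, so no
    # encryption password is needed. This complements, not replaces, a VM snapshot.
    New-Item -ItemType Directory -Path (Split-Path -Path $Path -Parent) -Force | Out-Null
    $fpc   = New-Object -ComObject 'FPC.Root'
    $array = $fpc.GetContainingArray()
    $array.ExportToFile($Path, 0, '', "Pre-SP2 backup $(Get-Date)")
    Write-Host "Array configuration exported to $Path"
}

function Test-TmgServicesRunning {
    # Post-install check (no reboot is needed): the TMG services should have
    # auto-started once the installer released lockdown. Assumption: their
    # display names begin with "Microsoft Forefront TMG".
    $stopped = Get-Service -DisplayName 'Microsoft Forefront TMG*' |
        Where-Object { $_.Status -ne 'Running' }
    if ($stopped) {
        Write-Warning ('Not running: ' + (($stopped | ForEach-Object { $_.DisplayName }) -join ', '))
        return $false
    }
    return $true
}

# Pre-flight: only carry on to the installer if every check passes.
if ((Test-TmgSp2Prerequisites) -and (Test-PatchIsLocal -Path $PatchPath)) {
    Export-TmgArrayConfig -Path $BackupPath
    Write-Host "Ready: run $PatchPath interactively as described below."
}
# After the installer finishes and the console shows the new version, confirm
# the services came back with:  Test-TmgServicesRunning
```

The exported XML is what you would import back through the TMG console (or `FPCArray.ImportFromFile`) if the Service Pack goes wrong and you have no snapshot to revert to; on an array you would run the export against the EMS server rather than a member.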

Installation

  • Run the patch “.exe”

  • Accept the license terms

  • Select your CSS server (the local host for a standalone install; the EMS server in an array)

  • Start the installation

  • It is normal here to lose network connectivity to the TMG while the services are stopped. At the end of the installation, all things being well, the TMG services should auto-start

  • No reboot is required at the end of the install
  • Open the TMG console and check its version information (Help / About TMG)

Post install tidy up

The installation took under 10 minutes from start to finish, with about a 5 minute “down time” window when TMG wasn’t responding to requests.

Don’t forget, after a successful install, to go back and tidy things up, like removing any snapshots you created if it was a virtual machine (in Hyper-V you need to stop the VM before the snapshot file is properly removed from disk!).

See my follow up post for some of the changes included in TMG SP2 & good luck with your installation…!