You cannot install a Forefront Threat Management Gateway 2010 service pack on branch office servers

Here’s a new KB article we published on TMG 2010. This one actually first came out a couple weeks ago but since it wasn’t announced at the time I thought I’d send out a quick heads up just to let you know it was there. This KB article talks about an issue where an installation of SP1 or SP2 at a branch office fails and then rolls back just after Setup stops the Firewall service:

=====

Notice

Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.

Symptoms

Consider the following scenario:

  • The Microsoft Forefront Threat Management Gateway (TMG) 2010 Enterprise Edition server is running Microsoft Enterprise Management Server (EMS) in the headquarters network.
  • The TMG 2010 server that is installed on the branch office network is connected to the headquarters EMS using a Site to Site VPN that is hosted on the TMG 2010 server.

In this scenario, an installation of Service Pack 1 or Service Pack 2 on the branch office fails just after Setup stops the Firewall service. Then, the EMS connectivity problem is reported, and the Setup process rolls back the service pack installation. For more information about the ISA and TMG branch office scenario, visit the following Microsoft TechNet webpage:

http://technet.microsoft.com/fr-fr/library/bb794783(en-us).aspx

Cause

This problem occurs because the installation process must shut down the Microsoft Forefront TMG Firewall service to update binary files. When the service is stopped, the Site to Site VPN connection to the branch office network from the headquarters EMS server is closed. When this occurs, the installation process loses connection to the headquarters EMS server.

Resolution

To resolve this issue, follow these steps.

Upgrade process

On the headquarters EMS server:

  • Upgrade the computer to TMG 2010 SP1.

On the headquarters TMG server:

  1. On the Remote Access Policy node, click the VPN Clients tab.
  2. Enable VPN client access.
  3. Configure VPN Client Access. To do this, on the Protocols tab, click to select the Enable L2TP/IPsec check box, and then click Apply.
  4. Click Authentication Methods. In the Allow custom IPsec policy for L2TP connection field, click Use preshared key value, and then click Apply.
  5. Apply the configuration changes.
  6. Under Local Users and Groups, click Users, right-click New User, and then click Properties.
  7. Type the user credential details (including the user password), and then click to clear the User must change passwords at next logon check box.
  8. Click Create, and then click Close.
  9. Right-click the new user, click Properties, point to Dial-in, and then click Network Access Permission.
  10. Click Allow Access, click Apply, and then click OK.
  11. Connect remotely to the branch office TMG server’s external IP address from the headquarters TMG network.

On the branch office TMG server when it is connected:

  1. Run the following from a command line with administrative permissions:

netsh tmg add allowedrange a.b.c.d a.b.c.d persistent

In this command, the placeholder a.b.c.d is the external address of the headquarters TMG server. This adds a Firewall Engine exception to enable the headquarters TMG server to connect to the branch office TMG network even when it is in lockdown mode (that is, when the TMG service is down).

  2. Create a new dial-up connection:
    1. Open Network and Sharing Center.
    2. Click A new connection or network.
    3. Connect to a workplace.
    4. Click Use my Internet connection (VPN).
    5. Click I’ll set up an Internet connection later.
    6. Type the external address of the headquarters TMG network.
    7. Type the user credentials. Use the headquarters TMG computer name as the domain.
    8. Click Close.
  3. Right-click the new connection, click Properties, and then click the Security tab:
    1. For Type of VPN Connection, select L2TP/IPSec.
    2. Under Advanced settings, click Use preshared key for authentication.
  4. Make sure that the configuration on the headquarters TMG server is synced by using the Monitoring tab. Connect to the headquarters TMG network by using the newly created connection.

On the headquarters TMG after a VPN client connection is established:

  1. In the headquarters TMG 2010 user interface, under Monitoring, click Sessions, and then confirm that a new VPN Client session was established.
  2. Add a rule that enables all traffic from VPN Clients to Internal and Local Host networks for all users. Create the opposite rule enabling Internal plus Local Host to VPN Clients for all users.
  3. Make sure that there is a respective network routing rule. The default VPN Clients to Internal Network would be sufficient for the routing rule.

On the branch office TMG server by using your existing remote connection:

  1. Stop the Firewall service. To do this, at a command prompt with Administrative permissions, type the following:

net stop /y fwsrv

This also stops the Routing and Remote Access service and disconnects the existing Site to Site connection.

  2. Install TMG 2010 SP1 by typing the following command:

Msiexec /p <full msp path> /L*v <full log path>

  3. On the Locate Configuration Storage Server wizard page, provide explicit credentials. Do not use the Current user option.
  4. After you successfully install TMG 2010 SP1, restart the computer if you have to. Then, if you have to, manually start the Firewall service and verify that the Site to Site tunnel is restored.
  5. Disconnect the VPN client connection.

On the headquarters TMG server after you successfully upgrade the branch office TMG server:

Upgrade the headquarters TMG 2010 server to Service Pack 1. Please be aware that in order to be able to see the branch office TMG server’s configuration on the headquarters TMG server, you must first upgrade the headquarters TMG server to Service Pack 1.

Clean up after upgrade

On the headquarters TMG server:

  1. Restore the VPN Client access configuration that you set in the "Upgrade process: On the headquarters TMG server" procedure. If the Routing and Remote Access service restarts, you may have to wait for several minutes until all the services are started.
  2. Delete the user that was created in step 6 of the "Upgrade process: On the headquarters TMG server" procedure.

On the branch office TMG server:

  1. Delete Firewall Engine exceptions created in step 1 of the "On the branch office TMG server when it is connected" procedure. To do this, follow these steps:
    a. Open a command prompt with Administrative permissions.
    b. Run the following command:

netsh tmg show all

    c. In the command output, locate any dynamic and persistent IDs that correspond to the IP range that you added in the "Upgrade process: On the headquarters TMG server" procedure.
    d. Run the following commands. Use values for x that correspond to the dynamic IDs and use values for y that correspond to the persistent IDs that you found in step 1.c.:

netsh tmg delete allowedrange id=x
netsh tmg delete allowedrange id=y persistent

  2. Delete the dial-up connection that you created in step 2 of the "Upgrade process: On the branch office TMG server when it is connected" procedure.
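
A guard script for the branch office install steps and the cleanup check above, as an added example that is not part of the KB article: it refuses to stop the Firewall service unless the lockdown-mode exception for the headquarters address is listed, and with -VerifyCleanup it confirms that the exception has been removed. The parameter and function names are hypothetical, and the only assumption about the netsh tmg show all output is that the address appears in it literally.

```powershell
# Added example, not from the KB article. Run in an elevated PowerShell session
# on the branch office TMG server over the temporary remote connection.
param(
    [Parameter(Mandatory = $true)][string]$HqAddress,  # a.b.c.d in the article
    [string]$MspPath,                                  # <full msp path>
    [string]$LogPath,                                  # <full log path>
    [switch]$VerifyCleanup                             # run after the cleanup steps
)

# Assumption: an allowed range is listed with its address somewhere in the
# "netsh tmg show all" text; no other structure of the output is relied on.
function Test-AllowedRange([string]$Address) {
    $out = (& netsh tmg show all 2>&1 | Out-String)
    # Digit guards stop 10.0.0.1 from matching inside 10.0.0.10.
    return $out -match ('(?<!\d)' + [regex]::Escape($Address) + '(?!\d)')
}

if ($VerifyCleanup) {
    if (Test-AllowedRange $HqAddress) {
        Write-Warning "An allowed range for $HqAddress is still listed; delete its dynamic and persistent IDs."
        exit 1
    }
    Write-Output "No allowed range for $HqAddress remains."
    exit 0
}

if (-not $MspPath -or -not $LogPath) { throw 'MspPath and LogPath are required to install.' }

# Without the exception, stopping fwsrv puts the server in lockdown mode and
# cuts this remote session together with the Site to Site tunnel.
if (-not (Test-AllowedRange $HqAddress)) {
    throw "No allowed range for $HqAddress; run 'netsh tmg add allowedrange' first."
}

& net stop /y fwsrv
$p = Start-Process msiexec.exe -ArgumentList "/p `"$MspPath`" /L*v `"$LogPath`"" -Wait -PassThru

switch ($p.ExitCode) {
    0       { Write-Output 'Service pack installed.' }
    3010    { Write-Output 'Service pack installed; restart the computer.'; exit 0 }
    default { Write-Warning "msiexec exit code $($p.ExitCode); see $LogPath for the rollback reason." }
}

# Bring the Firewall service back if Setup (or a rollback) left it stopped.
if ((Get-Service -Name fwsrv).Status -ne 'Running') { Start-Service -Name fwsrv }
```

Run it once with the patch and log paths to install, and again with -VerifyCleanup after the netsh tmg delete allowedrange commands so that no standing exception for the headquarters address is left behind.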

=====

For the most current version of this article please see the following:

2648207: You cannot install a Forefront Threat Management Gateway 2010 service pack on branch office servers

J.C. Hornbeck | System Center & Security Knowledge Engineer
