Moving from Eval to RTM: The steps you need to take in any TMG environment.


Hello All! It’s Brett Crane from the Forefront Edge team here at Microsoft. I’ve noticed there have been a few questions regarding documentation on the best way to go from an Evaluation Version of TMG to the RTM version. I thought I would take a few moments to cover some scenarios in upgrading between the two products in the case they may be in a production environment.

* Please keep in mind that I am not suggesting that we recommend putting an Evaluation version of the TMG product into production environments. It is actually the exact opposite. It is meant for testing purposes only.

So, all that said, let’s assume that there is a configuration of TMG that is an Evaluation version that you would like to keep up and running. “What! Keep it up and running!” Yes… the Evaluation versions are time bombed. You will see issues in running the firewall service once you have passed your Evaluation time period. So, let’s talk about how you can minimize downtime and get these servers back up in a supportable RTM configuration.

What needs to be done? Well, first you need to ask yourself:

“What type of configuration am I in? Is it a Stand-alone server? Is it a Stand-alone Array with 2 or more Firewall nodes? Or is it an Enterprise Array with 2 or more Firewall nodes?”

Based on your answer just choose one of the following quick and easy steps:

Stand-alone Server:

This process is simple enough, and there’s no question about it…you have to reinstall the product. You can’t just go out and purchase the product codes and put them in. So, you should expect that an install is going to be needed. Here are the steps for a single server:

1. Export your server configuration (Make sure to include the confidential information as well as the user permission settings).

2. Uninstall the TMG product from the server by going into Programs and Features, highlighting Microsoft Forefront Threat Management Gateway, and choosing Uninstall.

3. Install Threat Management Gateway utilizing the RTM bits you have purchased.

4. Import the configuration you saved in step 1 above.

* Please keep in mind that you haven’t changed anything on the server itself. You haven’t removed any NICs, changed IP addresses, uninstalled certificates, etc. You have just uninstalled the TMG product and reinstalled it.

Stand-alone Array with 2 or more Firewall nodes:

Seeing that this is an actual Array configuration (even though not an enterprise array utilizing a separate EMS), you’ll notice a big difference in steps below versus the steps above. What’s nice is the steps I provide should keep you up and running as long as you are using NLB for load balancing purposes. For this example I will be using 2 nodes in an array.

1. Start by exporting a full configuration of your Array for backup purposes in case any problems occur.

2. Determine which Node is your Array Manager. This is important because you will need to begin all the work on the Firewall Node that is NOT the Array Manager. To determine which of the two servers is your Array Manager, open your TMG MMC, highlight System on the left, then scroll over to the far right on your Servers tab located in the middle of your MMC. You’ll see one server says “Array Manager” and the other says “Array Managed”.

3. Note down the version numbers that your servers are at.

* This is very important because you will need to make sure you install the proper updates to bring them back up to match. If you don’t have them at the same patch level you will see issues when you try to join back to the Array.

4. From the Managed server, highlight the Array name on the left side of the MMC and choose “Disjoin Server From Array” on the right.

5. Once the server is fully disjoined from the Array go ahead and uninstall the TMG product from the server by going into Programs and Features, highlighting Microsoft Forefront Threat Management Gateway, and choosing Uninstall.

6. Install Threat Management Gateway utilizing the RTM bits you have purchased. Once the product has been reinstalled make sure to install all the needed updates to bring it to the same version as the current Array Manager.

7. Once the server is back up, highlight “Forefront TMG (Server_name)” on the left side of the MMC and choose “Join Array” from the far right. Point to the Array Manager’s name.

8. Once you have fully joined back to the Array you will notice that all your rules have been pulled back over to your new RTM server and everything should begin working again.

9. On the new RTM server highlight the Array on the left. In the Tasks tab on the far right choose “Set as Array Manager”. This will make this new server take control of the Array Manager process from the Evaluation server that is still running.

10. Go over to the remaining Evaluation server and highlight the Array on the left side of the MMC and then choose “Disjoin Server From Array” on the right.

11. Once the server is fully disjoined from the Array go ahead and uninstall the TMG product from the server by going into Programs and Features, highlighting Microsoft Forefront Threat Management Gateway, and choosing Uninstall.

12. Install Threat Management Gateway utilizing the RTM bits you have purchased. Once the product has been reinstalled make sure to install all the needed updates to bring it to the same version as the current Array Manager.

13. Once the server is back up, highlight “Forefront TMG (Server_name)” on the left side of the MMC and choose “Join Array” from the far right. Point to the new Array Manager’s name. This will cause the server to join the Array and pull down all the needed configurations.

Enterprise Array with 2 or more Firewall nodes:

Believe it or not this is actually the easiest of the three different configurations. The thing is… you don’t have to worry about updating your EMS (Enterprise Management Server) to RTM, just your firewall nodes.

1. Start by exporting a full configuration of your Array for backup purposes in case any problems occur.

2. Note down the version numbers that your servers are at.

* This is very important because you will need to make sure you install the proper updates to bring them back up to match. If you don’t have them at the same patch level you will see issues when you try to join back to the Array.

3. Choose the firewall node that you want to start your update to RTM on. There is not a specific node that should go first.

4. From the server you chose in step 3… highlight the Array on the left side of the MMC and then choose “Disjoin Server From Array” from the far right.

5. Once the server is fully disjoined from the Array go ahead and uninstall the TMG product from the server by going into Programs and Features, highlighting Microsoft Forefront Threat Management Gateway, and choosing Uninstall.

6. Install Threat Management Gateway utilizing the RTM bits you have purchased. Once the product has been reinstalled make sure to install all the needed updates to bring it to the same version as the current Array Manager.

7. Once the server is back up, highlight “Forefront TMG (Server_name)” on the left side of the MMC and choose “Join Array” from the far right. You will be joining an EMS-managed Array, so you will need to point to the name of your existing EMS. This will cause the server to join the Array and pull down all the needed configurations.

8. Once this server is back up and functioning as expected go to the second Firewall node that is still utilizing Evaluation bits and go through steps 4, 5, 6, and 7 just above.
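The first steps of all three procedures above (export a full configuration including confidential information and user permission settings, then record the version of every node so the reinstalled server can be patched to match before it rejoins) can be scripted instead of clicked through in the MMC. The following PowerShell is an added example and is not part of the original post or of the TMG product; it assumes the TMG administration COM object `FPC.Root` and the `ExportToFile` method and `FpcExportImportOptionalData` flag values as documented in the ISA/TMG SDK, and it treats the `Servers` collection property names used for the version listing as assumptions to verify against the SDK on your own install. The `Compare-TmgVersions` function is hypothetical helper code written for this example.

```powershell
# Added example, not the post's or the product's own code.
# Run in an elevated PowerShell session on a TMG node (the FPC.Root COM
# object is only registered where TMG or the TMG management console is installed).

# FpcExportImportOptionalData flag values as given in the ISA/TMG SDK (assumption: verify on your SDK build).
$fpcExportImportPasswords       = 1   # "Export confidential information" checkbox in the MMC wizard
$fpcExportImportUserPermissions = 2   # "Export user permission settings" checkbox in the MMC wizard

function Export-TmgArrayConfig {
    param(
        [Parameter(Mandatory)] [string] $ExportPath,
        [Parameter(Mandatory)] [string] $EncryptionPassword,   # required once confidential data is included
        [string] $Comment = "Pre Eval-to-RTM backup"
    )
    $fpc   = New-Object -ComObject FPC.Root
    $array = $fpc.GetContainingArray()          # the array this node belongs to

    $options = $fpcExportImportPasswords -bor $fpcExportImportUserPermissions
    New-Item -ItemType Directory -Force -Path (Split-Path $ExportPath) | Out-Null

    # ExportToFile(FileName, OptionalData, EncryptionPassword, Comment) per the SDK (assumption: verify signature).
    $array.ExportToFile($ExportPath, $options, $EncryptionPassword, $Comment)
    Write-Host "Exported array '$($array.Name)' to $ExportPath"
}

function Get-TmgNodeVersions {
    # Returns one object per node in the local array: name and installed product version.
    # Property names Name and ProductVersion on FPCServer are assumptions; adjust to your SDK.
    $fpc   = New-Object -ComObject FPC.Root
    $array = $fpc.GetContainingArray()
    foreach ($srv in $array.Servers) {
        [pscustomobject]@{ Server = $srv.Name; Version = $srv.ProductVersion }
    }
}

function Compare-TmgVersions {
    # Hypothetical helper: given the objects from Get-TmgNodeVersions, report whether every node
    # is at the same patch level. Mismatched levels are what cause the join-to-array problems
    # the post warns about, so run this before rejoining a reinstalled node.
    param([Parameter(Mandatory)] [object[]] $Nodes)
    $distinct = $Nodes | Select-Object -ExpandProperty Version -Unique
    if ($distinct.Count -eq 1) {
        Write-Host "All $($Nodes.Count) nodes are at version $distinct"
        return $true
    }
    Write-Warning "Patch levels differ across the array; update before joining:"
    $Nodes | Format-Table -AutoSize | Out-String | Write-Warning
    return $false
}

# Usage (constructed values): back up first, then record versions for later comparison.
$stamp = Get-Date -Format "yyyyMMdd-HHmm"
$pw    = Read-Host -Prompt "Export encryption password"
Export-TmgArrayConfig -ExportPath "C:\TMGBackup\array-config-$stamp.xml" -EncryptionPassword $pw
$before = Get-TmgNodeVersions
$before | Export-Csv -NoTypeInformation "C:\TMGBackup\node-versions-$stamp.csv"
Compare-TmgVersions -Nodes $before | Out-Null
```

The export created here is the same kind of file the MMC export wizard produces, so it can be imported back with the console in step 4 of the stand-alone procedure. Keep the encryption password with the backup: without it the confidential data in the export cannot be restored. Rerun `Get-TmgNodeVersions` on the reinstalled node after applying updates and pass both result sets to `Compare-TmgVersions` before choosing “Join Array”.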

So… at this point you should be up and running with RTM bits! I hope the information I provided above helps out! Keep in mind, ALWAYS GET BACKUPS PRIOR TO ANY WORK! By backups I am referring to System State and TMG configuration backups (or exports). If you run into any issues going from Eval to RTM, know that there are support processes that can help. In any case, you may still want to make sure this is all done in a maintenance window. No need to cause an outage if something goes wrong!

Author

Brett Crane - Sr Security Support Escalation Engineer, Microsoft CSS Forefront Security Edge Team

Reviewer

Richard Barker - Sr Security Support Escalation Engineer, Microsoft CSS Forefront Security Edge Team