You can remotely manage the Enterprise Policy, but not the Array Policy


I’ll try to elaborate on the issue using as many illustrations and snapshots as possible. When I came across this issue, it was quite surprising.

32-bit Remote Management Client

In the TMG environment, we are using a single EMS (Enterprise Management Server) with a single Array. There are two TMG nodes joined to this array. To manage the environment we are using a Windows 7 32-bit machine with a 32-bit client. Use this link to download the 32-bit client (TMG_ENU_Management_x86.exe). Note that you will need to log in with a Microsoft Live ID and register in order to download.

Once downloaded, install the client and connect to the EMS server using its FQDN. Make sure EMS is configured to allow remote management; refer to the articles below.

· About Forefront TMG roles and permissions - http://technet.microsoft.com/en-us/library/dd897006.aspx#BKMK_RolesAndPermissions

· Configuring roles and permissions - http://technet.microsoft.com/en-us/library/dd441007.aspx

The relevant users on the list should be able to gain access to the TMG EMS server for administration.

After assigning the correct set of permissions and remote access to TMG EMS server, you can remotely access the Enterprise Policy and make allowed changes.

But when you switch to Arrays nothing is displayed; it doesn't even show the arrays created in the enterprise. Refer to the snips below.

clip_image002

In this snip we can see that the Enterprise policy is displayed.

clip_image004

Here you can see the focus is on “Arrays”, but no policies are displayed.

Let’s check and compare the version on TMG EMS server and then on this client.

clip_image006

This is the version number from the TMG EMS server, which is updated to the latest level, i.e. SP2 RU2.

clip_image008

This is the version number from the client, which is updated to SP1 UP1.

Cause

The cause is a version mismatch between the management console and the TMG enterprise. For example, the TMG enterprise is at the SP2 Rollup 2 update level, which is build number 7.0.9193.540, while the TMG management console on the remote 32-bit machine is at RTM, which is build number 7.0.7734.100 (refer to the version reference article linked below).

Solution

This can be resolved by updating the TMG RTM management console on the 32-bit remote machine. Refer to the links below to download and install the relevant updates.

· SP1

· SP1 UP1

· SP2

Which updates you need depends entirely on the version level of the TMG environment. Check the article below for all the relevant TMG versions.

http://blogs.technet.com/b/keithab/archive/2011/09/27/forefront-tmg-2010-service-pack-rollup-and-version-number-reference.aspx

Match the updates to the version level the TMG EMS server is on. There are no rollups released for the MMC.
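Before connecting a console to EMS it is worth checking the build level on the client machine rather than guessing from the service pack name. The following PowerShell script is an added example (not from the original post) that reads the installed Forefront TMG components from the standard Uninstall registry keys and compares their DisplayVersion with the build the EMS server reports. The DisplayName pattern "*Forefront TMG*" and the presence of a parsable DisplayVersion are assumptions; the expected build (7.0.9193.540 for SP2 RU2, as quoted above) is whatever the EMS server's About dialog or the version reference article gives you.

```powershell
# Added example, not part of the original post: compare the locally installed
# Forefront TMG management console build with the build the EMS server is on.
# Assumptions: TMG components register under the standard Uninstall keys with a
# DisplayName containing "Forefront TMG" and a DisplayVersion holding the build.
param(
    [Parameter(Mandatory = $true)]
    [string]$ExpectedBuild   # e.g. 7.0.9193.540 for SP2 RU2, as quoted in the post
)

# Both native and WOW6432Node keys, so a 32-bit console on a 64-bit OS is found too.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect every product whose display name looks like a TMG component (pattern is an assumption).
$tmgProducts = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Forefront TMG*' } |
    Select-Object DisplayName, DisplayVersion

if (-not $tmgProducts) {
    Write-Warning 'No Forefront TMG component found in the Uninstall registry keys.'
    exit 1
}

$expected = [version]$ExpectedBuild
$mismatch = $false

foreach ($p in $tmgProducts) {
    # Skip entries without a version string instead of failing the whole check.
    if (-not $p.DisplayVersion) { continue }
    $local = $null
    if (-not [version]::TryParse($p.DisplayVersion, [ref]$local)) {
        Write-Warning ("{0}: cannot parse DisplayVersion '{1}'" -f $p.DisplayName, $p.DisplayVersion)
        continue
    }
    if ($local -lt $expected) {
        Write-Warning ("{0} is at build {1}; EMS is at {2}. Update the console before connecting." -f $p.DisplayName, $local, $expected)
        $mismatch = $true
    } else {
        Write-Host ("{0} build {1} matches or exceeds EMS build {2}." -f $p.DisplayName, $local, $expected)
    }
}

# Non-zero exit so the check can be used from a logon script or monitoring job.
if ($mismatch) { exit 2 }
exit 0
```

Run it as, for example, `.\Check-TmgConsoleBuild.ps1 -ExpectedBuild 7.0.9193.540` (the file name is your choice). A warning and exit code 2 means the console is behind EMS and the Arrays node will stay empty until the console is updated to the same level.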

After updating the client to SP2 we were able to access the array policies on the client machine.

64-bit Remote Management Client

Now for the 64-bit setup. Note that there is no separate TMG MMC console installation msp available; for this installation, the TMG 2010 ISO/DVD is used.

NOTE: The following 4 steps outline the default MMC install using the install media.

You may have followed these steps, believing that you would be able to manage TMG EMS remotely using the MMC.

1. Start TMG setup from the installation ISO/DVD by running Preparation Tools first.

clip_image010

2. On the Welcome screen, accept the terms for installation.

3. On the Installation type dialog box, select Forefront TMG Management.

clip_image012

4. The wizard finishes its work.

After a default installation of the MMC from the install media, you may be surprised to find that it doesn't work, because TMG is at the SP2 or above update level while the MMC installation is at RTM level.

There are updates available which can be used to bring the MMC to the same update level as the TMG EMS server. But the procedure used for the 32-bit installation doesn't work for 64-bit.

I know there are a lot of questions surfacing, but I have the answer.

Because the 64-bit MMC is installed straight from the install media, we'll have to update the installation itself to SP2 (or whichever level is relevant to your environment).

To do this, we’ll need to create a “TMG 2010 Slipstream” installation, in which we update the TMG installation MSI itself.


Steps for TMG 2010 Slipstream installation.

1. If the TMG 2010 MMC console was previously installed directly from the install media, you'll need to uninstall it from Control Panel >> Programs and Features.

2. Copy all the contents from TMG 2010 ISO/DVD to a folder on HDD. In this example, we will copy the contents to C:\TMG.

3. Download the following TMG 2010 updates; making sure you download all 64bit versions. Use the following links:

a. SP1 - http://www.microsoft.com/en-us/download/details.aspx?id=16734

b. UP1 - http://www.microsoft.com/en-us/download/details.aspx?id=11445

c. SP2 - http://www.microsoft.com/en-us/download/details.aspx?id=27603

4. Once you have downloaded all three files, copy the files to C:\TMG\FPC

5. The UP1 and SP2 updates are in .exe format, so we need to extract the .msp files from them before they can be used for slipstreaming TMG 2010.

6. Open a command prompt with elevated privileges and, in the C:\TMG\FPC folder, execute the following commands.

a. SP1 Update1 - TMG-KB2288910-amd64-ENU.exe /t TMGSP1U1

b. You’ll get a dialog after completion.

clip_image013

Click OK to close.

c. SP2 - TMG-KB2555840-amd64-ENU.exe /t TMGSP2

d. You’ll get a dialog after completion.

clip_image014

Click OK to close.

7. Below is the snip for commands and folders I used.

clip_image016

8. Under C:\TMG\FPC, there should be two new folders called TMGSP1UP1 and TMGSP2. Both of these folders will contain the extracted msp file.

clip_image018

9. Copy the msp files to the FPC folder.

clip_image020

10. Now let's create the slipstream for TMG 2010. Run the commands below in order, and go only as far as the update level the TMG EMS server is on.

a. SP1 - msiexec /a ms_fpc_server.msi /p tmg-kb981324-amd64-enu.msp

This will initiate the installation wizard, which will slipstream the TMG 2010 installation with SP1.

b. SP1UP1 - msiexec /a MS_FPC_Server.msi /p TMG-KB2288910-amd64-ENU.msp

This will initiate the installation wizard, which will slipstream the TMG 2010 installation with SP1 UP1.

c. SP2 - msiexec /a MS_FPC_Server.msi /p TMG-KB2555840-amd64-ENU.msp

This will initiate the installation wizard, which will slipstream the TMG 2010 installation with SP2.

11. Next, you can delete the following highlighted files and folders from C:\TMG\FPC.

clip_image022

12. Once deleted, the C:\TMG\FPC folder appears as follows:

clip_image024

13. Now create an ISO/DVD of the entire C:\TMG folder. Make sure you do not create an ISO/DVD out of only the FPC folder.

14. Now this ISO/DVD can be used to install the TMG MMC console on a 64-bit client machine using the steps below.

a. Start TMG setup from the installation ISO/DVD by running Preparation Tools first.

clip_image025

b. On the Welcome screen click Next and accept the terms for installation.

c. On the Installation type dialog box select Forefront TMG Management only.

clip_image026

d. Let the wizard finish its work and then click Finish. This will start the MMC installation wizard.

e. Once the installation finishes you can access the array policies as well, provided that the appropriate permissions are assigned.
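The extraction and slipstream commands in steps 4 through 10 are easy to get out of order or to run against the wrong folder. The following PowerShell script is an added example (not the post's own script) that automates those steps. It assumes the DVD contents have already been copied to C:\TMG (step 2), that the three 64-bit update packages were downloaded to the folder given by $Updates (the default of the user's Downloads folder is an assumption), and that the file names are the ones quoted in the post. The msiexec /a wizard still opens interactively for each patch, exactly as in the post; the script waits for each one and stops if msiexec reports an error.

```powershell
# Added example, not from the original post: automates steps 4-10 of the
# TMG 2010 slipstream procedure. Run from an elevated PowerShell prompt.
# Assumptions: DVD contents already copied to $Root; update packages in $Updates;
# file names as quoted in the post.
param(
    [string]$Root    = 'C:\TMG',
    [string]$Updates = "$env:USERPROFILE\Downloads"   # assumption: where the packages were saved
)

$fpc = Join-Path $Root 'FPC'
if (-not (Test-Path (Join-Path $fpc 'MS_FPC_Server.msi'))) {
    throw "MS_FPC_Server.msi not found under $fpc; copy the whole DVD to $Root first (step 2)."
}

# Step 4: copy the downloaded packages into FPC. SP1 is already an .msp;
# UP1 and SP2 are self-extracting .exe files.
$packages = @(
    'tmg-kb981324-amd64-enu.msp',      # SP1 (name as used in step 10a)
    'TMG-KB2288910-amd64-ENU.exe',     # SP1 UP1
    'TMG-KB2555840-amd64-ENU.exe'      # SP2
)
foreach ($name in $packages) {
    $src = Join-Path $Updates $name
    if (-not (Test-Path $src)) { throw "Missing update package: $src" }
    Copy-Item -Path $src -Destination $fpc -Force
}

# Steps 5-9: extract the .msp from each .exe with /t <folder> (relative to FPC, as
# in the post), then move the extracted .msp up into FPC. -Wait blocks until the
# extractor's completion dialog has been closed.
$extract = [ordered]@{
    'TMG-KB2288910-amd64-ENU.exe' = 'TMGSP1U1'
    'TMG-KB2555840-amd64-ENU.exe' = 'TMGSP2'
}
foreach ($exe in $extract.Keys) {
    $folder = $extract[$exe]
    Start-Process -FilePath (Join-Path $fpc $exe) -ArgumentList "/t $folder" -WorkingDirectory $fpc -Wait
    $target = Join-Path $fpc $folder
    if (-not (Test-Path $target)) { throw "Extraction of $exe did not create $target" }
    Get-ChildItem -Path $target -Filter '*.msp' | Move-Item -Destination $fpc -Force
}

# Step 10: apply the patches to the administrative image in order (SP1, SP1 UP1, SP2).
# Trim this list to stop at the level your EMS server is on.
$msps = @(
    'tmg-kb981324-amd64-enu.msp',
    'TMG-KB2288910-amd64-ENU.msp',
    'TMG-KB2555840-amd64-ENU.msp'
)
foreach ($msp in $msps) {
    if (-not (Test-Path (Join-Path $fpc $msp))) { throw "Patch not found in FPC: $msp" }
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/a MS_FPC_Server.msi /p $msp" `
        -WorkingDirectory $fpc -Wait -PassThru
    # 0 = success; anything else (e.g. 1602 = user cancelled) aborts the run.
    if ($proc.ExitCode -ne 0) { throw "msiexec returned $($proc.ExitCode) while slipstreaming $msp" }
}

Write-Host "Slipstream complete. Clean up $fpc (step 11) and build the ISO from $Root, not from FPC alone (step 13)."
```

Each msiexec call is checked for a zero exit code before the next patch is applied, so a cancelled or failed wizard cannot leave you with an MSI that is only partly updated; the remaining cleanup (step 11) and ISO creation (step 13) are left as manual steps because the files to delete are identified from the screenshot above.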

Thanks for reading through, I hope I was able to clear your doubts and provide a solution. If you are still facing the issue then I would recommend opening a case with Microsoft CSS.

Author:

Vivek Kumar Sharma

Support Engineer – MSD Security Division

Reviewers:

Junaid Jan

Security Support Escalation Engineer – MSD Security Division