Configuring connectivity to update sites
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
This topic describes how to configure Forefront TMG to check for and download definition updates for protection mechanisms.
To receive definition updates, complete the following procedures in order:
1. Enabling Microsoft Update and activating licenses
2. Configuring connectivity to the relevant update sites
If you experience issues connecting to Microsoft Update, see Troubleshooting connectivity to update sites.
Enabling Microsoft Update and activating licenses
To enable Microsoft Update and activate licenses
1. In the Forefront TMG Management console, in the tree, click the server name node.
2. On the Tasks tab, click Launch Getting Started Wizard, and then click Define deployment options.
3. On the Microsoft Update Setup page, click Use the Microsoft Update service to check for updates (recommended).
   Note: To activate protection mechanism licenses, you must opt in to Microsoft Update. This is true even if you intend to use WSUS.
   Note: If the Forefront TMG server is configured to receive updates from WSUS, it ignores the settings on the Microsoft Update Setup page.
4. On the Forefront TMG Protection Features Settings page, activate licenses for the protection features you want to enable. You can only download and install updated definitions for features that you have enabled.
5. If you activated the Network Inspection System (NIS) license, on the NIS Signature Update Settings page, select the automatic update action you want.
6. Complete the wizard, and then click Finish. On the Apply Changes bar, click Apply.
Configuring connectivity to the relevant update sites
To connect to Microsoft Update directly
- Forefront TMG by default allows traffic to and from Microsoft's various update sites. If the Forefront TMG server is deployed on the edge and has a direct link to the Internet, connecting to Microsoft Update and retrieving definition updates should pose no issues. If you are experiencing a problem, the System Policy access rule for Microsoft Update may be disabled. For more information, see Troubleshooting connectivity to update sites.
To receive definition updates in a chaining scenario
- If the Forefront TMG server you are configuring connects to the Internet through a Web proxy server or an upstream firewall, verify that the chaining rule for the appropriate upstream server allows traffic from the Local Host network to the Internet.
To connect to a WSUS server
To connect to a WSUS server for update distribution, you have to create the following two access rules:
1. On the Forefront TMG server, create a rule allowing HTTP access from the Local Host network to the WSUS server.
2. On the WSUS server, create a rule allowing access from the WSUS server to the external Microsoft Update sites.
Testing the configuration
To test the configuration, install updates manually.
To check for and install updates manually
1. In the Forefront TMG Management console, in the tree, click the Update Center node.
2. On the Tasks tab, click Install New Updates. If Forefront TMG successfully downloads and installs new definitions, in the details pane, Last Update Status shows Up to date, and Last Updated shows today's date and time.
3. If Forefront TMG fails to connect to the update source, Last Update Status for the selected protection mechanism reports Failed. An error message may indicate the source of the problem. Otherwise, see the troubleshooting tips in Troubleshooting connectivity to update sites.
Troubleshooting connectivity to update sites
Review alerts
If a connection cannot be made to an update site, the first thing to check is whether there are any system-generated alerts related to the update operation.
To review alerts related to update connectivity
1. In the Forefront TMG Management console, in the tree, click the Monitoring node.
2. Click the Alerts tab, and then look for recent alerts having to do with connectivity or proxy settings.
Connecting to Microsoft Update
If a Forefront TMG server cannot connect to Microsoft Update, verify that your system has the Microsoft Update access rule enabled.
To verify that system policy allows Microsoft Update traffic
1. In the Forefront TMG Management console, in the tree, right-click the Firewall Policy node, and then click Edit System Policy.
2. In the Various configuration group, select Microsoft Update Sites.
3. On the General tab, verify that Enable this configuration group is selected.
Other issues
Manually initiating a check for new definitions generates an error message if the update source cannot be contacted under any of the following conditions:
- The license for the relevant protection mechanism has expired.
- You have not opted in to Microsoft Update.
- The Scheduler service is not running.
In deployments with multiple Forefront TMG servers, it's possible that the Scheduler service, the Firewall service, or both of these services are not running on all servers. Verify these services are running by doing the following.
To verify the Scheduler service and Firewall service are running on all servers
- In the Forefront TMG Management console, in the tree, click the Monitoring node, and then click the Services tab. Make sure that the relevant service is running on each Forefront TMG server.
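The same check can be scripted from a management workstation so it can run against every array member at once. This is an added example, not part of this topic or of Forefront TMG itself; the server names are placeholders, and the service names isasched (Job Scheduler) and fwsrv (Firewall) are assumptions to confirm in the Services console of your deployment.

```powershell
# Added example: report any TMG array member where the Job Scheduler or
# Firewall service is not running. Server names are placeholders; service
# names are assumptions to confirm against services.msc before use.
$Servers  = @('TMG-NODE1', 'TMG-NODE2')   # placeholder array members
$Services = @('isasched', 'fwsrv')        # assumed short names: Job Scheduler, Firewall

function Test-TmgServices {
    param([string[]]$ComputerName, [string[]]$ServiceName)
    $problems = @()
    foreach ($server in $ComputerName) {
        foreach ($svc in $ServiceName) {
            try {
                # Get-Service -ComputerName queries the remote Service Control
                # Manager (Windows PowerShell 2.0 and later); -ErrorAction Stop
                # turns an unreachable host or unknown service into a catchable error.
                $s = Get-Service -ComputerName $server -Name $svc -ErrorAction Stop
                if ($s.Status -ne 'Running') {
                    $problems += "$server : $($s.DisplayName) is $($s.Status)"
                }
            } catch {
                $problems += "$server : could not query service '$svc' ($($_.Exception.Message))"
            }
        }
    }
    return $problems
}

# Wrap in @() so an empty result is still an array with a Count property.
$issues = @(Test-TmgServices -ComputerName $Servers -ServiceName $Services)
if ($issues.Count -eq 0) {
    Write-Output 'Scheduler and Firewall services are running on every server.'
} else {
    $issues | ForEach-Object { Write-Output $_ }
}
```

A server listed in the output should be checked in the Monitoring node's Services tab before retrying the update.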