Configuring connectivity to update sites

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to configure Forefront TMG to check for and download definition updates for protection mechanisms.

To receive definition updates, complete the following procedures:

  1. Enabling Microsoft Update and activating licenses

  2. Configuring connectivity to the relevant update sites

If you experience issues connecting to Microsoft Update, see Troubleshooting connectivity to update sites.

Enabling Microsoft Update and activating licenses

To enable Microsoft Update and activate licenses

  1. In the Forefront TMG Management console, in the tree, click the server name node.

  2. On the Tasks tab, click Launch Getting Started Wizard, and then click Define deployment options.

  3. On the Microsoft Update Setup page, click Use the Microsoft Update service to check for updates (recommended).

    Note

    To activate protection mechanism licenses, you must opt in to Microsoft Update. This is true even if you intend to use WSUS.

    Note

    If the Forefront TMG server is configured to receive updates from WSUS, it will ignore the settings on the Microsoft Update Setup page.

  4. On the Forefront TMG Protection Features Settings page, activate licenses for the protection features you want to enable. You can only download and install updated definitions for features that you have enabled.

  5. If you activated the Network Inspection System (NIS) license, on the NIS Signature Update Settings page, select the automatic update action you desire.

  6. Complete the wizard, and then click Finish. On the Apply Changes bar, click Apply.

Configuring connectivity to the relevant update sites

To connect to Microsoft Update directly

  • Forefront TMG by default allows traffic to and from Microsoft's various update sites. If the Forefront TMG server is deployed on the edge and has a direct link to the Internet, connecting to Microsoft Update and retrieving definition updates should pose no issues. If you are experiencing a problem, the System Policy access rule for Microsoft Update may be disabled. For more information, see Troubleshooting connectivity to update sites.

To receive definition updates in a chaining scenario

  • If the Forefront TMG server you are configuring connects to the Internet through a Web proxy server or an upstream firewall, verify that the chaining rule for the appropriate upstream server allows traffic from the Local Host network to the Internet.

To connect to a WSUS server

  • To connect to a WSUS server for update distribution, you have to create the following two access rules on the Forefront TMG server:

    • A rule allowing HTTP access from the Local Host network to the WSUS server, so that Forefront TMG can retrieve definitions from WSUS.

    • A rule allowing access from the WSUS server to the external Microsoft Update sites, so that the WSUS server itself can synchronize with Microsoft Update when it reaches the Internet through Forefront TMG.
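The following PowerShell script is an added example, not part of the Forefront TMG documentation or product. It probes the update sources from the Local Host network of the TMG server itself, so that a failure can be mapped to the three cases above: the Microsoft Update Sites system policy rule (direct link), the Web chaining rule (upstream proxy) or the access rule to WSUS. The Microsoft Update host names, the upstream proxy address, the WSUS URL and path are assumptions to adjust for your deployment. It uses System.Net.WebRequest rather than Invoke-WebRequest so that it runs on the Windows PowerShell 2.0 shipped with the Windows Server versions TMG supports.

```powershell
# Added example (not from the TMG documentation): probe the update sources a
# Forefront TMG server must reach from the Local Host network. A connection that
# never gets a response points at firewall/chaining policy; an HTTP error code
# means the site was reached. Host names, proxy and WSUS URL are placeholders.

param(
    # Upstream Web proxy used in a chaining scenario; leave empty for a direct link.
    [string]$UpstreamProxy = "",          # e.g. "http://upstream.contoso.local:8080" (assumed)
    # WSUS server, if the TMG server is configured to receive updates from WSUS.
    [string]$WsusUrl = ""                 # e.g. "http://wsus.contoso.local:8530" (assumed)
)

# Public Microsoft Update endpoints that the "Microsoft Update Sites" domain name
# set in System Policy covers (assumed list; compare with the set on your array).
$targets = @(
    "http://www.update.microsoft.com/",
    "http://download.windowsupdate.com/",
    "http://update.microsoft.com/"
)
# When updating from WSUS, only the WSUS client web service matters from Local Host
# (path assumed from the WSUS client protocol).
if ($WsusUrl) { $targets = @("$WsusUrl/ClientWebService/client.asmx") }

function Test-UpdateSite {
    param([string]$Url, [string]$Proxy)
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method  = "HEAD"
    $req.Timeout = 10000
    if ($Proxy) { $req.Proxy = New-Object System.Net.WebProxy($Proxy) }
    else        { $req.Proxy = $null }    # force a direct connection; ignore WinHTTP/IE proxy settings
    try {
        $resp = $req.GetResponse()
        $result = New-Object PSObject -Property @{ Url = $Url; Status = [int]$resp.StatusCode; Result = "OK" }
        $resp.Close()
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        # A Response object means the site answered (403/404 still proves reachability);
        # no Response means the TCP connection was blocked, reset or timed out.
        if ($ex.Response) {
            $result = New-Object PSObject -Property @{ Url = $Url; Status = [int]$ex.Response.StatusCode; Result = "Reachable (HTTP error)" }
        } else {
            $result = New-Object PSObject -Property @{ Url = $Url; Status = 0; Result = "Blocked or unreachable: $($ex.Status)" }
        }
    }
    return $result
}

$results = $targets | ForEach-Object { Test-UpdateSite -Url $_ -Proxy $UpstreamProxy }
$results | Format-Table Url, Status, Result -AutoSize

if ($results | Where-Object { $_.Status -eq 0 }) {
    Write-Warning "At least one update source could not be reached from the Local Host network."
    if     ($UpstreamProxy) { Write-Warning "Check that the Web chaining rule for $UpstreamProxy allows Local Host to the Internet." }
    elseif ($WsusUrl)       { Write-Warning "Check the access rule allowing HTTP from Local Host to the WSUS server." }
    else                    { Write-Warning "Check that the 'Microsoft Update Sites' System Policy group is enabled." }
}
```

Run it in an elevated PowerShell session on the TMG server; a result of "Blocked or unreachable" with no HTTP status is the case that the troubleshooting section below addresses, whereas an HTTP error code with a reachable site usually means the URL or path, not firewall policy, is the problem.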

Testing the configuration

To test the configuration, install updates manually.

To check for and install updates manually

  1. In the Forefront TMG Management console, in the tree, click the Update Center node.

  2. On the Tasks tab, click Install New Updates. If Forefront TMG successfully downloads and installs new definitions, on the details pane, Last Update Status shows Up to date, and Last Updated shows today's date and time.

    If Forefront TMG fails to connect to the update source, the Last Update Status for the selected protection mechanism reports as Failed. An error message may indicate the source of the problem. Otherwise, see the troubleshooting tips in Troubleshooting connectivity to update sites.

Troubleshooting connectivity to update sites

Review alerts

If a connection cannot be made to an update site, the first thing to check is whether there are any system-generated alerts related to the update operation.

To review alerts related to update operations

  1. In the Forefront TMG Management console, in the tree, click the Monitoring node.

  2. Click the Alerts tab, and then look for recent alerts having to do with connectivity or proxy settings.

Connecting to Microsoft Update

If a Forefront TMG server cannot connect to Microsoft Update, verify that your system has the Microsoft Update access rule enabled.

To verify that system policy allows Microsoft Update traffic

  1. In the Forefront TMG Management console, in the tree, right-click the Firewall Policy node, and then click Edit System Policy.

  2. In the Various configuration group, select Microsoft Update Sites.

  3. On the General tab, verify that Enable this configuration group is selected.

Other issues

Manually initiating a check for new definitions generates an error message, because the update source cannot be contacted, under any of the following conditions:

  • The license for the relevant protection mechanism has expired.

  • You have not opted in to Microsoft Update.

  • The Scheduler service is not running.

In deployments with multiple Forefront TMG servers, it is possible that the Scheduler service, the Firewall service, or both of these services are not running on some of the servers. Verify that these services are running on every server by doing the following.

To verify the Scheduler service and Firewall service are running on all servers

  • In the Forefront TMG Management console, in the tree, click the Monitoring node, and then click the Services tab. Make sure that the relevant service is running on each Forefront TMG server.
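The following PowerShell script is an added example, not part of the Forefront TMG documentation or product. It performs the two checks in this troubleshooting section from the command line across all array members: it confirms that the Firewall service and the Job Scheduler service are running on each server, and it pulls recent update-related alerts from the Application event log. The array member names, the Windows service names (fwsrv, isasched) and the event source prefix are assumptions; confirm them with Get-Service and Get-EventLog on one of your servers before relying on the output.

```powershell
# Added example (not from the TMG documentation): verify that the Firewall
# service and the Job Scheduler service are running on every array member, and
# list recent update-related alerts from the Application log.
# Server names, service names and event source prefix are assumptions.

param(
    [string[]]$ArrayMembers = @("tmg01", "tmg02")   # placeholder array member names
)

# Service names as registered on a Forefront TMG server (assumed):
#   fwsrv    - Microsoft Forefront TMG Firewall
#   isasched - Microsoft Forefront TMG Job Scheduler (runs the definition update jobs)
$requiredServices = @("fwsrv", "isasched")

function Get-TmgServiceState {
    param([string]$Computer)
    foreach ($name in $requiredServices) {
        try {
            $svc = Get-Service -ComputerName $Computer -Name $name -ErrorAction Stop
            New-Object PSObject -Property @{ Server = $Computer; Service = $svc.DisplayName; Status = $svc.Status }
        } catch {
            # The service is not installed under that name or the remote SCM refused access.
            New-Object PSObject -Property @{ Server = $Computer; Service = $name; Status = "NOT FOUND / NO ACCESS" }
        }
    }
}

function Get-TmgUpdateAlerts {
    param([string]$Computer, [int]$Hours = 24)
    # TMG alerts are written to the Application log; the source prefix is assumed.
    Get-EventLog -LogName Application -ComputerName $Computer -After (Get-Date).AddHours(-$Hours) -EntryType Error,Warning |
        Where-Object { $_.Source -like "Microsoft Forefront TMG*" -and $_.Message -match "update|definition|signature|proxy" } |
        Select-Object MachineName, TimeGenerated, Source, EventID, @{ n = "Message"; e = { $_.Message.Split("`n")[0] } }
}

$states = foreach ($server in $ArrayMembers) { Get-TmgServiceState -Computer $server }
$states | Format-Table Server, Service, Status -AutoSize

$stopped = $states | Where-Object { $_.Status -ne "Running" }
if ($stopped) {
    Write-Warning "Definition updates will fail on servers where the Firewall or Job Scheduler service is not running:"
    $stopped | ForEach-Object { Write-Warning "  $($_.Server): $($_.Service) is $($_.Status)" }
}

foreach ($server in $ArrayMembers) {
    Write-Host "Update-related alerts on $server (last 24 hours):"
    Get-TmgUpdateAlerts -Computer $server | Format-Table -AutoSize
}
```

Run it from an account that has remote access to the Service Control Manager and the Application log on each array member (a member of the local Administrators group on those servers). A stopped Job Scheduler service is the case listed under "Other issues" above, and it fails a manual Install New Updates on that server even when the network path to the update source is fine.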

Concepts

Managing definition updates for Forefront TMG