A few Important Things to make note of while installing SP1 on TMG Enterprise


Introduction :

While installing SP1 for TMG on the Enterprise Edition with EMS managed array with two Array members and with NLB enabled we come across a few behaviors where we can get stuck. I will elaborate more on this in the rest of the article.


Scenario :

There is a very nice Article on Technet which has a description of installing SP1 of TMG on the Enterprise Edition. The article is mentioned below:


If we have NLB enabled Array members in an EMS-Managed Array then we will follow the steps mentioned below in that article:

Installation steps for servers that use load balancing

If the server is load-balanced by using network load balancing (NLB) or any other load-balancing mechanism, do the following:

1. Remove the server from the load-balancing configuration.

2. Drain existing connections that are served by the server.

3. Set nlb to "suspended" to prevent auto-rejoin when you restart.

4. Install the update.

5. Restart the server if it is required.

6. Start NLB on the updated server.



And there are a few things mentioned below which will help you in clearing the doubts which will arise while performing the above steps and it will be a smooth process hereon:



1) When you will click on ‘Drain and Stop Selected Service’ on the NLB service on the TMG console you will find out that the status will get stuck on ‘Draining and Stopping’ as shown in the image below:






Takeaway: This isan expected behavior and it will not show the status ‘Stopped’ at all. So, after a couple of minutes you can go ahead and click on ‘Suspend Selected Service’ to suspend it. And you will see that the service is showing ‘Suspended’ now:





2) After installing SP1 on the First Array Member(TMG-Firewall1 in this case) when you will go to ‘Configuration’ under Monitoring you will see that the second Array Member (TMG-Firewall2 in this case) is not able to Sync with the CSS as shown in the image below:




Takeaway: This is also an expected behavior as only TMG-Firewall1 has SP1 installed and TMG-Firewall2 does not have it yet, so, it does not Sync.

3) After we see the behavior as mentioned in Point number 2 when we go back to the TMG-Firewall2, we see that it is not showing the array there as shown in the image below:





Takeaway: No need to worry about it. Again an expected behavior.

4) No we have to Drain Stop the NLB on TMG-Firewall2 in order to install SP1, but how would we do it as we don’t see any Array information on TMG-Firewall 2. So here is what we need to do to perform this step.

a) Go to TMG-Firewall1 and open the TMG Management Console.

b) Under Services we will see all the services for both the Array members.

c) We can go ahead and Drain Stop the NLB service of TMG-Firewall2 from here now.





And after this you need to again keep in mind that the status of ‘Draining and Stopping’ is not going to change on its own to ‘Stopped’ . So you will have to go ahead with the Suspension of the NLB service and then install SP1 on TMG-Firewall2 as well.

Once we have SP1 installed on both the Array members we will see that both are Synced with CSS now and we can see the Array information back now on TMG-Firewall2.



Nitin Singh

Security Support Engineer

Microsoft CSS Forefront Security Edge Team