Configuring update settings

[This topic is pre-release documentation and is subject to change in future releases. Blank
topics are included as placeholders.]

Forefront TMG uses the Microsoft Update service to update malware definition updates on the
Forefront TMG server. The following table provides a summary of how the update mechanisms
are used.

Update types                            Windows Update   Microsoft Update   W
Malware definition updates              No               Yes                Y
Operating system updates                Yes              Yes                Y
Operating system and product updates    No               Yes                Y

For easy access, the Microsoft Update service can be enabled in the Forefront TMG
Management console in addition to the Windows Control Panel. To update Forefront TMG
malware definitions, you must join the Microsoft Update service in the Forefront TMG
Management console.

You can configure malware definition updates using the procedures described in this topic.
You can also run the Getting Started Wizard at any time to specify update settings. For more
information, see Configuring Initial Deployment Settings.

Configuring Forefront TMG to use Microsoft Update consists of the following steps:

1. Join the Microsoft Update service in the Forefront TMG Management console.

2. Configure malware definition update settings.

3. Then use any of the following methods:

o Method 1. Configure Web proxy browser settings on the Forefront TMG server
to point at Local Host. Then verify that the predefined system policy rule
"Allow HTTP/HTTPS from to specified Microsoft Updates sites" is enabled.

o Method 2. Use WSUS for update distribution. If you are using WSUS, ensure
that you have two access rules. Create one rule to allow HTTP access from the
Local Host network to the WSUS server. Create a second rule to allow access
from the WSUS server to the external Microsoft Update sites. A WSUS server
provides a centralized update source for computers in your organization. For
more information, see Windows Server Update Services 3.0 Overview, at
Microsoft TechNet.

o Method 3. In addition to the predefined system policy rule "Allow HTTP/HTTPS
from to specified Microsoft Updates sites", create an access rule allowing only
the HTTPS protocol to the external network.

4. Check and install updates. Enable automatic updates, or check periodically for updates
and install manually.

Configuring malware definition update settings

1. In the Forefront TMG Management console tree, click the Update Center node.

2. On the Tasks tab, click Configure Update Settings.

3. On the Definition Updates tab, do the following:

o In Automatic Update Action, configure automatic update settings. We
recommend that you select Check and install to specify that Forefront TMG
should check and install new updates when available. If you select Check only,
Forefront TMG provides an alert to inform you that new updates are available
but will not install them. If you select Do nothing, Forefront TMG does not
check for new updates.

o In Automatic Update Action Polling frequency, specify how often Forefront
TMG polls for updates and applies the specified automatic update action. Note
that following installation, there is an evaluation period of a year for installing
malware definition updates. Following the evaluation period, a subscription
license is required.

Enabling Microsoft Updates

1. In the Forefront TMG Management console tree, click the Update Center node.

2. On the Tasks tab, click Configure Microsoft Update Settings.

3. On the Microsoft Update Setup tab, click Use the Microsoft Update service to check
for updates (recommended) to specify that the Microsoft Update Service should be
used to obtain malware definition updates and other updates provided by Microsoft
Update, including operating system updates and Forefront TMG updates. Otherwise,
select I do not want to use the Microsoft Update service.

Note:

If the Forefront TMG server is configured to receive updates from Windows Server Update Services (WSUS), this c
you stop using WSUS, settings on this page will be applied.

Method 1

Configuring Web proxy settings

This procedure specifies how to enable the Local Host network to listen for Web proxy
requests and how to configure Web proxy settings in Internet Explorer.

1. In the Forefront TMG Management console tree, click the Networking node.

2. In the details pane, right-click Local Host, and then click Properties. On the Web Proxy
tab, ensure that the setting Enable Web Proxy client connections for this network is
enabled. Either keep the default port of 8080, or specify a different port.

3. On the Forefront TMG server, open Internet Explorer and click the Tools menu.

4. Click Internet Options, and then click the Connections tab.

5. Click LAN settings, and do the following:

o Select Use a proxy server for your LAN (these settings will not apply to
dial-up or VPN connections).

o In Address, specify the IP address of the Local Host network. Web proxy
requests to this address are then handled by the Web proxy filter, which
handles name resolution and routing.

o In Port, specify the same port number that you specified in the Web Proxy
properties for the Local Host network.

o Select Bypass proxy server for local addresses to ensure that Web requests
for local resources are not proxied.
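
One way to verify these settings from a PowerShell prompt, added here as an example and not part of the original documentation: it reads the Internet Explorer LAN settings configured above from the current user's registry and checks through the Windows Update Agent API whether Microsoft Update is registered. The address 127.0.0.1 is an assumption; pass the Local Host address and port you actually entered.

```powershell
# Added example, not Microsoft's code. Run on the Forefront TMG server as the user
# whose Internet Explorer LAN settings were configured (they are stored per user).
param(
    [string]$Address = '127.0.0.1',  # assumption: the Local Host address you entered
    [int]$Port = 8080                # default Web proxy port from the procedure
)

function Test-ProxySettings {
    param($Settings, [string]$Address, [int]$Port)
    $findings = @()
    if ($Settings.ProxyEnable -ne 1) {
        $findings += '"Use a proxy server for your LAN" is not selected.'
    }
    # ProxyServer is "host:port" or per-protocol "http=host:port;https=host:port".
    $map = @{}
    foreach ($entry in ("$($Settings.ProxyServer)" -split ';')) {
        $name, $value = $entry -split '=', 2
        if ($null -eq $value) { $map['http'] = $name; $map['https'] = $name }
        else { $map[$name] = $value }
    }
    $expected = "${Address}:$Port"
    foreach ($scheme in 'http', 'https') {
        if ($map[$scheme] -ne $expected) {
            $findings += "$scheme proxy is '$($map[$scheme])', expected '$expected'."
        }
    }
    # "Bypass proxy server for local addresses" is stored as the <local> token.
    if (("$($Settings.ProxyOverride)" -split ';') -notcontains '<local>') {
        $findings += '"Bypass proxy server for local addresses" is not selected.'
    }
    return ,$findings
}

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$findings = Test-ProxySettings -Settings (Get-ItemProperty -Path $key) -Address $Address -Port $Port

# Microsoft Update is a Windows Update Agent service with this well-known service ID.
$muId = '7971f918-a847-4430-9279-4a52d1efe18d'
$mu = (New-Object -ComObject Microsoft.Update.ServiceManager).Services |
    Where-Object { $_.ServiceID -eq $muId }
if (-not $mu -or -not $mu.IsRegisteredWithAU) {
    $findings += 'Microsoft Update is not registered with Automatic Updates.'
}

if ($findings.Count) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    'Proxy settings and Microsoft Update opt-in match the procedure.'
}
```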

Verifying the system policy rule

1. In the Forefront TMG Management console tree, right-click the Firewall Policy node,
and then click Edit System Policy.

2. In the Various configuration group, select Microsoft Update Sites.

3. On the General tab, ensure that Enable this configuration group is selected.

Method 2

Creating an access rule

1. In the Forefront TMG Management console tree, click the Firewall Policy node.

2. On the Tasks tab, select Create Access Rule.

3. On the Welcome page of the wizard, specify a name for the rule. For example,
Microsoft Update Access Rule.

4. On the Rule Action page, select Allow.

5. On the Protocols page, in This rule applies to, select Selected protocols, and then
click Add.

6. Click to expand the Web protocols group. Select HTTPS, click Add, and then click Close.

7. On the Malware Inspection page, select Enable malware inspection for this rule.

8. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box,
click to expand Networks, and then click Local Host. Click Add, and then click Close.

9. On the Access Rule Destinations page, click Add. In the Add Network Entities dialog
box, click to expand Networks, and then click External. Click Add, and then click Close.

10. On the User Sets page, leave the All Users default setting.

Checking and installing updates manually

1. To check for updates immediately, click Configure Update Settings.

2. To install updates, click Install New Updates.