FF TMG 2010 Service Pack 2 is Now Available

Before you start installing TMG 2010 SP2, make sure you have the following infrastructure ready.

  1. TMG 2010 installed on Win2k8 or Win2k8 R2 Server.
  2. TMG 2010 SP1 and TMG 2010 Service Pack 1 Update 1 installed on top of TMG 2010.
  3. Download FF TMG 2010 SP2 and save it on your server.

Precautions: Take the following steps before you run the service pack installer.

Verify/Note Current version


Check for any alerts or issues on the TMG 2010 server


Check event logs for any existing underlying issues

Back up an enterprise configuration: In the Forefront TMG Management console, in the tree, click the Enterprise node. On the Tasks tab, click Export Enterprise Configuration.


To export confidential information, such as user passwords and certificates, select Export confidential information and provide a password. Confidential information is encrypted during the export process. The password you enter here will be required to import the configuration.
To export user permissions, select Export user permission settings.
In Save this data in this file, specify the folder in which the export file will be saved, and the file name. In File name, enter a name for the exported file.

Important! To restore an enterprise configuration:

In the Forefront TMG Management console, in the tree, click the Enterprise node. On the Tasks tab, click Import Enterprise Configuration.

Select the file that you saved when you exported the configuration.

Select Overwrite (restore) to restore configuration settings. If you exported user permissions, select Import user permission settings. If you exported confidential information, enter the password that you specified when you exported the file.

Install TMG 2010 SP2 on a TMG standalone server:

Installing SP2 on a TMG 2010 standalone server is pretty straightforward.

Open an elevated Command Prompt and change to the directory where you saved TMG 2010 SP2.


Run TMG-KB2555840-amd64-ENU or TMG-KB2555840-x86-ENU based on your architecture.







Install TMG 2010 SP2 on Enterprise Array Members:

  • In-place upgrade
  1. Install the service pack on the EMS master with the same credentials that were used to install the EMS during the initial Forefront TMG setup; otherwise setup will fail.
  2. Upgrade the reporting server first and then the array members.
  3. Install Service Pack 2 to all EMS array members.
  • Clone array upgrade
  1. Install Forefront TMG Enterprise Management on a different computer.
  2. Create a new array and import the previously exported enterprise configuration.
  3. Install the service pack on the cloned EMS.
  4. Starting with the reporting server, disjoin each array member from the array, install the service pack, and then join it to the new array that is running the service pack. Continue the process with the other array members.

Installation steps for servers that use load balancing:

If the server is load-balanced by using network load balancing (NLB) or any other load-balancing mechanism, do the following:

  • Remove the server from the load-balancing configuration.
  • Drain existing connections that are served by the server.
  • Set NLB to suspended to prevent auto-rejoin when you restart.
  • Install the update.
  • Restart the server if it is required.
  • Start NLB on the updated server.

Post-installation notes:

  1. Forefront TMG services may not start or may not sync with EMS after you install or remove a service pack. In this case, use the Monitoring node of the Forefront TMG Management console to manually restart the services.
  2. If you are logging to a remote SQL database, you are required to migrate the log database to the new schema. For instructions, see Upgrading a remote SQL database for Forefront TMG SP1.
  3. Run BPA in TMG 2010 and check event logs as best practice.
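
The pre-install checks (event logs, existing issues) and the post-install service check above can be captured as a before/after snapshot. This script is an added example, not part of the original post or any Microsoft tooling. It assumes PowerShell 2.0 or later, that the TMG services have display names beginning with "Microsoft Forefront TMG", and a hypothetical snapshot folder C:\TMG-SP2-Baseline.

```powershell
# Usage: .\Check-Tmg.ps1 -Phase Before   (before the installer)
#        .\Check-Tmg.ps1 -Phase After    (after install and any restart)
# Assumptions: script name, folder path and the display-name filter are illustrative.
param(
    [ValidateSet('Before', 'After')][string]$Phase = 'Before',
    [string]$Folder = 'C:\TMG-SP2-Baseline',
    [int]$Days = 7
)

function Get-TmgSnapshot([int]$Days) {
    $since = (Get-Date).AddDays(-$Days)
    # State of every TMG service; status stored as text so it survives export.
    $services = Get-Service -DisplayName 'Microsoft Forefront TMG*' |
        Select-Object Name, DisplayName, @{n='Status'; e={ $_.Status.ToString() }}
    # Errors and warnings already present in the Application and System logs.
    $events = foreach ($log in 'Application', 'System') {
        Get-EventLog -LogName $log -EntryType Error, Warning -After $since `
            -ErrorAction SilentlyContinue |
            Select-Object TimeGenerated, EntryType, Source, EventID
    }
    New-Object PSObject -Property @{ Taken = Get-Date; Services = $services; Events = $events }
}

if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
$file = Join-Path $Folder 'before.xml'
$now  = Get-TmgSnapshot -Days $Days

if ($Phase -eq 'Before') {
    # Save the baseline, then list what is already wrong before the change.
    $now | Export-Clixml -Path $file -Depth 3
    Write-Host 'TMG services not running before the install:'
    $now.Services | Where-Object { $_.Status -ne 'Running' } | Format-Table -AutoSize
    Write-Host "Most frequent errors/warnings in the last $Days days:"
    $now.Events | Group-Object Source, EventID | Sort-Object Count -Descending |
        Select-Object Count, Name -First 20 | Format-Table -AutoSize
} else {
    $before = Import-Clixml -Path $file
    # Services that were running before the service pack but are not now.
    $wasRunning = $before.Services | Where-Object { $_.Status -eq 'Running' } |
        ForEach-Object { $_.Name }
    Write-Host 'Services that stopped since the baseline:'
    $now.Services | Where-Object { $_.Status -ne 'Running' -and $wasRunning -contains $_.Name } |
        Format-Table -AutoSize
    # Source/EventID pairs logged after the baseline that were never seen before it.
    $known = $before.Events | ForEach-Object { "$($_.Source)/$($_.EventID)" }
    Write-Host 'New error/warning types since the baseline:'
    $now.Events | Where-Object { $_.TimeGenerated -gt $before.Taken -and
        $known -notcontains "$($_.Source)/$($_.EventID)" } | Format-Table -AutoSize
}
```

The script only reports; any service it lists as stopped is restarted from the Monitoring node as described in note 1.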

Known issues: The following issues relate to the configuration and operation of Forefront TMG SP2:

  • Reload failure with local user

    Issue: After configuring the Firewall service user as a local user, reloading the configuration fails.

    Workaround: Configure a domain user for the Firewall service. See Kerberos authentication on an NLB array.

  • Uninstall failure

    Issue: After configuring the Firewall service user as a domain user, you cannot uninstall Forefront TMG SP2.

    Workaround: Reconfigure the Firewall service user to be the network service; you can then uninstall Forefront TMG SP2.

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.