Using Windows Server Update Service for the TMG Update Center
[LEFT][CODE]https://blogs.technet.com/isablog/archive/2009/11/28/using-windows-server-update-service-for-the-tmg-update-center.aspx[/CODE][SIZE=3][B]Introduction[/B][/SIZE]
With the recent release of TMG and its dependency on Microsoft Updates for Network Inspection System (NIS) and Enhanced Malware Protection (EMP) updates, this seems like a good time to help you create a policy that ensures TMG successfully obtains updates through your [URL="http://technet.microsoft.com/en-us/wsus/default.aspx"][COLOR=#0000ff]Windows Server Update Services[/COLOR][/URL] (WSUS) deployment. [URL="http://blogs.technet.com/isablog/archive/2009/06/28/configuring-network-inspection-system-nis.aspx"]This TMGBlog[/URL] posting discussed the fine details of NIS configuration. When using WSUS to obtain NIS and EMP updates, there are a few things you need to understand about this process:
1.Depending on how you install WSUS, the installer may configure the WSUS web site to listen for client connections on port 8530. This means that a WSUS client will use HTTP to port 8530 when checking for and downloading updates from your WSUS server.
2.There is no WSUS protocol definition in TMG. The built-in HTTP protocol definition covers port 80 only, so TMG may be unable to connect to your WSUS server on port 8530.
You have two options to resolve this: either create a WSUS traffic policy or change the default WinHTTP proxy settings.
[I][COLOR=#254061]Note: there is no benefit in performing both tasks. If you change the WinHTTP proxy configuration so that WSUS requests go to the Web proxy, the custom traffic policy will not be used.[/COLOR][/I]
1.Change the WinHTTP proxy settings. This option requires that you define a proxy configuration for WinHTTP clients that let WinHTTP determine the proxy for itself. WinHTTP is somewhat less capable in its proxy support than Internet Explorer; specifically, it cannot be told to use a specific proxy script. By default, WinHTTP uses proxy auto-detection via the WinHTTP Web Proxy Auto-Discovery Service, or a static proxy server with specific bypass list entries. The advantage of this option is that you need not create a custom traffic policy. The disadvantages are that it can adversely affect other WinHTTP consumers on the server, and that the setting is not exported with the TMG policy, so you must reapply it by hand should you need to rebuild the server.
2.Create a custom WSUS traffic policy. This requires that you define a custom protocol for WSUS and use that protocol in an access rule. The advantage of this method is that you need not change the WinHTTP proxy settings, which affect more than just the Windows Update mechanisms; for instance, certificate revocation checks over HTTP also use WinHTTP. The primary disadvantage of a custom policy is that the traffic does not pass through the Web proxy or its associated filters (NIS, EMP, URL Filtering).
[SIZE=3][B]Update Center Configuration[/B][/SIZE]
In order for TMG to receive NIS or EMP updates from your WSUS server, you have to choose a configuration that supports this process. Thus, the first order of business is to make sure TMG is configured properly. If you ran the Getting Started Wizard, the following steps may simply verify the proper settings.
1.In the TMG management console left pane, select [B]Update Center[/B]
2.In the TMG management console right pane
a.Select the [B]Tasks [/B]tab
b.Click [B]Configure Settings[/B]
3.In the [B]Update Center Properties[/B] page
a.select the [B]Microsoft Update[/B] tab
b.ensure “Use the Microsoft Updates service…” is selected as shown below
[B][IMG]http://blogs.technet.com/photos/repository_ii_for_isa_blog_figures/images/3296785/original.aspx[/IMG] [/B]
[B]Figure 1 Microsoft Update tab[/B]
c.select the [B]Update Service[/B] tab
d.select “Use the computer default service only…” as shown below
[B] [IMG]http://blogs.technet.com/photos/repository_ii_for_isa_blog_figures/images/3296786/original.aspx[/IMG][/B]
[B]Figure 2 Update Service tab[/B]
[I][B]Notes[/B]: [/I]
[B][I]1.[/I][/B][I]Selecting “Use Microsoft Updates service, directly” will cause TMG to ignore the computer configuration that directs it to use WSUS for NIS and EMP updates.[/I]
[B][I]2.[/I][/B][I]Selecting this option ensures that TMG checks for and obtains NIS and EMP updates from your WSUS service [B]only[/B]. If you want TMG to fall back to Microsoft Updates in the event your WSUS service is unavailable, you should select “Use the computer service, but fall back to Microsoft Updates.”[/I]
e.Click [B]OK[/B] to close the Update Center Properties page.
4.When prompted in the TMG management console center pane, click [B]Apply[/B] to save the changes
5.In the [B]Configuration Change Description[/B] page
a.enter any comments that you like
b.click [B]Apply[/B] again
6.In the [B]Saving Configuration Changes[/B] page, click [B]OK[/B]
[SIZE=3][B]Define the WinHTTP Proxy Configuration[/B][/SIZE]
One of the things that can affect your TMG server's ability to reach Microsoft Updates or your WSUS server is the WinHTTP proxy configuration. In most cases you don't need to make any changes, but in some deployments you may have to configure the proxy settings used by WinHTTP. If you configured NIS and EMP to download directly from Microsoft Updates and this has been failing, you need to configure the WinHTTP proxy settings. The good news is that this process is much cleaner and simpler in Windows Server 2008 than it was for Windows Server 2003.
Start an elevated command window
1.Click [B]Start[/B], then select [B]All Programs[/B], then [B]Accessories[/B]
2.Right-click [B]Command Prompt [/B]and select [B]Run as administrator[/B]
Examine the WinHTTP Proxy settings
1.In the elevated command window, enter the following command and hit <Enter>
[I]netsh winhttp show proxy[/I]
The default settings are shown below
[CODE]
[B]C:\>netsh winhttp show proxy[/B]
[B]Current WinHTTP proxy settings:[/B]
[B] Direct access (no proxy server).[/B]
[/CODE]
2.To change the WinHTTP proxy settings so that WinHTTP uses the TMG Web proxy listener (localhost:8080) and bypasses it for the internal domain (contoso.com, in this example), enter the following command and hit <Enter>
[I]netsh winhttp set proxy localhost:8080 "<local>;*.contoso.com"[/I]
The results of this command should appear as:
[CODE]
[B]C:\>netsh winhttp set proxy localhost:8080 "<local>;*.contoso.com"[/B]
[B]Current WinHTTP proxy settings:[/B]
[B] Proxy Server(s) : localhost:8080[/B]
[B] Bypass List : <local>;*.contoso.com[/B]
[/CODE]
[I]Note: the bypass list must be entered as a semicolon-delimited list, surrounded by double quotes. Bypass entries are matched against the host name exactly as the client requests it: <local> matches only names that contain no period, and *.contoso.com does not match an IP address, so a WSUS server referenced by IP address or by a short name that does not fall under <local> will be sent to the proxy unless you list it explicitly.[/I]
Verify the TMG Local Host proxy settings
1.In the TMG management console left pane, select [B]Networking[/B]
2.In the TMG management console center pane,
a.Select the [B]Networks [/B]tab
b.double-click the [B]Local Host[/B] network
3.in the [B]Local Host Properties[/B] page
a.select the [B]Web Proxy[/B] tab
b.verify that the settings appear as shown below
[B] [IMG]http://blogs.technet.com/photos/repository_ii_for_isa_blog_figures/images/3296787/original.aspx[/IMG][/B]
[B]Figure 3 Local Host proxy settings[/B]
If the settings differ from those shown, change them to match the figure and save the changes.
[SIZE=3][B]Create a WSUS Traffic Policy[/B][/SIZE]
Luckily, creating a rule that allows this communication is simple. You do it by performing the following steps.
Create the access rule.
1.In the TMG management console left pane:
a.right-click [B]Firewall Policy [/B]
b.select [B]New[/B], then [B]Access Rule[/B]
2.in the [B]Welcome to the New Access Rule Wizard [/B]page,
a.enter [I]WSUS from TMG[/I]
b.click [B]Next[/B]
3.in the [B]Rule Action[/B] page
a.select [B]Allow[/B]
b.click [B]Next[/B]
4.in the [B]Protocols[/B] page, click [B]Add[/B]
5.in the [B]Add Protocols[/B] page, click [B]New[/B], then [B]Protocol[/B]
6.in the [B]Welcome to the[/B] [B]New Protocol Definition Wizard[/B], enter [I]WSUS Client[/I] and click [B]Next[/B]
7.in the [B]Primary Connections Information[/B] page, click [B]New[/B]
8.in the [B]New/Edit Protocol Connection[/B] page:
a.select [B]TCP[/B] in the [B]Protocol type:[/B] drop-down
b.select [B]Outbound[/B] in the [B]Direction:[/B] drop-down
c.enter [I]8530[/I] in the [B]Port Range From:[/B] and [B]To:[/B] boxes (if your WSUS server is configured for SSL, clients also connect to port 8531, which needs its own protocol connection)
[B] [IMG]http://blogs.technet.com/photos/repository_ii_for_isa_blog_figures/images/3296788/original.aspx[/IMG][/B]
[B]Figure 4 Custom protocol details[/B]
d.click [B]OK [/B]to close the [B]New/Edit Protocol Connection[/B] page
9.in the [B]Primary Connections Information[/B] page, verify that the summary agrees with the data in 8.a through 8.c and click [B]Next[/B]
10.in the [B]Secondary Connections Information[/B] page, leave the defaults and click [B]Next[/B]
11.in the [B]Completing the New Protocol Definition Wizard[/B] page, verify that the summary agrees with the figure below and click [B]Finish[/B]
[B][IMG]http://blogs.technet.com/photos/repository_ii_for_isa_blog_figures/images/3296789/original.aspx[/IMG] [/B]
[B]Figure 5 Protocol summary[/B]
12.in the [B]Add[/B] [B]Protocols[/B] page
a.expand [B]User-Defined[/B]
b.select [B]WSUS Client[/B]
c.click [B]OK[/B], then [B]Close[/B]
13.in the [B]Protocols[/B] page, click [B]Next[/B]
14.In the [B]Access Rule Sources [/B]page, click [B]Add[/B]
15.In the [B]Add Network Entities [/B]page
a.Expand [B]Networks[/B]
b.Select [B]Local Host[/B]
c.click [B]Add[/B], then [B]Close[/B]
16.In the [B]Access Rule Sources [/B]page, click [B]Next[/B]
17.In the [B]Access Rule Destinations [/B]page, click [B]Add[/B]
18.In the [B]Add Network Entities [/B]page, Click [B]New[/B], then [B]Computer[/B]
19.In the [B]New Computer Rule Element [/B]page
a.Enter [B]WSUS Server[/B] in the Name field
b.In the [B]Computer IP address:[/B] field, enter the IP address of your WSUS server
[B][IMG]http://blogs.technet.com/photos/repository_ii_for_isa_blog_figures/images/3296791/original.aspx[/IMG] [/B]
[B]Figure 6 WSUS server IP address[/B]
c.click [B]OK[/B]
20.In the [B]Add Network Entities [/B]page
a.expand [B]Computers[/B]
b.select [B]WSUS Server[/B]
c.click [B]Add[/B], then [B]Close[/B]
21.In the [B]Access Rule Destinations [/B]page, click [B]Next[/B]
22.In the [B]User Sets [/B]page, click [B]Next[/B]
23.In the Completing the [B]New Access Rule Wizard [/B]page, click [B]Finish[/B]
24.When prompted in the center pane, click [B]Apply[/B] to save the changes
25.In the [B]Configuration Change Description[/B] page
a.enter any comments that you like
b.click [B]Apply[/B] again
26.In the [B]Saving Configuration Changes[/B] page, click [B]OK[/B]
Your new policy rule will appear as shown below:
[B][IMG]http://blogs.technet.com/photos/repository_ii_for_isa_blog_figures/images/3296792/original.aspx[/IMG] [/B]
[B]Figure 7 Custom WSUS policy[/B]
[SIZE=3][B]Testing the New Configuration[/B][/SIZE]
After you set your chosen configuration, you should verify that it works as expected. The best way to do this is to use the TMG Update Center, since this is the process you’re trying to support. To do this:
1.In the TMG management console left pane, select [B]Update Center[/B]
2.In the right pane
a.select the [B]Tasks[/B] tab
b.click [B]Install New Definitions[/B].
The display will change to indicate that TMG is checking for updates as shown below:
[B][IMG]http://blogs.technet.com/photos/repository_ii_for_isa_blog_figures/images/3296793/original.aspx[/IMG] [/B]
[B]Figure 8 Checking for updates[/B]
When the updates are successfully validated and installed, the display will change as shown below:
[B][IMG]http://blogs.technet.com/photos/repository_ii_for_isa_blog_figures/images/3296794/original.aspx[/IMG] [/B]
[B]Figure 9 Signatures up-to-date[/B]
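When the Update Center test fails, the console does not tell you which of the two paths described above (direct to port 8530 under the WSUS traffic policy, or via the Web proxy according to the WinHTTP settings) the request actually took. The following PowerShell script is an added example for this article and not part of the original posting or of TMG; it probes the WSUS server from the TMG host through the WinHttpRequest COM object, which honours the same proxy and bypass settings that netsh winhttp shows, and repeats the probe with each path forced so you can see which one is broken. It assumes (none of this is stated in the article) that the WSUS server is assigned by policy under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, that the TMG Web proxy listener is localhost:8080 as in the netsh example, and that /iuident.cab and /ClientWebService/client.asmx are the standard WSUS client URLs used as probes.

```powershell
# Added example, not part of the original article or of TMG.
# Probe the WSUS server from the TMG host the way the Windows Update Agent does
# (through WinHTTP), so the result reflects the "netsh winhttp" proxy and bypass
# settings rather than Internet Explorer's. Works with PowerShell 2.0 on Server 2008.
# Assumptions: WSUS assigned by policy (WUServer/UseWUServer keys below), TMG Web
# proxy listener on localhost:8080, probe URLs are the standard WSUS client paths.

function Test-WsusUrl {
    param(
        [string]$Url,
        [int]$ProxySetting,        # WinHttpRequest.SetProxy: 0 = machine WinHTTP setting, 1 = direct, 2 = named proxy
        [string]$ProxyServer = ''
    )
    $req = New-Object -ComObject WinHttp.WinHttpRequest.5.1
    switch ($ProxySetting) {
        1 { $req.SetProxy(1) }                 # HTTPREQUEST_PROXYSETTING_DIRECT
        2 { $req.SetProxy(2, $ProxyServer) }   # HTTPREQUEST_PROXYSETTING_PROXY
    }
    # resolve, connect, send and receive timeouts in milliseconds; short, this is a diagnostic
    $req.SetTimeouts(5000, 5000, 5000, 15000)
    try {
        $req.Open('GET', $Url, $false)
        $req.Send()
        return ('{0} {1}' -f $req.Status, $req.StatusText)
    } catch {
        return ('ERROR: ' + $_.Exception.Message)
    }
}

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer  = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).WUServer
$useWU     = (Get-ItemProperty -Path "$policyKey\AU" -ErrorAction SilentlyContinue).UseWUServer
if (-not $wuServer -or $useWU -ne 1) {
    Write-Warning 'WUServer/UseWUServer policy not set; this computer is not configured to use WSUS.'
    return
}
$wuServer = $wuServer.TrimEnd('/')

"WSUS server from policy : $wuServer"
'WinHTTP proxy settings  :'
netsh winhttp show proxy

foreach ($path in '/iuident.cab', '/ClientWebService/client.asmx') {
    $url = $wuServer + $path
    ''
    $url
    '  machine WinHTTP setting (what the Update Agent uses) : ' + (Test-WsusUrl -Url $url -ProxySetting 0)
    '  forced direct (exercises the WSUS traffic policy)     : ' + (Test-WsusUrl -Url $url -ProxySetting 1)
    '  forced via TMG Web proxy localhost:8080               : ' + (Test-WsusUrl -Url $url -ProxySetting 2 -ProxyServer 'localhost:8080')
}
```

Run it from an elevated PowerShell prompt on the TMG server. A 200 on a probe means that path reaches WSUS. If "forced direct" fails with a connection error while "forced via proxy" succeeds, the custom access rule (TCP 8530 outbound from Local Host to the WSUS server) is not allowing the connection, or does not exist. If both forced probes succeed but the "machine WinHTTP setting" probe fails, the WinHTTP proxy or bypass list is steering the request down a path that is not allowed; remember that the bypass list is matched against the host name in WUServer, so a server given by IP address is not covered by *.contoso.com. Whichever path the machine setting selects is the one TMG's Update Center will use, which is why the article says there is no point in configuring both.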
[SIZE=3][B]All Done[/B][/SIZE]
The steps in this article provide two supportable methods for ensuring that your TMG Update Center is able to quickly and reliably detect, acquire and install updates for NIS and EMP. Proper configuration and monitoring of this mechanism is critical to ensuring that you have the latest TMG traffic protection updates in place.
[B]Author[/B]
Jim Harrison, Program Manager, Forefront Edge CS
[B]Tech Reviewers[/B]
Bala Natarajan, Senior Support Engineer, FF Edge Beta
[/LEFT]