How to Reinstall Microsoft Forefront Threat Management Gateway on Windows Essential Business Server Security Server

INTRODUCTION

This article describes how to reinstall Microsoft® Forefront™ Threat Management Gateway, Medium Business Edition on Windows® Essential Business Server Security Server.  This may be necessary as a last-effort troubleshooting step or to repair a damaged installation of Forefront TMG.  The steps in this article will, of course, cause loss of network connectivity until Forefront TMG is reinstalled and reconfigured.
Important: Before using these steps, it is recommended that you make a complete backup of the Security Server.
There are four steps to uninstalling and reinstalling TMG on EBS:

1. Backup the existing firewall settings 2. Uninstall Forefront TMG from Security Server 3. Install Forefront TMG on Security Server 4. Restore the Forefront TMG firewall configuration

Backup the existing firewall settings

To save network firewall settings to an XML file

1. Click Start, click All Programs, click Windows Essential Business Server, and then clickWindows Essential Business Server Administration Console.
2. Click the Security tab, and in the results pane, click Network firewall. In the tasks pane, clickSave firewall settings.
   
3. In the Save as dialog box, choose a name and a location for the XML file that will contain the current configuration settings for the network firewall. Click Save to begin.
4. Click Close on the “the settings were successfully saved” dialog when it appears.

Uninstall Forefront TMG from Security Server

To uninstall Forefront TMG from the server, follow these steps:

1. From Control Panel open Programs and Features on the Security Server
2. Highlight “Microsoft Forefront Threat Management Gateway” and click on Uninstall/Change
     
3. The next screen gives the option to either remove or repair Forefront TMG from the server. Select the option to Remove and select next.  
     
4. Select whether you would like to retain the existing log files and cache files on the server. If you want to remove the files, do not check anything. If you wish to retain them, check both the options and select next.
      
5. The installation wizard will proceed with the removal of TMG from the server. Uninstalling TMG from Programs and Features also removes its LDS instance (ISASTGCTRL).
      
6. Reboot the server when prompted.

Reinstall Forefront TMG on Security Server
Forefront TMG can be reinstalled using the following steps:

1. Navigate to the following location on the Security Server
   •           %ProgramFiles%\Windows Essential Business Server\Bin\ISA
2. Double-click on ISAAutorun.exe to start TMG setup. 
     
3. On the “Microsoft Forefront TMG Setup” screen, click on “Install Forefront TMG”. 
     
4. Select “Install Forefront Threat Management Gateway” and click on next.
5. Accept the defaults on the Component Selection screen and click next. 
     
6. On the Internal Network screen use these steps to configure your network settings:
   1. Click on Add
   2. In the “Addresses” window that comes up next, click on “Add Adapter”.
   3. Select the network adapter for your internal network and click OK, then OK again.     
        
   4. Once you are back to the “Internal Network” screen, click next.
7. Click Next to acknowledge the “Setup will restart these services on the server: SNMP Service, IIS Admin Service, World Wide Web Publishing Service and Microsoft Operations Manager Service” message.
8. Click “Install” to begin the setup of Forefront TMG on the server.

After installation has completed and Forefront TMG console is launched for the first time, the TMG console will launch the Getting Started Wizard.
Before proceeding to restore the settings, click on “Close” at the “Getting started wizard” screen. This brings up a confirmation window, asking “Are you sure you want to close the Getting Started Wizard?” Uncheck the box against “Automatically launch the wizard the next time the Forefront TMG Management console is launched” and click Yes.

Restore the Forefront TMG Settings

To restore the settings previously backed up before uninstalling Forefront TMG, use the following steps:
1. Launch the Essential Business Server Administration Console.
2. Click the Security tab, and then click on Network firewall. In the tasks pane, click Apply Saved Settings.
3. In the Open dialog box, choose the name and the location of the XML file saved in the “Backup the existing firewall settings” section of this article. Click Open to apply the settings.
4. Once the settings have been committed, a “the network firewall settings were applied successfully” dialog will appear. Click Close to dismiss the dialog.
If you were unable to back up your most recent settings before uninstalling Forefront TMG, you can restore TMG to the settings configured during the EBS installation using these steps:

%ProgramFiles%\Windows Essential Business Server\Data

1. Launch the Windows® Essential Business Server Administration Console on the Management server
2. Click on the Security tab
3. Highlight Network Firewall and click on Restore Default Network Firewall Settings under Network Firewall Tasks. 

4. In the resulting dialog, click Yes to restore the default settings.
5. Click close to dismiss the “Default network firewall settings were successfully restored” dialog.

Exchange Certificate Expiration in EBS 2008

This post has been re-written on 8/25/2011 to cover a wider range of scenarios that have been generating an increasing amount of traffic recently.
The EBS 2008 Messaging Server is installed with two Exchange certificates; both are used for securing communication with the Security server. Specifically, one certificate is used by the Hub Transport role to secure EdgeSync communication with the Edge Transport Role and the other is for securing web communication between Forefront TMG and the Exchange virtual directories (this same certificate is also used for any application that uses port 443, such as OWA, Outlook Anywhere, TSGateway, and Remote Web Workplace).

Certificate Expiration Issues

The certificate used for Web traffic expires two years after its creation date. When it does, you will not be able to access resources such as OWA, ActiveSync, and RWW from the internet.
The certificate used for EdgeSync is valid for only one year from its creation date and you will start receiving warnings in Event Viewer once it expires:

Application
MSExchangeTransport
Error
12014
Microsoft Exchange couldn't find a certificate that contains the domain name Domain_Name in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default Server with a FQDN parameter of FQDN. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Application
MSExchangeTransport
Warning
12015
An internal transport certificate expired.

NOTE: The certificate simply expiring will not cause EdgeSync or SMTP mail flow to stop working. You will just receive the above events and STARTTLS will be unavailable.

Recreating the Certificate

The following method should be used when either certificate has expired or has been accidentally deleted. This will fix both loss of web access and loss of mail flow between the Security and Messaging servers. Essentially we are replacing both certificates with single new one that will be valid for another 2 years. It will be issued by the trusted internal Certificate Authority while maintaining both original names to preserve certificate trust between the two servers.
Create the new certificate 

1. On the Messaging Server, launch Exchange PowerShell as admin. 
2. Run the following command to create a temporary directory for this process:
   md c:\EBSBlog 
3. Run the following commands to collect the $ComputerName, $FQDN, $Date, and $FriendlyName values you will need:
   $ComputerName = gc env:computername
   $DnsDomain = gc env:userdnsdomain
   $FQDN = $ComputerName + “.” + $DnsDomain
   $Date = Get-Date –Format d $FriendlyName = $Date + “ EBSBlogCert” 
4. Run the following command to generate the new certificate request:
   New-ExchangeCertificate –GenerateRequest –Path c:\EBSBlog\NewEBSCert.req –DomainName $ComputerName, $FQDN –FriendlyName $FriendlyName 
5. Run the following command to submit the request:
   CertReq –attrib “CertificateTemplate:WebServer” c:\EBSBlog\NewEBSCert.req 
6. When prompted, select your internal Certificate Authority and save the resulting certificate with the name NewEBSCert.cer back to the c:\EBSBlog folder. 
7. Run the following commands to import the certificate into Exchange and assign the necessary services:
   Import-ExchangeCertificate c:\EBSBlog\NewEBSCert.cer
   Get-ExchangeCertificate | Where {$_.FriendlyName –match $FriendlyName} | Enable-ExchangeCertificate –Services IIS,SMTP,POP,IMAP 
8. Select Y to overwrite the existing default SMTP certificate.

If the original transport certificate had been deleted previously, it is expected that you will receive the following informational/warning message:

New-ExchangeCertificate : The internal transport certificate for the local server was corrupted or missing in Active Directory. The problem has been fixed. If you have existing Edge Subscriptions, you must subscribe all Edge Transport servers again by using the New-EdgeSubscription cmdlet in the Exchange Management Shell. 
Whether or not you receive this message, follow the steps below to recreate the Edge Subscription between the Hub role on Messaging and the Edge role on Security.
Recreate the Edge Subscription

From Security Server:

1. Open Exchange PowerShell as administrator and run the following commands:
   md c:\EBSBlog
   New-EdgeSubscription –FileName c:\EBSBlog\new.xml 
2. Choose Yes to confirm.
   
   From Messaging Server: 
3. Copy the xml file from the Security server to the c:\EBSBlog folder on the Messaging server and run the following command:
   New-EdgeSubscription –FileName c:\EBSBlog\new.xml –Site Default-First-Site-Name 
4. Wait between 5 and 15 minutes, then test EdgeSync by running the following command to ensure that it’s working properly:
   Test-EdgeSynchronization
   

Once all entries say Synchronized, mail flow should be restored. If you are still having issues, you may want to contact Microsoft Product Support Services for assistance.

More Information

Missing Certificate
We often find that customers discover the expiration on their web certificate before they realize that their EdgeSync certificate has expired, since only the web certificate expiration will cause major functionality loss. We also find that many times customers are unintentionally removing the old certificates improperly during the course of troubleshooting, which can then break both inbound and outbound mailflow as well. In this circumstance, you may receive errors such as the following:

Application
MSExchangeTransport
Warning
12023

Microsoft Exchange could not load the certificate with thumbprint of from the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mailflow to other Exchange Servers could be affected by this error…

Application
MSExchangeTransport
Error
2018

Outbound direct trust authentication failed for certificate . The target IP address of the Exchange server that Microsoft Exchange tried to authenticate to is . Make sure EdgeSync is running properly.

Application
MSExchange EdgeSync
Error
1032

No credential was found for …

451 4.4.0 Primary target IP address responded with: “454 4.7.0 Temporary authentication failure.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts