Note: This article was originally published in 2012. Some steps, commands, or software versions may have changed. Check the current Microsoft documentation for the latest information.

Prerequisites

Before you begin, make sure you have:

  • Forefront TMG 2010 installed
  • TMG Management Console access
  • Understanding of firewall and proxy concepts

After installing TMG server on a computer I ran into the issue that it could not retrieve updates from either the Internet or the corporate WSUS. I got different error codes (80072EE2) for each of the scenarios but the result was the same. (http://kx.cloudingenium.com/wp-content/uploads/sites/3/2012/02/windows_update_01.jpg)](http://richardhicks.files.wordpress.com/2010/08/windows_update_01.jpg) After looking into the logs I found out the reason for those two behaviors: First the communication to the WSUS server was blocked and then for the Windows Update Service over the internet I needed to use the proxy server for those communications to work. In order to configure the http proxy you can either use Internet Explorer and set it up there (but then IE will use the proxy as well) or you can use the netsh command to setup the http proxy as follows (don´t forget to run using elevated credentials):

netsh winhttp set proxy localhost:8080

(http://richardhicks.files.wordpress.com/2010/08/windows_update_03.jpg?w=600)](http://richardhicks.files.wordpress.com/2010/08/windows_update_03.jpg) As mentioned above all http traffic will now travel through the proxy. For certain services you don´t want the traffic to use the proxy (perhaps some internal services on your network) set the proxy bypass list. You can learn more about that and other features using the help: nets winhttp set proxy ? Below is what I ended up doing to set this up in my case: C:Windowssystem32>netsh winhttp set proxy ? Usage: set proxy Parameters: Tag Value proxy-server - proxy server for use for http and/or https protocol bypass-list - a list of sites that should be visited bypassing the proxy (use "" to bypass all short name hosts) Examples: set proxy myproxy set proxy myproxy:80 “;bar” set proxy proxy-server=“http=myproxy;https=sproxy:88” bypass-list=“.foo.com”   C:Windowssystem32>netsh netsh>winhttp netsh winhttp>set proxy localhost:8080 ”;.DomainName.local” Current WinHTTP proxy settings: Proxy Server(s) : localhost:8080 Bypass List : ;*.DomainName.local netsh winhttp> In the case you want to use WSUS as well what I did was just to create a new access rule from localhost to my WSUS server using port 8530. The below abstract is obtained from technet and it shows all the steps on how to do this:

Create a

(http://blogs.technet.com/b/isablog/archive/2009/11/28/using-windows-server-update-service-for-the-tmg-update-center.aspx “Using Windows Server Update Service for the TMG Update Center”)

Luckily, creating a rule that allows this communication is simple. You do it by performing the following steps. Create the access rule.

    1. In the TMG management console left pane:
    2. a. right-click Firewall Policy
    3. b. select New , then Access Rule
    1. in the Welcome to the New Access Rule Wizard page,
    2. a. enter WSUS from TMG
    3. b. click Next
    1. in the Rule Action page
    2. a. select Allow
    3. b. click Next
    1. in the Protocols page, click Add
    1. in the Add Protocols page, click New , then Protocol
    1. in the Welcome to the New Protocol Definition Wizard , enter WSUS Client and click Next
    1. in the Primary Connections Information page, click New
    1. in the New/Edit Protocol Connection page:
    2. a. select TCP in the Protocol type: drop-down
    3. b. select Outbound in the Direction: drop-down
    4. c. enter 8530 in the Port Range From: and To: boxes

Figure 4 Custom protocol details

  1. d. click OK to close the New/Edit Protocol Connection page
    1. in the Primary Connections Information page, verify that the summary agrees with the data in 8.a through 8.c and click Next
    1. in the Secondary Connections Information page, leave the defaults and click Next
    1. in the Completing the New Protocol Definition Wizard page, verify that the summary agrees with the figure below and click Finish

Figure 5 Protocol summary

    1. in the Add Protocols page
    2. a. expand User-Defined
    3. b. select WSUS Client
    4. c. click OK , then Close
    1. in the Protocols page, click Next
    1. In the Access Rule Sources page, click Add
    1. In the Add Network Entities page
    2. a. Expand Networks
    3. b. Select Local Host
    4. c. click Add , then Close
    1. In the Access Rule Sources page, click Next
    1. In the Access Rule Destinations page, click Add
    1. In the Add Network Entities page, Click New , then Computer
    1. In the New Computer Rule Element page
    2. a. Enter WSUS Server in the Name field
    3. b. In the Computer IP address: field, enter the IP address of your WSUS server

Figure 6 WSUS server IP address

  1. c. click OK
    1. In the Add Network Entities page
    2. a. expand Computers
    3. b. select WSUS Server
    4. c. click Add , then Close
    1. In the Access Rule Destinations page, click Next
    1. In the User Sets page, click Next
    1. In the Completing the New Access Rule Wizard page, click Finish
    1. When prompted in the center pane, click Apply to save the changes
    1. In the Configuration Change Description page
    2. a. enter any comments that you like
    3. b. click Apply again
    1. In the Saving Configuration Changes page, click OK

Figure 7 Custom WSUS policy

Summary

You’ve successfully learned configure tmg server to allow for windows update (internet & corporate wsus) - 80072ee2. If you run into any issues, double-check the prerequisites and ensure your Microsoft environment is properly configured.