You should install hotfixes and updates only on computers that are running the version of ISA Server that is specified by the hotfix or by the update. For example, you should install hotfixes and updates for ISA Server 2004, Standard Edition only on computers that are running ISA Server 2004, Standard Edition. You can install ISA Server 2006 hotfixes only on computers that are running ISA Server 2006.
Downloading and installing hotfixes
Download and install the hotfix as instructed by Microsoft Product Support Services, as described in the Microsoft Knowledge Base article for the hotfix, or as described on the Microsoft Download Center.
While you install the hotfix, the driver and services might stop on the computer that is running ISA Server. Sometimes, you may have to physically disconnect the ISA Server computer from untrusted networks, such as external networks, before you install the hotfix. You can learn whether this disconnection is required by reading the Microsoft Knowledge Base article that accompanies the hotfix or the download site's instructions.Note
If ISA Server services are installed, ISA Server enters lockdown mode during installation. After installation, the ISA Server computers or array members must be restarted.
By using administrative installation, you can integrate an update into the ISA Server administrative installation point before you run ISA Server Setup. For more information about administrative installation, visit the following Microsoft Web site:
How to install updates for Enterprise editions of ISA Server
- ISA Server updates and service packs should be installed on all array members and Configuration Storage servers.
- Before you install the updates on ISA Server 2004 Enterprise Edition, you must log on to the Configuration Storage server by using the same credentials that were used to install the Configuration Storage server during the initial ISA Server Setup. If you install the update by using a different administrator account, the installation may fail. In this case, you will receive a "Setup cannot initialize ISA Server settings" error message.
- ISA Server services may not start after you install or remove ISA Server updates. This problem may occur if the computer that is running the services is not synchronized with the Configuration Storage server. In this case, use the Monitoring node of the ISA Server Management console to manually restart the services.
- In an ISA Server Enterprise deployment in which ISA Server array members are installed in workgroup mode and the Configuration Storage server is part of a domain, ISA Server updates that are installed by using the Microsoft Update mechanism will fail. This problem occurs because there are no credentials available to access the Configuration Storage server. Rollback is successful after the update fails. The following workarounds are available for this issue:
To install an update at the command prompt and to specify credentials, type the following at a command prompt:
- For ISA Server 2004 Enterprise Edition, obtain the relevant update from the following Microsoft Download Center Web site:Then, install the update at a command prompt, and specify credentials.
- For ISA Server 2006 Enterprise Edition, the following conditions are true:
- ISA Server 2006 Enterprise Edition updates that were released before the ISA Server 2006 Supportability update (http://go.microsoft.com/fwlink/?LinkID=94689) that was issued on September 11, 2007 cannot be installed by using an alternative method. There is no workaround.
- For ISA Server 2006 Enterprise Edition updates that were issued after the ISA Server 2006 Supportability Update, including the supportability update, obtain the relevant update from the Microsoft Download Center. When you run the update, a dialog box appears during Setup to let you to specify credentials to be used. Or, you can install the update at the command prompt.
msiexec /p <msp> REINSTALL=all REINSTALLMODE=omus STORAGESERVER_CONNECT_ACCOUNT=mydomain\mydomainpermitteduser STORAGESERVER_CONNECT_PWD=mypwd /qb /l*v msilogfilename.log Note If you use this method to install the update, the update cannot be removed. To uninstall this update, you must use the following workaround:
- Export the array configuration.
- Uninstall ISA Server.
- Reinstall ISA Server.
- Import the array configuration.
In large enterprises, you may be unable to install updates concurrently on all ISA Server computers. In this case, we recommend that you install updates in the following order:
- On each computer that is running the ISA Server Management console (for remote management).
- On each Configuration Storage server.
- As required, run the upgrade separately on each server in an array and repeat for all arrays. To maintain availability, do the following on each ISA Server computer:
- If the server is load-balanced by using NLB or any other load-balancing mechanism, remove the server from the load-balancing configuration.
- Drain existing connections that are served by the server.
- Set nlb to "suspended" to prevent auto-rejoin when you restart.
- Install the update.
- Perform additional steps as required by the update package.
- Restart the server if it is required.
- Start NLB on the updated server.
After you install an update on the remote management console or on Configuration Storage server, the following states apply:
- The update does not affect remotely managed ISA Server computers or array members that do not yet have the update installed.
- Features that are provided by the update may be only partially functional, as follows:
- Features that do not require a change on the ISA Server computer will work as expected. For example, policy changes that are made on the remote management computer will affect all members of the array.
- Features that require a change on the ISA Server computer will not be functional. For example, ISA Server 2006 SP1 provides a test button feature to verify Web publishing settings. This feature will not be available on array members that are not running SP1.
If an update is not installed on all array members, only servers that are running the update can provide the update features. As client requests are balanced between array members, clients cannot benefit from changed behavior if a request is served by an array member that does not have the update installed.
When you run a monitoring application, such as the Microsoft Operations Manager (MOM) Management Pack for ISA Server, you use ISA Server files. Using these files may interfere with ISA Server Setup. To avoid this problem, stop the monitoring application before you do any of the following:
- Repair, modify, install, or update ISA Server
- Install or uninstall a service pack
- Upgrade ISA Server
By default, a log is not created when you install a hotfix. You can specify that a log is to be created during the installation. You can then use this log together with Microsoft Product Support Services to troubleshoot installation problems. Logging is only useful if installation fails. If you install again after a successful installation, no useful information is logged. To specify that a log is to be created during the installation of a hotfix, type the following at a command prompt:
Msiexec /p Hotfix_Name.msp REINSTALL=ALL REINSTALLMODE=omus /l*vx! Logfile_Name.log
This statement is interpreted as follows:
- /p applies an update.
- Hotfix_Name.msp is the name of the hotfix file and the location where you downloaded the file.
- REINSTALL=ALL reinstalls features that are already installed. Use this command together with REINSTALLMODE to indicate the type of reinstallation. REINSTALL uses all uppercase letters.
- REINSTALLMODE=omus is used with REINSTALL to specify the kind of reinstallation. REINSTALLMODE uses all uppercase letters. The omus option indicates the following:
- o reinstalls a file if it is missing or if it is an older version.
- m rewrites registry entries in the HKEY_LOCAL_MACHINE registry hive or in the HKEY_CLASSES_ROOT registry hive.
- u rewrites registry entries in the HKEY_CURRENT_USER registry hive or in the HKEY_USERS registry hive.
- s reinstalls all shortcuts and re-caches all icons.
- /l turns on logging.
- *vx indicates a wildcard character that logs all information by using verbose output.
- Logfile_Name.log is the name of the log file.
By default, the log file is created in the same folder where you run the msiexec
You can also examine the event viewer for relevant information. After the installation is complete, an event indicates whether the hotfix installation was successful.
Verifying installed hotfixes and updates
You can use the Add or Remove Programs item in Control Panel to find ISA Server hotfixes and updates that you have installed. Hotfixes are labeled with the name of the product. The name of the hotfix also includes the Microsoft Knowledge Base article number that is associated with the hotfix.
During the uninstallation process, installation source files may be required, such as the CD-ROM or the network location of the ISA Server Standard Edition installation files. If the files are inaccessible, the Microsoft Firewall service may not start. If this happens, uninstall the service pack again to make sure that you can access the installation source files, rerun the installation, or run ISA Server Setup in the Repair mode.
If you cancel the uninstallation of a service pack when you are not connected to the installation source files, ISA Server services may not start. If this happens, let the uninstallation process finish. To do this, run the service pack installation again, run Repair, or uninstall the service pack again.
You can use the Add or Remove Programs item in Control Panel to uninstall hotfixes and updates. To uninstall an ISA Server 2004 hotfix or update, you must first install Windows Installer 3.0. For more information about Windows Installer 3.0, visit the following Microsoft Web site:
Installing hotfixes and updates on Firewall Client computers
Follow the instructions for installing ISA Server 2004 hotfixes and ISA Server 2006 hotfixes to install Firewall Client hotfixes and updates on client computers that are running Firewall Client software. ISA Server 2004 includes the option to install a Firewall Client Share during Setup. Each fix that affects Firewall Client software includes a hotfix or update that you can apply directly to client computers. Each fix also includes a second hotfix that you can apply to the ISA Server 2004 Firewall Client Share. Hotfixes that are applied to the Firewall Client Share can then be distributed to client computers. To update a Firewall Client Share with a hotfix or update, use one of the following methods:
- Run the Update.bat script in the Firewall Client Share. Typically, the path of this script is \\ISA\Mspclnt\Webinst\Update.bat.
- Run the msiexec command in the Firewall Client Share. To do this, type the following command at a command prompt:
msiexec /feumsv \\ISA\Mspclnt\MS_FWC.msi