Microsoft KB Archive/885957

= How to install ISA Server hotfixes and updates =

Article ID: 885957

Article Last Modified on 12/4/2007


APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2006 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition




INTRODUCTION
The software update management process lets organizations control how they maintain and deploy software releases to their production environments. Software update management improves operational efficiency and effectiveness, helps overcome security vulnerabilities, and helps maintain the stability of the production environment. For general information about Microsoft software update strategies, visit the following Microsoft Web site:

http://www.microsoft.com/technet/archive/security/topics/patchmanagement/patchmanagement.mspx?mfr=true

When you plan a software update management strategy for computers that are running Microsoft Internet Security and Acceleration Server (ISA Server), consider the following recommendations:
 * Make sure that computers that are running ISA Server have the latest Windows updates.
 * Install critical updates and security updates for ISA Server as they become available. Additionally, install updates for components that are installed by ISA Server, such as Microsoft Data Engine (MSDE), as they become available.
 * You can install any hotfixes that are available from Microsoft Product Support Services to address specific issues that you experience. However, because this kind of hotfix is typically included in the next ISA Server service pack, we recommend that you wait for the service pack that contains the hotfix unless the issue affects you severely.



Prerequisites
You should install hotfixes and updates only on computers that are running the version of ISA Server that is specified by the hotfix or by the update. For example, you should install hotfixes and updates for ISA Server 2004, Standard Edition only on computers that are running ISA Server 2004, Standard Edition. You can install ISA Server 2006 hotfixes only on computers that are running ISA Server 2006.

Downloading and installing hotfixes
Download and install the hotfix as instructed by Microsoft Product Support Services, as described in the Microsoft Knowledge Base article for the hotfix, or as described on the Microsoft Download Center.

While you install the hotfix, the driver and services might stop on the computer that is running ISA Server. Sometimes, you may have to physically disconnect the ISA Server computer from untrusted networks, such as external networks, before you install the hotfix. You can learn whether this disconnection is required by reading the Microsoft Knowledge Base article that accompanies the hotfix or the download site's instructions.

Note If ISA Server services are installed, ISA Server enters lockdown mode during installation. After installation, the ISA Server computers or array members must be restarted.

Administrative installation
By using administrative installation, you can integrate an update into the ISA Server administrative installation point before you run ISA Server Setup. For more information about administrative installation, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/aa367541.aspx

How to install updates for Enterprise editions of ISA Server
 * Before you install the updates, log on to the Configuration Storage server by using administrative credentials. Use the same credentials that you used to install the Configuration Storage server in ISA Server Setup. If you install the update by using a different administrator account, the installation fails. In this case, you will receive a "Setup cannot initialize ISA Server settings" error message.
 * ISA Server services may not start after you install or remove ISA Server updates. This problem may occur if the computer that is running the services is not synchronized with the Configuration Storage server. In this case, use the Monitoring node of the ISA Server Management console to manually restart the services.
 * In an ISA Server Enterprise deployment in which ISA Server array members are installed in workgroup mode and the Configuration Storage server is part of a domain, ISA Server updates that are installed by using the Microsoft Update mechanism will fail. This problem occurs because there are no credentials available to access the Configuration Storage server. Rollback is successful after the update fails. The following workarounds are available for this issue:
   * For ISA Server 2004 Enterprise Edition, obtain the relevant update from the following Microsoft Download Center Web site:
     http://www.microsoft.com/downloads/Browse.aspx?displaylang=en&productID=23E0C7B9-FEAA-4E02-9662-31B9BD4CDF8B
     Then, install the update at a command prompt, and specify credentials.
   * For ISA Server 2006 Enterprise Edition, the following conditions are true:
     * ISA Server 2006 Enterprise Edition updates that were released before the ISA Server 2006 Supportability update (http://go.microsoft.com/fwlink/?LinkID=94689) that was issued on September 11, 2007 cannot be installed by using an alternative method. There is no workaround.
     * For ISA Server 2006 Enterprise Edition updates that were issued after the ISA Server 2006 Supportability Update, including the supportability update, obtain the relevant update from the Microsoft Download Center. When you run the update, a dialog box appears during Setup to let you specify the credentials to be used. Or, you can install the update at the command prompt.

To install an update at the command prompt and to specify credentials, type the following at a command prompt:

msiexec /p <HotfixFile>.msp REINSTALL=all REINSTALLMODE=omus STORAGESERVER_CONNECT_ACCOUNT=mydomain\mydomainpermitteduser STORAGESERVER_CONNECT_PWD=mypwd /qb /l*v msilogfilename.log

Note If you use this method to install the update, the update cannot be removed. To uninstall this update, you must use the following workaround:
 1. Export the array configuration.
 2. Uninstall ISA Server.
 3. Reinstall ISA Server.
 4. Import the array configuration.

Other issues
When you run a monitoring application, such as the Microsoft Operations Manager (MOM) Management Pack for ISA Server, you use ISA Server files. Using these files may interfere with ISA Server Setup. To avoid this problem, stop the monitoring application before you do any of the following:
 * Repair, modify, install, or update ISA Server
 * Install or uninstall a service pack
 * Upgrade ISA Server

Troubleshooting installation
By default, a log is not created when you install a hotfix. You can specify that a log is to be created during the installation. You can then use this log together with Microsoft Product Support Services to troubleshoot installation problems. Logging is only useful if installation fails. If you install again after a successful installation, no useful information is logged. To specify that a log is to be created during the installation of a hotfix, type the following at a command prompt:

Msiexec /p <HotfixFile>.msp REINSTALL=ALL REINSTALLMODE=omus /l*vx! <LogFileName>.log

This statement is interpreted as follows:
 * /p applies an update.
 * <HotfixFile>.msp is the name of the hotfix file and the location where you downloaded the file.
 * REINSTALL=ALL reinstalls features that are already installed. Use this command together with REINSTALLMODE to indicate the type of reinstallation. REINSTALL uses all uppercase letters.
 * REINSTALLMODE=omus is used with REINSTALL to specify the kind of reinstallation. REINSTALLMODE uses all uppercase letters. The omus option indicates the following:
   * o reinstalls a file if it is missing or if it is an older version.
   * m rewrites registry entries in the HKEY_LOCAL_MACHINE registry hive or in the HKEY_CLASSES_ROOT registry hive.
   * u rewrites registry entries in the HKEY_CURRENT_USER registry hive or in the HKEY_USERS registry hive.
   * s reinstalls all shortcuts and re-caches all icons.
 * /l turns on logging.
 * *vx indicates a wildcard character that logs all information by using verbose output.
 * <LogFileName>.log is the name of the log file.

By default, the log file is created in the same folder where you run the msiexec command.
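
The following is an added example, not part of the original article or of any Microsoft tooling. It reads a verbose msiexec log such as the one created above, reports the engine exit code and the actions that failed, and removes the value of STORAGESERVER_CONNECT_PWD (the property from the credentials command earlier in this article) before the log is shared for troubleshooting. The article does not say whether the ISA Server package hides that property from logging, so the example assumes it may appear; the sample log lines and the action name ExampleStorageConnect are constructed.

```python
import re

# Property from the page's command whose value must not leave the server.
SECRET_PROPS = ("STORAGESERVER_CONNECT_PWD",)
ACTION_END = re.compile(r"Action ended [\d:]+: (\S+)\. Return value (\d)\.")
ENGINE_EXIT = re.compile(r"MainEngineThread is returning (\d+)")

# Constructed sample in the shape of a verbose Windows Installer log;
# ExampleStorageConnect is a made-up action name, not an ISA Server one.
SAMPLE_LOG = """\
MSI (c) (5C:1C) [09:14:10:015]: Command Line: REINSTALL=all REINSTALLMODE=omus STORAGESERVER_CONNECT_ACCOUNT=mydomain\\mydomainpermitteduser STORAGESERVER_CONNECT_PWD=mypwd
Action start 9:14:58: ExampleStorageConnect.
Action ended 9:15:01: ExampleStorageConnect. Return value 3.
Action ended 9:15:02: INSTALL. Return value 3.
Property(S): STORAGESERVER_CONNECT_PWD = mypwd
MSI (s) (F0:44) [09:15:02:531]: MainEngineThread is returning 1603
"""

def decode_log(raw: bytes) -> str:
    """msiexec logs are often UTF-16 with a BOM; fall back to a single-byte codec."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")

def redact_line(line: str) -> str:
    """Cut the line right after a secret property name, whatever form follows it."""
    for name in SECRET_PROPS:
        pos = line.find(name)
        if pos != -1:
            return line[: pos + len(name)] + " [REDACTED]"
    return line

def triage(log_text: str):
    """Return (engine exit code, actions ending in 'Return value 3', redacted lines)."""
    exit_code, failed, redacted = None, [], []
    for line in log_text.splitlines():
        ended = ACTION_END.search(line)
        if ended and ended.group(2) == "3":  # 3 = the action failed
            failed.append(ended.group(1))    # first entry is the original failure
        engine = ENGINE_EXIT.search(line)
        if engine:
            exit_code = int(engine.group(1))
        redacted.append(redact_line(line))
    return exit_code, failed, redacted

if __name__ == "__main__":
    code, failed, safe = triage(decode_log(SAMPLE_LOG.encode("utf-16")))
    print(code, failed)
    print("\n".join(safe))
```

Because the password is also typed on the command line, the redacted copy only protects the log file; the account password should still be changed if the original log or the command history was exposed.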

You can also examine the event viewer for relevant information. After the installation is complete, an event indicates whether the hotfix installation was successful.

Verifying installed hotfixes and updates
You can use the Add or Remove Programs item in Control Panel to find ISA Server hotfixes and updates that you have installed. Hotfixes are labeled with the name of the product. The name of the hotfix also includes the Microsoft Knowledge Base article number that is associated with the hotfix.

Uninstalling hotfixes
During the uninstallation process, installation source files may be required, such as the CD-ROM or the network location of the ISA Server Standard Edition installation files. If the files are inaccessible, the Microsoft Firewall service may not start. If this happens, uninstall the service pack again to make sure that you can access the installation source files, rerun the installation, or run ISA Server Setup in the Repair mode.

If you cancel the uninstallation of a service pack when you are not connected to the installation source files, ISA Server services may not start. If this happens, let the uninstallation process finish. To do this, run the service pack installation again, run Repair, or uninstall the service pack again.

You can use the Add or Remove Programs item in Control Panel to uninstall hotfixes and updates. To uninstall an ISA Server 2004 hotfix or update, you must first install Windows Installer 3.0. For more information about Windows Installer 3.0, visit the following Microsoft Web site:

http://go.microsoft.com/fwlink/?LinkID=40389

Installing hotfixes and updates on Firewall Client computers
Follow the instructions for installing ISA Server 2004 hotfixes and ISA Server 2006 hotfixes to install Firewall Client hotfixes and updates on client computers that are running Firewall Client software. ISA Server 2004 includes the option to install a Firewall Client Share during Setup. Each fix that affects Firewall Client software includes a hotfix or update that you can apply directly to client computers. Each fix also includes a second hotfix that you can apply to the ISA Server 2004 Firewall Client Share. Hotfixes that are applied to the Firewall Client Share can then be distributed to client computers. To update a Firewall Client Share with a hotfix or update, use one of the following methods:
 * Run the Update.bat script in the Firewall Client Share. Typically, the path of this script is \\ISA\Mspclnt\Webinst\Update.bat.
 * Run the msiexec command in the Firewall Client Share. To do this, type the following command at a command prompt:

msiexec /feumsv \\ISA\Mspclnt\MS_FWC.msi

Keywords: kbhowto kbinfo kbisa2006swept KB885957


© Microsoft Corporation. All rights reserved.