The software update management process lets organizations
control how they maintain and deploy software releases to their production
environments. Software update management improves operational efficiency and
effectiveness, helps overcome security vulnerabilities, and helps maintain the
stability of the production environment. For general information about
Microsoft software update strategies, visit the following Microsoft Web site:
When you plan a software update management strategy for computers
that are running Microsoft Internet Security and Acceleration Server (ISA
Server), consider the following recommendations:
- Make sure that computers that are running ISA Server have
the latest Windows updates.
- Install critical updates and security updates for ISA
Server as they become available. Additionally, install updates for components
that are installed by ISA Server, such as Microsoft Data Engine (MSDE), as they
- You can install any hotfixes that are available from
Microsoft Product Support Services to address specific issues that you
experience. However, because this kind of hotfix is typically included in the
next ISA Server service pack, we recommend that you wait for the service pack
that contains the hotfix unless the issue affects you severely.
- ISA Server updates and service packs are cumulative. A service pack for a specific version of ISA Server contains all previously released updates and fixes for that version. A service pack or cumulative update can be installed on computers that are running the release to manufacturing (RTM) version of ISA Server or on computers that are running ISA Server together with any hotfixes or updates that have been issued since RTM.
You should install hotfixes and updates only on computers that are
running the version of ISA Server that is specified by the hotfix or by the
update. For example, you should install hotfixes and updates for ISA Server
2004, Standard Edition only on computers that are running ISA Server 2004,
Standard Edition. You can install ISA Server 2006 hotfixes only on computers
that are running ISA Server 2006.
Downloading and installing hotfixes
Download and install the hotfix as instructed by Microsoft
Product Support Services, as described in the Microsoft Knowledge Base article
for the hotfix, or as described on the Microsoft Download
While you install the hotfix, the driver and services might
stop on the computer that is running ISA Server. Sometimes, you may have to
physically disconnect the ISA Server computer from untrusted networks, such as
external networks, before you install the hotfix. You can learn whether this
disconnection is required by reading the Microsoft Knowledge Base article that
accompanies the hotfix or the download site's instructions.Note
Server services are installed, ISA Server enters lockdown mode during
installation. After installation, the ISA Server computers or array members
must be restarted.
By using administrative installation, you can integrate an update
into the ISA Server administrative installation point before you run ISA Server
Setup. For more information about administrative installation, visit the
following Microsoft Web site:
How to install updates for Enterprise editions of ISA Server
In large enterprises, you may be unable to install updates concurrently on all ISA Server computers. In this case, we recommend that you install updates in the following order:
- On each computer that is running the ISA Server Management console (for remote management).
- On each Configuration Storage server.
- As required, run the upgrade separately on each server in an array and repeat for all arrays. To maintain availability, do the following on each ISA Server computer:
- If the server is load-balanced by using NLB or any other load-balancing mechanism, remove the server from the load-balancing configuration.
- Drain existing connections that are served by the server.
- Set nlb to "suspended" to prevent auto-rejoin when you restart.
- Install the update.
- Perform additional steps as required by the update package.
- Restart the server if it is required.
- Start NLB on the updated server.
After you install an update on the remote management console or on Configuration Storage server, the following states apply:
- The update does not affect remotely managed ISA Server computers or array members that do not yet have the update installed.
Features that are provided by the update may be only partially functional, as follows:
Features that do not require a change on the ISA Server computer will work as expected. For example, policy changes that are made on the remote management computer will affect all members of the array.
- Features that require a change on the ISA Server computer will not be functional. For example, ISA Server 2006 SP1 provides a test button feature to verify Web publishing settings. This feature will not be available on array members that are not running SP1.
If an update is not installed on all array members, only servers that are running the update can provide the update features. As client requests are balanced between array members, clients cannot benefit from changed behavior if a request is served by an array member that does not have the update installed.
When you run a monitoring application, such as the Microsoft
Operations Manager (MOM) Management Pack for ISA Server, you use ISA Server
files. Using these files may interfere with ISA Server Setup. To avoid this
problem, stop the monitoring application before you do any of the following:
- Repair, modify, install, or update ISA Server
- Install or uninstall a service pack
- Upgrade ISA Server
By default, a log is not created when you install a hotfix. You
can specify that a log is to be created during the installation. You can then
use this log together with Microsoft Product Support Services to troubleshoot
installation problems. Logging is only useful if installation fails. If you
install again after a successful installation, no useful information is logged.
To specify that a log is to be created during the installation of a hotfix,
type the following at a command prompt:
Msiexec /p Hotfix_Name.msp REINSTALL=ALL REINSTALLMODE=omus /l*vx! Logfile_Name.log
This statement is interpreted as follows:
- /p applies an update.
- Hotfix_Name.msp is the name of the hotfix file and the location where you
downloaded the file.
- REINSTALL=ALL reinstalls features that are already installed. Use this command
together with REINSTALLMODE to indicate the type of reinstallation. REINSTALL uses all uppercase letters.
- REINSTALLMODE=omus is used with REINSTALL to specify the kind of reinstallation. REINSTALLMODE uses all uppercase letters. The omus option indicates the following:
- o reinstalls a file if it is missing or if it is an older
- m rewrites registry entries in the HKEY_LOCAL_MACHINE registry hive
or in the HKEY_CLASSES_ROOT registry hive.
- u rewrites registry entries in the HKEY_CURRENT_USER registry hive
or in the HKEY_USERS registry hive.
- s reinstalls all shortcuts and re-caches all icons.
- /l turns on logging.
- *vx indicates a wildcard character that logs all information by using
- Logfile_Name.log is the name of the log file.
By default, the log file is created in the same folder where you
run the msiexec
You can also examine the event viewer for
relevant information. After the installation is complete, an event indicates
whether the hotfix installation was successful.
Verifying installed hotfixes and updates
You can use the Add or Remove Programs item in Control Panel to
find ISA Server hotfixes and updates that you have installed. Hotfixes are
labeled with the name of the product. The name of the hotfix also includes the
Microsoft Knowledge Base article number that is associated with the hotfix.
the uninstallation process, installation source files may be required, such as the CD-ROM or
the network location of the ISA Server Standard Edition installation files. If
the files are inaccessible, the Microsoft Firewall service may not start.
If this happens, uninstall the service pack again to make sure that you can access the installation
source files, rerun the installation, or run ISA Server Setup in the Repair
If you cancel the uninstallation of a service pack when you are not
connected to the installation source files, ISA Server services may not start. If this happens, let the uninstallation process finish. To do this, run the service pack installation again, run Repair, or
uninstall the service pack again.
You can use the Add or Remove
Programs item in Control Panel to uninstall hotfixes and updates. To uninstall
an ISA Server 2004 hotfix or update, you must first install Windows Installer
3.0. For more information about Windows Installer 3.0, visit the following
Microsoft Web site:
Installing hotfixes and updates on Firewall Client computers
Follow the instructions for installing ISA Server 2004 hotfixes
and ISA Server 2006 hotfixes to install Firewall Client hotfixes and updates on
client computers that are running Firewall Client software. ISA Server 2004
includes the option to install a Firewall Client Share during Setup. Each fix
that affects Firewall Client software includes a hotfix or update that you can
apply directly to client computers. Each fix also includes a second hotfix that
you can apply to the ISA Server 2004 Firewall Client Share. Hotfixes that are
applied to the Firewall Client Share can then be distributed to client
computers. To update a Firewall Client Share with a hotfix or update, use one
of the following methods: