If your FEP 2010 clients are trying to download an update from the SCCM server, you will notice a denied connection from the client through the Forefront Threat Management Gateway 2010. You have to allow the secure connection on port 8531 on the FFTMG. You can do this with an extra tool from http://www.isatools.org/ : go to “TMG Tools” and download the “ISA Tunnel Port tool”.

Then run the following commands from an administrator command line:

run “cscript isa_tpr.js /del SSL”

run “cscript isa_tpr.js /add SSL 442 8531” (or whatever port you have defined for the secure WSUS connection)

run “cscript isa_tpr.js /show SSL” (just for confirmation)

Now just restart the Microsoft Firewall service and that’s it! Have fun downloading virus definitions from SCCM/WSUS.