Migrating from ISA 2004/2006 to Forefront TMG

Original author: Richard Hicks
  • Translation
The Internet Security & Acceleration (ISA) Server has been replaced by the Forefront Threat Management Gateway (TMG).

In this translated article we look at the transition from ISA 2004/2006 to Forefront TMG.

ISA Server 2004/2006 cannot be upgraded in place to TMG: Forefront TMG runs only on 64-bit Windows operating systems, while ISA runs only on 32-bit ones.

Therefore, exporting the rules and configuration from ISA and importing them into TMG is the only way to migrate.
Such a migration is supported from ISA 2004 SP3 or from ISA 2006 SP1.
Depending on which edition of ISA you have, there are four possible migration paths
(excluding TMG MBE, the Medium Business Edition):
  • ISA Server Standard -> TMG Standard
  • ISA Server Standard -> TMG Enterprise (server in stand-alone mode)
  • ISA Server Enterprise (single-server array / server that is a member of an array) -> TMG Enterprise (server in stand-alone mode)
  • ISA Server Enterprise (single-server array / several arrays) -> TMG Enterprise (managed by an EMS, Enterprise Management Server)

Migrating from previous ISA versions to TMG requires careful planning, analysis, and attention to detail. Before you begin the transition, collect and write down the most important information about the existing system, including:
IP addressing - write down the IP addresses of all network interfaces, including the intra-array interface used for communication between array members and the virtual IP addresses used by NLB (network load balancing). If you use VPN, also record the address ranges assigned to remote-access clients and to site-to-site networks.

Routing - write down all static routes required for communication between networks.

DNS - save separately all A host records and CNAME aliases used by the ISA firewall, including statically configured host records for the ISA server itself, proxy server array aliases, and the WPAD (Web Proxy Auto-Discovery) records used by clients.

WPAD - if DHCP distributes the proxy auto-discovery settings to clients in your enterprise, keep in mind that those clients will be affected by the change as well.

Certificates - export all the certificates and private keys required for the migration to TMG, including computer certificates and the SSL certificates used by HTTPS publishing rules. Keep in mind that by default far fewer root certificates are installed on Windows Server 2008 R2 than on Windows Server 2008 or earlier versions of Windows Server.

Active Directory - if you publish websites that use the Kerberos protocol extension Constrained Delegation (KCD), configure the computer account of the new system for delegation. If you created an SPN (Service Principal Name) mapping in the Kerberos database for the Configuration Storage Server (CSS), update it if necessary.

Third-party solutions - keep in mind that any third-party add-ons installed on ISA will not work after the migration. Check the vendors' sites for TMG-compatible versions of the plug-ins.

Scheduled and custom reports - save all reports; they will not be transferred to Forefront TMG either.
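An added PowerShell example (not from the original post) that gathers the inventory described above on the ISA host into one folder; it assumes PowerShell 2.0 or later, setspn.exe on the path, an arbitrary output folder name, and a constructed list of DNS aliases that you replace with your own:

```powershell
# Added example (not from the original post): collect the pre-migration inventory
# described above into one folder. Assumes PowerShell 2.0 or later on the ISA server
# and that setspn.exe is available; the folder name and the alias list are arbitrary.
$out = 'C:\ISA-Migration-Inventory'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# IP addressing: every IP-enabled interface (intra-array NIC and NLB VIPs appear here too)
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
    Select-Object Description, MACAddress,
        @{n='IP';      e={ $_.IPAddress -join ',' }},
        @{n='Mask';    e={ $_.IPSubnet -join ',' }},
        @{n='Gateway'; e={ $_.DefaultIPGateway -join ',' }},
        @{n='DNS';     e={ $_.DNSServerSearchOrder -join ',' }} |
    Format-List | Out-File "$out\ip-addressing.txt"

# Routing: full table; the "Persistent Routes" section at the end lists the static routes
route print | Out-File "$out\routes.txt"

# DNS: resolve this host and the aliases clients use (array alias, WPAD); edit the list
$names = @($env:COMPUTERNAME, 'proxy', 'wpad')   # 'proxy' is a constructed sample alias
foreach ($n in $names) {
    "== $n" | Out-File "$out\dns.txt" -Append
    nslookup $n 2>&1 | Out-File "$out\dns.txt" -Append
}

# Active Directory: SPNs registered on this computer account (CSS / KCD housekeeping)
setspn -L $env:COMPUTERNAME | Out-File "$out\spns.txt"

# Certificates: inventory LocalMachine\My, then export each exportable private key as PFX
$pfxPassword = Read-Host 'PFX export password' -AsSecureString
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, NotAfter, Thumbprint, HasPrivateKey |
    Format-Table -AutoSize | Out-File "$out\certificates.txt" -Width 300
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }) {
    try {
        $pfxType = [Security.Cryptography.X509Certificates.X509ContentType]::Pfx
        [IO.File]::WriteAllBytes("$out\$($cert.Thumbprint).pfx", $cert.Export($pfxType, $pfxPassword))
    } catch {
        # keys marked non-exportable at enrollment cannot be moved this way; re-enroll on TMG instead
        Write-Warning ("{0}: private key not exportable ({1})" -f $cert.Thumbprint, $_.Exception.Message)
    }
}
Write-Host "Inventory written to $out; copy it and the PFX files to the new TMG host"
```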

Do not assume that switching to TMG will solve the problems you already have with the current ISA configuration. Run the ISA Best Practices Analyzer against your system and resolve any issues it reports before migrating.

When planning the transition from ISA to TMG, system resources must also be considered. Despite the performance gains of a 64-bit system, TMG includes many new security and protection features that consume additional resources.
Use the Forefront TMG 2010 Capacity Planning Tool to determine whether your hardware meets the TMG system requirements.

Once the preparation is complete and the new TMG configuration has passed initial testing, you can proceed with the actual transition.

Export from Internet Security & Acceleration Server

Open the ISA management console:
  • for Standard Edition:
    select the ISA server name and choose Export (Backup) from the context menu

  • for Enterprise Edition:
    likewise choose Export (Backup) from the context menu, as shown below:

The Export Wizard starts.
Check the “Export confidential information” and “Export user permission settings” boxes, then set a password to encrypt the exported data.

Click “Next” and specify where to save the XML file. We will import this file into TMG later.

Import to Forefront Threat Management Gateway

Before importing the settings into TMG, make sure that the Getting Started Wizard has not been run (this wizard creates basic access rules through the firewall). If it has been run, delete all the access rules it created; with that done, the import into TMG should complete without errors.
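An added PowerShell example (not from the original post) that lists the current TMG firewall policy and removes named access rules through the TMG administration COM object, so the policy is empty before the import; it assumes the FPC.Root COM class and its GetContainingArray / ArrayPolicy.PolicyRules object model from the TMG SDK, that it runs locally on the TMG server, and that you supply the rule names to delete:

```powershell
# Added example (not from the original post): show the firewall policy on the TMG server
# and delete the access rules created by the Getting Started Wizard before importing.
# Assumes the FPC.Root COM object (TMG SDK) and the rule names passed in -RulesToDelete.
param(
    [string[]] $RulesToDelete = @(),   # names shown under Firewall Policy after the wizard ran
    [switch]   $Commit                 # without -Commit the script only reports what it would remove
)
$fpc   = New-Object -ComObject FPC.Root
$array = $fpc.GetContainingArray()      # the local (stand-alone) array
$rules = $array.ArrayPolicy.PolicyRules

# FPCPolicyRuleTypes per the TMG SDK: 0 = access rule, 1 = server publishing, 2 = web publishing
$typeName = @{ 0 = 'Access'; 1 = 'ServerPublishing'; 2 = 'WebPublishing' }

Write-Host 'Current firewall policy:'
foreach ($r in $rules) {
    $state = if ($r.Enabled) { 'on' } else { 'off' }
    '{0,3}  {1,-16} {2,-4} {3}' -f $r.Order, $typeName[[int]$r.Type], $state, $r.Name
}

foreach ($name in $RulesToDelete) {
    # only access rules are candidates; publishing rules are left alone
    $match = @($rules | Where-Object { $_.Name -eq $name -and [int]$_.Type -eq 0 })
    if ($match.Count -eq 0) { Write-Warning "No access rule named '$name'"; continue }
    if ($Commit) { $rules.Remove($name); Write-Host "Removed '$name'" }
    else         { Write-Host "Would remove '$name' (run again with -Commit)" }
}

if ($Commit -and $RulesToDelete.Count -gt 0) {
    $array.Save()     # write to configuration storage; TMG applies the change shortly afterwards
    Write-Host 'Saved. Remaining rules:'
    foreach ($r in $rules) { '  ' + $r.Name }
}
```

Run it once without -Commit to confirm the names match exactly what the wizard created, then with -Commit; the remaining list should contain only the default rule before you start the import.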

NB: When migrating from ISA Server Enterprise to TMG managed by an EMS server, you must import the configuration into EMS before creating an array or adding members to the array.
Also, when moving from ISA Server Enterprise (single-server array / server that is a member of an array) to TMG Enterprise (in stand-alone server mode), one additional step is required; it is described at the end of the post.

On the TMG computer, open the management console:
  • for Standard or Enterprise editions:
    select the Forefront TMG server name and choose Import (Restore) from the context menu

  • for the Enterprise edition managed by an EMS server:
    likewise choose Import (Restore) from the context menu, as shown below:

The Import Wizard starts. Specify the path to the XML file we exported earlier and enter the password that was set during the export.

After the Import Wizard reports success, click the “Apply” button to save the changes and update the Threat Management Gateway configuration.

Export from ISA Server Enterprise (single-server array / server that is a member of an array)

Before importing ISA Server Enterprise settings (a single-server array or a server that is a member of an array) into TMG Enterprise in stand-alone server mode, you must first convert the exported XML file into a format that this TMG mode can work with. This is necessary because the exported ISA Enterprise file contains enterprise-level policies that a stand-alone TMG server does not support. To convert it, use the
EE Single Server Conversion Tool for Forefront TMG
utility. After installing the conversion utility, open a command prompt, change to the C:\Program Files (x86)\Microsoft Forefront TMG Tools\EESingleServerConversion folder and run:

EESingleServerConversion.exe /s <source XML file> /t <target XML file>

Then follow the import steps described above for ISA Standard Edition.

  1. Forefront TMG installs the Web Server (IIS) role. Note that this component is not removed when Forefront TMG is uninstalled;
  2. Microsoft Forefront TMG does not support more than 300 licensed users.
