ISA Server 2004 FAQ: Installing and Upgrading

This frequently asked questions (FAQ) document provides answers to questions commonly asked during installation and upgrade of Microsoft® Internet Security and Acceleration (ISA) Server 2004.

Q

Can I upgrade from ISA Server 2000 Enterprise Edition to ISA Server 2004 Standard Edition?

A

No, an upgrade path is only supported from ISA Server 2000 Standard Edition running at least Service Pack 1.

Q

What do I need to do to preserve my ISA Server 2000 settings during the upgrade?

A

If you do an in-place upgrade and install ISA Server 2004 on the same computer running ISA Server 2000, the configuration is automatically migrated to ISA Server 2004.

If you uninstall ISA Server 2000 before installing ISA Server 2004, or install ISA Server 2004 on a different computer, you should run the Migration Tool on the ISA Server 2000 computer before upgrading to ISA Server 2004. Upgrade to ISA Server 2004, and then import the migrated configuration.

Remember that before exporting and importing settings, you should back up your current ISA Server 2000 configuration.

Q

Are all my settings preserved during an upgrade?

A

Most of the settings are preserved, but there are a number of settings that are not preserved:

  • Bandwidth rules are not supported in ISA Server 2004 and are not upgraded.
  • Logging and reporting settings and information are not upgraded.
  • Permission settings such as system access control lists (SACLs) are not upgraded.
  • The H.323 Gatekeeper installed with ISA Server 2000 is removed.

For detailed information, read the upgrade guide, available from autorun when you run ISA Server setup.

Q

What happens to the permissions I specified for particular objects in ISA Server 2000?

A

These permissions are not migrated to ISA Server 2004. Instead, the default permissions are applied.

Q

Are application filters migrated?

A

Yes, as follows:

  • FTP Access filter. Protocol rules for FTP, and protocol rules applying to FTP Server are migrated to access rules with read-only disabled. Protocol rules applying to FTP download are migrated to access rules with read-only enabled.
  • H.323 filter. When allowing incoming calls, after upgrading, this filter listens on the External network. For allowing outgoing calls, after upgrading, this filter listens on the Internal network. The Internal network does not include the VPN Clients network or the Local Host network, and you should modify filter settings to listen on these networks if required.
  • SMTP filter. For SMTP commands, this is the same as in ISA Server 2000. Attachments, keywords, and users and domains are migrated to an SMTP server publishing rule on a per-rule basis.
  • RPC filter. The RPC filter configuration in ISA Server 2000 is replaced with per-rule filtering.
  • HTTP Redirection filter. Not upgraded (not supported in ISA Server 2004).
  • SOCKS v4 filter. After upgrading, this filter listens on the Internal network. The Internal network does not include the VPN Clients network or the Local Host network, and you should modify filter settings to listen on these networks if required.
  • Streaming Media filters (RTSP, MMS, PNM): Same as in ISA Server 2000. MMS stream splitting is not supported.
  • DNS filter (intrusion detection). Migrated directly to ISA Server 2004.
  • POP filter (intrusion detection). Migrated directly to ISA Server 2004.

Note that third-party filters are not upgraded.

Q

What happens to the cache during migration?

A

The cache drive configuration is retained. If you migrate to a different computer, the hardware and drive should be similar to the ISA Server 2000 computer. Most cache properties are migrated directly, with the following exceptions:

  • General cache properties that specify whether cache objects should be updated are set to the ISA Server 2004 default settings.
  • General cache properties specifying whether objects exceeding a certain size should be cached are not migrated.
  • General cache properties specifying whether dynamic content is cached are set on the ISA Server 2004 default cache rule.

Q

What happens on an upgrade from ISA Server 2000 with a single network adapter?

A

A single network adapter configuration is upgraded as follows:

  • The Internal network on ISA Server 2004 is configured to include all addresses associated with the single network adapter on the ISA Server 2000 computer.
  • An access rule is created to allow HTTP, FTP, and HTTPS access from the Internal network to the Internal network.

Q

Are packet filters supported in ISA Server 2004?

A

No. For more information on how packet filters are migrated, see the migration document (ISA2000migrate.htm). This document is available from autorun, or on the ISA Server 2004 CD.

Q

What happened to URLScan in ISA Server 2004?

A

This feature, provided with ISA Server 2000 Feature Pack 1, is renamed HTTP Filter in ISA Server 2004. Some functionality is no longer available, including:

  • EnableLogging
  • PerProcessLogging
  • AllowLateScanning
  • PerDayLogging
  • RejectResponseUrl
  • UseFastPathReject
  • DenyUrlSequences

Q

What will happen to my routing rules?

A

Each ISA Server 2000 routing rule is duplicated on ISA Server 2004, as a cache rule and as a routing rule. Routing rules are created with identical properties to those of the original ISA Server 2000 routing rule. Destinations are mapped to specific networks in the ISA Server 2004 routing rule properties. If the routing rule used a dial-up entry, a dial-up entry with the same properties is created on the External network of ISA Server 2004. A new caching rule is created based on the original ISA Server 2000 routing rule. Note that the bridging and action properties of ISA Server 2000 routing rules are not migrated.

Q

Are streaming media and live stream splitting supported on ISA Server 2004?

A

No, these features are not available with ISA Server 2004. ISA Server 2004 streaming media filters focus only on enabling firewall traversal for the media protocols.

Q

What file name should I provide for the exported policy when I run the migration tool?

A

You can specify any file name, but if the file already exists, it will be overwritten.

Q

I am running an import that includes SSL certificates and the import failed. What could be wrong?

A

This could occur if the target computer does not support certificates, or has a different certificate configuration. In this case, you must disable SSL on the incoming and outgoing Web listener pages on the ISA Server computer before exporting the file configuration. Alternatively, you can copy the certificate to the target computer before beginning the export.

Another reason this may occur is that you did not select Import cache drive settings and SSL certificates in the Import dialog box. Ensure this is selected and try running the import again.

Q

I am running ISA Server 2000 with Administration Tools only (for remote management). Can I upgrade to ISA Server 2004?

A

No, you cannot upgrade to ISA Server 2004 from ISA Server 2000 in Administration mode. First reinstall ISA Server 2000 with ISA Server Services, and then upgrade.

Q

Can I remotely install ISA Server using RDP from a computer in the External or Internal network?

A

ISA Server can be installed remotely from a computer in the Internal network, or in the External network. If you choose to install ISA Server 2004 from an untrusted computer in the External network, Setup will add the external computer running Setup to the predefined Remote Management Computers set, used in system policy rules allowing remote management of ISA Server from selected computers.

Q

Can I install ISA Server 2004 on a computer running Microsoft Windows® 2000 Server?

A

Yes. Note the following:

  • Windows 2000 Service Pack 4 (SP4) or later must be installed.
  • Internet Explorer 6 or later must be installed.
  • All critical updates should be installed.
  • If you are using the Windows 2000 SP4 slipstream, you must also install the hotfix specified in the Microsoft Knowledge Base article 821887, "Events for Authorization Roles Are Not Logged in the Security Log When You Configure Auditing for Windows 2000 Authorization Manager Runtime."
  • If you install on Windows 2000, you cannot configure the L2TP IPSec preshared key.
  • Quarantine mode for VPN clients is not supported.
  • On servers running Windows 2000, all ISA Server services run using the local system account. (These run under the Network Service account on computers running Windows Server™ 2003.)

Q

What services are affected during ISA Server installation?

A

As part of the installation process, the following services are disabled:

  • Internet Connection Firewall or Internet Connection Sharing
  • IP Network Address Translation

In addition, the following services are stopped during installation:

  • SNMP service
  • FTP Publishing service
  • Network News Transfer Protocol (NNTP)
  • IIS Admin service
  • World Wide Web Publishing service

Q

In the Export Configuration dialog box, what do "Export user permission settings" and "Export confidential information (encryption will be used)" mean?

A

The Export user permission settings check box relates to the permissions on the ISA Server Management configuration. Typically, you would select this if you want to replicate an existing configuration inside the same organization.

The Export confidential information check box relates to any configuration data that should remain confidential, including:

  • User credential passwords used in your ISA Server configuration, for example, in logging to an SQL server, running a program as a result of an alert, or L2TP remote authentication.
  • RADIUS shared secret
  • VPN preshared IPSec key

[Topic Last Modified: 12/16/2008]