Installing with migrated settings

Before you migrate from ISA Server 2006 Standard Edition installed in a domain environment to Forefront TMG, read the following:

Migrating to Forefront TMG consists of the following tasks:

  1. Collecting information required for installation.
  2. Exporting the ISA Server 2006 Standard Edition configuration.
  3. Installing Forefront TMG on a server running the Windows Server 2008 64-bit operating system. If you plan to install Windows Server 2008 and Forefront TMG on the computer running ISA Server 2006, ISA Server firewall services will not be available from the time you uninstall ISA Server 2006, until you install the new operating system and Forefront TMG.
  4. Importing and applying the ISA Server 2006 configuration in the Forefront TMG management console.
  5. Swapping the servers if Forefront TMG is installed on a new computer.
  6. Modifying certificate and VPN authentication settings if required.

These tasks are described in more detail in the following procedures.

Collecting information

Before you begin the migration process, collect the following information about your existing ISA Server 2006 deployment:

  • Fully qualified domain name (FQDN) of the computer running ISA Server 2006.
  • IP address, subnet mask, and Domain Name System (DNS) server address of the network adapter connected to the main corporate network. This network adapter will be associated with the default Forefront TMG Internal network.
  • IP address, subnet mask, default gateway, and DNS server address of the network adapter connected to the external network (usually the Internet). If you are installing Forefront TMG with a single network adapter only, external adapter settings are not required.
  • IP address, subnet mask, and DNS server address of network adapters connected to any other networks, such as a perimeter network.
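
The following PowerShell is an added example, not part of the original Microsoft documentation. It records the settings listed above for every IP-enabled adapter on the ISA Server 2006 computer. It assumes Windows PowerShell 2.0 or later is installed on that computer; the output path and the RoleHint column are assumptions of this example.

```powershell
# Added example (not Microsoft's code). Run on the ISA Server 2006 computer.
param([string]$OutFile = 'C:\isa2006-adapters.csv')   # placeholder output path

$cs = Get-WmiObject Win32_ComputerSystem
$fqdn = '{0}.{1}' -f $cs.DNSHostName, $cs.Domain      # domain-joined server assumed

$rows = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $cfg = $_
        # IPAddress and IPSubnet are parallel arrays; keep the IPv4 entries
        $addresses = @()
        for ($i = 0; $i -lt $cfg.IPAddress.Count; $i++) {
            if ($cfg.IPAddress[$i] -match '^\d{1,3}(\.\d{1,3}){3}$') {
                $addresses += ('{0} / {1}' -f $cfg.IPAddress[$i], $cfg.IPSubnet[$i])
            }
        }
        $gateway = @($cfg.DefaultIPGateway) -join ', '
        # Assumption: only the external adapter carries a default gateway, matching
        # the list above. The hint does not apply to a single-adapter installation.
        if ($gateway) { $role = 'External' } else { $role = 'Internal or other network' }
        New-Object PSObject -Property @{
            Server         = $fqdn
            Adapter        = $cfg.Description
            MAC            = $cfg.MACAddress
            RoleHint       = $role
            AddressAndMask = ($addresses -join '; ')
            DefaultGateway = $gateway
            DnsServers     = (@($cfg.DNSServerSearchOrder) -join ', ')
        }
    }

# Keep a copy off the server: it is needed again when the servers are swapped
$rows | Select-Object Server, Adapter, MAC, RoleHint, AddressAndMask, DefaultGateway, DnsServers |
    Export-Csv -Path $OutFile -NoTypeInformation
$rows | Format-List Server, Adapter, RoleHint, AddressAndMask, DefaultGateway, DnsServers
```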

Exporting the current configuration

To export the ISA Server 2006 configuration

  1. In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006, and then click Server_Name.

  2. On the Tasks pane, click Export ISA Server Configuration to a File to start the Export Wizard.

  3. On the Export Preferences page, select Export confidential information, and then specify a password of at least eight characters for the exported file. Select Export user permission settings to export assignments of ISA Server administrative roles to users and groups. When you choose to export confidential information, the following is included in the exported data:

    • Credentials used for alerts, logging, reports, report jobs, primary and backup routes, dial-up connections, and Web publishing.
    • The shared secret specified if a RADIUS server is used.
    • The preshared key specified for Internet Protocol security (IPsec) configuration.

     Confidential information is encrypted during the export process. The password is used to decrypt the information during the import process.

  4. On the Export File Location page, specify a name and location for the exported backup file. If you are intending to install Windows Server 2008 and Forefront TMG on the computer running ISA Server 2006, copy the exported file to a network location.

Note

Forefront TMG can only import an ISA Server 2006 exported file when the export was run from the Server_Name node.

Note

The export and import process backs up and restores the SSL certificate keys that indicate to Forefront TMG which certificates to use. It does not back up and restore the actual certificates. In addition to running the Export Wizard, you must export the server certificates used by ISA Server 2006.
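
The following PowerShell is an added example, not part of the original Microsoft documentation. It lists the server certificates in the local computer's Personal store on the ISA Server 2006 computer and exports each one, with its private key, to a password-protected .pfx file. It reports certificates whose private key cannot be exported. It assumes Windows PowerShell 2.0 or later and an elevated session; the output folder is a placeholder.

```powershell
# Added example (not Microsoft's code). Run elevated on the ISA Server 2006 computer.
param([string]$OutDir = 'C:\MigrationCerts')   # placeholder output folder

$serverAuthOid = '1.3.6.1.5.5.7.3.1'           # Server Authentication EKU
$password = Read-Host 'Password for the exported .pfx files' -AsSecureString
if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$report = @()
try {
    foreach ($cert in $store.Certificates) {
        # Collect the EKU OIDs; a certificate with no EKU extension is valid for all purposes
        $oids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        if ($oids.Count -gt 0 -and $oids -notcontains $serverAuthOid) { continue }

        $status = 'no private key in store'
        if ($cert.HasPrivateKey) {
            try {
                # Fails when the key was not marked exportable at enrollment
                $pfx = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $password)
                [System.IO.File]::WriteAllBytes((Join-Path $OutDir ($cert.Thumbprint + '.pfx')), $pfx)
                $status = 'exported'
            } catch {
                $status = 'export failed: ' + $_.Exception.Message
            }
        }
        $report += New-Object PSObject -Property @{
            Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter
            Thumbprint = $cert.Thumbprint; Status = $status
        }
    }
} finally {
    $store.Close()
}
# Issuer identifies the CA that issued each certificate, including the one used for VPN
$report | Sort-Object NotAfter | Format-List Subject, Issuer, NotAfter, Thumbprint, Status
```

The .pfx files contain private keys, so restrict access to the output folder and delete the files once the certificates have been imported on the Forefront TMG computer. A certificate reported as not exportable has to be reissued by its CA for the new server.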

Installing the new server

Installation consists of the following tasks:

  1. Installing Microsoft Windows Server 2008. For more information, see Installing Windows Server 2008 at Microsoft TechNet.
  2. Installing Forefront TMG on the computer running Windows Server 2008.

Note

The internal network adapter must be connected to the network and enabled in order to install Forefront TMG. If the Forefront TMG computer will be connected to the same network as the ISA Server 2006 computer, a different IP address must be assigned to the internal network adapter of the Forefront TMG computer during installation.

To install Forefront TMG

  1. Insert the Forefront TMG CD into the CD drive, or run ISAAutorun.exe from a shared network drive.

  2. In the main Setup page, click Install Forefront TMG, and then complete the wizard.

  3. On the Setup Type page, select whether you want to install Forefront TMG firewall services, or only the Forefront TMG management console to remotely manage computers running Forefront TMG.

  4. On the Internal Network page, click Add. Then click Add Adapter and select the adapter connected to the main corporate network. For more information about defining the Internal network range, see the section "Adding IP addresses to the Internal network" in Installing Forefront TMG.

  5. On the final page of the wizard, you can select to open the Forefront TMG management console immediately. The first time that you run the Forefront TMG management console, the Getting Started Wizard starts automatically so that you can modify IP address settings for your networks, join the server to a domain, and configure update settings. For more information, see Configuring initial deployment settings.

Importing the configuration

Import configuration settings to the Forefront TMG computer as follows:

To import configuration settings

  1. Copy the export file to the newly installed Forefront TMG computer.

  2. In the Forefront TMG Management console tree, click the Forefront TMG node.

  3. In the Tasks pane, click Import (Restore) Array Configuration to run the Import Wizard.

  4. On the Select the Import File page, specify or browse to the export file location. Files of type .xml are displayed when browsing.

  5. On the Import Action page, select Import to indicate that settings should be merged.

  6. On the Import Preferences page, select to import server-specific information and user permission settings.

  7. On the Enter Password page, specify the password you used to safeguard exported confidential information.

  8. In the details pane of the management console, click Apply to apply the imported configuration changes.

Note

Applying configuration changes may take a few minutes. In addition, some services may need to be restarted.

Swapping the servers

Perform the following procedure if you have installed Forefront TMG on a new computer.

Note

Firewall services are not operational during the swap process, so users will experience an interruption of services until the swap has been completed. We recommend that you notify users before the migration that firewall services will not be available while the swap is in progress.

To replace the ISA Server computer

  1. Disconnect the Forefront TMG computer from all networks.

  2. Make sure that IP addresses on the Forefront TMG computer match the IP addresses on the ISA Server 2006 computer.

  3. Turn off the Forefront TMG computer.

  4. Mark the relevant network cables on the ISA Server 2006 computer as External network, Internal network, and perimeter network.

  5. Shut down the ISA Server 2006 computer, and then disconnect it from the network.

  6. Connect the Forefront TMG computer to the required networks, and then turn on the computer.

  7. Check that the Forefront TMG computer is connected and working properly.

Completing additional tasks

The following table lists additional tasks that might need to be performed on the Forefront TMG computer after migration.

ISA Server 2006 feature: Web publishing (reverse proxy) listening for HTTPS requests
Required actions: Import certificates exported from ISA Server 2006 to the Forefront TMG computer.
Note: If a new server certificate is installed, you will need to modify the affected Web listener and select the new SSL certificate.

ISA Server 2006 feature: VPN tunnel encryption using server certificate (L2TP over IPsec, IPsec tunnel mode, or VPN client access using L2TP over IPsec)
Required actions: On the Forefront TMG computer, install a new server certificate from the same internal certification authority (CA) that issued the server certificate used for VPN authentication to the ISA Server 2006 computer.

ISA Server 2006 feature: User account for VPN connection (L2TP over IPsec, or PPTP)
Required actions: For a remote site to initiate a site-to-site connection there must be a user account matching the remote network name. If the user account was created as a local user account on the ISA Server 2006 computer, you must create an account with the same user name and password on the Forefront TMG computer. The user account must be granted dial-in permissions.