Migrating from ISA Server 2004/2006 to Forefront TMG

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

The following migration paths from Microsoft Internet Security and Acceleration (ISA) Server to Forefront TMG are supported:

  • ISA Server Standard Edition to Forefront TMG Standard Edition.

  • ISA Server Standard Edition to Forefront TMG Enterprise Edition standalone server.

  • An array of ISA Server Enterprise Editions (including an array containing only a single server) to an array of Forefront TMG Enterprise Editions that is managed by a Forefront TMG Enterprise Management Server (EMS).

    Note

    An array of ISA Servers cannot be migrated to an array of Forefront TMG servers that is not managed by Forefront TMG EMS. Even though you can create an array of Forefront TMG servers that is not managed by Forefront TMG EMS, this option is not available for migration.

Before you migrate from ISA Server to Forefront TMG, read the following information:

Important

If you are migrating to Forefront TMG on a server other than the server on which ISA Server is currently installed, it is recommended that you maintain the functionality of your production ISA Server until the migration is complete and you have verified that Forefront TMG is functioning as expected.

This topic contains the following sections:

  • Collecting information

  • Migrating a single ISA Server to Forefront TMG

  • Migrating an array of ISA Servers to an array of Forefront TMG servers

  • Exporting the ISA Server configuration

  • Importing the configuration into Forefront TMG

Collecting information

Before you begin the migration process, collect the following information about your existing ISA Server deployment:

  • Fully qualified domain name (FQDN) of the computer running ISA Server.

  • IP address, subnet mask, and DNS server address of the network adapter connected to the main corporate network. This network adapter will be associated with the default Forefront TMG internal network.

  • IP address, subnet mask, default gateway, and DNS server address of the network adapter connected to the external network (usually the Internet). If you are installing Forefront TMG with a single network adapter, external adapter settings are not required.

  • IP address, subnet mask, and DNS server address of any network adapters connected to other networks, such as a perimeter network.
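The inventory above can be captured on the existing ISA Server with a short Windows PowerShell script; this is an added example, not part of the original article, and it assumes Windows PowerShell 2.0 on the ISA Server computer, local administrator rights, and a placeholder network share for the output file.

```powershell
# Added example: record the values listed under "Collecting information"
# on the ISA Server computer before it is rebuilt. Assumes PowerShell 2.0.

# FQDN of the computer running ISA Server
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# One record per IP-enabled adapter. Which adapter is internal, external or
# perimeter is decided by the administrator; the adapter description and
# addresses are enough to tell them apart when Forefront TMG is installed.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
    ForEach-Object {
        New-Object PSObject -Property @{
            Adapter    = $_.Description
            IPAddress  = ($_.IPAddress -join ', ')
            SubnetMask = ($_.IPSubnet -join ', ')
            Gateway    = ($_.DefaultIPGateway -join ', ')   # empty on internal adapters
            DNSServers = ($_.DNSServerSearchOrder -join ', ')
        }
    }

"FQDN: $fqdn"
$adapters | Format-Table Adapter, IPAddress, SubnetMask, Gateway, DNSServers -AutoSize

# Keep the record off the server, next to the exported configuration file,
# so it survives the clean install. The share path is a placeholder.
$out = "\\fileserver\migration\$env:COMPUTERNAME-network.txt"
"FQDN: $fqdn" | Out-File -FilePath $out
$adapters | Format-List Adapter, IPAddress, SubnetMask, Gateway, DNSServers | Out-File -FilePath $out -Append
```

Run it once per ISA Server computer; for an array, the per-member files are the input for step 1 of the array procedure.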

Migrating a single ISA Server to Forefront TMG

The following tasks are required to migrate a single ISA Server to Forefront TMG:

  1. Collect information required for installation. For details, see Collecting information.

  2. Export the ISA Server configuration. For details, see Exporting the ISA Server configuration.

  3. Export the server certificates used by ISA Server. For instructions on exporting a server certificate in Windows 2003, see Importing and exporting certificates (https://go.microsoft.com/fwlink/?LinkId=152428).

  4. If you are migrating to Forefront TMG on the same computer that is running ISA Server, uninstall ISA Server from the computer. For details, see ISA Server SE: Uninstalling ISA Server Software (https://go.microsoft.com/fwlink/?LinkId=152933).

  5. Perform a clean install of Windows Server 2008 (SP2 64-bit or R2) on the computer. This applies both to a new computer and to the computer on which ISA Server was installed (in-place upgrades from 32-bit Windows Server 2003 to 64-bit Windows Server 2008 are not supported). For details, see Installing Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkId=152429).

  6. Install Forefront TMG. For details, see Installing Forefront TMG.

  7. Import the server certificate into the Forefront TMG server. For details, see Move Certificates (https://go.microsoft.com/fwlink/?LinkId=152430).

  8. Import and apply the ISA Server configuration in the Forefront TMG Management console. For details, see Importing the configuration into Forefront TMG.

  9. Restore ISA Server report jobs and Firewall logging properties on Forefront TMG. For information, see Configuring Forefront TMG reports and Configuring Forefront TMG logs.

  10. If you are installing Forefront TMG on a clean server, that is, on a computer that was not previously running ISA Server, update your production environment with the new server information, such as internal and external IP addresses, and Domain Name System (DNS) server address.

  11. Check that the configuration is operational and that services are started on the Forefront TMG server.

Migrating an array of ISA Servers to an array of Forefront TMG servers

When performing this procedure, note the following:

  • You must adjust computer-specific settings in the new array of Forefront TMG computers wherever they differ from the ISA Server configuration you import, for example FQDNs, reporting and logging settings, credentials, and certificates.

  • Only the configuration settings of the Configuration Storage Server (CSS) are migrated to a separate computer running Forefront TMG EMS. Even if the CSS was located on one of the ISA Server computers and not a separate computer, Forefront TMG EMS must be installed on a separate computer.

The following tasks are required to migrate an array of ISA Servers to an array of Forefront TMG servers:

  1. Collect the information required for installation from each server in the array. For details, see Collecting information.

  2. Export the ISA Server configuration from the computer designated as the CSS. For details, see Exporting the ISA Server configuration.

  3. Export the server certificates used by the ISA Servers. For instructions on exporting a server certificate in Windows 2003, see Importing and exporting certificates (https://go.microsoft.com/fwlink/?LinkId=152428).

  4. If you are migrating to an array of Forefront TMG computers using the same computers that are running ISA Server, uninstall ISA Server from the computers. For details, see ISA Server EE: Uninstalling ISA Server Software (https://go.microsoft.com/fwlink/?LinkId=152936).

  5. Perform a clean install of Windows Server 2008 (SP2 64-bit or R2) on the computers. This applies both to new computers and to the computers on which ISA Server was installed (in-place upgrades from 32-bit Windows Server 2003 to 64-bit Windows Server 2008 are not supported). For details, see Installing Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkId=152429).

  6. Install Forefront TMG EMS on the management server (this must be a separate computer and not one of the computers in the new array). For details, see Installing an Enterprise Management Server (EMS) for centralized management.

  7. Import and apply the ISA Server CSS configuration into the Forefront TMG EMS on the management server. For details, see Importing the configuration into Forefront TMG.

  8. Install Forefront TMG on each of the new array members. For details, see Installing Forefront TMG.

  9. Import the server certificates into the Forefront TMG servers. For details, see Move Certificates (https://go.microsoft.com/fwlink/?LinkId=152430).

  10. Restore ISA Server report jobs and Firewall logging properties. For information, see Configuring Forefront TMG reports and Configuring Forefront TMG logs.

  11. If you are installing Forefront TMG on a computer that was not previously running ISA Server, update your production environment with the new server information, such as internal and external IP addresses, and Domain Name System (DNS) server address.

  12. Join each Forefront TMG server in the array to the Forefront TMG EMS management server. For information, see Joining a server to an enterprise array.

  13. Check that the configuration is synchronized and that services are started on each Forefront TMG server in the array.
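The final step of both procedures (step 11 for a single server, step 13 for an array) is a check that the Forefront TMG services are running before production traffic is moved to the new servers. The following added example (not part of the original article) does that check from an administrator's workstation; it assumes Windows PowerShell 2.0, that remote service queries are permitted, placeholder server names, and the service short names as known from ISA Server and Forefront TMG installations (confirm them on your own build with Get-Service).

```powershell
# Added example: confirm the core Forefront TMG services are running on every
# new server before cutting over. Server names are placeholders; the service
# short names are assumed from ISA/TMG installs and should be verified locally.
$servers  = 'tmg01', 'tmg02'                        # placeholder array members
$services = 'fwsrv', 'isactrl', 'isasched', 'isastg' # Firewall, Control, Job Scheduler, Storage

$problems = 0
foreach ($server in $servers) {
    foreach ($name in $services) {
        $svc = Get-Service -ComputerName $server -Name $name -ErrorAction SilentlyContinue
        if ($svc -eq $null) {
            "$server : $name NOT FOUND (is Forefront TMG installed?)"
            $problems++
        }
        elseif ($svc.Status -ne 'Running') {
            "$server : $name is $($svc.Status)"
            $problems++
        }
        else {
            "$server : $name running"
        }
    }
}

if ($problems -gt 0) {
    "$problems service check(s) failed; do not update DNS or gateway settings yet."
} else {
    "All Forefront TMG services running on all servers."
}
```

A non-running Firewall service after import usually means the configuration could not be applied; review the alerts in the Forefront TMG Management console before repeating the import.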

Exporting the ISA Server configuration

Use the following procedure to export the current ISA Server configuration.

To export the ISA Server configuration

  1. In the ISA Server Management console, in the tree, access the root node:

    • On an ISA Server computer, expand Microsoft Internet Security and Acceleration Server, and then click ServerName.

    • On a Configuration Storage Server computer, click Microsoft Internet Security and Acceleration Server.

      Note

      It is recommended that you export the entire configuration from the root node. The other option is to export only the specific nodes you want to migrate to Forefront TMG. Note that only the following nodes can be migrated individually: URLSet, DomainNameSet, ComputerSet, Computer, Subnet and AddressRange.

  2. In the Tasks pane, click Export ISA Server Configuration to a File.

  3. In the Export Wizard, on the Export Preferences page, select the following options:

    • Export confidential information. Specify a password of at least eight characters.

    • Export user permission settings.

    When you export confidential information, the following are included in the exported data:

    • Credentials that are used for alerts, logging, reports, report jobs, primary and backup routes, dial-up connections, and Web publishing.

    • The shared secret that is specified if a RADIUS server is used.

    • The preshared key that is specified for Internet Protocol security (IPsec) configuration.

    Confidential information is encrypted during the export process. The password is used to decrypt the information during the import process.

    Important

    To import the configuration into Forefront TMG, you must select the option Export confidential information, regardless of whether such information exists in the system.

  4. On the Export File Location page, specify a name and location for the exported backup file. If you intend to upgrade this computer to Windows Server 2008 and install Forefront TMG on it, copy the exported file to a network location, so that it won’t be deleted before the migration process is complete.

  5. On the Apply Changes bar, click Apply.

Importing the configuration into Forefront TMG

Use the following procedure to import the ISA Server configuration into Forefront TMG.

To import the configuration into Forefront TMG

  1. In the Forefront TMG Management console, in the tree, access the root node:

    • On a Forefront TMG computer, expand Microsoft Forefront Threat Management Gateway, and then click ServerName.

    • On an EMS computer, click Microsoft Forefront Threat Management Gateway.

  2. On the Tasks tab, click Import (Restore) configuration.

  3. In Look in, browse to the folder that contains the file you are importing.

  4. In the Select the Import File step, in File name, specify the file name of the .xml file you are importing.

  5. Specify the password required to decrypt the confidential information.

  6. On the Apply Changes bar, click Apply.

Concepts

Migrating and upgrading to Forefront TMG