Share via


Planning for migration

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

Forefront TMG supports the following migration options:

  • Migrating from Internet Security and Acceleration (ISA) Server 2004 to Forefront TMG.

  • Migrating from ISA Server 2006 to Forefront TMG.

  • Migrating from Forefront TMG Release Candidate (RC) to Forefront TMG Release to Manufacturing (RTM).

  • Upgrading from Forefront TMG Standard Edition to Enterprise Edition.

For more information and instructions on the migration options, see Migrating and upgrading to Forefront TMG.

Migration limitations

Before you migrate, you should be aware of the following:

  • Migration from ISA Server 2004 is supported only for ISA Server 2004 Service Pack 3.

  • Migration from ISA Server 2006 is supported only for ISA Server 2006 Service Pack 1.

  • If you have enabled the Local Host network to listen for Web proxy client requests, this setting is not migrated.

  • Customized log field selections are not migrated. When ISA Server configuration settings are imported, customized log field selections are overwritten with default log field settings.

  • Report configuration settings are not migrated.

  • If you have specified a custom value for the number of times that an event must occur before an alert is triggered, this custom value is not migrated.

  • Third party add-ons are disabled after upgrade. If you were running a third-party add-on for ISA Server, before reenabling it, contact the vendor to check on the availability of an updated version for Forefront TMG.

  • After migrating the configuration from ISA Server, the static address pool for VPN is not migrated into the Forefront TMG configuration. This is by design and affects VPN S2S (RRAS only) and VPN Roaming clients.

  • After migrating the VPN S2S configuration from ISA Server into Forefront TMG, the S2S network fails to connect because no tunnel owner is configured.

    To resolve this issue, run the following script on Forefront TMG after the import:

    <script>

    dim root

    Set root = CreateObject("FPC.Root")

    Set Arr=root.GetContainingArray

    set S2SNet = Arr.NetworkConfiguration.Networks.Item(NetworkName)

    S2SNet.VpnConfiguration.SetAssignedServer(root.GetContainingServer.Name)

    S2SNet.save

    </script>

  • In ISA 2006 (both phase I and phase II), the IPsec configuration for IPsec S2S had the following default values:

    • Encryption algorithm: 3DES

    • Integrity algorithm: SHA1

    In Forefront TMG, these values were changed to new default values that provide better security:

    • Encryption algorithm: AES256

    • Integrity algorithm: SHA256

    When importing an ISA Server configuration which uses the default values, these values are replaced by the Forefront TMG current default values (this behavior is by design).

    The replacement of the default values will break the current IPsec configuration (unless the configuration is also changed on the other side of the tunnel to use the current values). The current values can be changed in the UI under 'IPsec Settings' in the Connection tab of the S2S network properties property sheet.

Concepts

Installation design guide for Forefront TMG