How to Back Up and Restore an ISA Server Enterprise Configuration (Enterprise Edition)

This document provides guidelines for backing up an ISA Server enterprise configuration, and instructions for restoring the configuration. It includes the following information:

  • Planning and selecting a backup method
  • How to replicate a Configuration Storage server
  • How to back up an entire enterprise configuration
  • How to recover from the following scenarios:
    • A Configuration Storage server located on an ISA Server array member is not available.
    • A Configuration Storage server running on a separate computer is not available.
    • Array members are unavailable.
    • Both the Configuration Storage server and array members are unavailable.

Planning a backup policy

Take the following proactive steps to limit the impact of Configuration Storage server and array node failure:

  • Deploy multiple Configuration Storage servers in your enterprise so that if one fails the configuration can be recovered from a replicate. A replicate can only be created if the primary Configuration Storage server is a domain member. The replicate must be a member of the same domain or a trusted domain.
  • Back up the Configuration Storage server on a regular basis, to a medium that is separate from the Configuration Storage server hardware. We recommend that you back up the configuration after any major modifications, including changing cache size or location, configuring firewall policy or system rules, modifying network definitions or rules, configuring authentication settings, and modifying administrative rights.

Backup methods

ISA Server settings can be backed up using the following methods and tools:

  • Windows NTBackup
  • ADAM Volume Shadow Copy Service (VSS)
  • ISA Server import and export

Using Windows Backup

You can back up and restore the ISA Server configuration using the Windows NTBackup utility to create a backup of the ADAM files located on the Configuration Storage server. This method can only be used to back up the entire enterprise configuration, and should be used in large, complex enterprises (more than 50 arrays).

ADAM VSS

As an alternative to ISA Server export or Windows Backup, you can use the VSS service provided in Windows Server 2003 to take volume shadow copies of the ISA Server 2006 configuration. Restoration of an enterprise configuration uses the ADAM VSS writer and is only available on the Configuration Storage server. Note that VSS shadow copy data resides on the same volume as the original data, so it should not be used to replace backups to alternative locations. For more information, see ISA Server 2006 and VSS writer at the ISA Server TechCenter.

ISA Server export

You can use the ISA Server Export Wizard to export ISA Server configuration information to an .xml file. You can export settings from the Configuration Storage server and array members, as follows:

  • An entire ISA Server enterprise configuration
  • A specific enterprise policy
  • Configuration information for a specific array
  • An entire set of firewall policy rules, or a selected firewall rule
  • Cache configuration settings and cache content download jobs
  • Networks, network sets and network rules
  • Web chaining rules
  • Connectivity verifiers

Replicating a Configuration Storage server

This section contains information about creating a replicate Configuration Storage server.

If the Configuration Storage server goes offline, array members continue to function but array policy cannot be modified. You can enhance fault tolerance by creating an alternative Configuration Storage server that is a replica of the primary server. This alternate server can be used if the primary Configuration Storage server is unavailable. Array members keep trying to contact an unavailable primary Configuration Storage server for 30 minutes. After this time, the members attempt to contact the alternate replicate server.

Configuring a replicate Configuration Storage server consists of the following steps:

  1. Add the replicate computer to a predefined ISA Server computer set. A predefined system policy rule allows this computer set access to the ISA Server computer.
  2. Run Setup on the replicate computer, and copy enterprise configuration information from the primary Configuration Storage server. You can do this using either of the following methods:
    • Replicate using Windows Backup. This method is recommended if you are replicating over a slow network (10 Mbps or less), or if the primary Configuration Storage server will not be available when you run Setup on the replicate computer.
    • Replicate from the primary Configuration Storage server.
  3. After Setup is complete, optimize replication by establishing ADAM sites and moving the replicate to a different site.
  4. Configure array members to use the replicate server.

These steps are described in detail in the following procedures.

Adding the replicate to the computer set

To allow the replicate Configuration Storage server to access ISA Server, add the replicate computer as a member of the enterprise-level computer set "Replicate Configuration Storage Servers".

To add the replicate to the Configuration Storage servers computer set

  1. In the ISA Server Management console, click the Firewall Policy node.

  2. Click the Toolbox tab.

  3. Click to expand Network Objects, and then click to expand Computer Sets.

  4. Right-click Replicate Configuration Storage servers, and then click Properties.

  5. On the General tab, click Add, and then click Computer.

  6. Type in the name and IP address of the replicate computer.

Replicating using Windows Backup

If you are replicating over a slow network, do the following:

  1. Run Windows Backup on the primary Configuration Storage server to collect the enterprise configuration.
  2. Restore the backup files to the replicate computer.
  3. Run Setup on the replicate computer.

To run Windows Backup

  1. On the primary Configuration Storage server, click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.

  2. On the Welcome page, click Advanced Mode.

  3. On the Backup tab, select the ADAMData folder, located under Program Files\Microsoft ISA Server.

  4. In Backup media or file name, type the name of the backup file.

  5. Click Start Backup.

To restore the backup files to the replicate computer

  1. On the replicate computer, click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.

  2. On the Welcome page, click Advanced Mode.

  3. On the Restore and Manage Media tab, select the item to restore.

  4. In Restore files to, click Original location to restore files to the same location. To restore files to an alternate location, click Alternate Location and specify a restore folder. Note that the folder must be on an NTFS drive and located on the local computer. A network location is not supported.

  5. On the Tools menu, click Options.

  6. Click Always replace the file on my computer, and then click OK.

  7. Click Start Restore.

Run Setup to create the replica

  1. On the replica computer, insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  2. In Microsoft ISA Server Setup, click Install ISA Server 2006 and use the wizard to install the Configuration Storage server.

  3. On the Setup Scenarios page, select Install Configuration Storage server.

  4. On the Component Selection page, accept the default settings.

  5. On the Enterprise Installation Options page, click Create a replica of the enterprise configuration.

  6. On the Locate Configuration Storage Server page, specify the FQDN of the Configuration Storage server you want to replicate. If the logged on user does not have domain administrator permissions, select Connect using this account and specify credentials with the required permissions.

  7. In ISA Server Configuration Replicate Source, choose the option to replicate from a Windows backup file, and select the relevant file.

  8. Complete the Setup wizard.

Replicating from the primary Configuration Storage server

Run ISA Server Setup on the replicate computer. During installation you specify that the computer will be a replicate, and the Setup process connects automatically to the original Configuration Storage server.

Run Setup to create the replica

  1. On the replica computer, insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  2. In Microsoft ISA Server Setup, click Install ISA Server 2006 and use the wizard to install the Configuration Storage server.

  3. On the Setup Scenarios page, select Install Configuration Storage server.

  4. On the Component Selection page, accept the default settings.

  5. On the Enterprise Installation Options page, click Create a replica of the enterprise configuration.

  6. On the Locate Configuration Storage Server page, specify the FQDN of the Configuration Storage server you want to replicate. If the logged on user does not have domain administrator permissions, select Connect using this account and specify credentials with the required permissions.

  7. In ISA Server Configuration Replicate Source, select Replicate over the network.

Note

If you receive a Setup message indicating that an object already exists in ADAM during replication, uninstall the ISA Server instance of ADAM using Add/Remove Programs in the Control Panel, and then run Setup again. During uninstall, you may receive a message that Configuration Storage server objects cannot be deleted when there is no connection to the Configuration Storage server. The uninstall process completes, but the computer will still retain read permissions for ISA Server objects in ADAM at the end of the uninstall process. You can then manually remove the server node using the ISA Server Management console (or COM) on the primary Configuration Storage server computer, or on one of the array members.

Creating ADAM sites

If you replicate a Configuration Storage server using the backup files from another Configuration Storage server, during setup the replicated Configuration Storage server will be joined to the same ADAM site as the Configuration Storage server from which the backup files were created. After Setup is complete, you can optimize the replication of configuration information stored on the Configuration Storage servers by establishing ADAM sites, and moving the replicated Configuration Storage server to a different site.

To create ADAM sites

  1. Download the AdamSites.exe tool from the Microsoft Download Center.

  2. Create a new ADAM site by typing the following at a command prompt, where NewSite is the name of the site to create: AdamSites Site Create NewSite

  3. Move the replicate server to the new ADAM site by typing the following at a command prompt, where ReplicateConfigurationServer is the replicate computer and Site1 is the site it currently belongs to: AdamSites MoveServer ReplicateConfigurationServer Site1 NewSite

Configuring array members to use the replicate Configuration Storage server

On the alternate replicate Configuration Storage server, do the following:

To configure array members to use the replicate

  1. In the ISA Server Management console, expand the Arrays node and select the array name.

  2. Select Configure Array Properties on the Tasks tab.

  3. On the Configuration Storage tab, specify the name of the computer running the secondary Configuration Storage server in Alternate Configuration Storage server (optional).

  4. In the details pane, click Apply to save the changes and update the firewall policy.

  5. Repeat the procedure for each array in the enterprise.

Note

Alternatively, you can use the ChangeStorageServer.vbs script to specify an alternate Configuration Storage server. This script is located in the FPC\Program Files\Microsoft ISA Server installation folder. Run the script on all array members that require updating.

Backing up the enterprise configuration

The Configuration Storage server computer hosts an ADAM instance that is the repository of the enterprise layout and of all the configuration information for all arrays and array members in an enterprise. Each ISA Server array member holds a local copy of its own configuration, taken from the Configuration Storage server's configuration.

Backing up an enterprise configuration is done by exporting the enterprise configuration to a single .xml file. This export includes the following:

  • Enterprise policy settings and all enterprise-specific information.
  • Settings for all arrays in the enterprise, including array-level firewall policy rules, rule elements, alerts, and cache settings.
  • Array-specific information such as certificates and cache drives.

Before backing up your enterprise configuration, note the following:

  • For maximum security, save the backup file to an NTFS file system disk partition. Only administrators of the ISA Server computer should have read permissions to the directory.
  • When creating the backup file, you can choose to export user permission settings and confidential information. Confidential information includes user credential passwords such as those used for alerts, logging, report jobs, primary and backup routes, dial-up connections, and Web publishing, RADIUS shared secrets, and preshared IPsec keys. This information is encrypted using the password specified during export. During an import, this password is required to decrypt the confidential information. Other configuration data in the exported backup file is not encrypted. The exported file should be treated as sensitive data that has the potential for information disclosure.
  • Exporting an enterprise configuration also exports SSL certificate keys which indicate to ISA Server which certificates to use. This is not the same as backing up and restoring the certificates themselves. We recommend that you maintain a backup of SSL certificates, which you should do manually to a secure location. For more information, see Backing Up Server Certificates at Microsoft TechNet. Certificate settings on the ISA Server computer to which you are importing the configuration must match the certificate settings in the exported file. If you import to an ISA Server computer with different certificates, the Microsoft Firewall service will fail to start.

You can back up an enterprise configuration using any of the following methods:

  • Back up using Windows Backup
  • Back up using ISA Server export

These methods are described in detail in the following procedures:

Backing up using Windows Backup

To back up using Windows Backup

  1. On the Configuration Storage server, click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.

  2. On the Welcome page, click Advanced Mode.

  3. On the Backup tab, select the ADAMData folder, located under Program Files\Microsoft ISA Server.

  4. In Backup media or file name, type the name of the backup file.

  5. Click Start Backup.
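The NTBackup procedure above (and the identical one used earlier to seed a replicate) is a GUI click-through. The following PowerShell script is an added example, not part of the original article: it runs the same ADAMData backup from the command line on Windows Server 2003, refuses a target on the ADAM volume, and applies the NTFS restriction recommended earlier in this section (administrators only). The default ISA Server install path and the D:\ISABackups target are assumptions.

```powershell
# Added example, not from the original article: command-line equivalent of the
# NTBackup procedure for the ADAMData folder, plus the NTFS lockdown the article
# recommends for backup files. Assumptions: default ISA Server install path,
# D:\ISABackups on a volume other than the ADAM data, ntbackup.exe present
# (Windows Server 2003).
param(
    [string]$AdamData   = 'C:\Program Files\Microsoft ISA Server\ADAMData',
    [string]$BackupRoot = 'D:\ISABackups'
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path $AdamData)) { throw "ADAMData folder not found: $AdamData" }

# The backup must not sit on the same volume as the ADAM data it protects.
$srcDrive = Split-Path -Qualifier $AdamData
$dstDrive = Split-Path -Qualifier $BackupRoot
if ($srcDrive -eq $dstDrive) {
    throw "Backup target $BackupRoot is on the same volume as $AdamData; use a separate medium."
}
# The ACL applied below needs NTFS.
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$dstDrive'"
if ($disk -eq $null -or $disk.FileSystem -ne 'NTFS') {
    throw "$dstDrive is not an NTFS volume."
}

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$bkf   = Join-Path $BackupRoot "isa-adamdata-$stamp.bkf"

# ntbackup switches: /j job name, /f target .bkf file, /m normal (full) backup,
# /v:yes verify after writing, /l:s summary log. ntbackup is a GUI-subsystem
# program, so wait for it explicitly and read its exit code.
$ntbArgs = "backup `"$AdamData`" /j `"ISA ADAMData $stamp`" /f `"$bkf`" /m normal /v:yes /l:s"
$proc = Start-Process -FilePath 'ntbackup.exe' -ArgumentList $ntbArgs -Wait -PassThru
if ($proc.ExitCode -ne 0 -or -not (Test-Path $bkf)) {
    throw "ntbackup failed (exit code $($proc.ExitCode)); no usable backup at $bkf"
}

# Replace inherited permissions with explicit full control for Administrators and
# SYSTEM only, so no other local user can read the ADAM data inside the .bkf.
$acl = Get-Acl $bkf
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
foreach ($who in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($who, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $bkf -AclObject $acl

$sizeMb = [math]::Round((Get-Item $bkf).Length / 1MB, 1)
Write-Host "Backup written and restricted: $bkf ($sizeMb MB)"
(Get-Acl $bkf).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Copy the resulting .bkf to offline or off-host media afterwards; the script only guarantees it is on a different volume from the ADAM data.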

Backing up using ISA Server export

To back up using ISA Server export

  1. Before backing up the enterprise, ensure that all changes have been replicated among primary and backup Configuration Storage servers.

  2. On the primary Configuration Storage server, click the root node Microsoft Internet Security and Acceleration Server 2006 in the ISA Server Management console.

  3. On the Tasks tab, in Related Tasks, click Export (Back Up) Configuration to start the Export Wizard.

  4. On the Export Preferences page, select Export confidential information to include the confidential information associated with each array in the export. You must be connected to at least one firewall server in each array in order to read that array's confidential information. Specify a password of at least eight characters; the password is required to decrypt the information during import.

  5. Select Export user permission settings to include the ISA Server security roles assigned to users (for example, who has administrative rights) in the export.
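The Export Wizard steps above can also be driven from a script. The following PowerShell example is added here and is not from the article or from the ISA Server SDK samples. It assumes the FPC.Root COM object and the FPCEnterprise.ExportToFile(FileName, OptionalData, EncryptionPassword, Comment) method of the ISA Server administration object model; the two OptionalData bit values (1 for confidential information, 2 for user permission settings) are recalled from the SDK's FpcExportImportOptionalData enumeration and should be confirmed against your SDK copy.

```powershell
# Added example, not from the original article or the ISA Server SDK samples.
# Assumptions: FPC.Root ProgID and FPCEnterprise.ExportToFile(FileName, OptionalData,
# EncryptionPassword, Comment) as in the ISA Server administration object model;
# the bit values below are recalled from the SDK's FpcExportImportOptionalData
# enumeration (confirm against your SDK before relying on them).
param(
    [Parameter(Mandatory=$true)][string]$OutFile,
    [Parameter(Mandatory=$true)][string]$Password,
    [switch]$NoUserPermissions
)
$ErrorActionPreference = 'Stop'

# Wizard rules from the procedure above: at least eight characters, an .xml target.
if ($Password.Length -lt 8) { throw 'Export password must be at least eight characters.' }
if ([IO.Path]::GetExtension($OutFile) -ne '.xml') { throw 'Export file must have an .xml extension.' }
if (Test-Path $OutFile) { throw "Refusing to overwrite existing export $OutFile" }

$fpcExportImportPasswords       = 1   # assumed value: "Export confidential information"
$fpcExportImportUserPermissions = 2   # assumed value: "Export user permission settings"

$optional = $fpcExportImportPasswords
if (-not $NoUserPermissions) { $optional = $optional -bor $fpcExportImportUserPermissions }

$root       = New-Object -ComObject 'FPC.Root'
$enterprise = $root.Enterprise
$comment    = "Enterprise backup taken $(Get-Date -Format s) on $env:COMPUTERNAME"

# Only the confidential data is encrypted with $Password; the rest of the file
# (rules, networks, server names) is plaintext XML, so the whole file is sensitive.
$enterprise.ExportToFile($OutFile, $optional, $Password, $comment)

# Post-export checks: the file exists, parses as XML, and is readable only by
# administrators and SYSTEM (the NTFS recommendation earlier in this section).
if (-not (Test-Path $OutFile)) { throw "Export did not produce $OutFile" }
[xml]$doc = Get-Content $OutFile
$allowed = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'
$extra = (Get-Acl $OutFile).Access | Where-Object { $allowed -notcontains $_.IdentityReference.Value }
if ($extra) {
    Write-Warning ("Export file grants access beyond administrators: " +
        (($extra | ForEach-Object { $_.IdentityReference.Value }) -join ', '))
}
$bytes = (Get-Item $OutFile).Length
Write-Host "Exported enterprise configuration to $OutFile (root element <$($doc.DocumentElement.Name)>, $bytes bytes)"
```

Run it on the primary Configuration Storage server after confirming replication has completed, as step 1 of the procedure requires.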

Restoring the enterprise configuration

This section provides recovery instructions for the following scenarios:

  • Scenario 1: A Configuration Storage server running on an ISA Server array member is unavailable.
  • Scenario 2: A Configuration Storage server running on a separate computer is unavailable.
  • Scenario 3: Array members are unavailable.

Scenario 1: Configuration Storage server running on an array member is unavailable

The following flowchart illustrates the process for recovering the Configuration Storage server in this scenario. Relevant procedures are listed after the flowchart.

Verifying that array members are using the alternate Configuration Storage server if one is available

If an alternate Configuration Storage server is available, check that array members are using it:

To verify the Configuration Storage server used by array members

  1. In the console tree of ISA Server Management, click the applicable array.

  2. On the Tasks tab, click Configure Array Properties.

  3. On the Configuration Storage tab, verify that the available Configuration Storage server is specified as the primary or alternate Configuration Storage server. Modify if required.

Note

Alternatively, you can use the ChangeStorageServer.vbs script to specify an alternate Configuration Storage server. This script is located in the FPC\Program Files\Microsoft ISA Server installation folder. Run the script on all array members that require updating.

Transferring the ADAM schema master role if primary Configuration Storage server is unavailable

If the replicate Configuration Storage server is available and the primary is not, transfer the schema role to make the replicate act as the primary:

To transfer the schema master role to the replica

  1. On the replica Configuration Storage server, click Start, point to All Programs, point to ADAM, and then click Adam Tools Command Prompt.

  2. At the command prompt type: dsmgmt

  3. At the dsmgmt: command prompt type: roles

  4. At the fsmo maintenance: command prompt, type: connections

  5. At the server connections: command prompt, type in the name of the computer running the replica Configuration Storage server, as follows: connect to server computername:2171

  6. At the server connections: command prompt, type: quit

  7. At the fsmo maintenance: command prompt, type: transfer naming master

  8. At the fsmo maintenance: command prompt, type: transfer schema master

Installing Configuration Storage server on an array member and obtaining settings from an alternate replicate server

When an alternate Configuration Storage server is available, run Setup as follows:

Install a Configuration Storage server as a replicate server

  1. Insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  2. In Microsoft ISA Server Setup, click Install ISA Server 2006.

  3. To install the Configuration Storage server on an array member, in the Setup Scenarios page, select Install both ISA Server services and Configuration Storage server.

  4. On the Enterprise installation options page, select Create a replica of the enterprise configuration.

  5. On the Locate Configuration Storage Server page, specify the FQDN of the available Configuration Storage server. If the logged on user does not have domain administrator permissions, specify credentials with those permissions.

  6. On the ISA Server Configuration Replicate Source page, select Replicate over the network to connect directly to the available Configuration Storage server.

  7. Complete the Setup wizard.

Installing Configuration Storage server on an array member when no alternate replicate server is available

When no alternate Configuration Storage server is available, run Setup and then restore settings from a backup file in merge mode, as follows:

Install a Configuration Storage server as a primary server

  1. Insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  2. In Microsoft ISA Server Setup, click Install ISA Server 2006.

  3. To install the Configuration Storage server on an array member, in the Setup Scenarios page, select Install both ISA Server services and Configuration Storage server.

  4. On the Enterprise installation options page, select Create a new ISA Server enterprise.

  5. On the Create a New Enterprise page, specify the name of the enterprise. It should match the name of the enterprise that was used previously by the unavailable Configuration Storage server.

  6. Complete the Setup wizard.

  7. On the newly installed Configuration Storage server, open ISA Server Management.

  8. Select the Microsoft Internet Security and Acceleration Server 2006 root node.

  9. On the Tasks tab, click Import (Restore) Configuration to start the Import Wizard.

  10. On the Select the Import File page, specify or browse to the backup file location. Files of type .xml are displayed when browsing.

  11. On the Import Action page, select Import to indicate that settings should be merged.

  12. On the Import Preferences page, select to import server-specific information and user permission settings if you exported these.

  13. On the Enter Password page, specify the password you used to safeguard exported confidential information.

Prepare server certificate used for Configuration Storage server authentication in workgroup mode

If the Configuration Storage server or array members are in workgroup mode, a server certificate installed on the Configuration Storage server is required to authenticate the server to array members. Configure a server certificate as follows:

To configure a server certificate to authenticate the Configuration Storage server

  1. If you have a copy of the .pfx file you used for the unavailable Configuration Storage server, import it to the newly installed Configuration Storage server.

  2. If you do not have a copy, you must request a server certificate. The common name of the certificate should match the FQDN of the unavailable Configuration Storage server. Do this as follows:

    1. Request a certificate from a private standalone or enterprise Certification Authority (CA). You can do this on any computer that can access the CA. This should not be done on the computer on which the Configuration Storage server will be installed, because that computer uses an exported certificate file to ensure the certificate is installed in the correct location and associated with the correct service.
    2. After obtaining the certificate, export it together with its private key. The export provides a .pfx file that can then be imported to the Configuration Storage server computer.
  3. ISA Server array members require the CA root certificate to indicate that they trust the server certificate used by the Configuration Storage server. If the array members are installed in a domain and the CA is in the domain, these certificates are deployed automatically. Otherwise you must install the CA root certificate on each array member.

For detailed instructions for all these steps, see ISA Server 2004 Enterprise Edition in a Workgroup. The certificate instructions are valid for ISA Server 2006.

Update array members to use the new Configuration Storage server

Verify that array members are using the correct Configuration Storage servers as follows:

Verify array member settings

  1. In the console tree of ISA Server Management, click the applicable array.

  2. On the Tasks tab, click Configure Array Properties.

  3. On the Configuration Storage tab, verify that the available Configuration Storage servers are configured.

Note

Alternatively, you can use the ChangeStorageServer.vbs script to specify an alternate Configuration Storage server. This script is located in the FPC\Program Files\Microsoft ISA Server installation folder. Run the script on all array members that require updating.

Scenario 2: Configuration Storage server running on dedicated computer is unavailable

The following flowchart illustrates the process for recovering the Configuration Storage server in this scenario. Relevant procedures are listed after the flowchart.

Verifying that array members are using the alternate Configuration Storage server if one is available

If an alternate Configuration Storage server is available, check that array members are using it:

To verify the Configuration Storage server used by array members

  1. In the console tree of ISA Server Management, click the applicable array.

  2. On the Tasks tab, click Configure Array Properties.

  3. On the Configuration Storage tab, verify that the available Configuration Storage server is specified as the primary or alternate Configuration Storage server. Modify if required.

Note

Alternatively, you can use the ChangeStorageServer.vbs script to specify an alternate Configuration Storage server. This script is located in the FPC\Program Files\Microsoft ISA Server installation folder. Run the script on all array members that require updating.

Transferring the ADAM schema master role if primary Configuration Storage server is unavailable

If the replicate Configuration Storage server is available and the primary is not, transfer the schema role to make the replicate act as the primary:

To transfer the schema master role to the replica

  1. On the replica Configuration Storage server, click Start, point to All Programs, point to ADAM, and then click Adam Tools Command Prompt.

  2. At the command prompt type: dsmgmt

  3. At the dsmgmt: command prompt type: roles

  4. At the fsmo maintenance: command prompt, type: connections

  5. At the server connections: command prompt, type in the name of the computer running the replica Configuration Storage server, as follows: connect to server computername:2171

  6. At the server connections: command prompt, type: quit

  7. At the fsmo maintenance: command prompt, type: transfer naming master

  8. At the fsmo maintenance: command prompt, type: transfer schema master

Installing Configuration Storage server on a separate computer when an alternate replicate server is available

When an alternate Configuration Storage server is available, run Setup as follows:

Install a Configuration Storage server on a separate computer with a replicate available

  1. On the Configuration Storage computer, insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  2. In Microsoft ISA Server Setup, click Install ISA Server 2006.

  3. To install the Configuration Storage server on the separate computer, on the Setup Scenarios page, select Install Configuration Storage server.

  4. On the Enterprise installation options page, select Create a replica of the enterprise configuration.

  5. On the Locate Configuration Storage Server page, specify the FQDN of the available Configuration Storage server. If the logged on user does not have domain administrator permissions, specify credentials with those permissions.

  6. On the ISA Server Configuration Replicate Source page, select Replicate over the network to connect directly to the available Configuration Storage server.

  7. Complete the Setup wizard.

Installing Configuration Storage server on separate computer when no alternate replicate server is available

When no alternate Configuration Storage server is available, run Setup and then restore settings from a backup file in overwrite mode, as follows:

Install a Configuration Storage server as a primary server

  1. Insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  2. In Microsoft ISA Server Setup, click Install ISA Server 2006.

  3. On the Setup Scenarios page, select Install Configuration Storage server.

  4. On the Enterprise installation options page, select Create a new ISA Server enterprise.

  5. On the Create a New Enterprise page, specify the name of the enterprise. It should match the name of the enterprise that was used previously by the unavailable Configuration Storage server.

  6. Complete the Setup wizard.

  7. On the newly installed Configuration Storage server, open ISA Server Management.

  8. Select the Microsoft Internet Security and Acceleration Server 2006 root node.

  9. On the Tasks tab, click Import (Restore) Configuration to start the Import Wizard.

  10. On the Select the Import File page, specify or browse to the backup file location. Files of type .xml are displayed when browsing.

  11. On the Import Action page, select Overwrite to import new settings and delete old.

  12. On the Import Preferences page, select to import server-specific information and user permission settings if you exported these.

  13. On the Enter Password page, specify the password you used to safeguard exported confidential information.

Prepare server certificate used for Configuration Storage server authentication in workgroup mode

If the Configuration Storage server or array members are in workgroup mode, a server certificate installed on the Configuration Storage server is required to authenticate the server to array members. Configure a server certificate as follows:

To configure a server certificate to authenticate the Configuration Storage server

  1. If you have a copy of the .pfx file you used for the unavailable Configuration Storage server, import it to the newly installed Configuration Storage server.

  2. If you do not have a copy, you must request a server certificate. The common name of the certificate should match the FQDN of the unavailable Configuration Storage server. Do this as follows:

    1. Request a certificate from a private standalone or enterprise Certification Authority (CA). You can do this on any computer that can access the CA. This should not be done on the computer on which the Configuration Storage server will be installed, because that computer uses an exported certificate file to ensure the certificate is installed in the correct location and associated with the correct service.
    2. After obtaining the certificate, export it together with its private key. The export provides a .pfx file that can then be imported to the Configuration Storage server computer.
  3. ISA Server array members require the CA root certificate to indicate that they trust the server certificate used by the Configuration Storage server. If the array members are installed in a domain and the CA is in the domain, these certificates are deployed automatically. Otherwise you must install the CA root certificate on each array member.

For detailed instructions for all these steps, see ISA Server 2004 Enterprise Edition in a Workgroup. The certificate instructions are valid for ISA Server 2006.
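The certificate procedure (the same in Scenario 1 and Scenario 2) gives two conditions that are easy to get wrong when rebuilding a workgroup-mode Configuration Storage server: the certificate's common name must match the old server's FQDN, and every array member must trust the issuing CA. The following PowerShell script is an added example, not part of the original article, that checks both. The parameter names -ExpectedFqdn and -CaRootCer are this script's own; it assumes the .pfx was imported into the local computer's Personal store on the Configuration Storage server, and that you have the CA root .cer file at hand on the array member.

```powershell
# Added example, not from the original article: verify the workgroup-mode server
# certificate. On the Configuration Storage server, -ExpectedFqdn checks the
# certificate in the computer's Personal store; on an array member, -CaRootCer
# checks that the issuing CA's root certificate is in the Trusted Root store.
# Both parameter names are this script's own assumptions.
param(
    [string]$ExpectedFqdn,   # FQDN the certificate's common name must match
    [string]$CaRootCer       # path to the CA root .cer expected on an array member
)
$ErrorActionPreference = 'Stop'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage

function Get-LocalMachineCerts([string]$StoreName) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadOnly')
    try { foreach ($c in $store.Certificates) { $c } } finally { $store.Close() }
}

function Test-CssCertificate([string]$Fqdn) {
    $problems = @()
    $certs = @(Get-LocalMachineCerts 'My' | Where-Object { $_.GetNameInfo('SimpleName', $false) -ieq $Fqdn })
    if ($certs.Count -eq 0) { return @("No certificate with CN=$Fqdn in LocalMachine\My") }
    foreach ($cert in $certs) {
        $tp = $cert.Thumbprint
        # A .cer import has no private key; the procedure requires the .pfx.
        if (-not $cert.HasPrivateKey) { $problems += "${tp}: private key missing (import the .pfx, not a .cer)" }
        if ($cert.NotAfter -lt (Get-Date)) { $problems += "${tp}: expired $($cert.NotAfter)" }
        # If an EKU extension is present it must allow server authentication.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
            $problems += "${tp}: no Server Authentication key usage"
        }
        # The chain must build to a trusted root on this computer as well.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # private CA; CRL may be unreachable
        if (-not $chain.Build($cert)) {
            $problems += "${tp}: chain does not build: " +
                (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
        }
    }
    return $problems
}

function Test-ArrayMemberTrust([string]$CerPath) {
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $present = Get-LocalMachineCerts 'Root' | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
    if ($present) { return @() }
    return @("CA root $($ca.Subject) ($($ca.Thumbprint)) is not in LocalMachine\Root; install it on this array member")
}

if (-not $ExpectedFqdn -and -not $CaRootCer) {
    throw 'Specify -ExpectedFqdn (Configuration Storage server) and/or -CaRootCer (array member).'
}
$findings = @()
if ($ExpectedFqdn) { $findings += Test-CssCertificate $ExpectedFqdn }
if ($CaRootCer)    { $findings += Test-ArrayMemberTrust $CaRootCer }

if ($findings.Count -eq 0) { Write-Host 'Certificate checks passed.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```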

Update array members to use the new Configuration Storage server

Verify that array members are using the correct Configuration Storage servers as follows:

Verify array member settings

  1. In the console tree of ISA Server Management, click the applicable array.

  2. On the Tasks tab, click Configure Array Properties.

  3. On the Configuration Storage tab, verify that the available Configuration Storage servers are configured.

Note

Alternatively, you can use the ChangeStorageServer.vbs script to specify an alternate Configuration Storage server. This script is located in the FPC\Program Files\Microsoft ISA Server installation folder. Run the script on all array members that require updating.

Scenario 3: Array members are unavailable

The following flowchart illustrates the process for recovering array members that are down. If the Configuration Storage server is also down, you should recover that first, and then restore array members. Relevant procedures are listed after the flowchart.

Deleting array members from an enterprise

Delete array members as follows:

Delete an array member

  1. In the console tree of ISA Server Management, expand Arrays, expand the array name, expand Configuration, and then click Servers.

  2. Right-click the server you want to remove, and then click Delete.

  3. Repeat for each server that should be removed from the array.

Reinstalling array members

Reinstall array members as follows:

Reinstall an array member

  1. Insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  2. In Microsoft ISA Server Setup, click Install ISA Server 2006 to start Setup.

  3. On the Setup Scenarios page, select Install ISA Server services.

  4. On the Locate Configuration Storage server page, type in the FQDN of the Configuration Storage server previously used by the array member.

  5. On the Array Membership page, select Join an existing array.

  6. On the Join Existing Array page, specify the name of the array.

  7. On the Configuration Storage Server Authentication Options page, select Windows authentication if the Configuration Storage server and array computers are domain members. Otherwise, select Authentication over SSL encrypted channel.

  8. On the Internal Network page, specify the address ranges that are included in the Internal network.

  9. Restart the computer when prompted.