Upgrading to Microsoft Internet Security and Acceleration (ISA) Server 2004 Enterprise Edition

  • Article

ISA Server 2004 supports a full upgrade path for ISA Server 2000 users. Most ISA Server 2000 network settings, monitoring configuration, and cache configuration will be upgraded to ISA Server 2004.

ISA Server 2004 introduces many new features and changes. These changes affect the server configuration and upgrade scenarios. This section provides information about the key items to consider as part of the upgrade process.

Upgrade scenarios

Before upgrading to ISA Server 2004 Enterprise Edition, carefully review the Upgrade process.

Depending on which ISA Server 2004 component you are installing, you perform different steps to upgrade from ISA Server 2000, as described in this section.

  • Upgrading to Computer Running ISA Server Services
  • Upgrading to Configuration Storage Server
  • ISA Server 2000 Routing and Remote Access upgrade
  • Upgrading Add-ins

Upgrade process

The ISA Server 2004 Migration Tool enables a full upgrade path for ISA Server 2000 users to ISA Server 2004. Most ISA Server 2000 configuration information will be upgraded to ISA Server 2004. ISA Server 2004 introduces many new features and changes. These changes affect the server configuration and upgrade scenarios. These changes also impact which elements can be upgraded.

Notes:

  • ISA Server 2000 Service Pack 1 (SP1) or Service Pack 2 (SP2) must be installed on the computer.
  • You can only upgrade from ISA Server 2000 Enterprise Edition.
  • We recommend that when upgrading from ISA Server 2000 to ISA Server 2004 on a different computer, you install all necessary certificates on that computer before importing the ISA Server 2000 configuration file.
  • You must install the same language version of ISA Server 2004 when upgrading from ISA Server 2000.
  • If ISA Server 2000 is currently installed on a Windows Microsoft Windows® 2000 Server computer, verify that ISA Server 2000 Service Pack 1 (SP1) or ISA Server 2000 Service Pack 2 (SP2) is installed. If ISA Server 2000 SP1 is installed, verify that the hot fix described in the Microsoft Knowledge Base article 331962, "Running ISA Server on Windows Server 2003" is also installed. Then, upgrade the operating system to Microsoft® Windows Server™ 2003.

Upgrading from an array of ISA Server 2000 computers

The upgrade process from an array of ISA Server 2000 computers involves these steps:

  1. Create an ISA Server 2004 Configuration Storage server, as described in Upgrading to Configuration Storage server. The Configuration Storage server should be created on a computer that does not belong to the original ISA Server 2000 array.
  2. After you create the Configuration Storage server, upgrade the ISA Server 2000 array members, as described in Upgrading to a computer running ISA Server services.

If you do not want to dedicate an additional computer to the ISA Server 2004 array, do the following:

  1. On one of the ISA Server 2004 computers, install the Configuration Storage server component. Be sure to select Create a replica.
  2. On each ISA Server 2004 array member, connect to the computer on which you installed the Configuration Storage server.
  3. Uninstall the Configuration Storage server from the computer that did not originally belong to the ISA Server 2000 array.

Upgrading from a stand-alone ISA Server 2000 computer

The upgrade process from a stand-alone ISA Server 2000 computer is similar to the upgrade process for an ISA Server 2000 array. As with the array upgrade, you will require an additional computer on which to install the ISA Server 2004 Configuration Storage server component.

Upgrading from ISA Server 2004 Standard Edition

The upgrade process from ISA Server 2004 Standard Edition involves these steps:

  1. Export the ISA Server 2004 Standard Edition configuration. For instructions, see ISA Server 2004 Standard Edition Help.
  2. Install the Configuration Storage server component of ISA Server 2004 Enterprise Edition.
  3. Install one array member (either on the Configuration Storage server or on a separate computer).
  4. Import the configuration file that you exported in step 1 to the array you created in step 3.
  5. Install ISA Server array members.

The array must have only one member server when you import the configuration information.

Upgrading to a computer running ISA Server services

The components of ISA Server 2004 can be installed on separate computers. The upgrade from ISA Server 2000 Enterprise Edition to ISA Server 2004 differs, depending on which ISA Server 2004 component is installed.

When you install only the ISA Server services, the upgrade process from ISA Server 2000 is straightforward, in that you perform an in-place upgrade.

After you upgrade, carefully review the migrated rule elements. The upgrade process is automated, and although the migration is accurate, the resulting rule elements may not be optimal. Tweak the rule elements as appropriate.

Upgrading to a Configuration Storage Server

The components of ISA Server 2004 can be installed on separate computers. The upgrade from ISA Server 2000 Enterprise Edition to ISA Server 2004 differs, depending on which ISA Server 2004 component is installed.

When you upgrade from ISA Server 2000 to a Configuration Storage server component of ISA Server 2004, perform the following steps:

  1. Run the ISA Server Migration Wizard on the ISA Server 2000 computer. The wizard creates an .xml file with the configuration information.
  2. Install Microsoft ISA Server 2004 Enterprise Edition, selecting the option to install the Configuration Storage server.
  3. Import the .xml file to the ISA Server 2004 computer. Before you import the .xml file, we recommend that you perform a full backup of the current settings on the ISA Server 2004 computer.

We recommend that when upgrading from ISA Server 2000 to ISA Server 2004 on a different computer, you install all necessary certificates on that computer before importing the ISA Server 2000 configuration file.

After you upgrade, carefully review the migrated rule elements. The upgrade process is automated, and although the migration is accurate, the resulting rule elements may not be optimal. Tweak the rule elements as appropriate.

ISA Server 2000 Routing and Remote Access upgrade

When you install ISA Server 2004, you can upgrade the Routing and Remote Access configuration. You can upgrade the configuration to ISA Server 2004, regardless of whether ISA Server 2000 is installed on the computer.

Note the following limitations to the Routing and Remote Access configuration upgrade:

  • The maximum number of remote virtual private network (VPN) clients allowed to connect to ISA Server 2004 is set to whichever is larger on Routing and Remote Access: the number of PPTP ports or the number of L2TP ports.
  • If the number of IP addresses statically assigned is smaller than the number of VPN clients, the number of VPN clients is reduced to fit the size of the static address pool. A warning is issued to the user during the Routing and Remote Access upgrade process.
  • The static address pool is not migrated.
  • Preshared keys configured for Routing and Remote Access are not exported. A warning message is issued.
  • If an invalid IP address is configured for the primary DNS server, it is not exported. The DHCP settings are used instead, and a warning message is issued. If an invalid IP address is configured for the backup DNS server, it is not exported. A warning message is issued.
  • If an invalid IP address is configured for the primary WINS server, it is not exported. The DHCP settings are used instead, and a warning message is issued. If an invalid IP address is configured for the backup WINS server, it is not exported. A warning message is issued.
  • If a site-to-site connection on Routing and Remote Access is configured as PPTP first (and then L2TP), it is upgraded to a remote site network on ISA Server 2004 that uses PPTP only. A warning message is issued.
  • If a site-to-site connection on Routing and Remote Access is configured as L2TP first (and then PPTP), it is upgraded to a remote site network on ISA Server 2004 that uses L2TP only. A warning message is issued.
  • Preshared keys configured for site-to-site connections in Routing and Remote Access are not exported. A warning message is issued.
  • Credentials configured for site-to-site connections in Routing and Remote Access are not exported. On ISA Server 2004, outgoing VPN connections are disabled until you reconfigure them. A warning message is issued.

The configuration information stored in the .xml file can be imported only to an empty array in ISA Server 2004 Enterprise Edition.

Upgrading add-ins

Application filters and Web filters supplied by third-party vendors for ISA Server 2000 are not compatible with ISA Server 2004. Some third-party vendors have created new versions for ISA Server 2004. To upgrade to the new versions, perform the following steps:

  1. Uninstall the application filters and Web filters from the ISA Server 2000 computer.
  2. Perform the upgrade to ISA Server 2004.
  3. Install the new version of the application filter or Web filter.

For more information about how add-ins are upgraded, see ISA Server 2000 add-in configuration upgrade.

Upgrading the Message Screener

The upgrade process from ISA Server 2000 Message Screener is straightforward, in that you perform an in-place upgrade.

What Gets Upgraded

ISA Server 2004 supports a full upgrade path for ISA Server 2000 users. Most ISA Server 2000 network settings, monitoring configuration, and cache configuration will be upgraded to ISA Server 2004.

ISA Server 2004 introduces many new features and changes. These changes affect the server configuration and upgrade scenarios. This section provides information about the key items to consider as part of the upgrade process.

  • ISA Server 2000 administration and monitoring configuration upgrade
  • ISA Server 2000 array and enterprise upgrade
  • ISA Server 2000 access policy configuration upgrade
  • ISA Server 2000 publishing policy configuration upgrade
  • ISA Server 2000 policy elements upgrade
  • ISA Server 2000 network and client configuration upgrade
  • ISA Server 2000 dial-up, chaining, and routing configuration upgrade
  • ISA Server 2000 add-in configuration upgrade
  • ISA Server 2000 cache configuration upgrade
  • ISA Server 2000 Feature Pack 1 and hotfix configuration upgrade
  • What is not upgraded

ISA Server 2000 administration and monitoring configuration upgrade

Some administration and monitoring configuration settings are migrated to ISA Server 2004, as detailed in the following sections.

System access control lists

In ISA Server 2000, you can use ISA Server Management to reconfigure a system access control list (SACL) on certain objects. In addition, the SACL for any element could be changed, using the Admin COM object model.

SACLs are not migrated to ISA Server 2004. Instead, the default SACLs are applied.

Monitoring

All ISA Server 2000 alert definitions are migrated directly to ISA Server 2004, with the following exceptions:

  • Alert definitions that reference Web Proxy are created for the Microsoft Firewall service instead, because there is no Web Proxy service in ISA Server 2004.
  • The following ISA Server 2004 alert definitions are not modified: DNS intrusion, POP intrusion, RPC filter connectivity changed, and SOCKS configuration failure.

No log configuration settings are migrated from ISA Server 2000. ISA Server 2004 log settings are set to the post-installation default settings. After migration, ISA Server 2004 logs are stored as Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) logs or in text format.

Report jobs, reports, and report configuration are not migrated.

ISA Server 2000 array and enterprise upgrade

When you upgrade an ISA Server 2000 enterprise, most settings are migrated to ISA Server 2004, as detailed in the following sections.

Enterprise policy

When you upgrade an ISA Server 2000 array, the enterprise policy applied to the ISA Server 2000 array is upgraded, but as an empty policy. That is, the enterprise policy does not contain any rules.

Enterprise policy elements

Enterprise policy elements are upgraded to ISA Server 2004 enterprise policy elements, as detailed in ISA Server 2000 policy elements upgrade.

Similarly, ISA Server 2000 array-level policy elements are upgraded to ISA Server 2004 array-level policy elements.

ISA Server 2000 access policy configuration upgrade

ISA Server 2000 access policy rules are not upgraded to ISA Server 2004. Specifically, the following rules are not upgraded as part of the upgrade process:

  • Site and content rules
  • Protocol rules
  • Packet filters

Bandwidth rules

Bandwidth rules (and associated policy elements) are not supported in ISA Server 2004. They are not upgraded.

Packet filtering

If packet filtering is disabled on ISA Server 2000, all traffic to the Local Host and Perimeter networks is allowed, in accordance with the configured system policy.

ISA Server 2000 publishing policy configuration upgrade

ISA Server 2000 publishing rules are not upgraded to ISA Server 2004. Specifically, the following rules are not upgraded as part of the upgrade process:

  • Server publishing rules
  • Web publishing rules

ISA Server 2000 policy elements upgrade

Most ISA Server 2000 policy elements are upgraded to ISA Server 2004, as detailed in the following sections. Enterprise-level policy elements on ISA Server 2000 are upgraded to ISA Server 2004 enterprise-level policy elements. Similarly, array-level policy elements on ISA Server 2000 are upgraded to ISA Server 2004 array-level policy elements.

Client address sets

In ISA Server 2000, client address sets included IP addresses and IP address ranges. Client address sets were used in site and content rules, and in protocol rules (and not in publishing rules).

In ISA Server 2004, client address sets are replaced by computer sets. For each ISA Server 2000 rule that applies to a client address set that is upgraded, a new computer set is created on ISA Server 2004. The upgraded rule applies to the new computer set, which includes the same IP addresses as the original client address set on ISA Server 2000.

Content groups

ISA Server 2000 content groups are upgraded directly to ISA Server 2004. If a content group with the same name exists on ISA Server 2004, the content group from ISA Server 2000 is not imported.

Destination sets

ISA Server 2000 destination sets could include computer names, IP addresses, IP address ranges, domain names, and paths on computers. The destination sets are used in site and content rules, and in publishing rules.

ISA Server 2004 does not use destination sets. Instead, other network elements were introduced, which can be used flexibly with access rules and publishing rules.

The following table describes how ISA Server 2000 destination sets are mapped to various ISA Server 2004 network objects.

ISA Server 2000 policy element ISA Server 2004 network object

Destination set with wildcards

Domain name set

Destination set with path

URL set

Destination set with single IP address

URL set

Destination set with single IP address and with path

URL set

Destination set with IP address range

Computer set

Destination set with IP address range and path

URL set

Note

If the ISA Server destination set includes more than five IP addresses, no URL set is created. In this case, a warning is included in the log file. Furthermore, if a rule applies to this destination set, the rule is not upgraded, and a message is included in the log file.

The following table shows examples of how ISA Server 2000 destination sets are upgraded.

Destination set on ISA Server 2000 Network object on ISA Server 2004

Destination set with mayah.microsoft.com 

Domain name set with mayah.microsoft.com 

Destination set with eitanh.microsoft.com and with path foo

Domain name set with eitanh.microsoft.com andURL set with https://eitanh.microsoft.com/foo/

Destination set with IP address range 192.168.123.134 (single IP) and path foo

Computer set with range 192.168.123.134 to 192.168.123.134URL set with https://192.168.123.134/foo/

Destination set with yairh.microsoft.com and path /foo, with IP address 1.2.3.4 and path boo, and with IP address range 1.2.3.4 to 1.2.3.5 and path /home

Computer set with IP address ranges 1.2.3.4 to 1.2.3.4 and IP address ranges 1.2.3.4 to 1.2.3.5.Domain name set with yairh.microsoft.comURL set with https://yairh.microsoft.com/foo, https://1.2.3.4/boo, https://1.2.3.4/home, and https://1.2.3.5/home

Destination sets and rules

The following table describes the ISA Server 2004 rule settings for the destination sets originally used in rules upgraded from ISA Server 2000.

ISA Server 2000 ISA Server 2004

All destinations

To property is set to Anywhere.

All Internal destinations

To property is set to Internal Network.Destination network is set to Internal.

All External destinations

To property is set to External Network.Destination network is set to External.

Selected destination

To property is set to computer sets, domain names, and URL sets, corresponding to the original destination set.

Protocol definitions

ISA Server 2000 included two types of protocol definitions:

  • Explicitly defined protocol definitions. Protocol elements created upon installation, by ISA Server, or created subsequently by a user.
  • Implicitly defined protocol definitions. Used by specific application filters or by an IP packet filter.

The migration tool creates corresponding protocol definitions in ISA Server 2004 for all explicitly defined protocol elements. If ISA Server 2004 already has a protocol definition with the same name, the ISA Server 2000 protocol definition is not imported.

Implicitly defined protocol definitions, created by third-party application filters, are not upgraded. A warning message indicates this in the migration log file. Implicitly defined protocol definitions, used with IP packet filters, are upgraded.

Protocol definitions that cannot be identified by the migration tool are not upgraded. Any rules that apply to unidentified protocol definitions are deleted.

Schedule

ISA Server 2000 schedules upgrade directly to ISA Server 2004. Any ISA Server 2000 rule that does not have a specifically named schedule will reference the schedules created (with the same name) in ISA Server 2004.

A new schedule may be created on ISA Server 2004 when two schedules are used by a site and content rule, and by a protocol rule on ISA Server 2000.

Web listeners

ISA Server 2000 included incoming listeners and outgoing listeners on a specific IP address. In ISA Server 2004, Web listeners can be assigned an entire network, or to a specific IP address.

The incoming listeners on ISA Server 2000 are upgraded to ISA Server 2004 as Web listeners on the External network.

The default outgoing listeners on ISA Server 2000 are upgraded to ISA Server 2004 as Web listeners on the Internal network. If the the default listener is not being used, no listener is upgraded. This is noted in the log file.

Naming conventions

The following table details the naming conventions for the new rule elements.

ISA Server 2000 policy element ISA Server 2004 rule element

Destination set (creates computer set)

Computer set with Destination_Set_Name

Destination set (creates URL set)

URL set with Destination_Set_Name

Default Web listener

External default Web listener

Merged schedule

ScheduleName1_ScheduleName2

ISA Server 2000 network and client configuration upgrade

ISA Server 2000 network and client configuration settings are upgraded to ISA Server 2004, as detailed in the following sections.

Networks

ISA Server 2000 supports only two networks: Internal and External. A perimeter network (also known as DMZ, demilitarized zone, and screened subnet) could be implied by creating packet filters to route traffic from the External network to the perimeter network.

ISA Server 2004 supports multiple networks. The following networks are created by default on ISA Server 2004:

  • Internal, derived from the ISA Server 2000 local address table (LAT). The Internal network on ISA Server 2004 does not include IP addresses in the VPN static address pool configured on ISA Server 2000. It also does not include the broadcast address.
  • External
  • Local Host
  • VPN Clients

The migration tool creates the following network rules on ISA Server 2004:

  • A network rule that defines a route relationship between the Local Host and the Internal network.
  • A network rule that defines a route relationship between the VPN clients, Quarantine and the Internal network.
  • A network rule that defines a NAT relationship between the Internal,VPN clients, Quarantine and the External network.

Local Domain Table

The local domain table (LDT) is migrated as is to ISA Server 2004. If the ISA Server 2000 LDT includes IP addresses, these are not migrated to ISA Server 2004.

Client settings

In ISA Server 2004, client settings are per network. ISA Server 2000 client settings are upgraded directly to the client settings on the ISA Server 2004 Internal network.

As in ISA Server 2000, ISA Server 2004 Firewall Client application settings apply to all client requests. Firewall Client application settings are upgraded directly to ISA Server 2004.

ISA Server 2000 dial-up, chaining, and routing configuration upgrade

Most ISA Server 2000 dial-up, chaining, and routing configuration settings are upgraded to ISA Server 2004, as detailed in the following sections.

Dial-up connections

In ISA Server 2000, multiple dial-up connections could be created, but only one dial-up connection could be active at a time. In ISA Server 2004, only a single dial-up can be created.

In ISA Server 2000, the dial-up connection was defined per Firewall client and per Web Proxy client. In ISA Server 2004, the dial-up connection is defined per network.

As part of the upgrade process, only the active dial-up connection is upgraded. It is assigned to the External network.

All other dial-up connections are not upgraded. This is noted in the upgrade log file.

Firewall chaining

ISA Server 2000 chaining configuration is upgraded directly to ISA Server 2004. The only exception is the dial-up connection specified on ISA Server 2000. On ISA Server 2004, the dial-up connection is created on the External network.

Routing rules

Each ISA Server 2000 routing rule is duplicated on ISA Server 2004, as a cache rule and as a routing rule.

The ISA Server 2004 routing rule is created with identical properties to those of the original ISA Server 2000 routing rule. The destinations specified for the ISA Server 2000 routing rule are mapped to specific networks on the To property page of the ISA Server 2004 routing rule properties.

If the ISA Server 2000 routing rule used a dial-up entry, a dial-up entry with the same properties is created on the External network of ISA Server 2004.

A new caching rule is created based on the original ISA Server 2000 routing rule. The destinations specified for the ISA Server 2000 routing rule are mapped to specific networks on the To property page of the ISA Server 2004 routing rule properties.

The following properties are not supported on ISA Server 2004 caching rules and are therefore not upgraded from the original ISA Server 2000 routing rule: bridging and action.

ISA Server 2000 add-in configuration upgrade

In ISA Server 2000, application filters were applied unconditionally to specific traffic. In ISA Server 2004, some filtering can be applied on a per-rule basis. The following table describes how ISA Server 2000 application filter functionality is upgraded to ISA Server 2004.

Note

Be sure to remove any application filters or Web filters supplied by third party vendors before upgrading. If these application or Web filters are also available for ISA Server 2004, you can reinstall them after you upgrade.

Application filter or rule ISA Server 2000 ISA Server 2004

H.323 filter

Allow incoming call

Filter listens on the External network

Allow outgoing calls

Filter listens on the Internal network

All other configurations

Same as in ISA Server 2000

HTTP redirection

All configurations

Not supported

RPC filter

All configurations

Replaced with per-rule filtering

SMTP filter

SMTP commands

Same as in ISA Server 2000

Attachments, users and domains, and keywords

Upgraded to an SMTP server publishing rule, on a per-rule basis

SOCKS v4 filter

Enabled

Listen for SOCKS requests initiated from the Internal network

Streaming media

MMS filter, PNM filter, and RTSP filter: any configuration

Configuration same as ISA Server 2000

MMS stream splitting not supported

Configuration settings for the following application filters are upgraded directly to ISA Server 2004:

  • DNS intrusion detection filter
  • POP intrusion detection filter

If the message screener is not installed on the computer being upgraded to ISA Server 2004, then any traffic from the message screener computer is blocked unless you specifically configure ISA Server 2004, allowing all traffic to and from the Internal network to and from the Local Host network. Similarly, you can add a rule that allows MS Firewall Control traffic from the message screener computer to the Local Host computer.

Some application filter properties are configured differently in ISA Server 2004 than in ISA Server 2000.

Note that third-party application filters are not upgraded. Similarly, any protocol definitions that are installed with the application filter are not upgraded. Any rules that apply to these protocol definitions are not upgraded.

HTTP Redirector Filter

ISA Server 2000 HTTP redirector filter settings are not migrated to ISA Server 2004. To configure ISA Server 2004, do the following:

  • If you configured the HTTP redirector in ISA Server 2000 to Send to requested Web server, configure the Web Proxy filter in ISA Server 2004 to not apply to the HTTP protocol (by default on ISA Server 2004, all requests are directed to the Web Proxy filter).
  • If you configured the HTTP redirector in ISA Server 2000 to Reject HTTP requests from Firewall and SecureNAT clients, in ISA Server 2004, create a new protocol definition that uses port 80. Then, create an access rule that denies use of the protocol.

User-defined content types used for link translation are migrated to array-level content types. However, in ISA Server 2004 Enterprise Edition, the link translation filter can be applied only to enterprise-level content types. For the link translation filter to function correctly, you should copy the migrated content types to the enterprise level.

ISA Server 2000 cache configuration upgrade

Most ISA Server 2000 cache configuration settings are upgraded to ISA Server 2004, as detailed in the following sections.

Caching

Most ISA Server 2000 cache properties are upgraded directly, with no change, from ISA Server 2000 to ISA Server 2004. Note the following exceptions:

  • General cache properties specifying whether cache objects should be updated are set to the ISA Server 2004 default.
  • General cache properties specifying whether objects exceeding a certain size should be cached are not upgraded.
  • General cache properties specifying whether dynamic content is cached are set in the ISA Server 2004 default cache rule.

The cache drive configuration is retained in ISA Server 2004. If the migration is done to a different computer, the ISA Server 2004 computer should have similar hardware and drive configuration to the original ISA Server 2000 computer.

If ISA Server 2000 was installed in cache mode, the migration tool does the following:

  • Configures the Internal network on ISA Server 2004 to include all addresses associated with the single network adapter specified on the ISA Server 2000 computer.
  • Creates an access rule allowing HTTP, HTTPS, and FTP access from the Internal network to the Internal network.

Scheduled content download jobs

ISA Server 2000 scheduled content download jobs are upgraded directly to ISA Server 2004.

ISA Server 2000 Feature Pack 1 and hotfix configuration upgrade

ISA Server 2000 Feature Pack 1 introduced several new features, which are included in ISA Server 2004. Most ISA Server 2000 Feature Pack 1 configuration information is migrated directly to ISA Server 2004. Note the following exceptions:

  • Link translation. Directly migrated to ISA Server 2004. Note the following:
    • A new content group is created for content groups to which the ISA Server 2000 link translation filter applied.
    • With ISA Server 2000 Feature Pack 1 link translation, you could configure whether caching of translated responses on external proxy should be prevented. This feature is not supported in ISA Server 2004.
  • SecurID authentication support. Note the following:
    • In ISA Server 2000 Feature Pack 1, SecurID authentication was configured per Web publishing rule. In ISA Server 2004, it is configured per Web listener.
    • To complete the migration of SecurID authentication configuration, do the following:
      1. Copy the Sdconf.rec file generated by the access control entry (ACE) server to %SystemRoot%\System32.
      2. Create an access rule allowing communication from the Local Host to the ACE server.
  • URLScan. This filter is renamed HTTP filter in ISA Server 2004. The Urlscan.ini file is saved in %windir%\temp\isa2k_upgrade. None of the settings are migrated to ISA Server 2004.

ISA Server 2000 hotfixes

All registry keys installed as part of ISA Server 2000 hotfixes are migrated directly to ISA Server 2004.

What is not upgraded

The following ISA Server 2000 objects and configuration settings are not migrated to ISA Server 2004:

  • Bandwidth rules are no longer supported in ISA Server 2004.

  • Permission settings, such as system access control lists (SACLs), are not upgraded. For more information, see ISA Server 2000 administration and monitoring configuration upgrade.

  • Logging and reporting configuration and information are not migrated. For more information, see ISA Server 2000 administration and monitoring configuration upgrade.

  • No rules are migrated. Only the rule elements are upgraded. For more information, see ISA Server 2000 policy elements upgrade.

    Note

    When you upgrade, the H.323 gatekeeper installed with ISA Server 2000 is removed.

When you use the Migration Tool to install ISA Server 2004, the Firewall Client Share (with the Firewall Client for ISA Server 2004 software) is installed. We recommend that you install the Firewall Client Share.