Backing up the Forefront TMG configuration

Microsoft Forefront Threat Management Gateway includes a backup and restore feature that enables you to export its configuration to an .xml file, and then import that configuration back to the Forefront TMG.

In Forefront TMG, backing up is otherwise known as exporting, and restoring is also referred to as importing. This import/export feature is flexible, in that you can export on many levels in Forefront TMG. For example, you can export (and subsequently import) an entire firewall policy, a single rule, or a single network object. Also, you can back up your entire configuration so that you can restore it at a later date.

Backing up a configuration

Backing up a configuration is done by exporting the Forefront TMG configuration to an .xml file. Forefront TMG provides the Export Wizard to walk you through the backup process.

When you export a configuration, all general configuration information is exported. The backup file includes all policy information and all other organization-specific information. It also includes the access rules, publishing rules, rule elements, alert configuration, cache configuration, and other Forefront TMG properties, such as cache drives and Secure Sockets Layer (SSL) certificate keys.

Note

The backup and restore process backs up and restores SSL certificate keys, which are the references that tell Forefront TMG which certificates to use. This is not the same as backing up and restoring the certificates themselves. Back up the certificates, with their private keys, separately and manually, and store that backup in a secure location; without the private key a restored certificate reference cannot be used.

In addition to exporting all general configuration information, when creating the backup file you are given the option to export user permission settings and confidential information, such as user passwords. Confidential information included in the exported file is encrypted with the password you specify as part of the export process. Confidential information includes user credential passwords (for example, passwords used for logging on to a computer running Microsoft SQL Server), Remote Authentication Dial-In User Service (RADIUS) shared secrets, and preshared Internet Protocol security (IPsec) keys. When confidential details have been exported with the file, the password specified during the export is required to open and decrypt them. Note that only the confidential items are encrypted: the general configuration data in the exported backup file, including firewall policy, rule elements and network definitions, is stored in clear text. Treat the exported Forefront TMG configuration file as sensitive data with the potential for information disclosure, whether or not it contains confidential information.

Preparing for a disaster

Backing up the configuration is important both for disaster recovery purposes and for reverting to a previous configuration if necessary. Therefore, we recommend that you back up the entire configuration after:

  • the initial configuration of your Forefront TMG computer.
  • any major modifications, including changing cache size or location, modifying firewall policy, configuring system rules, creating network definitions or network rules, and delegating administrative rights or removing delegation.

If you follow this guidance, a current backup file is available from which you can restore the configuration after a catastrophic loss.

Before backing up your configuration, note the following:

  • You must be an Array Administrator or Array Auditor to export the configuration. To export confidential information, you must be an Array Administrator.
  • For maximum security, we recommend that you save the backup file to an NTFS file system disk partition. Only administrators of the Forefront TMG computer should have read permissions to the directory.
  • When you export an entire configuration, certificate settings are also exported. The certificate settings on the Forefront TMG computer to which you are importing the configuration must match the certificate settings in the exported file. If you import to a Forefront TMG computer with different certificates, the Microsoft Firewall service will fail to start.
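The following script is an added example and is not part of the Forefront TMG documentation or product. It puts the three points above, and the password-protected export of confidential information described earlier, into one scripted backup: it refuses anything but an NTFS volume, restricts the backup folder to Administrators and SYSTEM, prompts for the encryption password, exports the entire array configuration with confidential data and user permissions, and records a SHA-256 hash of the file. The COM object name FPC.Root, the GetContainingArray method, the ExportToFile signature (FileName, OptionalData, Comment, EncryptionPassword) and the OptionalData flag values 1 (confidential data) and 2 (user permissions) are assumptions taken from the ISA Server/Forefront TMG SDK object model and should be verified against the SDK for your version; the path D:\TMGBackup is an assumed example path.

```powershell
# Added example (not from the Forefront TMG documentation): scripted full backup.
# Run in an elevated PowerShell session as an Array Administrator on the TMG computer.
# Assumptions to verify against the Forefront TMG SDK: FPC.Root, GetContainingArray(),
# FPCArray.ExportToFile(FileName, OptionalData, Comment, EncryptionPassword), and the
# OptionalData flags 1 = confidential data, 2 = user permissions.
param(
    [string]$BackupDir = 'D:\TMGBackup'   # assumed example path; must be on NTFS
)
$ErrorActionPreference = 'Stop'

# 1. Refuse anything but NTFS: the ACL applied below needs an NTFS volume.
$drive = New-Object -TypeName System.IO.DriveInfo -ArgumentList ([System.IO.Path]::GetPathRoot($BackupDir))
if ($drive.DriveFormat -ne 'NTFS') {
    throw "Volume $($drive.Name) is $($drive.DriveFormat), not NTFS; choose another location."
}
if (-not (Test-Path -Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

# 2. Replace inherited permissions with an explicit ACL: only Administrators and
#    SYSTEM may read the folder, because the general configuration is plain text.
$acl = Get-Acl -Path $BackupDir
$acl.SetAccessRuleProtection($true, $false)            # stop inheriting, drop inherited ACEs
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)                  # drop any explicit ACE that was there
}
$flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $principal, 'FullControl', $flags, 'None', 'Allow'
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $BackupDir -AclObject $acl

# 3. Collect the password that will encrypt the confidential items. The COM method
#    takes a plain string, so convert the SecureString as late as possible.
$secure = Read-Host -Prompt 'Export encryption password' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# 4. Export the whole array configuration. 1 + 2 = confidential data plus user
#    permissions; passwords, RADIUS shared secrets and IPsec preshared keys are
#    encrypted with $password, everything else is written in clear.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$file  = Join-Path -Path $BackupDir -ChildPath "tmg-full-$stamp.xml"
$root  = New-Object -ComObject FPC.Root
$array = $root.GetContainingArray()
$array.ExportToFile($file, 3, "Full configuration backup $stamp", $password)
$password = $null

# 5. Record a SHA-256 hash so the file can be checked for tampering before a
#    restore. .NET hashing is used because Get-FileHash is not in PowerShell 2.0,
#    which is what Windows Server 2008 R2 ships with.
$sha = [System.Security.Cryptography.SHA256]::Create()
$fs  = [System.IO.File]::OpenRead($file)
try     { $hash = ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
finally { $fs.Close() }
"$hash  $(Split-Path -Path $file -Leaf)" |
    Out-File -FilePath (Join-Path -Path $BackupDir -ChildPath 'SHA256SUMS.txt') -Append -Encoding ascii
Write-Host "Exported $file ($((Get-Item -Path $file).Length) bytes), SHA-256 $hash"
```

The exported file inherits the folder ACL, so it is readable only by administrators from the moment it is written. The hash file does not protect the backup against an attacker who can already write to the folder; it exists to detect accidental corruption and to give the restore procedure something to compare against before an overwrite.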

For procedural information on backing up the entire Forefront TMG configuration, see Backing up and restoring an entire configuration.

For procedural information on backing up a part of the Forefront TMG configuration, see Backing up specific policies and settings.

Restoring a configuration

Restoring the configuration is done by importing the backup configuration file to the Forefront TMG server. During the import process, the configuration saved in the backup .xml file is copied to the Forefront TMG server.

The restore process reconstructs most configuration information. When you import the .xml configuration file, you are given the option to overwrite the existing configuration or import the configuration details into the existing configuration. The overwrite option will replace the existing configuration with the configuration in the import file. When restoring a configuration, always select to overwrite the existing configuration. Before importing the configuration, note the following:

  • When confidential details, such as user passwords, have been exported with the file, a password is required to open and decrypt the secure information. This password was specified when the file was created during the export process.
  • The certificate settings on the Forefront TMG computer to which you are importing the configuration must match the certificate settings in the exported file. If you import to a Forefront TMG computer with different certificates, the Microsoft Firewall service will fail to start.
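The following script is an added example and is not part of the Forefront TMG documentation or product. It restores an entire configuration the way the two points above require: it checks the file against a recorded SHA-256 hash if one is present, prompts for the password that was set at export time, imports the file so that the existing array configuration is replaced, and then checks whether the Microsoft Firewall service (service name fwsrv) is running, since a certificate mismatch shows up as that service failing to start. The COM object name FPC.Root, the GetContainingArray method, the ImportFromFile signature (FileName, OptionalData, EncryptionPassword, ResetRequiredServices), the OptionalData flag values 1 (confidential data) and 2 (user permissions), the need to call Save afterwards, and the assumption that ImportFromFile replaces the array configuration (the "overwrite" choice in the Import Wizard) are taken from the ISA Server/Forefront TMG SDK object model and should be verified against the SDK for your version. The SHA256SUMS.txt file beside the backup is an assumed convention.

```powershell
# Added example (not from the Forefront TMG documentation): scripted full restore.
# Run in an elevated PowerShell session as an Array Administrator on the target computer.
# Assumptions to verify against the Forefront TMG SDK: FPC.Root, GetContainingArray(),
# FPCArray.ImportFromFile(FileName, OptionalData, EncryptionPassword, ResetRequiredServices),
# OptionalData flags 1 = confidential data, 2 = user permissions, FPCArray.Save(), and
# that ImportFromFile replaces the existing array configuration (overwrite semantics).
param(
    [Parameter(Mandatory = $true)][string]$BackupFile,
    [string]$SumsFile = (Join-Path -Path (Split-Path -Path $BackupFile -Parent) -ChildPath 'SHA256SUMS.txt')
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path -Path $BackupFile)) { throw "Backup file $BackupFile not found." }

# 1. Compare the file with the hash recorded when it was exported, if available.
#    The general configuration is not encrypted, so an altered file would otherwise
#    be imported without complaint.
$sha = [System.Security.Cryptography.SHA256]::Create()
$fs  = [System.IO.File]::OpenRead($BackupFile)
try     { $actual = ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
finally { $fs.Close() }
if (Test-Path -Path $SumsFile) {
    $leaf = [regex]::Escape((Split-Path -Path $BackupFile -Leaf))
    $line = Get-Content -Path $SumsFile | Where-Object { $_ -match "^[0-9A-Fa-f]{64}\s+$leaf`$" } | Select-Object -Last 1
    if (-not $line) { throw "No recorded hash for $BackupFile in $SumsFile." }
    $expected = ($line -split '\s+')[0].ToUpperInvariant()
    if ($expected -ne $actual) { throw "SHA-256 mismatch for $BackupFile; refusing to import." }
} else {
    Write-Warning "No $SumsFile found; importing without an integrity check. SHA-256 is $actual."
}

# 2. Collect the password chosen at export time; it decrypts the confidential items.
$secure = Read-Host -Prompt 'Password used when the backup was exported' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# 3. Import, replacing the current array configuration, then save the result.
#    1 + 2 = restore confidential data and user permissions; $true lets the
#    services that depend on the changed settings be reset.
$root  = New-Object -ComObject FPC.Root
$array = $root.GetContainingArray()
$array.ImportFromFile($BackupFile, 3, $password, $true)
$array.Save()
$password = $null

# 4. A certificate mismatch between the file and this computer shows up as the
#    Microsoft Firewall service (fwsrv) failing to start. Give it a moment, then check.
Start-Sleep -Seconds 30
$svc = Get-Service -Name fwsrv
if ($svc.Status -ne 'Running') {
    Write-Warning ("fwsrv is $($svc.Status). Verify that the certificates referenced by the " +
                   "imported settings are installed on this computer, then restart the service.")
} else {
    Write-Host 'Import complete; Microsoft Firewall service is running.'
}
```

If the service does not start, the recovery path is either to install the certificates that the exported configuration references (with their private keys) on the target computer, or to restore a backup taken from a computer with matching certificate settings; editing the certificate references in the .xml file by hand is not a supported option on this page.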

For procedural information on restoring the entire Forefront TMG configuration, see Backing up and restoring an entire configuration.

For procedural information on restoring a part of the Forefront TMG configuration, see Importing individual policy rules and rule elements.

Other Resources

Importing and overwriting
Exporting and importing server-specific and confidential information