Upgrade Guide for ISA Server 2006 Standard Edition

Microsoft® Internet Security and Acceleration (ISA) Server 2006 provides a path for upgrading your ISA Server 2004 computers, from an existing deployment of ISA Server 2004 to a deployment of ISA Server 2006. During the upgrade process, the upgrade mechanism transfers the ISA Server 2004 configuration to a valid ISA Server 2006 configuration.

Note

There is no direct upgrade path from ISA Server 2000 to ISA Server 2006.

What Is in This Document

This guide includes an overview of the supported upgrade scenarios, upgrade requirements, and upgrade procedures for ISA Server Standard Edition. The following topics are covered:

  • Upgrade Requirements
  • Limitations
  • Upgrade Methods
  • Upgrade Walk-Throughs

For information about upgrading ISA Server 2004 Enterprise Edition, see "Upgrading ISA Server 2004 Enterprise Edition to ISA Server 2006 Enterprise Edition" at the Microsoft TechNet Web site.

Upgrade Requirements

To upgrade to ISA Server 2006 Standard Edition, you need:

  • A personal computer with a 733-megahertz (MHz) or faster processor.

  • A Microsoft Windows Server™ 2003 operating system with Service Pack 1 (SP1) or a Microsoft Windows Server 2003 R2 operating system.

    Note

    You cannot install ISA Server 2006 on 64-bit versions of Windows Server 2003 operating systems.

  • 512 megabytes (MB) of physical memory.

  • One local hard disk partition that is formatted with the NTFS file system.

  • 150 MB of available hard disk space. This is exclusive of hard disk space you want to use for caching.

  • One network adapter that is compatible with the computer's operating system, for communication with the Internal network.

  • An additional network adapter for each network connected to the ISA Server computer.

  • ISA Server 2004 Standard Edition, ISA Server 2004 Standard Edition with Service Pack 1 (SP1), or ISA Server 2004 Standard Edition with Service Pack 2 (SP2) installed.

  • When upgrading, the ISA Server 2006 language must match the ISA Server 2004 language.

Limitations

The following features are no longer supported in ISA Server 2006 and need to be uninstalled before upgrading to ISA Server 2006:

  • Firewall Client Share: Firewall Client Share is no longer part of the ISA Server installation. If you need a share point to install Firewall Client, copy the Client directory from the ISA Server 2006 CD to a computer that is not running ISA Server and manually configure the share point.
  • SMTP Message Screener: SMTP Message Screener is not supported by ISA Server 2006.

The following is a list of issues to consider before and after you begin the upgrade process:

  • Log files will be deleted during the upgrade process. ISA Server 2004 log files are not compatible with ISA Server 2006. If you need an archive copy of your log files, see Back Up ISA Server 2004 Log and Cache Files.
  • Cache files will be deleted during the upgrade process. To back up your cache files, see Back Up ISA Server 2004 Log and Cache Files.
  • ISA Server 2004 SP2 HTTP compression settings are not properly upgraded. Record your HTTP compression settings and reconfigure HTTP compression settings after the upgrade to ISA Server 2006 is complete.
  • DiffServ settings are not upgraded to ISA Server 2006. Record your DiffServ settings and reconfigure DiffServ settings after the upgrade to ISA Server 2006 is complete.
  • When upgrading from ISA Server 2004 Standard Edition, the following change to authentication security is implemented:
    • When you use HTTP-to-HTTP bridging, ISA Server will not allow traffic on the external HTTP port when the Web listener is configured to request Basic, forms-based, or Remote Authentication Dial-In User Service (RADIUS) authentication. This is a security-related change. These credentials should be encrypted, and not sent in plaintext over HTTP.
  • The ISA Server 2004 Microsoft Management Console (MMC) snap-in can be upgraded to ISA Server 2006 MMC. The ISA Server 2004 and ISA Server 2006 MMC cannot reside on the same computer.
  • Firewall logging and Web proxy logging for Microsoft SQL Server™ database settings are not upgraded. Log settings revert to the Microsoft SQL Server Desktop Engine (MSDE) database. Record your SQL Server database settings and reconfigure your Firewall and Web proxy log settings after the upgrade to ISA Server 2006 is complete.
  • For the most recent information, see the "ISA Server 2006 Release Notes" at the ISA Server Web site.

Upgrade Methods

ISA Server 2006 supports the following upgrade paths.

| Path | Description |
| --- | --- |
| In-Place Upgrade | With an in-place upgrade, you can upgrade your existing ISA Server 2004 computer to ISA Server 2006 on the existing equipment. The ISA Server 2006 installation process detects a valid version of ISA Server 2004 and performs an upgrade installation. |
| Migration | With a migration, you can export your existing ISA Server 2004 configuration to a computer with a clean installation of ISA Server 2006. |

Supported In-Place Upgrade Scenarios

The following table lists the in-place upgrade scenarios supported by ISA Server 2006.

| Existing version | New version | Supported or not supported |
| --- | --- | --- |
| ISA Server 2004 Standard Edition, ISA Server 2004 Standard Edition with SP1, or ISA Server 2004 Standard Edition with SP2 | ISA Server 2006 Standard Edition | Supported |
| ISA Server 2004 Standard Edition, ISA Server 2004 Standard Edition with SP1, ISA Server 2004 Standard Edition with SP2, or ISA Server 2006 Standard Edition | ISA Server 2006 Enterprise Edition | Not supported |
| ISA Server 2004 Enterprise Edition or ISA Server 2004 Enterprise Edition with SP2 | ISA Server 2006 Standard Edition | Not supported |

Note the following:

  • In addition to the product upgrade, ISA Server 2006 also supports a build-to-build upgrade. This allows you to upgrade a beta version of ISA Server 2006 to a new build of the same product. The following build-to-build upgrades will be supported:

    • Beta to Release Candidate (RC)

    • RC to Release to Manufacturing (RTM)

      Note

      For more information about build-to-build upgrades, see Appendix A: Build-to-Build Upgrade.

  • ISA Server services and ISA Server Management can be upgraded. All other components, such as SMTP Message Screener and Firewall Client Share, must be uninstalled before upgrading, because these components are no longer supported in ISA Server 2006.

  • During the upgrade, ISA Server services are not operational. We therefore recommend that you disconnect the ISA Server computer from the External network until the upgrade is complete.

Supported Migration Scenarios

The following table outlines the migration paths supported by ISA Server 2006 Standard Edition.

| Source or platform | ISA Server 2006 Standard Edition |
| --- | --- |
| ISA Server 2000 Standard Edition (using the Migration Tool found on the ISA Server 2004 CD) | Not supported |
| ISA Server 2000 Enterprise Edition (using the Migration Tool found on the ISA Server 2004 CD) | Not supported |
| ISA Server 2004 Standard Edition, ISA Server 2004 Standard Edition with SP1, or ISA Server 2004 Standard Edition with SP2 | Supported |
| ISA Server 2004 Enterprise Edition or ISA Server 2004 Enterprise Edition with SP2 | Not supported |
| ISA Server 2006 Enterprise Edition Beta or ISA Server 2006 Enterprise Edition RC | Not supported |

Upgrade Walk-Throughs

This section will walk you through the two methods for upgrading ISA Server 2004 Standard Edition while maintaining existing settings and configuration:

  • In-Place Upgrade
  • Migration

In-Place Upgrade

With an in-place upgrade, you can upgrade your existing ISA Server 2004 computer to ISA Server 2006 on the existing equipment. The ISA Server 2006 installation process detects a valid version of ISA Server 2004 and performs an upgrade installation.

This section provides step-by-step instructions about how to perform an in-place upgrade to ISA Server 2006 Standard Edition:

  • Back Up the Existing ISA Server 2004 Configuration

  • Back Up ISA Server 2004 Log and Cache Files

  • Run ISA Server 2006 Setup

    Note

    Confirm that ISA Server 2004 is properly functioning before beginning the upgrade process.

Back Up the Existing ISA Server 2004 Configuration

Important

We recommend that you back up your configuration, log files, and cache files before making any major changes to ISA Server 2004. This enables you to restore to your current configuration and import the exported configuration file if there is a problem with the upgrade.

The following procedure describes how to back up your ISA Server 2004 computer. Perform the following procedure on your existing ISA Server 2004 computer.

To back up your ISA Server 2004 configuration

  1. In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2004, and then click Server_Name.

  2. On the Tasks tab, click Backup this ISA Server Configuration.

  3. In Save in, specify the folder in which the export file will be saved.

  4. In File name, type a name for the exported file, and then click Backup.

  5. In Password and Confirm password, type a password that will be required.

Back Up ISA Server 2004 Log and Cache Files

During the upgrade process, existing log and cache files are erased. ISA Server 2004 log files are not compatible with ISA Server 2006. However, ISA Server 2004 cache files are compatible with ISA Server 2006.

Log files

To back up ISA Server 2004 log files, copy the files to an alternate location. The default location for log files is C:\Program Files\Microsoft ISA Server\ISALogs.

MSDE log format

MSDE is installed and configured as the default log storage format. You must first detach the database from the current server and then copy the files to an alternate location.

To detach a database from the server, enter the following lines at a command prompt.

To detach an MSDE database from a server enter the following

  1. OSQL -S computer_name\MSFW -E

  2. sp_detach_db database_name

  3. go

  4. quit

Note

database_name is the name of the .mdf and .ldf files without their extensions.

Now you can copy the .mdf and .ldf files to another location.

To reattach the database to the server, perform the following procedure.

To reattach an MSDE database to a server, type the following

  1. OSQL -S computer_name\MSFW -E

  2. sp_attach_db @dbname='database_name', @filename1='full_path_to_mdf_file', @filename2='full_path_to_ldf_file'

  3. go

  4. quit

Microsoft SQL Server log format

For instructions about how to back up a database in SQL Server, see the SQL Server product documentation.

File log format

To back up ISA Server log files that are configured in file format, copy the files to an alternate location. The default location for log files is C:\Program Files\Microsoft ISA Server\ISALogs.

Cache files

To back up ISA Server 2004 cache files, copy the files to an alternate location. The default location for cache files is <cache drive>\urlcache.
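
The following is an added example, not part of the original guide or of any Microsoft tooling. Run after the MSDE databases are detached, it copies the log folder to the alternate location, confirms that each database has both its .mdf and .ldf file, and verifies every copy by SHA-256 before the upgrade erases the originals. The function names, the manifest name SHA256SUMS.txt, and the sample file names are assumptions made for illustration.

```python
import hashlib
import shutil
from pathlib import Path

MANIFEST = "SHA256SUMS.txt"  # assumed manifest name, not an ISA Server convention


def sha256_of(path):
    """Hash a file in chunks so large .mdf files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def unpaired_databases(source):
    """Return database names that have an .mdf without an .ldf, or the reverse.

    The guide states that database_name is the shared base name of both files,
    so a backup holding only one of them cannot be reattached.
    """
    files = [p for p in source.rglob("*") if p.is_file()]
    mdf = {p.stem.lower() for p in files if p.suffix.lower() == ".mdf"}
    ldf = {p.stem.lower() for p in files if p.suffix.lower() == ".ldf"}
    return sorted(mdf ^ ldf)


def backup_with_manifest(source, destination):
    """Copy every file under source to destination, verifying each copy."""
    incomplete = unpaired_databases(source)
    if incomplete:
        raise ValueError(f"database files without a partner: {incomplete}")
    destination.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source)
        dst = destination / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        expected = sha256_of(src)
        shutil.copy2(src, dst)  # copy2 also preserves file timestamps
        if sha256_of(dst) != expected:
            raise OSError(f"copy of {rel} does not match its source")
        manifest[rel.as_posix()] = expected
    lines = [f"{digest}  {name}" for name, digest in manifest.items()]
    (destination / MANIFEST).write_text("\n".join(lines) + "\n")
    return manifest


def verify_backup(destination):
    """Re-hash the backup against its manifest; return the names that fail."""
    failed = []
    for line in (destination / MANIFEST).read_text().splitlines():
        digest, name = line.split("  ", 1)
        target = destination / name
        if not target.is_file() or sha256_of(target) != digest:
            failed.append(name)
    return failed


def build_constructed_sample(root):
    """Create a small constructed stand-in for the ISALogs folder."""
    logs = root / "ISALogs"
    logs.mkdir(parents=True)
    (logs / "constructed_fws.mdf").write_bytes(b"constructed data file")
    (logs / "constructed_fws.ldf").write_bytes(b"constructed log file")
    (logs / "constructed_web.log").write_bytes(b"constructed text log line\n")
    return logs


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        logs = build_constructed_sample(Path(tmp))
        copied = backup_with_manifest(logs, Path(tmp) / "backup")
        print(len(copied), "files copied; failed checks:",
              verify_backup(Path(tmp) / "backup"))
```

Running verify_backup again after the upgrade, or after moving the archive, shows whether the preserved logs still match what was on the ISA Server 2004 computer.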

Run ISA Server 2006 Setup

When you run the ISA Server 2006 Setup program, it detects an existing valid version of ISA Server 2004 Standard Edition and performs the upgrade.

Important

If SMTP Message Screener or Firewall Client Share is currently installed, it must be uninstalled before upgrading, because these components are no longer supported in ISA Server 2006.

Note the following:

  • During the upgrade, ISA Server services are not operational. We therefore recommend that you disconnect the ISA Server computer from the External network until the upgrade is complete.
  • During the upgrade, ISA Server services are not operational and users will experience an interruption of services until the upgrade is complete. We recommend that you notify users before the upgrade that ISA Server services will be unavailable during the upgrade process.
  • Monitoring applications, such as Microsoft Operations Manager (MOM) agent, use ISA Server files and may interfere with ISA Server setup and removal. To avoid issues, stop these applications before running Setup.

The following procedure describes how to run ISA Server 2006 Setup. Perform the following procedure on the existing ISA Server 2004 computer.

To run ISA Server 2006 Setup

  1. Insert the ISA Server 2006 Standard Edition CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  2. In Microsoft ISA Server Setup, click Install ISA Server 2006 and follow the instructions in the wizard to upgrade to ISA Server 2006 as outlined in the following table.

| Page | Field or property | Setting |
| --- | --- | --- |
| Welcome | None | Click Next. |
| License Agreement | License Agreement | Select I accept the terms in the license agreement, and click Next. |
| Customer Information | User Name; Organization; Product Serial Number | Enter user name. Enter organization name. Enter product serial number. |
| Upgrade Checklist | Review the upgrade checklist. | Click Next. |
| Destination Folder | Shows the folder location. | Click Next to accept the default folder location. |
| Services Warning | Review services that will be stopped and services that will be disabled if you continue. | Click Next. |
| Ready to Install the Program | None | Click Install. |

Migration

This scenario enables you to export your existing ISA Server 2004 configuration to a new computer, with a clean installation of ISA Server 2006, and then import the saved configuration. When the new ISA Server 2006 computer is fully configured, you can replace the existing ISA Server 2004 computer with the new ISA Server 2006 computer.

Note

If needed, you can perform a migration on the existing ISA Server 2004 computer. In this scenario, you would export your existing ISA Server 2004 configuration, uninstall ISA Server 2004, install ISA Server 2006, and then import the saved configuration.

With a migration, you can:

  • Minimize the amount of downtime required to upgrade to ISA Server 2006.
  • Move ISA Server 2006 to new equipment.
  • Upgrade the ISA Server 2004 firewall that is currently running on an operating system that is not supported, such as Microsoft Windows® 2000 Server.

This section provides step-by-step instructions about how to migrate to ISA Server 2006 Standard Edition:

  • Information Collection

  • Export the Configuration of the Existing ISA Server 2004 Computer

  • Install ISA Server 2006 on New Equipment

  • Export Clean ISA Server 2006 Configuration

  • Import ISA Server 2004 Configuration

  • Swap the Servers

    Note

    Confirm that ISA Server 2004 is properly functioning before beginning the upgrade process.

Information Collection

Before you begin the migration process, we recommend that you collect information about your existing ISA Server 2004 deployment.

This section describes the information that you should gather before beginning the migration process.

Networking

You should gather networking information about the ISA Server 2004 computer, as described in the following sections.

General information

Update the following table with information about the fully qualified domain name (FQDN).

| Property | Value |
| --- | --- |
| FQDN | __________________ |

Internal network adapter

Update the following table with information about an internal network adapter.

| Property | Value | Property | Value |
| --- | --- | --- | --- |
| IP address | ___.___.___.___ | Subnet mask | ___.___.___.___ |
| Default gateway | ___.___.___.___ | Not applicable | Not applicable |
| Preferred DNS server | ___.___.___.___ | Alternate DNS server | ___.___.___.___ |

External network adapter (not required for a single adapter deployment)

Update the following table with information about an external network adapter.

| Property | Value | Property | Value |
| --- | --- | --- | --- |
| IP address | ___.___.___.___ | Subnet mask | ___.___.___.___ |
| Default gateway | ___.___.___.___ | Not applicable | Not applicable |
| Preferred DNS server | ___.___.___.___ | Alternate DNS server | ___.___.___.___ |

Perimeter network adapter (only required if additional network adapters are installed and configured)

Update the following table with information about a perimeter network adapter.

| Property | Value | Property | Value |
| --- | --- | --- | --- |
| IP address | ___.___.___.___ | Subnet mask | ___.___.___.___ |
| Default gateway | ___.___.___.___ | Not applicable | Not applicable |
| Preferred DNS server | ___.___.___.___ | Alternate DNS server | ___.___.___.___ |

ISA Server services

The following table lists additional tasks that might need to be taken on the ISA Server 2006 computer after migration, if the following ISA Server 2004 features are currently being used.

| ISA Server 2004 function | Required actions |
| --- | --- |
| Web publishing listening for HTTPS traffic | Export the existing Secure Sockets Layer (SSL) certificate on the ISA Server 2004 computer and import the SSL certificate on the new ISA Server 2006 computer. Note: If a new SSL certificate is installed, you will need to modify the affected Web listener and select the new SSL certificate. |
| VPN tunnel encryption with server certificates: Internet Protocol security (IPsec) tunnel mode; Layer Two Tunneling Protocol (L2TP) over IPsec; VPN client access using L2TP over IPsec | Install a new server certificate from the same internal certification authority (CA) that issued the server certificate for the ISA Server 2004 computer. |
| User account for: L2TP over IPsec; Point-to-Point Tunneling Protocol (PPTP) | For a remote site to initiate a site-to-site connection, there must be a user account matching the remote network name. If the user account was created as a local user account on the ISA Server 2004 computer, you must create an account with the same user name and password on the ISA Server 2006 computer. The user account must be granted dial-in permissions. |

For information about how to export and import digital certificates, see "Digital Certificates for ISA Server" at the Microsoft TechNet Web site.

Export the Configuration of the Existing ISA Server 2004 Computer

The following procedure describes how to back up your ISA Server 2004 configuration. Perform the following procedure on your existing ISA Server 2004 computer.

To export the ISA Server 2004 configuration to a file

  1. In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2004, and then click Server_Name.

  2. On the Tasks tab, click Backup this ISA Server Configuration.

  3. In Save in, specify the folder in which the export file will be saved.

  4. In File name, type a name for the exported file, and then click Backup.

  5. In Password and Confirm password, type a password that will be required.

Note

When exporting an ISA Server configuration that will be imported to an ISA Server 2006 firewall, you must have the Server_Name node selected when performing the export. ISA Server 2006 can only import an ISA Server 2004 exported file when the export was run from the Server_Name node.

Install ISA Server 2006 on New Equipment

Perform the following procedure to install ISA Server 2006 on the new computer.

To install ISA Server 2006

  1. Install Microsoft Windows Server 2003 with SP1 or Windows Server 2003 R2.

    Note

    The internal network adapter must be connected and enabled to install ISA Server 2006. If the ISA Server computer will be connected to the same network as the ISA Server 2004 computer, a different IP address must be assigned to the ISA Server 2006 computer internal network adapter during ISA Server 2006 setup.

  2. Install ISA Server 2006 Standard Edition. For more information, see the ISA Server 2006 Standard Edition Installation Guide.

Note

If you have third-party filters installed on the ISA Server 2004 computer, you need to install the filters on the ISA Server 2006 computer. For specific instructions regarding upgrades, refer to the third-party vendor documentation.

Export Clean ISA Server 2006 Configuration

Export the clean ISA Server 2006 configuration to a file. This enables you to restore to a clean ISA Server 2006 state, if any issues arise during the import of the ISA Server 2004 exported configuration file.

The following procedure describes how to export your ISA Server 2006 configuration. Perform the following procedure on your new ISA Server 2006 computer.

To export ISA Server 2006 configuration

  1. In the console tree of ISA Server Management, select Microsoft Internet Security and Acceleration Server 2006, and then click Server_Name.

  2. On the Tasks tab, click Export (Back Up) this ISA Server Configuration.

  3. Follow the on-screen instructions.

    Important

    Select the following Export Preferences: Export confidential information and Export user permission settings.

Import ISA Server 2004 Configuration

The following procedure describes how to import your ISA Server 2004 configuration. Perform this procedure on the new ISA Server 2006 computer.

To import ISA Server 2004 configuration file

  1. Copy the export file from the ISA Server 2004 computer to the ISA Server 2006 computer.

  2. In the console tree of ISA Server Management, select Microsoft Internet Security and Acceleration Server 2006, and then click Server_Name.

  3. On the Tasks tab, click Import (Restore) this ISA Server Configuration.

  4. Follow the on-screen instructions.

    Important

    Make sure the following Import Preferences are selected: Import server-specific information and Import user permission settings.

  5. Click the Apply button in the details pane to save the changes and update the configuration.

Swap the Servers

Perform the following procedure to replace your ISA Server 2004 firewall with your new ISA Server 2006 computer.

Note

During the swap procedure, ISA Server services are not operational and users will experience an interruption of services until the swap has been completed. We recommend that you notify users before the migration that ISA Server services will be unavailable when the swap is in progress.

To replace an ISA Server 2004 computer with an ISA Server 2006 computer

  1. Disconnect the ISA Server 2006 computer from all networks.

  2. Make sure IP addresses on the ISA Server 2006 computer match the IP addresses on the ISA Server 2004 computer.

  3. Turn off the ISA Server 2006 computer.

  4. Mark the network cables on the ISA Server 2004 computer as External network, Internal network, and perimeter network.

  5. Shut down and disconnect the ISA Server 2004 computer from the network.

  6. Connect the ISA Server 2006 computer to the required networks and turn on the computer.

  7. Check that functions and connectivity in ISA Server 2006 are working properly.

Appendix A: Build-to-Build Upgrade

In addition to the product upgrade, ISA Server 2006 also supports a build-to-build upgrade. This allows you to upgrade a beta version of ISA Server 2006 to a new build of the same product. The following build-to-build upgrades are supported:

  • Beta to RC
  • RC to RTM

Perform the following procedures for build-to-build upgrades:

  • Export ISA Server 2006 Configuration
  • Uninstall ISA Server 2006
  • Install ISA Server 2006
  • Import Exported ISA Server 2006 Configuration

Export ISA Server 2006 Configuration

Perform the following procedure to export your ISA Server 2006 configuration to a file.

To export ISA Server 2006 configuration

  1. In the console tree of ISA Server Management, select Microsoft Internet Security and Acceleration Server 2006, and then click Server_Name.

  2. On the Tasks tab, click Export (Back Up) this ISA Server Configuration.

  3. Follow the on-screen instructions.

    Important

    Select the following Export Preferences: Export confidential information and Export user permission settings.

Uninstall ISA Server 2006

The following procedure describes how to uninstall ISA Server 2006.

To uninstall ISA Server

  1. Click Start, click Control Panel, and then double-click Add or Remove Programs.

  2. In Microsoft ISA Server 2006, click Change/Remove.

  3. On the Welcome page, click Next.

  4. On the Program Maintenance page, select Remove.

  5. On the Generated Files Removal page:

    • Select Do not remove Microsoft ISA Server 2006 log files, to save log files.
    • Select Do not remove Microsoft ISA Server 2006 cache files, to save cache files.
  6. Click Remove, to uninstall ISA Server 2006 from the computer.

  7. Click Finish to exit the wizard, when the removal process is complete.

Note the following:

  • Monitoring applications, such as Microsoft Operations Manager (MOM) agent, use ISA Server files and may interfere with ISA Server setup and removal. To avoid issues, stop these applications before taking any of the following actions:
    • Repair or modify
    • Uninstall
    • Install or uninstall of a service pack or hotfix
    • Upgrade
  • Before removing ISA Server, be sure to close ISA Server Management and ISA Server Performance Monitor.

Install ISA Server 2006

Perform the following procedure to install a newer build of ISA Server 2006.

To install ISA Server 2006

  • Install ISA Server 2006 Standard Edition. For more information, see the ISA Server 2006 Standard Edition Installation Guide.

Import Exported ISA Server 2006 Configuration

The following procedure describes how to import your configuration in ISA Server 2006.

To import ISA Server 2006 configuration file

  1. In the console tree of ISA Server Management, select Microsoft Internet Security and Acceleration Server 2006, and then click Server_Name.

  2. On the Tasks tab, click Import (Restore) this ISA Server Configuration.

  3. Follow the on-screen instructions.

    Important

    Make sure the following Import Preferences are selected: Import server-specific information and Import user permission settings.

  4. Click the Apply button in the details pane to save the changes and update the configuration.

  5. Check that functions and connectivity in ISA Server 2006 are working properly.