Migrating from ISA Server to Forefront Threat Management Gateway
For organizations that currently have a Microsoft ISA Server 2004/2006 deployment, performing an in-place upgrade to Forefront Threat Management Gateway (TMG) 2010 is not an option. ISA only runs on 32-bit Windows, while TMG runs exclusively on 64-bit Windows. Since there is no direct upgrade path from 32-bit to 64-bit Windows, migrating policies and configuration settings from ISA to TMG is the only alternative. Migration to TMG is supported from the following versions of ISA Server:
ISA Server 2004 Standard/Enterprise with Service Pack 3
ISA Server 2006 Standard/Enterprise with Service Pack 1
Depending on the version of ISA Server you are running, there are four migration paths available when migrating from ISA to TMG (not including TMG MBE):
ISA Server 2004/2006 Standard Edition to TMG Standard Edition
ISA Server 2004/2006 Standard Edition to TMG Enterprise Edition (standalone)
ISA Server 2004/2006 Enterprise Edition (single array/single array member) to TMG Enterprise Edition (standalone)
ISA Server 2004/2006 Enterprise Edition (single or multi-array) to TMG Enterprise Edition (EMS-managed)
Preparation
Migrating from previous versions of ISA server to TMG requires careful planning, consideration, and attention to detail. You should consider thoroughly documenting your existing environment as part of the migration process. This will include:
IP Addressing – Document IP addresses for all network interfaces, including the intra-array interface and any virtual IP addresses when using NLB. If you are using VPN services, be sure to record IP address ranges for remote access clients and site-to-site networks.
Routing – Document any static routes required for “network behind a network” scenarios.
DNS – Record any and all A host records or CNAME alias records in DNS associated with your ISA firewall. This will include statically configured host records for the ISA firewalls themselves, alias records for the proxy array, or WPAD records for client configuration.
WPAD – If you are using DHCP for client configuration, be sure to plan for those changes as well.
Certificates – Be sure to export any and all certificates (along with the private keys) required for operation. This includes machine certificates in a workgroup scenario and SSL certificates used for HTTPS publishing rules. Be advised that Windows Server 2008R2 includes fewer trusted root CAs by default, so check your certificates carefully.
Active Directory – If you have published web sites utilizing Kerberos Constrained Delegation (KCD), configure the computer account of the new system for delegation. If you have created a Service Principal Name (SPN) entry in the Kerberos database for the Configuration Storage Server (CSS), review and update that information as necessary.
Third-party Plug-ins – If any third-party plug-ins are installed on ISA they will be disabled after being migrated to TMG. Visit the vendor’s web site to see if an updated plug-in for TMG is available.
Scheduled and Custom Reports – Document all reports, as they will not be migrated to TMG.
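The documentation items above can be collected from the ISA host in one pass. The following PowerShell script is an added example, not part of the original post; it assumes PowerShell 2.0 or later on the ISA server, an elevated prompt, and that the output path and the proxy/WPAD host names in `$ProxyNames` are replaced with your own (the ones shown are constructed samples).

```powershell
# Pre-migration inventory for an ISA Server host (added example).
# Uses WMI and .NET calls available on Windows Server 2003/2008 so it
# runs on the source ISA machine, not only on the new TMG box.
$OutFile    = "C:\Temp\isa-premigration-inventory.txt"     # assumed path
$ProxyNames = @("proxy.example.com", "wpad.example.com")   # constructed sample names

$report = @()

$report += "=== IP addressing (every IP-enabled adapter, incl. intra-array/NLB VIPs) ==="
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" | ForEach-Object {
    $report += ("{0}: IP={1} Mask={2} GW={3} DNS={4}" -f $_.Description,
        ($_.IPAddress -join ","), ($_.IPSubnet -join ","),
        ($_.DefaultIPGateway -join ","), ($_.DNSServerSearchOrder -join ","))
}

$report += "=== Persistent static routes (network-behind-a-network) ==="
Get-WmiObject Win32_IP4PersistedRouteTable | ForEach-Object {
    $report += ("{0}/{1} via {2} metric {3}" -f $_.Destination, $_.Mask, $_.NextHop, $_.Metric1)
}

$report += "=== DNS names that should point at the firewall (A/CNAME/WPAD) ==="
foreach ($name in ($ProxyNames + $env:COMPUTERNAME)) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        $report += ("{0} -> {1}" -f $name, ($addrs -join ","))
    } catch {
        $report += ("{0} -> (does not resolve)" -f $name)
    }
}

$report += "=== Machine certificates with private keys (export these WITH the key) ==="
# Issuer is listed so each chain can be checked against the smaller default
# trusted-root set on the Windows Server 2008 R2 target before cut-over.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $status = if ($_.NotAfter -lt (Get-Date)) { "EXPIRED" } else { "valid" }
    $report += ("{0} | {1} | expires {2} ({3}) | issuer {4}" -f $_.Thumbprint, $_.Subject,
        $_.NotAfter.ToString("yyyy-MM-dd"), $status, $_.Issuer)
}

$report | Set-Content -Path $OutFile
Write-Host ("Inventory written to {0} ({1} lines)" -f $OutFile, $report.Count)
```

Keep the output file with the exported XML; it is the reference you compare the new TMG system against after the import.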
Do not assume that migrating to TMG will resolve any existing problems in your current environment. Use the ISA Best Practices Analyzer to perform a system health check and resolve any outstanding issues prior to migration.
System capacity should be evaluated when planning a migration from ISA to TMG. Although there are performance benefits when running on the latest 64-bit Windows operating system, TMG includes many new advanced protection features, and these capabilities consume additional resources. Use the Forefront TMG 2010 Capacity Planning Tool to determine if you have adequate hardware resources to support your implementation requirements.
Once the planning phase has been completed and the configuration of the new TMG system has passed initial testing, you can begin the actual migration from ISA to TMG.
Exporting from ISA
On the source (ISA 2004/2006 Standard Edition) system, open the management console and highlight the root node. Right-click and choose Export (Backup)…

For ISA Enterprise Edition, be sure to select the root node for the Enterprise, as shown here.

The Export Wizard dialog box opens.

Select the option to Export confidential information and enter a strong password, then select the option to Export user permission settings.

Specify a location to save the XML export file. This file will be copied to the TMG system for import later.

Review the settings and then choose Finish to begin the export.

Importing to TMG
Before importing a configuration to TMG, make certain that the Getting Started Wizard has not been run. This wizard will configure basic access rules that may prevent a configuration from importing properly. If the wizard has been used, remove any existing access policies created by the wizard prior to importing a configuration.
Note: When migrating from ISA Server 2004/2006 Enterprise Edition to TMG Enterprise Edition (EMS-managed) you must import the configuration on the EMS prior to creating an array or adding array members. Also, migrating from ISA Enterprise Edition (single array/single array member) to TMG Enterprise Edition in standalone mode requires an additional step before importing to TMG. For more information, please refer to the note at the end of this post.
On the target (TMG Standard or Enterprise standalone) system, open the management console and highlight the root node. Right-click and choose Import (Restore)…

For TMG Enterprise Edition (EMS-managed only), be sure to select the root node for the Enterprise, as shown here.

The Import Wizard dialog box opens.

Copy the previously exported XML file to the local TMG system, and then specify that location here.

TMG indicates that the export file is from an earlier version and that it will be upgraded to Forefront TMG.

Enter the password created during the original export.

Review the settings and then choose Finish to begin the import.

Import complete.

After successfully completing the migration process, TMG indicates that additional steps may be required. Address any issues as necessary.

Click Apply to save changes and update the configuration.
Note: If you have imported any web publishing rules that use HTTPS, verify that the correct SSL certificate is bound to the appropriate web listener used by the publishing rule before applying the configuration.

Exporting from ISA Enterprise (single array/single array member)
Before importing the configuration from ISA Enterprise (with a single array and a single array member) to TMG Enterprise standalone, it will first be necessary to convert the export file to a format recognized by TMG Enterprise standalone. This is required because the ISA Enterprise export contains Enterprise-level configuration and policies which are not supported by TMG Enterprise standalone. To convert the file, download and install the EE Single Server Conversion Tool for Forefront TMG included in the Forefront TMG Tools and SDK.
After installing the conversion tool and copying the ISA Enterprise configuration file to the TMG system, open a command prompt and navigate to C:\Program Files (x86)\Microsoft Forefront TMG Tools\EESingleServerConversion and enter the following command:
EESingleServerConversion.exe /s <source XML file> /t <target XML file>
This will convert the ISA Enterprise configuration file to a format supported on TMG Enterprise standalone. Once the file conversion is complete, the process of importing from ISA Enterprise single array/single array member to TMG Enterprise standalone is the same as importing from ISA Standard Edition.
Great post Richard!! Very useful!
Have you tried this yourself? This program does not seem to work. I can’t get the syntax correct to run it and I’ve tried multiple variations. I’ve researched but can’t seem to find any other documentation than with the tool, which is minimal. Any help would be greatly appreciated.
Hi Greg – yes, I have tried this and it worked for me without issue. Make certain you are exporting from the root node and be sure to include the option to export confidential information as well as permissions, otherwise it will fail. Documentation for the EESingleServerConversion utility can be found in the installation folder for the tool.
I’m having a problem exporting from ISA 2006 Standalone (not enterprise) to TMG 2010. Although I am exporting with the security checkbox on and a password, the import process gives me the error message about the import failing in TMG with the error that I have not exported with inclusion of these settings from the confidential information. Since I can manually create my policies quicker than trying to work around this bug (?), I am going to do so, but it is annoying.
In cases where the configuration isn’t complex, recreating rules is certainly an option. As long as you are exporting from the root node and including confidential information and permissions it should work. Keep in mind that the import may fail if you have completed the TMG ‘Getting Started Wizard’ prior to importing your ISA configuration.
Hi Richard,
Helpful post thanks. Hope you can help.
All migration guides I have came across suggest using the same server name on the new TMG server.
Would there be any implications of using a different name on the new TMG server?
Cheers, Steve.
How to Migrating from ISA Server Enterprise Edition to Forefront Threat Management Gateway Standard Edition?
No implications at all, Steve. I’ve had no trouble at all migrating from ISA to TMG where the server names are different. Thanks!
There is no migration path from ISA Enterprise Edition to TMG Standard Edition. You must migrate ISA EE to a TMG EE.
Thanks Richard, ready for migration now!
Is there a way to perform a rolling upgrade instead of all at once?
Unfortunately, no. The operating system is the roadblock here, I’m afraid. Since it is not possible to upgrade a 32-bit operating system to a 64-bit operating system, the only option is forklift upgrade.
Is there any way to gradually move say one group of people from the old ISA 2006 array to the new TMG 2010 array while keeping them up and running in parallel?
How are the clients configured? Are they Web Proxy or Firewall clients? Or are they SecureNAT clients?
It appears that they are a combination of Web Proxy and Firewall clients.
You’ve got a few options. If you are using DNS for WPAD, that will be a challenge because all of your clients will resolve that name to the same IP address(es). If you are using DHCP for WPAD, you can simply change the name of the proxy for different subnets. If you are using group policy to deploy proxy settings, create a separate GPO with the new settings and assign that selectively.
I was performing a test migration and I noticed that if you still have NLB enabled on your EMS server before you join a new TMG server to the array, the new TMG server will fail.
I’ve found it best to disable NLB after performing the restore on the new TMG EMS server and then join the new TMG servers to the array and then re-enable TMG.
Has anyone else noticed this?
I noticed that when you perform the ISA migration from CSS to EMS that the old ISA servers remain. Do you typically just delete the old ISA servers from the array after performing the migration?
Excellent point, Mike. I’ll update this document to include that information. Thanks for the great tip!
Yes, you can safely delete those orphaned array members in the TMG management console prior to adding members to the array.
Is it possible for you to do a blog entry on the supported method for using SecureNAT, Firewall Client and the Web Proxy Client in a NLB scenario?
As I understand it, the below list is what is supported by Microsoft. Yet, I see numerous companies using iterations thereof. Such as, FWC using NLB (officially unsupported). Also, as I understand it, the Web Proxy Client rotates randomly between array members at random (obtained and downloaded via wpad.dat). Therefore, even if you issue a DRAIN STOP on a NLB array member your Web Proxy Clients will still connect to the array member that you issued a DRAIN STOP on!
SecureNAT is supported by NLB
Firewall Client is supported by DNS Round Robin
Web Proxy Client is supported by CARP
Thanks.
Excellent idea, Mike. I’ll put that on my to-do list for sure. Thanks for the suggestion!
Say you have ISA 2006 Enterprise with 3 arrays (one per branch). What is the approach to migrating to TMG? Do you have to migrate all 3 arrays at the same time? I.e., can you have branch ISA arrays within TMG EE?
Hi John,
No, you don’t have to migrate all three arrays at the same time. You can easily migrate in stages, one array at a time. Since ISA 2006 and TMG cannot coexist in the same enterprise, you’ll essentially have two separate environments while you are migrating, but that shouldn’t be a problem at all. You can export your configuration from your current ISA environment, build a new TMG EMS, then import the configuration there (remember to do this before you add members to the arrays!). After that you can add array members at the first site and point clients to the new TMG firewalls while the remaining arrays are still running ISA. Once you’ve completed the first array migration you can proceed with the remaining arrays when you decide.
Ok so how do you delete the orphaned array members from ems server?
In the TMG management console, highlight the system node in the navigation tree, select the servers tab in the main console window, then right-click the orphaned firewall and choose delete. If this firewall is the reporting server for the array, you’ll be reminded to update that setting later. If that fails, you may need to use ADSIEDIT to manually remove the array or array members.
Excellent article Richard. I’m currently looking to setup a new TMG Enterprise alongside my existing ISA 2006 Enterprise and then move services over piece by piece.
I’ve just setup my first EMS of the Enterprise, and the first TMG server, but before I get to the point of joining it to the array I’m forced to enter the Internal networking configuration. I copied this from the existing ISA array, but then I could see traffic on the new TMG!! I hit the panic button and turned the box off and everything seems to be running as it was.
Is it possible to run the two in tandem on a live network? I don’t want any traffic going to the new TMG array until I tell it to.
Hi Andi,
ISA 2006 and TMG can peacefully coexist on your network without conflict, normally. Unless you specifically configured clients to use the new TMG firewall on your network, perhaps what you saw was just noise? The TMG firewall processes a fair amount of traffic on a busy network even if it is just standing idle without clients pointing to it. You might need to light it back up and watch the logs closely to see what those requests actually were.
Thanks for your reply, I did plug it in and found the traffic to be just broadcast traffic. I just panicked.
Better safe than sorry I guess.
When I use the EESingleServerConversion.exe tool I get the following: Error: This tool supports files exported from the root node only.
I have tried exporting the config from all parts of the server with the same result. Please suggest how to solve this issue.
I’ve only used the tool a few times and haven’t had any issues. Make sure you are exporting from the root node (sounds like you did) and don’t forget the prerequisites. Make sure you have ISA 2006 SP1 installed too.
Hi, i would like to migrate ISA 2006 standard edition to TMG 2010 EMS. When i try to import the ISA 2006 configuration i get this error:
The configuration could not be upgraded. Upgrading a standard edition configuration to a Forefront TMG Enterprise Management Server is not supported.
Other then going through a very Labor Intensive process of manually recreating the firewall rules, what are my options?
This is a supported upgrade path. It does require that you import the ISA configuration in to Forefront TMG 2010 before you join the firewall to an EMS, however. Give that a try and you should be successful.
Hi, I am getting a catastrophic failure (error 0x80000ffff) while importing the configuration file into TMG. Please help me…
This error is often encountered when some type of corruption has occurred. I would look very closely at your existing configuration and make sure that everything looks good prior to exporting the configuration.
Hi, you say:
I’ve only used the tool a few times and haven’t had any issues. Make sure you are exporting from the root node (sounds like you did) and don’t forget the prerequisites. Make sure you have ISA 2006 SP1 installed too.
So I must install EESingleServerConversion.exe on the ISA Server too?
My ISA server version is 2004.
You can run the EESingleServerConversion tool on any machine you wish. It does not have to be run on the ISA server or the Forefront TMG 2010 server. It should work with any supported migration path, either ISA Server 2004 SP3 or ISA Server 2006 SP1.