
Migrating from ISA Server to Forefront Threat Management Gateway

March 20, 2010

For organizations that currently have a Microsoft ISA Server 2004/2006 deployment, performing an in-place upgrade to Forefront Threat Management Gateway (TMG) 2010 is not an option. ISA only runs on 32-bit Windows, while TMG runs exclusively on 64-bit Windows. Since there is no direct upgrade path from 32-bit to 64-bit Windows, migrating policies and configuration settings from ISA to TMG is the only alternative. Migration to TMG is supported from the following versions of ISA Server:

ISA Server 2004 Standard/Enterprise with Service Pack 3
ISA Server 2006 Standard/Enterprise with Service Pack 1

Depending on the version of ISA Server you are running, there are four migration paths available when migrating from ISA to TMG (not including TMG MBE):

ISA Server 2004/2006 Standard Edition to TMG Standard Edition
ISA Server 2004/2006 Standard Edition to TMG Enterprise Edition (standalone)
ISA Server 2004/2006 Enterprise Edition (single array/single array member) to TMG Enterprise Edition (standalone)
ISA Server 2004/2006 Enterprise Edition (single or multi-array) to TMG Enterprise Edition (EMS-managed)

Preparation

Migrating from previous versions of ISA server to TMG requires careful planning, consideration, and attention to detail. You should consider thoroughly documenting your existing environment as part of the migration process. This will include:

IP Addressing – Document IP addresses for all network interfaces, including the intra-array interface and any virtual IP addresses when using NLB. If you are using VPN services, be sure to record IP address ranges for remote access clients and site-to-site networks.
Routing – Document any static routes required for “network behind a network” scenarios.
DNS – Record any and all A host records or CNAME alias records in DNS associated with your ISA firewall. This will include statically configured host records for the ISA firewalls themselves, alias records for the proxy array, or WPAD records for client configuration.
WPAD – If you are using DHCP for client configuration, be sure to plan for those changes as well.
Certificates – Be sure to export any and all certificates (along with the private keys) required for operation. This includes machine certificates in a workgroup scenario and SSL certificates used for HTTPS publishing rules. Be advised that Windows Server 2008 R2 includes fewer trusted root CAs by default, so check your certificates carefully.
Active Directory – If you have published web sites utilizing Kerberos Constrained Delegation (KCD), configure the computer account of the new system for delegation. If you have created a Service Principal Name (SPN) entry in the Kerberos database for the Configuration Storage Server (CSS), review and update that information as necessary.
Third-party Plug-ins – If any third-party plug-ins are installed on ISA they will be disabled after being migrated to TMG. Visit the vendor’s web site to see if an updated plug-in for TMG is available.
Scheduled and Custom Reports – Document all reports, as they will not be migrated to TMG.

Do not assume that migrating to TMG will resolve any existing problems in your current environment. Use the ISA Best Practices Analyzer to perform a system health check and resolve any outstanding issues prior to migration.

System capacity should be evaluated when planning a migration from ISA to TMG. Although there are performance benefits when running on the latest 64-bit Windows operating system, TMG includes many new advanced protection features, and these capabilities consume additional resources. Use the Forefront TMG 2010 Capacity Planning Tool to determine if you have adequate hardware resources to support your implementation requirements.

Once the planning phase has been completed and the configuration of the new TMG system has passed initial testing, you can begin the actual migration from ISA to TMG.

Exporting from ISA

On the source (ISA 2004/2006 Standard Edition) system, open the management console and highlight the root node. Right-click and choose Export (Backup)…

For ISA Enterprise Edition, be sure to select the root node for the Enterprise, as shown here.

The Export Wizard dialog box opens.

Select the option to Export confidential information and enter a strong password, then select the option to Export user permission settings.

Specify a location to save the XML export file. This file will be copied to the TMG system for import later.

Review the settings and then choose Finish to begin the export.

Importing to TMG

Before importing a configuration to TMG, make certain that the Getting Started Wizard has not been run. This wizard will configure basic access rules that may prevent a configuration from importing properly. If the wizard has been used, remove any existing access policies created by the wizard prior to importing a configuration.

Note: When migrating from ISA Server 2004/2006 Enterprise Edition to TMG Enterprise Edition (EMS-managed) you must import the configuration on the EMS prior to creating an array or adding array members. Also, migrating from ISA Enterprise Edition (single array/single array member) to TMG Enterprise Edition in standalone mode requires an additional step before importing to TMG. For more information, please refer to the note at the end of this post.

On the target (TMG Standard or Enterprise standalone) system, open the management console and highlight the root node. Right-click and choose Import (Restore)…

For TMG Enterprise Edition (EMS-managed only), be sure to select the root node for the Enterprise, as shown here.

The Import Wizard dialog box opens.

Copy the previously exported XML file to the local TMG system, and then specify that location here.

TMG indicates that the export file is from an earlier version and that it will be upgraded to Forefront TMG.

Enter the password created during the original export.

Review the settings and then choose Finish to begin the import.

Import complete.

After successfully completing the migration process, TMG indicates that additional steps may be required. Address any issues as necessary.

Click Apply to save changes and update the configuration.

Note: If you have imported any web publishing rules that use HTTPS, verify that the correct SSL certificate is bound to the appropriate web listener used by the publishing rule before applying the configuration.
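The certificate item in the Preparation list above and this note come down to the same check: every certificate the publishing rules depend on must leave ISA with its private key and must chain to a root that the new Windows Server 2008 R2 host trusts. The following PowerShell is an added example, not part of the original post or of the TMG tooling; it assumes PowerShell 2.0 or later on both hosts and uses placeholder folder paths. The thumbprint it reports is what you match against the web listener before clicking Apply.

```powershell
# Added example (not from the original post). Part 1 runs on the ISA host and
# exports every machine certificate with an exportable private key to PFX.
# Part 2 runs on the TMG host after the PFX files are copied over and checks
# that each one chains to a root the new host trusts and is not expired.
# Assumptions: PowerShell 2.0+, folder paths below are placeholders.

function Export-IsaCertificates {
    param(
        [Parameter(Mandatory=$true)][string]$OutputFolder,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$PfxPassword
    )
    if (-not (Test-Path $OutputFolder)) {
        New-Item -ItemType Directory -Path $OutputFolder | Out-Null
    }
    # X509Certificate2.Export() needs the password as plain text; zero it afterwards
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PfxPassword)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $exported = @()
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Certificates without a private key are of no use to a web listener
        if (-not $cert.HasPrivateKey) { continue }
        $file = Join-Path $OutputFolder ("{0}.pfx" -f $cert.Thumbprint)
        try {
            # Export() throws when the key was imported as non-exportable;
            # such certificates must be re-issued rather than migrated
            $bytes = $cert.Export(
                [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $plain)
            [IO.File]::WriteAllBytes($file, $bytes)
            $exported += New-Object PSObject -Property @{
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                File       = $file
            }
        } catch {
            Write-Warning ("{0}: private key is not exportable ({1})" -f `
                $cert.Subject, $_.Exception.Message)
        }
    }
    $plain = $null
    return $exported
}

function Test-PfxChain {
    param(
        [Parameter(Mandatory=$true)][string]$PfxPath,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$PfxPassword
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($PfxPath, $PfxPassword,
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is skipped so the result reflects only this host's root store,
    # which is the thing that differs between the old ISA box and 2008 R2
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $valid  = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $root   = ''
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
    New-Object PSObject -Property @{
        File        = $PfxPath
        Thumbprint  = $cert.Thumbprint
        Subject     = $cert.Subject
        Expired     = ($cert.NotAfter -lt (Get-Date))
        ChainValid  = $valid
        ChainStatus = $status
        Root        = $root
    }
}

# Usage on the ISA host (placeholder path):
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Export-IsaCertificates -OutputFolder 'C:\migration\certs' -PfxPassword $pw |
#       Format-Table Subject, Thumbprint, NotAfter
# Usage on the TMG host after copying the folder:
#   Get-ChildItem 'C:\migration\certs\*.pfx' |
#       ForEach-Object { Test-PfxChain -PfxPath $_.FullName -PfxPassword $pw } |
#       Format-Table Subject, Thumbprint, Expired, ChainValid, ChainStatus, Root
```

Any PFX reported with ChainValid false and a ChainStatus of UntrustedRoot or PartialChain needs the issuing CA's certificate added to the TMG host's trusted roots (or intermediates) before the listener will serve it cleanly.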

Exporting from ISA Enterprise (single array/single array member)

Before importing the configuration from ISA Enterprise (with a single array and a single array member) to TMG Enterprise standalone, it will first be necessary to convert the export file to a format recognized by TMG Enterprise standalone. This is required because the ISA Enterprise export contains Enterprise-level configuration and policies which are not supported by TMG Enterprise standalone. To convert the file, download and install the EE Single Server Conversion Tool for Forefront TMG included in the Forefront TMG Tools and SDK.

After installing the conversion tool and copying the ISA Enterprise configuration file to the TMG system, open a command prompt and navigate to C:\Program Files (x86)\Microsoft Forefront TMG Tools\EESingleServerConversion and enter the following command:

EESingleServerConversion.exe /s <source XML file> /t <target XML file>

This will convert the ISA Enterprise configuration file to a format supported on TMG Enterprise standalone. Once the file conversion is complete, the process of importing from ISA Enterprise single array/single array member to TMG Enterprise standalone is the same as importing from ISA Standard Edition.

Categories: Forefront TMG 2010
  1. March 25, 2010 at 9:44 am

    Great post Richard!! Very useful!

  2. March 28, 2010 at 4:14 pm

    Have you tried this yourself? This program does not seem to work. I can’t get the syntax correct to run it and I’ve tried multiple variations. I’ve researched but can’t seem to find any other documentation than with the tool, which is minimal. Any help would be greatly appreciated.

  3. April 1, 2010 at 10:33 am

    Hi Greg – yes, I have tried this and it worked for me without issue. Make certain you are exporting from the root node and be sure to include the option to export confidential information as well as permissions, otherwise it will fail. Documentation for the EESingleServerConversion utility can be found in the installation folder for the tool.

  4. RobertSeattle
    April 23, 2010 at 9:03 am

    I’m having a problem exporting from ISA 2006 Standalone (not enterprise) to TMG 2010. Although I am exporting with the security checkbox on and a password, the import process gives me the error message about the import fails in TMG with the error I have not exported with inclusion of these settings from the confidential information. Since I can manually create my policies quicker than trying to workaround this bug (?), I am going to do so, but it is annoying.

  5. April 27, 2010 at 12:00 pm

    In cases where the configuration isn’t complex, recreating rules is certainly an option. As long as you are exporting from the root node and including confidential information and permissions it should work. Keep in mind that the import may fail if you have completed the TMG ‘Getting Started Wizard’ prior to importing your ISA configuration.

  6. Steve Mackay
    December 22, 2010 at 4:19 am

    Hi Richard,
    Helpful post thanks. Hope you can help.
    All migration guides I have come across suggest using the same server name on the new TMG server.
    Would there be any implications of using a different name on the new TMG server?
    Cheers, Steve.

  7. fahoo
    December 23, 2010 at 9:06 pm

    How to migrate from ISA Server Enterprise Edition to Forefront Threat Management Gateway Standard Edition?

  8. December 24, 2010 at 10:59 am

    No implications at all, Steve. I’ve had no trouble at all migrating from ISA to TMG where the server names are different. Thanks!

  9. December 24, 2010 at 11:01 am

    There is no migration path from ISA Enterprise Edition to TMG Standard Edition. You must migrate ISA EE to a TMG EE.

  10. Steve Mackay
    January 10, 2011 at 2:04 am

    Thanks Richard, ready for migration now!

  11. April 17, 2011 at 2:06 pm

    Is there a way to perform a rolling upgrade instead of all at once?

  12. April 17, 2011 at 6:48 pm

    Unfortunately, no. The operating system is the roadblock here, I’m afraid. Since it is not possible to upgrade a 32-bit operating system to a 64-bit operating system, the only option is forklift upgrade.

  13. April 17, 2011 at 7:18 pm

    Is there any way to gradually move say one group of people from the old ISA 2006 array to the new TMG 2010 array while keeping them up and running in parallel?

  14. April 17, 2011 at 7:41 pm

    How are the clients configured? Are they Web Proxy or Firewall clients? Or are they SecureNAT clients?

  15. April 18, 2011 at 4:08 pm

    It appears that they are a combination of Web Proxy and Firewall clients.

  16. April 20, 2011 at 11:45 am

    You’ve got a few options. If you are using DNS for WPAD, that will be a challenge because all of your clients will resolve that name to the same IP address(es). If you are using DHCP for WPAD, you can simply change the name of the proxy for different subnets. If you are using group policy to deploy proxy settings, create a separate GPO with the new settings and assign that selectively.

  17. April 22, 2011 at 11:39 am

    I was performing a test migration and I noticed that if you still have NLB enabled on your EMS server before you join a new TMG server to the array, the new TMG server will fail.

    I’ve found it best to disable NLB after performing the restore on the new TMG EMS server and then join the new TMG servers to the array and then re-enable TMG.

    Has anyone else noticed this?

  18. April 22, 2011 at 11:44 am

    I noticed that when you perform the ISA migration from CSS to EMS that the old ISA servers remain. Do you typically just delete the old ISA servers from the array after performing the migration?

  19. April 22, 2011 at 12:27 pm

    Excellent point, Mike. I’ll update this document to include that information. Thanks for the great tip! 😀

  20. April 22, 2011 at 12:28 pm

    Yes, you can safely delete those orphaned array members in the TMG management console prior to adding members to the array.

  21. May 13, 2011 at 1:02 pm

    Is it possible for you to do a blog entry on the supported method for using SecureNAT, Firewall Client and the Web Proxy Client in a NLB scenario?

    As I understand it, the below list is what is supported by Microsoft. Yet, I see numerous companies using iterations thereof. Such as, FWC using NLB (officially unsupported). Also, as I understand it, the Web Proxy Client rotates randomly between array members at random (obtained and downloaded via wpad.dat). Therefore, even if you issue a DRAIN STOP on a NLB array member your Web Proxy Clients will still connect to the array member that you issued a DRAIN STOP on!

    SecureNAT is supported by NLB
    Firewall Client is supported by DNS Round Robin
    Web Proxy Client is supported by CARP

    Thanks.

  22. May 14, 2011 at 8:39 am

    Excellent idea, Mike. I’ll put that on my to-do list for sure. Thanks for the suggestion! 🙂

  23. john
    June 5, 2011 at 9:42 am

    Say you have ISA 2006 Enterprise with 3 arrays (one per branch). What is the approach to migrating to TMG? Do you have to migrate all 3 arrays at the same time? i.e., can you have branch ISA arrays within TMG EE?

  24. June 7, 2011 at 12:09 am

    Hi John,

    No, you don’t have to migrate all three arrays at the same time. You can easily migrate in stages, one array at a time. Since ISA 2006 and TMG cannot coexist in the same enterprise, you’ll essentially have two separate environments while you are migrating but that shouldn’t be a problem at all. You can export your configuration from your current ISA environment, build a new TMG EMS, then import the configuration there (remember to do this before you add members to the arrays!). After that you can add array members at the first site and point clients to the new TMG firewalls while the remaining arrays are still running ISA. Once you’ve completed the first array migration you can proceed with the remaining arrays when you decide.

  25. Tim
    July 2, 2011 at 4:28 pm

    Ok so how do you delete the orphaned array members from ems server?

  26. July 9, 2011 at 2:08 pm

    In the TMG management console, highlight the system node in the navigation tree, select the servers tab in the main console window, then right-click the orphaned firewall and choose delete. If this firewall is the reporting server for the array, you’ll be reminded to update that setting later. If that fails, you may need to use ADSIEDIT to manually remove the array or array members.

  27. Andi
    August 16, 2011 at 5:53 am

    Excellent article Richard. I’m currently looking to setup a new TMG Enterprise alongside my existing ISA 2006 Enterprise and then move services over piece by piece.

    I’ve just setup my first EMS of the Enterprise, and the first TMG server, but before I get to the point of joining it to the array I’m forced to enter the Internal networking configuration. I copied this from the existing ISA array, but then I could see traffic on the new TMG!! I hit the panic button and turned the box off and everything seems to be running as it was.

    Is it possible to run the two in tandem on a live network? I don’t want any traffic going to the new TMG array until I tell it to.

  28. August 18, 2011 at 8:18 pm

    Hi Andi,

    ISA 2006 and TMG can peacefully coexist on your network without conflict, normally. Unless you specifically configured clients to use the new TMG firewall on your network, perhaps what you saw was just noise? The TMG firewall processes a fair amount of traffic on a busy network even if it is just standing idle without clients pointing to it. You might need to light it back up and watch the logs closely to see what those requests actually were.

  29. Andi
    August 18, 2011 at 11:32 pm

    Thanks for your reply, I did plug it in and found the traffic to be just broadcast traffic. I just panicked.

  30. August 19, 2011 at 10:26 am

    Better safe than sorry I guess. 🙂

  31. Abdul
    October 25, 2011 at 6:49 am

    When I use the EESingleServerConversion.exe tool I get the following: Error: This tool supports files exported from the root node only.

    I have tried exporting the config from all parts of the server with the same result. Please suggest how to solve this issue.

  32. October 28, 2011 at 9:31 am

    I’ve only used the tool a few times and haven’t had any issues. Make sure you are exporting from the root node (sounds like you did) and don’t forget the prerequisites. Make sure you have ISA 2006 SP1 installed too.

  33. ruudboek
    October 31, 2011 at 5:43 am

    Hi, I would like to migrate ISA 2006 Standard Edition to TMG 2010 EMS. When I try to import the ISA 2006 configuration I get this error:

    The configuration could not be upgraded. Upgrading a standard edition configuration to a Forefront TMG Enterprise Management Server is not supported.

    Other than going through a very labor-intensive process of manually recreating the firewall rules, what are my options?

  34. November 2, 2011 at 12:34 pm

    This is a supported upgrade path. It does require that you import the ISA configuration in to Forefront TMG 2010 before you join the firewall to an EMS, however. Give that a try and you should be successful.

  35. Siva
    November 8, 2011 at 4:43 am

    Hi, I am getting catastrophic failure (error 0x80000ffff) while importing the configuration file into TMG. Please help me…

  36. November 12, 2011 at 2:07 pm

    This error is often encountered when some type of corruption has occurred. I would look very closely at your existing configuration and make sure that everything looks good prior to exporting the configuration.

  37. danniel
    December 11, 2011 at 10:21 pm

    Hi~ you say
    I’ve only used the tool a few times and haven’t had any issues. Make sure you are exporting from the root node (sounds like you did) and don’t forget the prerequisites. Make sure you have ISA 2006 SP1 installed too.

    So I must install EESingleServerConversion.exe on the ISA Server too??
    My ISA server version is 2004.

  38. December 12, 2011 at 8:46 pm

    You can run the EESingleServerConversion tool on any machine you wish. It does not have to be run on the ISA server or the Forefront TMG 2010 server. It should work with any supported migration path, either ISA Server 2004 SP3 or ISA Server 2006 SP1.

  39. April 18, 2012 at 5:24 am

    Hi Rick:
    I’m currently performing an ISA EE Single server/Single Array to TMG Standalone array migration. I was able to export and convert the configuration and the importing process progresses to about 95% and then I get a catastrophic failure error 0x8000ffff. Is there any way to find out exactly what I’m doing wrong by maybe turn on diagnostics on TMG?

    Thanks in advance

  40. May 5, 2012 at 10:26 pm

    In my experience this is often caused by a corrupt object in the configuration or policy on ISA. I’d suggest installing the TMG BPA and running in repro mode while you’re attempting to import the configuration. That should yield some additional information. Others have also encountered this error message when the EMS is installed on a domain controller, which hopefully isn’t the case here. Thought I’d mention it just in case though.

  41. HB
    May 10, 2012 at 2:38 pm

    Is there a path to migrate an Enterprise ISA 2004 multi server array to a TMG Enterprise standalone array without using an EMS server? I tried using the EESingleServerConversion tool but it comes back with the message: Error: This tool supports files exported from a single server configuration only. Help please.

  42. May 14, 2012 at 8:29 pm

    You can use the EESingleServerConversion tool to migrate from ISA to Forefront TMG 2010 Enterprise standalone, but it requires that your ISA enterprise be configured with only a single array, and that array must have only a single server. If your current configuration doesn’t meet these requirements you’ll have to migrate to TMG with an EMS.

  43. HB
    May 15, 2012 at 1:34 pm

    Can I migrate using the EMS server and then get rid of the EMS server and make a standalone Enterprise single NLB server array after the migration. I basically want to end up with a NLB single array without EMS.

  44. May 15, 2012 at 2:35 pm

    Not to my knowledge. If you migrate to Forefront TMG 2010 with EMS, then later remove the array member from the EMS-managed array, the policy stays on the EMS and the array member has only the default policy. Depending on your configuration it might be easier to create a new standalone TMG array and recreate your policy, or you could just leave the EMS in place. Honestly, I’d stick with the EMS. In my experience there are more problems with standalone arrays than with EMS-managed arrays.

  45. HB
    May 16, 2012 at 4:32 am

    I was just trying to stay away from having an extra server just for EMS since I’m only going to have a single NLB array. Is there any impact on the existing 2004 array during a migration? I am worried that the migration might plug in current IPs from my existing 2004 array to the new TMG array and I could have conflicts. I basically want to build the TMG parallel to my production ISA and then switch over to the new TMG after TMG is completed and tested.

  46. HB
    May 16, 2012 at 5:18 am

    Also, what if I didn’t export the root node of the Enterprise ISA array and built the standalone TMG array. Could I then export at the ISA array configuration level and then import that into TMG. I don’t see much in my ISA enterprise policy anyway. I just want to import my array system policy and firewall rules.

  47. May 16, 2012 at 8:04 am

    The existing VIPs on your current ISA 2004 array will be imported to your new environment. If you can, I’d suggest disabling and removing the NLB configuration prior to exporting your configuration. However, this is increasingly looking like a good candidate for recreating configuration and policy as opposed to export/import.

  48. May 16, 2012 at 8:05 am

    Doesn’t work, I’m afraid. When migrating from ISA to TMG you absolutely must export from the root node. If not, the import process fails every time.

  49. HB
    June 14, 2012 at 5:19 am

    What are the implications of editing the XML file from an ISA 2004 export of the firewall policy and importing that into TMG? I have successfully done that and imported into TMG. Basically I updated the values in the XML that define the ISA version and the scope values from 1 to 0 (multi to single server). My rules imported fine and look correct.

  50. June 15, 2012 at 1:59 pm

    Not sure. I certainly wouldn’t recommend this method, but if it works for you and your testing checks out, it must be ok. I’d caution that it may not be supported though, so again, I personally wouldn’t recommend that anyone do this without a very good reason. And if they do, please proceed cautiously and make sure you have good backups! 🙂

  51. meczka
    June 26, 2012 at 4:13 am

    How to migrate from Forefront 6.0 MBE to TMG 2010?

  52. June 28, 2012 at 2:00 pm

    Honestly, I’m not certain. I don’t have any personal experience with Forefront TMG 2010 MBE.

  53. KN
    July 25, 2012 at 10:44 am

    Hello Richard.
    Very good article, indeed!
    I need to migrate from ISA 2006 EE (without CSS and no array) to TMG EMS fresh install.
    I tried to import the config but I had an error: “The exported file contains an object of type Array which cannot be imported into an object of type Item.”
    Is it possible to do what I am looking for? If not, is there some possibility to migrate at first to TMG Standalone Server and then to TMG EMS?
    Thanks a lot!

  54. July 25, 2012 at 10:57 am

    Since it is technically impossible to have ISA 2006 EE installed without a CSS or array, I’m going to assume you mean that you have one ISA firewall running EE with the CSS installed on the same host and a single array. Migrating from your configuration to Forefront TMG 2010 with a single server (standard or enterprise edition) requires the use of the EESingleServerConversion.exe tool that comes with the SDK. Read the last part of this article closely as it includes detailed instructions on how to accomplish that.

    Thanks!

  55. KN
    July 25, 2012 at 11:11 am

    Thank you Richard for the fast reply!
    I am sorry, I have ISA 2006 Standard Edition and need to pass its config to a new TMG EE Array managed by TMG EMS. This is a new implementation of TMG EE, the array servers are fresh installed and the EMS Server has no configuration. So I am looking for the way to import the ISA 2006 SE config to the EMS Server.
    Thanks in advance!

  56. July 25, 2012 at 11:17 am

    In that case you’ll need to import the ISA configuration in to TMG *before* joining the TMG firewall to the array. When you join the TMG firewall to the array, select the option to include the current configuration in the new array.

  57. Justin
    August 29, 2012 at 1:22 am

    Hi, I will be moving our clients TMG mbe version to TMG 2010 Standard edition. Is there a direct upgrade option or does it require a rebuild of TMG on the server?

  58. August 29, 2012 at 8:23 pm

    I don’t believe you can perform an in-place upgrade from TMG MBE to TMG standard edition. However, you should be able to export your configuration from TMG MBE and import to TMG. I’ve not tried that myself though, so if you do please share your experience here. Thanks! 🙂

  59. September 11, 2012 at 6:24 am

    Hi Richard… great post…. I am performing a migration from ISA 2006 Standard to TMG 2010 Enterprise (standalone array, with 2 nodes in NLB configuration)…. Will the trick of importing the configuration before building the array work?… thank you in advance

  60. September 11, 2012 at 9:02 am

    The way to accomplish this is to migrate from your existing ISA Server 2006 box to a single Forefront TMG 2010 enterprise edition box. After that, build out the EMS infrastructure and join that TMG firewall to the array, selecting the option to use the existing policy on the new array. Should work like a charm. 🙂

  61. Olaf Schmidt
    September 28, 2012 at 1:35 am

    Hi Richard – thanks for the post – very interesting.
    I’m having a single EE ISA 2006 and want to migrate that box to an EMS controlled TMG array. Export/Import works, but if I want to delete the old server (under System-Server) there comes “there is a weblistener with certificates…:”. Then I’m looking at the Properties of that Weblistener and click on “Certificates” there comes “RPC Server not available..” – of course not, it’s offline. When I try to install another TMG to the array – “an old version of TMG..
    So, what can I do – do you have an idea??
    Thank you in advance…

  62. October 1, 2012 at 8:37 am

    If you can’t successfully delete the old server from the EMS, you may need to manually delete it from the configuration using ADSIEdit. You can really make a mess of things if you don’t do this correctly, however. I’d suggest that you open a support case with Microsoft to resolve the issue.

  63. Frank
    November 29, 2012 at 11:57 pm

    Hi Richard!
    Thanks for this article, this is very qualified and useful so far. But now I also have a question because I want to migrate an ISA2006 EE Single-Array to TMG2010 EE EMS-Managed.
    And now I’m stuck at this point…
    In ISA2006 I have a config-server, MGMT1 and two array-servers FW1 and FW2.
    FW2 was deleted from config and freshly installed with W2K8R2SP1.
    I already exported config and successfully imported it to a newly installed MGMT2 with TMG-EMS.
    Now I want to install TMG2010-Firewall-services on FW2 to re-use it as array-member for the “new” TMG-2010-array. It hangs at “initializing configuration agent”… I see the configuration storage service running and see incoming connections from the old array-configuration server MGMT1 (ISA2006) on port 3847?
    All servers are domain-members of the same domain, could this be a problem?
    Is co-existence in the same domain a problem?
    Thanks in advance…

  64. November 30, 2012 at 1:09 pm

    Assuming your rebuilt TMG firewall is using the same name/IP address as the old box? If so, it sounds like the old ISA server is still trying to communicate with your new TMG system. However, I don’t think that would cause any problems. To eliminate the possibility you might want to delete FW2 from your old ISA CSS just for good measure.

  65. Frank
    December 3, 2012 at 12:17 am

    Thanks a lot.
    FW2 was already deleted from ISA CSS…
    We solved this by moving FW2 out of the domain into a workgroup, then installed TMG2010 Firewall-services and after that we re-added the computer to the domain. In this way, no more communication came from the old configuration server MGMT1 on port 3847.
    Thank you!

  66. Glenn
    January 24, 2013 at 10:05 am

    Trying to move from ISA 2006 to ?? Talked with a MS rep and they said Forefront TMG is no longer and suggested I continue to use ISA 2006. Do you know of any other options to upgrade from ISA? Thanks.

  67. January 25, 2013 at 2:33 pm

    Depending on your deployment scenario, migrating to Forefront TMG 2010 might still be a good idea. Although TMG is official end-of-life, it is still an excellent product. The challenge will be obtaining licensing for it, as I understand that OEM appliance providers are the only way to obtain them going forward. If you are interested in secure remote access, Forefront UAG is a good choice. Microsoft does not have an alternative for outbound (forward) proxy, however.

  68. Sal
    January 31, 2013 at 11:18 am

    Richard:
    We performed the ISA to TMG scenario and for some reason half of our rules did not work. When we installed and what is not show in your example is when initially installing TMG it asks to define the addresses of the TMG box. I think the issue here is we assigned it a temporary static address and when we imported the configuration and changed the static address TMG did not pick that up. Any suggestions on this?

  69. February 4, 2013 at 11:25 am

    Importing won’t change the IP addresses assigned to the network interfaces on the TMG firewall. It will, however, change the internal network definition in the TMG policy. If this doesn’t match your new firewall’s network interface configuration it will definitely cause some issues. I’d suggest clearing the Internal network definition and rebuilding by clicking on “add adapter”.

  70. George
    March 17, 2015 at 10:08 am

    Hello Richard: Not sure if you’re still monitoring this since it’s quite old, but I’m having a perplexing issue with our migration from ISA 2006 to TMG 2010. In a nutshell, we use DNS for WPAD.dat distribution. To test the WPAD.dat from TMG before I make a global change in DNS, I have changed the HOSTS record of a group of Windows 7 users in our pilot group. When I look at their IE, all proxy settings are correct with the new TMG server, as is the automatically detected Forefront Server in their Forefront TMG client (we run that on all workstations here.) However, their internet traffic is still going through the old ISA server. I found that Internet traffic will only go through TMG if I delete the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad on the workstation (the subkeys of this key are loaded with wpad.dat pointers to the existing ISA server). Any idea what the problem might be? I don’t particularly want to delete this key on all our workstations unless there’s a good reason to. Thanks!

  71. March 17, 2015 at 2:21 pm

Did you export your existing ISA configuration into TMG by chance?

  72. George
    March 17, 2015 at 2:29 pm

    Yes, I did. Could that have caused an issue? I feel like I’ve checked and double-checked everything with TMG’s configuration. All seems good except for the misdirected outbound web traffic. As soon as I delete the WPAD key, no more traffic goes through the old ISA server and all is good. Thanks for the quick reply!

  73. George
    March 18, 2015 at 9:49 am

    One other tidbit I just discovered is that the current ISA 2006 server in production has a CNAME DNS record instead of an A record. Been that way for years and has been working fine, but I notice that some folks recommend an A Record instead. Not sure if that has any significance or not, but thought I’d mention it. Thanks!

  74. George
    March 18, 2015 at 3:40 pm

Okay, one more clue. Apparently my new TMG server isn’t using port 80 for publishing wpad.dat even though port 80 is specified on the AutoDiscovery tab of TMG. If I use :8080 in http://servername.com:8080/wpad.dat it downloads. Could this be an issue? I’m not able to actually download the wpad.dat file because my entry in the HOSTS file is unable to look for anything besides port 80? Any idea how to fix TMG to actually publish on port 80 like it’s supposed to? I don’t have IIS running on the TMG server, but I do have an internal listener that uses port 80. Our ISA server has the same listener configured; however, it does publish wpad.dat correctly on port 80. Sorry for polluting this thread!

  75. March 22, 2015 at 9:08 pm

    Absolutely. The imported configuration includes the original server name. You’ll have to edit the web proxy server settings on the new server to include the name of the new proxy. Email me if you need help. 🙂

  76. March 22, 2015 at 9:09 pm

You’ll need to also update the CNAME record to point to the hostname of the new TMG server. That along with the changes to the configuration I mentioned earlier should resolve your issue.

  77. March 22, 2015 at 9:11 pm

    This is two different things completely. The autodiscovery component does run on port 80, but it sounds like you have the web proxy listener itself configured to run on port 8080. BTW, you’re not polluting the thread at all. All relevant questions! 🙂
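
As an added example (not from the post or from either participant in this thread), the PowerShell below audits the per-user WPAD cache key George describes and reports which cached subkeys still reference the retired proxy, so you can see why clients keep using the old server before deciding to clear anything. The hostname parameter is a placeholder to be replaced with your old ISA server's name; removal is optional and honours -WhatIf.

```powershell
# Added example: audit the cached WPAD autodetection results for one user and
# flag entries that still point at the old proxy. Run in the affected user's session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder, not from the post: name of the retired ISA server
    [string]$OldProxyHost = 'old-isa.example.local',
    # When set, stale subkeys are removed (use -WhatIf to preview first)
    [switch]$Remove
)

$wpadKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad'

if (-not (Test-Path -Path $wpadKey)) {
    Write-Output "No WPAD cache key present for this user."
    return
}

# Each subkey holds the cached autodetection result for one network signature.
$stale = foreach ($sub in Get-ChildItem -Path $wpadKey) {
    $props = Get-ItemProperty -Path $sub.PSPath
    foreach ($p in $props.PSObject.Properties) {
        # Skip PowerShell's own bookkeeping properties (PSPath, PSParentPath, ...)
        if ($p.Name -like 'PS*') { continue }
        $data = [string]$p.Value
        # Match regardless of value name, so we do not depend on undocumented names
        if ($data -match [regex]::Escape($OldProxyHost)) {
            [pscustomobject]@{
                SubKey = $sub.PSChildName
                Value  = $p.Name
                Data   = $data
            }
        }
    }
}

if (-not $stale) {
    Write-Output "No cached WPAD entries reference $OldProxyHost."
    return
}

$stale | Format-Table -AutoSize

if ($Remove) {
    foreach ($key in ($stale | Select-Object -ExpandProperty SubKey -Unique)) {
        $path = Join-Path -Path $wpadKey -ChildPath $key
        if ($PSCmdlet.ShouldProcess($path, 'Remove stale WPAD cache subkey')) {
            Remove-Item -Path $path -Recurse
        }
    }
}
```

Clearing only the matching subkeys forces a fresh autodetection on the next network connect, which is narrower than deleting the whole Wpad key as described above.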

  78. Steve
    September 22, 2015 at 2:05 am

Richard, I am doing a belated migration from an ISA 2006 Enterprise Edition Array to TMG 2010 Enterprise Edition. We have 2 servers with one as the CSS. We have limited kit and need to stick with 2 servers and so a Standalone TMG 2010 Array without an EMS will be used. This means I need to manually reconfigure TMG and then I plan to configure Load Balancing by using the old load balanced VIP. The query is, is it possible to remove the non-CSS server from the Array and then export the config so that as far as TMG is concerned the import comes from a single TMG server with CSS and therefore is supported for migration?

  79. September 22, 2015 at 5:48 pm

Yes, that’s correct. Take the ISA server node that does not have the CSS installed on it out of the array. Export the configuration and then use the conversion tool I outlined at the end of this post. After you’ve converted the XML file using the tool, import it into the TMG server and then create your standalone array after that. Should work just fine!

  80. Steve
    September 28, 2015 at 3:44 am

Thanks. You mentioned in earlier posts that new server names shouldn’t be an issue. Do we need to change the names in the exported XML file for our new server name? Also we want to use new IP addresses for the new TMG server’s network cards, but configure the VIP as before as that talks to the firewalls etc. I believe the earlier advice is to remove load balancing configuration prior to the export, then reconfigure the VIP on switchover. Will the import overwrite the IPs of the network cards on the new TMG server (i.e. normal IPs and not VIPs) or will they remain?

  81. October 1, 2015 at 8:41 am

There’s no need to edit the XML file to change server names. If you are going to import the XML file to a server with a different hostname, you’ll need to go into the TMG management console after you’ve completed the import and change the name of the proxy server, if you’re using that feature. I do recommend removing NLB prior to export and reconfiguring afterwards. Not doing so will surely be problematic. Also, the import will not overwrite any IP addresses on the new TMG server at all.

  82. Steve
    October 2, 2015 at 2:36 am

Many thanks for the excellent advice. We don’t use the proxy server feature and so that’s fine. Last query is that we plan to transition our Pre-Live test environment first, using the process to get that environment to TMG 2010. Then export the TMG 2010 configuration in Pre-Live into the identical setup on live servers on kit built alongside the current live environment (so a TMG 2010 export and import). Should I still disable load balancing prior to the export/import when going from TMG 2010 to TMG 2010?

  83. October 2, 2015 at 6:59 am

    Based on my experience, I would still recommend disabling NLB. It doesn’t take that much to configure it again afterward and it could save you a lot of grief. 🙂
