
Migrating from ISA 2004/2006 to Forefront TMG

The Internet Security & Acceleration (ISA) Server has been replaced by the Forefront Threat Management Gateway (TMG).

In this translated article, we look at the process of moving from ISA 2004/2006 to Forefront TMG.

There is no in-place upgrade from ISA Server 2004/2006 to TMG: Forefront TMG runs only on 64-bit Windows, while ISA runs only on 32-bit Windows.

Transferring the rules and configuration from ISA to TMG is therefore the only way forward.
Such a transfer is possible from ISA 2004 SP3 or ISA 2006 SP1.
Depending on which version of ISA you have, there are four possible migration options (excluding TMG MBE, the Medium Business Edition).

Preparation

Moving from earlier versions of ISA to TMG requires careful planning, analysis and attention to detail. Before you start, collect and record all the essential information about the existing system, including:

IP addressing - record the IP addresses of all network interfaces, including the interface used for intra-array communication between members and the virtual IP addresses used by NLB (Network Load Balancing). If you use VPN, also write down the address ranges for remote-access clients and for site-to-site networks.

Routing - write down all static routes required by your network topology.

DNS - save separately all host (A) records and CNAME aliases used by the ISA firewall. This includes statically configured host records for the ISA server, proxy server aliases, and WPAD (Web Proxy Auto-Discovery) records for clients.

WPAD - if clients in your company receive their WPAD configuration via DHCP, note that the migration will affect them as well.

Certificates - export all certificates and keys required for migration to TMG, including computer certificates and the SSL certificates used by HTTPS publishing rules. Keep in mind that Windows Server 2008 R2 ships with far fewer root certificates by default than Windows Server 2008 or earlier versions of Windows Server.
</gml_replace>
<gr_replace lines="31-31" cat="clarify" orig="Active Directory">
Active Directory - if you publish websites using Kerberos Constrained Delegation (KCD), configure the computer account of the new system for delegation. If you created a Service Principal Name (SPN) in Kerberos for the Configuration Storage Server (CSS), update it as necessary.

Active Directory - if you have published websites using the Kerberos protocol extension - Constrained Delegation (KCD), set up a computer account with a new system for delegation. If you created an SPN (Service Principal Name Match) entry in the Kerberos database for a Configuration Storage Server (CSS), update it if necessary.

Third-party solutions - note that any third-party add-ons installed on ISA will not work after migration. Check the vendors' sites for versions of the plug-ins built for TMG.

Standard and custom reports - save all reports; they are not transferred to Forefront TMG either.
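As an added example that is not part of the original article, the following PowerShell script collects the items from the checklist above on the existing ISA host into a timestamped folder, so the recorded values can be compared with the new TMG host after the import. The output folder, the `proxy` and `wpad` alias names, and the presence of setspn.exe are assumptions; adjust them to your environment.

```powershell
# Added example, not part of the original post: snapshot the pre-migration
# inventory (addresses, routes, DNS names, certificates, SPNs, add-ons) on the
# ISA host. Output folder, looked-up alias names and setspn.exe are assumptions.
param(
    [string]$OutDir = "C:\ISA-Migration-Inventory"   # assumed location
)

$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$dir   = Join-Path $OutDir $stamp
New-Item -ItemType Directory -Path $dir -Force | Out-Null

function Save-Output {
    # Run a native command through cmd.exe so its stderr is captured too,
    # and record which command produced the text.
    param([string]$Command, [string]$File)
    $path = Join-Path $dir $File
    "### $Command" | Out-File -Append -FilePath $path
    cmd /c "$Command 2>&1" | Out-File -Append -FilePath $path
}

# 1. IP addressing: every interface, including the intra-array interface and
#    any NLB virtual IP addresses bound to an adapter.
Save-Output "ipconfig /all" "ip-addressing.txt"

# 2. Routing: the active table plus the "Persistent Routes" (static) section.
Save-Output "route print" "routes.txt"

# 3. DNS: the firewall's own host record, the proxy alias and the WPAD record.
#    "proxy" and "wpad" are assumed alias names; replace them with yours.
foreach ($name in @($env:COMPUTERNAME, "proxy", "wpad")) {
    Save-Output "nslookup $name" "dns.txt"
}

# 4. Certificates: machine certificates that carry a private key are the ones
#    bound to HTTPS publishing rules and must be exported as PFX with the key.
#    The root store is listed as well, because Windows Server 2008 R2 ships
#    with far fewer trusted roots, so any root a published site depends on
#    has to be carried over explicitly.
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey |
    Format-List | Out-File -FilePath (Join-Path $dir "certs-my.txt")
Get-ChildItem Cert:\LocalMachine\Root |
    Select-Object Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize | Out-File -Width 200 -FilePath (Join-Path $dir "certs-root.txt")

# 5. Active Directory: SPNs registered on this computer account, relevant when
#    KCD publishing or a CSS SPN is in use. setspn.exe is assumed available
#    (built in on Windows Server 2008, Support Tools on Windows Server 2003).
Save-Output "setspn -L $env:COMPUTERNAME" "spn.txt"

# 6. Third-party add-ons: the installed-programs list shows which ISA plug-ins
#    will need TMG builds from their vendors.
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName |
    Format-Table -AutoSize | Out-File -Width 200 -FilePath (Join-Path $dir "installed-programs.txt")

Write-Host "Inventory written to $dir"
```

Run it from an elevated PowerShell prompt on the ISA server, keep the folder with the migration records, and run the same script on the TMG host after the import to diff the two. The script only lists certificates; exporting the PFX files with their private keys remains a deliberate manual step.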

Do not expect the move to TMG to solve every existing problem with your current ISA configuration. Use the ISA Best Practices Analyzer to check the system and fix all reported problems before migrating.
System resources must also be taken into account when planning the move from ISA to TMG. Despite the performance gains of 64-bit systems, TMG includes many new security and protection features that consume additional resources.
Use the Forefront TMG 2010 Capacity Planning Tool to determine whether your hardware meets the TMG system requirements.
Once the preparation is complete and the new TMG configuration has passed initial testing, you can proceed to the migration itself.

Export from Internet Security & Acceleration Server

Open the ISA Management Console and start the export.
The export wizard starts.
Tick the “Export confidential information” and “Export user permission settings” checkboxes, then set a password to encrypt the exported data.



Click “Next” and specify where to save the XML file. This file is imported into TMG later.

Import to Forefront Threat Management Gateway

Before importing the settings into TMG, make sure the Getting Started wizard has not been run (it creates basic access rules through the firewall). If it has been run, delete all access rules it created; once that is done, the import into TMG should complete without errors.

NB: When migrating from ISA Server Enterprise to TMG managed by EMS, you must import the configuration into EMS before creating an array or adding array members.
Also, when migrating from ISA Server Enterprise (a single-server array or a server that is a member of an array) to TMG Enterprise in standalone-server mode, one additional step is required; it is described at the end of the post.

On the TMG computer, open the management console and start the import.
The import wizard starts: enter the path to the XML file produced by the export and the password specified during the export.

After the import wizard reports success, click the Apply button to save the changes and update the Threat Management Gateway configuration.



Export from ISA Server Enterprise (single-server array / server that is a member of an array)

Before importing settings from ISA Server Enterprise Edition (a single-server array or a server that is a member of an array) into TMG Enterprise in standalone-server mode, you must first convert the exported XML file into a format that this TMG mode can work with. This is necessary because the exported ISA Enterprise file contains enterprise-level policies that TMG in standalone-server mode does not support. Use the Forefront TMG EE Single Server Conversion Tool for the conversion.
After installing the conversion tool, open a command prompt, change to the C:\Program Files (x86)\Microsoft Forefront TMG Tools\EESingleServerConversion folder and run:

```
EESingleServerConversion.exe /s <source XML file> /t <target XML file>
```

Then follow the same steps described above for ISA Standard Edition.

PS
  1. Forefront TMG installs the Web Server (IIS) role. Note that this component is not removed when Forefront TMG is uninstalled;
  2. Microsoft Forefront TMG does not support more than 300 licensed users.

Source: https://habr.com/ru/post/135438/
