
ISA to TMG Migration Guide

This document provides guidance on migrating from Microsoft ISA Server 2004/2006 to Forefront Threat Management Gateway (TMG) 2010. It outlines the different migration paths depending on the existing ISA Server version. The migration process involves thoroughly documenting the existing ISA Server configuration, exporting the configuration from ISA Server, and then importing it into TMG. Special steps are required when migrating from ISA Server Enterprise Edition to TMG Enterprise Edition.

Uploaded by

spada1975

Migrating from Microsoft ISA Server 2004/2006 to Forefront Threat Management Gateway (TMG) 2010

Richard Hicks – Forefront MVP


MCSE, MCITP:EA, WCE-WS
Senior Sales Engineer
Product Specialist – Edge Security Solutions
Celestix Networks, Inc.
(510)667-0800 x6734
rhicks@celestix.com
Introduction

For organizations that currently have a Microsoft ISA Server 2004/2006 deployment,
performing an in-place upgrade to Forefront Threat Management Gateway (TMG) 2010 is not
an option. ISA only runs on 32-bit Windows, while TMG runs exclusively on 64-bit Windows.
Since there is no direct upgrade path from 32-bit to 64-bit Windows, migrating policies and
configuration settings from ISA to TMG is the only alternative. Migration to TMG is supported
from the following versions of ISA Server:

• ISA Server 2004 Standard/Enterprise with Service Pack 3


• ISA Server 2006 Standard/Enterprise with Service Pack 1

Depending on the version of ISA Server you are running, there are four migration paths when
migrating from ISA to TMG (not including TMG MBE):

• ISA Server 2004/2006 Standard Edition to TMG Standard Edition


• ISA Server 2004/2006 Standard Edition to TMG Enterprise Edition in standalone mode
• ISA Server 2004/2006 Enterprise Edition (single array/single array member) to TMG
Enterprise Edition in standalone mode
• ISA Server 2004/2006 Enterprise Edition (single or multi-array) to TMG Enterprise
Edition in EMS-managed mode

Migrating from previous versions of ISA server to TMG requires careful planning, consideration,
and attention to detail. You should consider thoroughly documenting your existing
environment as part of the migration process. This will include:

• IP Addressing – Document IP addresses for all network interfaces, including the intra-
array interface and any virtual IP addresses when using NLB. If you are using VPN
services, be sure to record IP address ranges for remote access clients and site-to-site
networks.
• Routing – Document any static routes required for “network behind a network”
scenarios.
• DNS – Record any and all A host records or CNAME alias records in DNS associated with
your ISA firewall. This will include statically configured host records for the ISA
firewalls themselves, alias records for the proxy array, or WPAD records for client
configuration.
• WPAD – If you are using DHCP for client configuration, be sure to plan for those
changes as well.
• Certificates – Be sure to export any and all certificates (along with the private keys)
required for operation. This includes machine certificates in a workgroup scenario and
SSL certificates used for HTTPS publishing rules. Be advised that Windows Server
2008 R2 includes fewer trusted root CAs by default, so check your certificates carefully.
• Active Directory – If you have published web sites utilizing Kerberos Constrained
Delegation (KCD), configure the computer account of the new system for delegation. If
you have created a Service Principal Name (SPN) entry in the Kerberos database for the
Configuration Storage Server (CSS), review and update that information as necessary.
• Third-party Plug-ins – If any third-party plug-ins are installed on ISA they will be
disabled after being migrated to TMG. Visit the vendor’s web site to see if an updated
plug-in for TMG is available.
• Scheduled and Custom Reports – Document all reports, as they will not be migrated to
TMG.

Migrating from ISA to TMG - Page 2 of 12


Do not assume that migrating to TMG will resolve any existing problems in your current
environment. Use the ISA Best Practices Analyzer to perform a system health check and resolve
any outstanding issues prior to migration.

System capacity should be evaluated when planning a migration from ISA to TMG. Although
there are performance benefits when running on the latest 64-bit Windows operating system,
TMG includes many new advanced protection features, and these capabilities consume
additional resources. Use the Forefront TMG 2010 Capacity Planning Tool to determine if you
have adequate hardware resources to support your implementation requirements.

The Microsoft Forefront Threat Management Gateway (TMG) 2010 Capacity Planning
Tool can be downloaded at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=01b2f7a5-8165-4ead-9693-994504f66449&displaylang=en

Once the planning phase has been completed and the configuration of the new TMG system has
passed initial testing, you can begin the actual migration from ISA to TMG.

Exporting from ISA

On the source (ISA 2004/2006 Standard Edition) system, open the management console and
highlight the root node. Right-click and choose Export (Backup)…


For ISA Enterprise Edition, be sure to select the root node for the Enterprise, as shown here.

The Export Wizard dialog box opens.


Select the option to Export confidential information and enter a strong password, then select
the option to Export user permission settings.

Specify a location to save the XML export file. This file will be copied to the TMG system for
import later.


Review the settings and then choose Finish to begin the export.


Importing to TMG

Before importing a configuration to TMG, make certain that the Getting Started Wizard has
not been run. This wizard will configure basic access rules that may prevent a configuration
from importing properly. If the wizard has been used, remove any existing access policies
created by the wizard prior to importing a configuration.

Note: When migrating from ISA Server 2004/2006 Enterprise Edition to TMG Enterprise Edition
(EMS-managed) you must import the configuration on the EMS prior to creating an array
or adding array members. Also, migrating from ISA Enterprise Edition (single array/single
array member) to TMG Enterprise Edition in standalone mode requires an additional step before
importing to TMG. For more information, please refer to the note at the end of this document.

On the target (TMG Standard or Enterprise standalone) system, open the management console
and highlight the root node. Right-click and choose Import (Restore)…

For TMG Enterprise Edition (EMS-managed only), be sure to select the root node for the
Enterprise, as shown here.


The Import Wizard dialog box opens.

Copy the previously exported XML file to the local TMG system, and then specify that location
here.


TMG indicates that the export file is from an earlier version and that it will be upgraded to
Forefront TMG.

Enter the password created during the original export.


Review the settings and then choose Finish to begin the import.

Import complete.

After successfully completing the migration process, TMG indicates that additional steps may
be required. Address any issues as necessary.


Click Apply to save changes and update the configuration.

Note: If you have imported any web publishing rules that use HTTPS, verify that the correct SSL
certificate is bound to the appropriate web listener used by the publishing rule before applying
the configuration.
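
The certificate checks called for in the planning list and in the HTTPS note above, as an added example that is not part of the original guide: a PowerShell 2.0 function, run on the new TMG system, that reports for each certificate in the computer's Personal store whether its private key arrived with it and whether its chain builds to a root this machine trusts. The function name, the 60-day warning window and the output columns are assumptions.

```powershell
# Added example: audit certificates on the new TMG system after they are imported.
# Written for PowerShell 2.0 (Windows Server 2008 R2); run from an elevated prompt.
function Test-MachineCertificate {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',  # computer account's Personal store
        [int]$WarnDays = 60                            # assumed expiry warning window
    )
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Machine context ($true): trust is evaluated against the computer's
        # root store rather than the logged-on user's.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        # No revocation lookups; this check only asks whether a trusted root is present.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $status) { $status = 'OK' }
        $chain.Reset()

        $daysLeft = ($cert.NotAfter - (Get-Date)).Days
        $problems = @()
        if (-not $cert.HasPrivateKey)    { $problems += 'no private key' }
        if (-not $trusted)               { $problems += "chain: $status" }
        if ($daysLeft -lt 0)             { $problems += 'expired' }
        elseif ($daysLeft -lt $WarnDays) { $problems += "expires in $daysLeft days" }

        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Problems   = ($problems -join '; ')
        }
    }
}

# Certificates with a non-empty Problems value need attention before
# they are bound to a web listener.
Test-MachineCertificate |
    Select-Object Subject, Thumbprint, NotAfter, Problems |
    Sort-Object NotAfter |
    Format-List
```

A "no private key" result means the certificate was exported without its key and cannot be used by a listener; a "chain: UntrustedRoot" result means the issuing root is missing from this system's trusted root store.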


Exporting from ISA 2004/2006 Enterprise (single array/single array member) to TMG Enterprise Edition in standalone mode

Before importing the configuration from ISA Enterprise (with a single array and a single array
member) to TMG Enterprise standalone, it will first be necessary to convert the export file to a
format recognized by TMG Enterprise standalone. This is required because the ISA Enterprise
export contains Enterprise-level configuration and policies which are not supported by TMG
Enterprise standalone. To convert the file, download and install the EE Single Server
Conversion Tool for Forefront TMG included in the Forefront TMG Tools and SDK.

The Microsoft Forefront Threat Management Gateway (TMG) 2010 Tools and
Software Development Kit (SDK) can be downloaded at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=8809cfda-2ee1-4e67-b993-6f9a20e08607&DisplayLang=en

After installing the conversion tool and copying the ISA Enterprise configuration file to the
TMG system, open a command prompt and navigate to C:\Program Files (x86)\Microsoft
Forefront TMG Tools\EESingleServerConversion and enter the following command:

EESingleServerConversion.exe /s <source XML file> /t <target XML file>

This will convert the ISA Enterprise configuration file to a format supported on TMG
Enterprise standalone. Once the file conversion is complete, the process of importing from ISA
Enterprise single array/single array member to TMG Enterprise standalone is the same as
importing from ISA Standard Edition.
