Migrating from Microsoft ISA Server 2004/2006 to Forefront Threat Management Gateway (TMG) 2010




Richard Hicks
Forefront MVP
MCSE, MCITP:EA, WCE-WS
Senior Sales Engineer
Product Specialist
Edge Security Solutions
Celestix Networks, Inc.
(510)667-0800 x6734
rhicks@celestix.com

Introduction

For organizations that currently have a Microsoft ISA Server 2004/2006 deployment, performing an in-place upgrade to Forefront Threat Management Gateway (TMG) 2010 is not an option. ISA only runs on 32-bit Windows, while TMG runs exclusively on 64-bit Windows. Since there is no direct upgrade path from 32-bit to 64-bit Windows, migrating policies and configuration settings from ISA to TMG is the only alternative.

Migration to TMG is supported from the following versions of ISA Server:

- ISA Server 2004 Standard/Enterprise with Service Pack 3
- ISA Server 2006 Standard/Enterprise with Service Pack 1

Depending on the version of ISA Server you are running, there are four migration paths when migrating from ISA to TMG (not including TMG MBE):

- ISA Server 2004/2006 Standard Edition to TMG Standard Edition
- ISA Server 2004/2006 Standard Edition to TMG Enterprise Edition in standalone mode
- ISA Server 2004/2006 Enterprise Edition (single array/single array member) to TMG Enterprise Edition in standalone mode
- ISA Server 2004/2006 Enterprise Edition (single or multi-array) to TMG Enterprise Edition in EMS-managed mode

Migrating from previous versions of ISA Server to TMG requires careful planning, consideration, and attention to detail. You should consider thoroughly documenting your existing environment as part of the migration process. This will include:

- IP Addressing: Document IP addresses for all network interfaces, including the intra-array interface and any virtual IP addresses when using NLB. If you are using VPN services, be sure to record IP address ranges for remote access clients and site-to-site networks.
- Routing: Document any static routes required for network behind a network scenarios.
- DNS: Record any and all A host records or CNAME alias records in DNS associated with your ISA firewall. This will include statically configured host records for the ISA firewalls themselves, alias records for the proxy array, or WPAD records for client configuration.
- WPAD: If you are using DHCP for client configuration, be sure to plan for those changes as well.
- Certificates: Be sure to export any and all certificates (along with the private keys) required for operation. This includes machine certificates in a workgroup scenario and SSL certificates used for HTTPS publishing rules. Be advised that Windows Server 2008 R2 includes fewer trusted root CAs by default, so check your certificates carefully.
- Active Directory: If you have published web sites utilizing Kerberos Constrained Delegation (KCD), configure the computer account of the new system for delegation. If you have created a Service Principal Name (SPN) entry in the Kerberos database for the Configuration Storage Server (CSS), review and update that information as necessary.
- Third-party Plug-ins: If any third-party plug-ins are installed on ISA they will be disabled after being migrated to TMG. Visit the vendor's web site to see if an updated plug-in for TMG is available.
- Scheduled and Custom Reports: Document all reports, as they will not be migrated to TMG.

Migrating from ISA to TMG - Page 2 of 12
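One way to carry out the certificate check from the planning list above, once the exported certificates have been imported into the new server's Local Computer Personal store. This is an added example and not part of the original guide; it assumes PowerShell 2.0 on the Windows Server 2008 R2 system that hosts TMG, and the function name Test-MigratedCertificate and the $WarnDays threshold are hypothetical.

```powershell
# Added example: audit certificates imported into the new TMG server's
# machine store. Run in an elevated PowerShell session on the TMG system.
$WarnDays = 60   # assumed expiry warning window, not a value from the guide

function Test-MigratedCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Build the chain in machine context, using only this server's trust
    # stores. Revocation checking is skipped so the result reflects local
    # trust and validity, not CRL reachability.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Cert)

    $problems = @()
    # A certificate exported without its private key cannot be used by a listener.
    if (-not $Cert.HasPrivateKey) { $problems += 'NoPrivateKey' }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += 'Expired' }
    elseif ($Cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) { $problems += 'ExpiresSoon' }
    if (-not $trusted) {
        # Typically UntrustedRoot or PartialChain when the issuing root CA
        # is missing from the new server's root store.
        $problems += ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    }

    # Last element the chain engine could reach (the root if the chain is complete).
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        ChainEnds  = $top.Subject
        Problems   = ($problems -join ', ')
    }
}

# Certificates with problems sort to the top of the report.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-MigratedCertificate $_ } |
    Sort-Object Problems -Descending |
    Format-List Subject, Thumbprint, NotAfter, ChainEnds, Problems
```

An empty Problems field means the certificate has its private key, is within its validity period, and chains to a root this server trusts.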

Do not assume that migrating to TMG will resolve any existing problems in your current environment. Use the ISA Best Practices Analyzer to perform a system health check and resolve any outstanding issues prior to migration.

System capacity should be evaluated when planning a migration from ISA to TMG. Although there are performance benefits when running on the latest 64-bit Windows operating system, TMG includes many new advanced protection features, and these capabilities consume additional resources. Use the Forefront TMG 2010 Capacity Planning Tool to determine if you have adequate hardware resources to support your implementation requirements.

The Microsoft Forefront Threat Management Gateway (TMG) 2010 Capacity Planning Tool can be downloaded at:
http://www.microsoft.com/downloads/details.aspx?familyid=01b2f7a5-8165-4ead-9693-994504f66449&displaylang=en

Once the planning phase has been completed and the configuration of the new TMG system has passed initial testing, you can begin the actual migration from ISA to TMG.

Exporting from ISA

On the source (ISA 2004/2006 Standard Edition) system, open the management console and highlight the root node. Right-click and choose Export (Backup).

For ISA Enterprise Edition, be sure to select the root node for the Enterprise, as shown here. The Export Wizard dialog box opens.

Select the option to Export confidential information and enter a strong password, then select the option to Export user permission settings. Specify a location to save the XML export file. This file will be copied to the TMG system for import later.

Review the settings and then choose Finish to begin the export.

Importing to TMG

Before importing a configuration to TMG, make certain that the Getting Started Wizard has not been run. This wizard will configure basic access rules that may prevent a configuration from importing properly. If the wizard has been used, remove any existing access policies created by the wizard prior to importing a configuration.

Note: When migrating from ISA Server 2004/2006 Enterprise Edition to TMG Enterprise Edition (EMS-managed) you must import the configuration on the EMS prior to creating an array or adding array members. Also, migrating from ISA Enterprise Edition (single array/single array member) to TMG Enterprise Edition in standalone mode requires an additional step before importing to TMG. For more information, please refer to the note at the end of this document.

On the target (TMG Standard or Enterprise standalone) system, open the management console and highlight the root node. Right-click and choose Import (Restore).

For TMG Enterprise Edition (EMS-managed only), be sure to select the root node for the Enterprise, as shown here.

The Import Wizard dialog box opens. Copy the previously exported XML file to the local TMG system, and then specify that location here.

TMG indicates that the export file is from an earlier version and that it will be upgraded to Forefront TMG. Enter the password created during the original export.

Review the settings and then choose Finish to begin the import. Import complete. After successfully completing the migration process, TMG indicates that additional steps may be required. Address any issues as necessary.

Click Apply to save changes and update the configuration. Note: If you have imported any web publishing rules that use HTTPS, verify that the correct SSL certificate is bound to the appropriate web listener used by the publishing rule before applying the configuration.

Exporting from ISA 2004/2006 Enterprise (single array/single array member) to TMG Enterprise Edition in standalone mode

Before importing the configuration from ISA Enterprise (with a single array and a single array member) to TMG Enterprise standalone, it will first be necessary to convert the export file to a format recognized by TMG Enterprise standalone. This is required because the ISA Enterprise export contains Enterprise-level configuration and policies which are not supported by TMG Enterprise standalone. To convert the file, download and install the EE Single Server Conversion Tool for Forefront TMG included in the Forefront TMG Tools and SDK.

The Microsoft Forefront Threat Management Gateway (TMG) 2010 Tools and Software Development Kit (SDK) can be downloaded at:
http://www.microsoft.com/downloads/details.aspx?familyid=8809cfda-2ee1-4e67-b993-6f9a20e08607&displaylang=en

After installing the conversion tool and copying the ISA Enterprise configuration file to the TMG system, open a command prompt and navigate to C:\Program Files (x86)\microsoft Forefront TMG Tools\EESingleServerConversion and enter the following command:

EESingleServerConversion.exe /s <source XML file> /t <target XML file>

This will convert the ISA Enterprise configuration file to a format supported on TMG Enterprise standalone. Once the file conversion is complete, the process of importing from ISA Enterprise single array/single array member to TMG Enterprise standalone is the same as importing from ISA Standard Edition.