Forefront TMG includes a backup and restore feature that enables you to export its configuration to an .xml file, and then import that configuration back to the Forefront TMG.

In Forefront TMG, backing up is referred to as exporting, and restoring as importing. This import/export feature is flexible, in that you can export on many levels in Forefront TMG. For example, you can export (and subsequently import) an entire firewall policy, a single rule, or a single network object. Also, you can back up your entire configuration so that you can restore it at a later date.

Preparing for a disaster

Backing up the configuration is important for disaster recovery purposes, and for reverting to a previous configuration, if necessary. It is recommended that you back up the entire configuration after:

  • The initial configuration of your Forefront TMG computer.

  • Any major modifications, including changing cache size or location, modifying firewall policy, configuring system rules, creating network definitions or network rules, and delegating administrative rights or removing delegation of administrative rights.

Adhering to this guidance will assist you in the case of a catastrophic loss, as you will be able to restore the configuration from a current backup file.

About backing up and restoring Forefront TMG configuration

Before backing up or restoring your configuration, note the following:

  • You must be a Forefront TMG Enterprise Administrator or Enterprise Auditor to back up and restore enterprise-level configuration.

  • To back up and restore enterprise-level confidential information, you must be a Forefront TMG Enterprise Administrator.

  • You must be a Forefront TMG Array Administrator to export array-level confidential information.

  • For maximum security, it is recommended that you save the backup file to an NTFS file system disk partition. Only administrators of the Forefront TMG computer should have read permissions to the directory.

  • When you export an entire configuration, certificate settings are also exported. The certificate settings on the Forefront TMG computer to which you are importing the configuration must match the certificate settings in the exported file. If you import to a Forefront TMG computer with different certificates, the Microsoft Firewall service will fail to start.

  • When you export confidential details, such as user passwords, secure information in the backup file is encrypted. You will be asked to specify a password that is required to open the file and decrypt the information when you import the configuration. It is recommended that you specify a strong password to ensure proper protection of encrypted information. A password is considered strong if it provides an effective defense against unauthorized access. A strong password should not contain all or part of the user account name. It should contain at least three of the following four categories of characters: uppercase characters, lowercase characters, base 10 digits, and symbols found on the keyboard (such as !, @, and #).
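The NTFS recommendation above can be applied and then checked with a short script. This is an added example, not part of the original topic; the directory path is hypothetical, and the script assumes an elevated PowerShell prompt on the Forefront TMG computer.

```powershell
# Hypothetical backup location; change to suit. Run from an elevated prompt.
$backupDir = 'D:\TMGBackup'
$adminSid  = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# The recommendation only holds on NTFS; FAT volumes carry no ACLs.
$drive = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($backupDir))
if ($drive.DriveFormat -ne 'NTFS') {
    throw "$backupDir is on a $($drive.DriveFormat) volume, not NTFS."
}

# Grant Administrators full control first, then drop every inherited entry,
# so the directory is never left without an explicit entry.
icacls $backupDir /grant:r "*${adminSid}:(OI)(CI)F" | Out-Null
icacls $backupDir /inheritance:r | Out-Null

# Audit: any Allow entry for an identity other than Administrators is a finding.
# Explicit entries that existed before this script ran are reported here.
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = (Get-Acl -Path $backupDir).GetAccessRules($true, $true, $sidType)
$extra   = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ne $adminSid
})

if ($extra.Count -gt 0) {
    $extra | ForEach-Object {
        Write-Warning "Unexpected access: $($_.IdentityReference.Value) $($_.FileSystemRights)"
    }
} else {
    Write-Output "Only BUILTIN\Administrators has access to $backupDir"
}
```

Re-run the audit portion after each export, because files copied in from elsewhere can bring their own permissions.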

Backing up a configuration

Forefront TMG provides the Export Wizard to walk you through the process of exporting the Forefront TMG configuration to an .xml file.

When you export a configuration, all general configuration information is exported. The backup file includes all policy information and all other organization-specific information. It also includes the access rules, publishing rules, rule elements, alert configuration, cache configuration, and other Forefront TMG properties, such as cache drives and Secure Sockets Layer (SSL) certificate keys.

The backup and restore process backs up and restores SSL certificate keys, which indicate to Forefront TMG which certificates to use. This is not the same as backing up and restoring the certificates themselves. It is recommended that you maintain a backup of SSL certificates, which you should do manually to a secure location.

When creating the backup file, in addition to exporting all general configuration information, you can export user permission settings and confidential information, such as user passwords. Confidential information included in the exported file is encrypted by using the password specified as part of the export process. Confidential information includes user credential passwords (such as passwords used for logging on to a computer running Microsoft SQL Server), Remote Authentication Dial-In User Service (RADIUS) shared secrets, and preshared Internet Protocol security (IPsec) keys. When confidential details are exported with the file, the password specified during the export process is requested to open and decrypt the secure information. Note that general configuration data in the exported backup file is not encrypted. The exported Forefront TMG configuration data in the backup files should be treated as sensitive data that has the potential for information disclosure.

Restoring a configuration

Restoring the configuration is done by importing the backup configuration file to Forefront TMG. During the import process, the configuration that was saved in the backup .xml file is copied to the Forefront TMG server.

The restore process reconstructs most configuration information. When you import the .xml configuration file, you can select to overwrite the existing configuration, or import the configuration details into the existing configuration. When restoring a configuration, you should always select to overwrite the existing configuration; this option replaces the existing configuration with the configuration in the import file.

About backing up SSL certificates

SSL certificates are stored in the machine’s local certificate storage. You can use Certutil.exe, a command-line program that is installed as part of Certificate Services, to back up and restore Certification Authority components, such as the SSL certificate. For information about Certutil.exe, see Tools to Create, View, and Manage Certificates and Certutil.

You can also back up the SSL certificates using an MMC snap-in for managing certificates. For information, see How to back up a server certificate.
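Because the configuration export carries only the certificate keys and not the certificates, a separate certificate backup can be scripted around Certutil.exe. This is an added example, not part of the original topic; it assumes the SSL certificates are in the local machine's Personal (My) store and that their private keys are exportable, and the destination path is hypothetical.

```powershell
# Hypothetical destination; protect it like the configuration backups.
$certBackupDir = 'D:\TMGBackup\Certs'
New-Item -ItemType Directory -Path $certBackupDir -Force | Out-Null

# Certificates in the local machine's Personal store that have a private key
# (assumption: this is where the SSL certificates used by Forefront TMG live).
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey })

foreach ($cert in $certs) {
    $pfx = Join-Path $certBackupDir ($cert.Thumbprint + '.pfx')

    # No -p option: certutil prompts for the PFX password, which keeps the
    # password out of the command line and the console history.
    certutil -exportPFX My $cert.Thumbprint $pfx

    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export failed for $($cert.Subject); the key may be non-exportable."
    }
}

# Inventory to compare against the target computer before importing a full
# configuration, since mismatched certificates stop the Firewall service.
$certs | Select-Object Thumbprint, Subject, NotAfter |
    Export-Csv -Path (Join-Path $certBackupDir 'inventory.csv') -NoTypeInformation
```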
