Forefront TMG includes a backup and restore feature that enables you to export its configuration to an .xml file, and then import that configuration back to the Forefront TMG.
In Forefront TMG, backing up is referred to as exporting, and restoring as importing. This import/export feature is flexible, in that you can export on many levels in Forefront TMG. For example, you can export (and subsequently import) an entire firewall policy, a single rule, or a single network object. Also, you can back up your entire configuration so that you can restore it at a later date.
This topic provides information on:
- Preparing for a disaster
- About backing up and restoring Forefront TMG configuration
- About backing up SSL certificates
Preparing for a disaster
Backing up the configuration is important for disaster recovery purposes, and for reverting to a previous configuration, if necessary. It is recommended that you back up the entire configuration after:
- The initial configuration of your Forefront TMG
- Any major modifications, including changing cache size or location, modifying firewall policy, configuring system rules, creating network definitions or network rules, and delegating administrative rights or removing delegation of
Adhering to this guidance will assist you in the case of a catastrophic loss, as you will be able to restore the configuration from a current backup file.
About backing up and restoring Forefront TMG configuration
Before backing up or restoring your configuration, note the following:
- You must be a Forefront TMG Enterprise Administrator or Enterprise Auditor to back up and restore
- To back up and restore enterprise-level confidential information, you must be a Forefront TMG Enterprise
- You must be a Forefront TMG Array Administrator to export array-level confidential information.
- For maximum security, it is recommended that you save the backup file to an NTFS file system disk partition. Only administrators of the Forefront TMG computer should have read permissions to the directory.
- When you export an entire configuration, certificate settings are also exported. The certificate settings on the Forefront TMG computer to which you are importing the configuration must match the certificate settings in the exported file. If you import to a Forefront TMG computer with different certificates, the Microsoft Firewall service will fail to
- When you export confidential details, such as user passwords, secure information in the backup file is encrypted. You will be asked to specify a password that is required to open the file and decrypt the information when you import the configuration. It is recommended that you specify a strong password to ensure proper protection of the encrypted information. A password is considered strong if it provides an effective defense against unauthorized access. A strong password should not contain all or part of the user account name. It should contain at least three of the following four categories of characters: uppercase characters, lowercase characters, base 10 digits, and symbols found on the keyboard (such as !, @, and #).
The following sections describe backing up a configuration and restoring a configuration.
Backing up a configuration
Forefront TMG provides the Export Wizard to walk you through the process of exporting the Forefront TMG configuration to an .xml file.
When you export a configuration, all general configuration information is exported. The backup file includes all policy information and all other organization-specific information. It also includes the access rules, publishing rules, rule elements, alert configuration, cache configuration, and other Forefront TMG properties, such as cache drives and Secure Sockets Layer (SSL) certificate keys.
Note: The backup and restore process backs up and restores SSL certificate keys, which indicate to Forefront TMG which certificates to use. This is not the same as backing up and restoring the certificates themselves. It is recommended that you maintain a backup of SSL certificates, which you should do manually to a secure location.
When creating the backup file, in addition to exporting all general configuration information, you can export user permission settings and confidential information, such as user passwords. Confidential information included in the exported file is encrypted by using the password specified as part of the export process. Confidential information includes user credential passwords (such as passwords used for logging on to a computer running Microsoft SQL Server), Remote Authentication Dial-In User Service (RADIUS) shared secrets, and preshared Internet Protocol security (IPsec) keys. When confidential details are exported with the file, the password specified during the export process is requested to open and decrypt the secure information. Note that general configuration data in the exported backup file is not encrypted. The exported Forefront TMG configuration data in the backup files should be treated as sensitive data that has the potential for information disclosure.
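The export described above can be scripted instead of run through the Export Wizard, which is how most administrators schedule a recurring backup. The following PowerShell script is an added example and is not code from this documentation or from the Forefront TMG product. It ties together the three security points from the notes list and this section: it refuses a backup password that fails the strong-password rule, it places the backup in an NTFS directory whose ACL is restricted to Administrators and SYSTEM, and it exports the configuration with confidential data and user permissions included so that the sensitive items are encrypted. The FPC.Root COM object, its GetContainingArray() method, the FPCArray.ExportToFile(FileName, OptionalData, EncryptionPassword, Comment) signature and the FpcExportImportOptionalData flag values are taken from the TMG SDK as I recall it and should be treated as assumptions; the path D:\TMGBackup and the 12-character minimum length are constructed for the example.

```powershell
# Added example, not code from the Forefront TMG documentation or product.
# Exports the array configuration, including encrypted confidential data and
# user permissions, to an .xml backup in an administrators-only NTFS directory.
# Assumptions: the FPC.Root COM object with GetContainingArray(), and the
# FPCArray.ExportToFile(FileName, OptionalData, EncryptionPassword, Comment)
# method and the FpcExportImportOptionalData flag values from the TMG SDK.
# Run on the TMG server as a Forefront TMG Enterprise or Array Administrator.

# Flag values assumed from the TMG SDK enumeration FpcExportImportOptionalData
$FpcExportImportPasswords       = 1   # confidential data (passwords, RADIUS secrets, IPsec keys)
$FpcExportImportUserPermissions = 2   # user permission settings

function Test-StrongPassword {
    # Applies the documentation's rule: no part of the account name, and at
    # least three of the four character categories. The 12-character minimum
    # is an added local policy choice, not a requirement from the documentation.
    param([string]$Password, [string]$AccountName)
    if ($Password.Length -lt 12) { return $false }
    if ($AccountName) {
        # "all or part of the user account name": the whole name and any token
        # of three or more characters (split on the usual name delimiters)
        $lower  = $Password.ToLower()
        $tokens = @($AccountName.ToLower()) + ($AccountName.ToLower() -split '[ .,\-_#\t]+')
        foreach ($token in $tokens) {
            if ($token.Length -ge 3 -and $lower.Contains($token)) { return $false }
        }
    }
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }
    return ($categories -ge 3)
}

function New-RestrictedBackupDirectory {
    # Creates the backup directory on an NTFS volume and replaces its ACL so
    # that only Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) can read it.
    # For a pre-existing directory, confirm the result with: icacls <path>
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $driveLetter = (Get-Item -LiteralPath $Path).PSDrive.Name
    $fileSystem  = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='${driveLetter}:'").FileSystem
    if ($fileSystem -ne 'NTFS') {
        throw "Backup path $Path is on $fileSystem, not NTFS; the file cannot be protected by an ACL."
    }
    & icacls $Path /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed to restrict $Path" }
    return $Path
}

function Backup-TmgConfiguration {
    # Exports the whole array configuration. General configuration data in the
    # file is plaintext; only the confidential items are encrypted with $Password.
    param([string]$Directory, [string]$Password, [string]$Comment = 'Full configuration backup')
    $fileName = 'tmg-config-{0:yyyyMMdd-HHmm}.xml' -f (Get-Date)
    $filePath = Join-Path $Directory $fileName
    $root  = New-Object -ComObject 'FPC.Root'          # assumed TMG SDK COM object
    $array = $root.GetContainingArray()
    $flags = $FpcExportImportPasswords -bor $FpcExportImportUserPermissions
    $array.ExportToFile($filePath, $flags, $Password, $Comment)
    # Sanity check: the export exists and is well-formed XML.
    [xml](Get-Content -LiteralPath $filePath) | Out-Null
    return Get-Item -LiteralPath $filePath
}

# Usage (D:\TMGBackup is a constructed path for this example)
$backupDir      = New-RestrictedBackupDirectory -Path 'D:\TMGBackup'
$backupPassword = Read-Host 'Backup encryption password'
if (-not (Test-StrongPassword -Password $backupPassword -AccountName $env:USERNAME)) {
    throw 'Backup password does not meet the strong-password rule.'
}
$file = Backup-TmgConfiguration -Directory $backupDir -Password $backupPassword
Write-Host ('Exported {0} ({1} bytes)' -f $file.FullName, $file.Length)
```

The directory check throws rather than warns when the volume is not NTFS, because a backup written to a FAT volume has no ACL at all and the plaintext general configuration is then readable by anyone with access to the drive. The encryption password protects only the confidential items, so the file-system permissions remain the primary control for the rest of the file.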
Restoring a configuration
Restoring the configuration is done by importing the backup configuration file to Forefront TMG. During the import process, the configuration that was saved in the backup .xml file is copied to the Forefront TMG server.
The restore process reconstructs most configuration information. When you import the .xml configuration file, you can select to overwrite the existing configuration, or import the configuration details into the existing configuration. When restoring a configuration, you should always select to overwrite the existing configuration; this option replaces the existing configuration with the configuration in the import file.
About backing up SSL certificates
SSL certificates are stored in the machine’s local certificate storage. You can use Certutil.exe, a command-line program that is installed as part of Certificate Services, to back up and restore Certification Authority components, such as the SSL certificate. For information about Certutil.exe, see Tools to Create, View, and Manage Certificates (http://go.microsoft.com/fwlink/?LinkId=152904) and Certutil (http://go.microsoft.com/fwlink/?LinkId=152902).
You can also back up the SSL certificates using an MMC snap-in for managing certificates. For information, see How to back up a server certificate (http://go.microsoft.com/fwlink/?LinkId=152903).
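Because the configuration backup keeps only the certificate keys (the references that tell Forefront TMG which certificates to use), the certificates and private keys themselves have to be exported separately, as the note above says. The following PowerShell script is an added example and is not code from this documentation or from Microsoft; it wraps the Certutil.exe verbs -exportPFX and -importPFX that the linked Certutil reference documents, listing the certificates with private keys in the local machine's personal store and writing each one to a password-protected PFX file. The helper names, the D:\TMGBackup directory (assumed to already carry an administrators-only ACL, as recommended for the configuration backup) and the PFX password prompt are constructed for the example.

```powershell
# Added example, not code from the Forefront TMG documentation. Backs up the
# SSL certificates in the local machine's personal store, with their private
# keys, to password-protected PFX files using certutil.exe, and shows the
# matching restore. Assumes $Directory already has an administrators-only ACL.

function Get-ServerCertificates {
    # Certificates with a private key in the machine store; TMG web listeners
    # reference these by thumbprint, which is what the configuration backup keeps.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey } |
        Select-Object Thumbprint, Subject, NotAfter
}

function Export-ServerCertificate {
    # certutil -exportPFX accepts the SHA-1 thumbprint as the CertId.
    # It fails if the private key was generated as non-exportable; such a
    # certificate must be re-issued from the CA rather than restored from backup.
    param([string]$Thumbprint, [string]$Directory, [string]$PfxPassword)
    $pfxPath = Join-Path $Directory ("$Thumbprint.pfx")
    & certutil -p $PfxPassword -exportPFX My $Thumbprint $pfxPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil could not export $Thumbprint (non-exportable key?)" }
    return Get-Item -LiteralPath $pfxPath
}

function Import-ServerCertificate {
    # Restores into the machine's personal store (certutil's default for
    # -importPFX); -f overwrites a certificate that is already present.
    param([string]$PfxPath, [string]$PfxPassword)
    & certutil -f -p $PfxPassword -importPFX $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil could not import $PfxPath" }
}

# Usage: back up every server certificate alongside the configuration export.
# D:\TMGBackup is a constructed path; it should already be restricted to administrators.
$pfxPassword = Read-Host 'PFX password'
foreach ($cert in Get-ServerCertificates) {
    $file = Export-ServerCertificate -Thumbprint $cert.Thumbprint -Directory 'D:\TMGBackup' -PfxPassword $pfxPassword
    Write-Host ('{0}  {1}  expires {2:d}' -f $file.Name, $cert.Subject, $cert.NotAfter)
}
```

Run the export as an administrator on the Forefront TMG computer, since the machine store's private keys are not readable otherwise. After restoring on a replacement server, import the PFX files before importing the configuration .xml, so that the certificate settings in the file match what is in the store and the Microsoft Firewall service can start.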