The following migration paths from Microsoft Internet Security and Acceleration (ISA) Server 2006 to Forefront TMG are supported:

Before you migrate from ISA Server to Forefront TMG, read the following information:

Important:
If you are installing Forefront TMG on a server other than the server on which ISA Server is installed, it is strongly recommended that you maintain the functionality of your production ISA Server until the migration is complete, and you have verified that Forefront TMG is functioning as expected.

Migrating to Forefront TMG consists of the following tasks:

  1. Collecting information required for installation. For details, see Collecting information.

  2. Exporting the ISA Server configuration. For details, see Exporting the ISA Server configuration.

  3. Exporting the server certificates used by ISA Server. For instructions on exporting a server certificate in Windows 2003, see Importing and exporting certificates (http://go.microsoft.com/fwlink/?LinkId=152428).

  4. If you are installing Forefront TMG on the server that was running ISA Server:

  5. Installing Forefront TMG:

  6. Importing the server certificate into the Forefront TMG server. For details, see Move Certificates (http://go.microsoft.com/fwlink/?LinkId=152430).

  7. Importing and applying the ISA Server configuration in the Forefront TMG management console. For details, see Importing the configuration into Forefront TMG.

  8. Restoring ISA Server report jobs and Firewall logging properties on Forefront TMG. For information, see Configuring Forefront TMG reports and Configuring Forefront TMG logs.

  9. If you are installing Forefront TMG on a clean server, that is, on a server that was not previously running ISA Server, update your production environment with the new server information, such as internal and external IP addresses, and Domain Name System (DNS) server address.

Collecting information

Before you begin the migration process, collect the following information about your existing ISA Server deployment:

  • Fully qualified domain name (FQDN) of the computer running ISA Server.

  • IP address, subnet mask, and DNS server address of the network adapter connected to the main corporate network. This network adapter will be associated with the default Forefront TMG Internal network.

  • IP address, subnet mask, default gateway, and DNS server address of the network adapter connected to the external network (usually the Internet). If you are installing Forefront TMG with a single network adapter only, external adapter settings are not required.

  • IP address, subnet mask, and DNS server address of network adapters connected to any other networks, such as a perimeter network.

Exporting the ISA Server configuration

Use the following procedure to export the current ISA Server configuration.

To export the ISA Server configuration

  1. In the ISA Server Management console, in the tree, access the root node:

    • On an ISA Server computer, expand Microsoft Internet Security and Acceleration Server, and then click ServerName.

      Note:
      It is recommended that you export the configuration from the root node. You can, however, export the following nodes individually, and then import them into Forefront TMG: URLSet, DomainNameSet, ComputerSet, Computer, Subnet, AddressRange.
    • On a Configuration Storage Server computer, click Microsoft Internet Security and Acceleration Server.

  2. In the Tasks pane, click Export ISA Server Configuration to a File.

  3. In the Export Wizard, on the Export Preferences page, select the following options:

    • Export confidential information. Specify a password of at least eight characters.

    • Export user permission settings.

    When you export confidential information, the following is included in the exported data:

    • Credentials used for alerts, logging, reports, report jobs, primary and backup routes, dial-up connections, and Web publishing.

    • The shared secret specified if a RADIUS server is used.

    • The preshared key specified for Internet Protocol security (IPsec) configuration.

    Confidential information is encrypted during the export process. The password is used to decrypt the information during the import process.

    Important:
    In order to import the configuration into Forefront TMG, you must select the option Export confidential information, regardless of whether such information exists in the system.

  4. On the Export File Location page, specify a name and location for the exported backup file. If you intend to upgrade this computer to Windows Server 2008 and install Forefront TMG on it, copy the exported file to a network location, so that it won’t be deleted before the migration process is complete.

  5. On the Apply Changes bar, click Apply.

Importing the configuration into Forefront TMG

Use the following procedure to import the ISA Server configuration into Forefront TMG.

To import the configuration into Forefront TMG

  1. In the Forefront TMG Management console, in the tree, access the root node:

    • On a Forefront TMG computer, expand Microsoft Forefront Threat Management Gateway, and then click ServerName.

    • On an EMS computer, click Microsoft Forefront Threat Management Gateway.

  2. On the Tasks tab, click Import (Restore) Configuration.

  3. In Look in, browse to the folder with the file you are importing.

  4. In the Select the Import File step, in File name, specify the file name of the .xml file you are importing.

  5. Specify the password required to decrypt the confidential information.

  6. On the Apply Changes bar, click Apply.

Related Topics

Copyright © 2009 by Microsoft Corporation. All rights reserved.