Microsoft Forefront TMG (Threat Management Gateway) is the upcoming successor of ISA Server 2006 and will be available in 2009. This article is based on a beta version of Microsoft Forefront TMG. If you want to evaluate Forefront TMG, a public beta is available at the following website: Forefront TMG. If you want to have a look at a special version of Microsoft Forefront TMG which is already RTM, you should evaluate Microsoft Windows Essential Business Server 2008 which contains Forefront Threat Management Gateway, Medium Business Edition. But keep in mind that this is not the same version of TMG which Microsoft will publish in 2009 as a standalone product.
Before we start upgrading ISA Server 2006 to Microsoft Forefront TMG, we have to understand the following upgrade and migration limitations:
- You cannot update ISA Server 2006 to Forefront TMG on the same machine, because ISA Server 2006 is running only on 32 Bit systems, Forefront TMG will only run on Windows 2008 64 Bit.
- ISA Server 2006 cannot be upgraded to Forefront TMG during an in-place upgrade of Windows Server 2003 to Windows Server 2008.
- Microsoft Forefront TMG does not support more than 300 licensed users.
- It is not possible to migrate from ISA Server 2006 Enterprise to Microsoft Forefront TMG.
- It is not possible to migrate from ISA Server 2000 and 2004 to Forefront TMG, you first have to update both older versions to ISA Server 2006.
- You cannot upgrade ISA Server 2006 Standard Edition in workgroup mode to Forefront TMG. ISA 2006 must be a member of a domain, but it is possible to migrate ISA 2006 to Forefront TMG which is not part of a Windows domain.
- If you have enabled the Local Host network to listen for Web proxy client requests, this setting is not migrated.
- The migration process doesn’t migrate custom log fields you selected in ISA Server 2006.
- Report configuration settings are not migrated.
- All features from the ISA Server 2006 Supportability Pack are not available after the migration, but I think that many of these feature will be part of Forefront TMG when the product is finalized.
- Before you upgrade to Forefront TMG you should check if installed third party software is compatible with Microsoft Forefront TMG.
Setup requirements for Forefront Threat Management Gateway
- A PC with a 64-bit processor
- Windows Server 2008 64-bit operating system
- 1 GB RAM or more
- 150 MB free hard disk space and some more disk space for additional log files, cache drives and temporary Anti Malware files (Attention: The setup process of TMG says that about 630 MB are needed!)
- A local hard disk partition that is formatted with NTFS
- A minimum of one network adapter if Forefront TMG should be used only as a proxy or reverse publishing Server. One or more additional network adapters are needed for full Firewall functionality
There are some more considerations when you plan to use Forefront TMG. I gathered this information from the Microsoft Forefront TMG website:
Forefront TMG installed in an Essential Business Server scenario drops all IPv6 traffic. For a following Forefront TMG installation note the following:
- Forefront TMG denies all IPv6 traffic
- ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is disabled
- The 6to4 interface is disabled. This mechanism allows IPv6 packets to be transmitted over an IPv4 network.
- Whenever the Forefront TMG Control service restarts the Forefront TMG server reregisters with DNS to ensure that there is only an A record registered for the server, and no AAAA (IPv6) record. It also clears the DNS, Address Resolution Protocol (ARP), and Neighborhood Discovery (IPv6 version of ARP) caches.
- Changing the Forefront TMG installation folder is not supported.
- By default Forefront TMG is configured to log to a local SQL Server Express database. Forefront TMG installs a number of SQL Server Express components, including an instance for logging and an instance for reporting.
- Forefront TMG installs the Web Server (IIS) role. Note that this component is not removed if Forefront TMG is uninstalled.
- Services and driver files installed by Forefront TMG are placed in the Forefront TMG installation folder.
- You can use Forefront TMG on a computer that has only one network adapter. Typically, you will do so when another firewall is located on the edge of the network, connecting your corporate resources to the Internet.
OK, now that we have discussed some limitations about the migration process and the installation requirements of Microsoft Forefront TMG, I will show you the high level steps to upgrade your ISA Server 2006 to Microsoft Forefront TMG:
- Export the ISA Server 2006 configuration to an XML file
- Install Microsoft Forefront TMG on a 64 Bit Windows Server 2008 machine
- Import the exported ISA Server 2006 XML file into the Forefront TMG management console
- Check functionality, available hotfixes, event logs and more
- Modify certificate and VPN authentication settings if required
- Take your old ISA Server 2006 down and bring Forefront TMG into your production environment
This article deals with a beta version of Forefront TMG. You should not use the beta version of Forefront TMG as a production server.
As a first step log on to your ISA Server 2006 machine, start the ISA Server 2006 management console and click the Server object to Export (Back Up) the entire ISA Server 2006 configuration.
Figure 1: Export / Backup the entire ISA Server 2006 configuration
It is possible to export confidential information like RADIUS shared secrets or ISA Server role settings. If you want to export confidential information you must specify a password which protects the XML file for unauthorized import attempts.
Figure 2: Export confidential information
As a next step specify a file name for the ISA Server 2006 configuration file.
Forefront TMG Installation
Start the Forefront TMG installation and choose the setup scenario you want to establish. If you want to install a complete set of Forefront TMG services without dependencies, select the first installation option.
Figure 3: Choose which setup scenario is the right for you
Select the components you want to install. In this case we install every component available.
Figure 4: Modify which features you want to use
Installing Forefront TMG takes a while longer than ISA Server 2006 installations, so you should have the time for a short coffee break.
After the Forefront TMG installation is successful, the first time Forefront TMG management console starts the Getting Started Wizard which will guide you through some basic setup steps. This step is not required if you want to import an ISA Server 2006 configuration. You can use the Getting Started Wizard after a successful migration of the ISA Server 2006 settings.
Figure 5: Forefront TMG Getting Started Wizard
Import (Restore) the ISA Server 2006 configuration.
Figure 6: Import (Restore) the exported ISA Server 2006 configuration
Specify the file name with the exported ISA Server 2006 configuration.
Figure 7: Specify the XML file with the exported ISA Server 2006 configuration
During the migration process, the Microsoft ISA Server 2006 configuration will be updated to Forefront TMG.
Figure 8: ISA 2006 configuration is getting updated to TMG format
Enter the password which you had to enter when you exported the ISA Server 2006 configuration with the Export confidential settings enabled.
Figure 9: Enter the password required for opening the Export file
Forefront TMG will now import and convert the settings from the ISA Server 2006 configuration. This could take a few minutes, depending on the size of the exported ISA Server 2006 configuration and the performance of the Forefront TMG machine.
Figure 10: Depending on the Server performance and the amount of import data, importing the configuration can take while
After all settings are successfully imported, click Apply to save the configuration changes.
It is now time to test if all ISA settings have successfully migrated. Some settings may not be imported because they differ between ISA Server 2006 and Forefront TMG.
Figure 11: Congratulation, the Firewall policy was successfully imported
The ISA Server 2006 forms part of the Windows 2003 domain and the Windows group which has access to the VPN functions of ISA Server. The destination Forefront TMG Server is member of a workgroup, so the account information in the VPN configuration gets orphaned. You manually have to remove these and other settings.
Figure 12: Orphaned Windows user group because the destination Server is not part of the same domain/Forest
For the migration process, the statically configured VPN client address ranges were not successfully imported. The Forefront TMG dashboard displayed a configuration error that the VPN client address range is empty. I think that this issue is specific to my machine or if not, Microsoft will address this problem in the final version of Forefront TMG.
Figure 13: The are some configuration errors after the configuration has been imported
Microsoft Forefront TMG has many log files which will be created during the TMG installation process or while the import process from ISA Server 2006 is running. You should have a look at these files if you are experiencing problems with the migration process.
Figure 14: There are a lot of TMG log files created during the installation of TMG / the import process
Decommissioning ISA 2006
After successfully importing the configuration into Forefront TMG, it is time to replace the ISA Server with Forefront TMG. These are the necessary steps:
- Disconnect Forefront TMG from all networks
- Assign all IP addresses from ISA Server to Forefront TMG
- Turn off the TMG Server
- Connect all network cables from ISA Server to the TMG Server
- Shutdown ISA Server
- Start the Forefront TMG Server
- Check that the Forefront TMG server is working properly
- Start ISA Server again with no network connection and uninstall ISA Server from the old machine
In this article, I have tried to show you how to migrate your ISA Server 2006 configuration to a new Microsoft Forefront TMG Server. There is no in-place update possible because Microsoft Forefront TMG will only run under Windows Server 2008 64 Bit and ISA Server 2006 only runs on 32 Bit platforms, so you have to export the configuration from a running ISA Server 2006 and import this configuration on a newly installed Microsoft Forefront TMG Server. The migration process is similar to updating ISA Server 2004 to ISA Server 2006 but please keep in mind that this article is based on a beta version of Microsoft Forefront TMG and some things could change when the final version of Microsoft Forefront TMG is released.