Administering ISA Server

The only way to administer ISA Server is by using the ISA Management MMC snap-in, but unfortunately there are no command prompt administration tools provided.

However, the ISA Management console is a pretty nifty tool for administering ISA Server. It provides three ways of navigating administrative tasks:

• Using the Getting Started Wizard
• Using the taskpad (Web-like interface on the right side of the console, shown in Figure 31-28)
• Using the console tree to locate the exact part of ISA Server to administer as if you were using Windows Explorer

Figure 31-28. The ISA Management window.

We discuss how to accomplish most tasks in the section entitled Initial Configuration earlier in this chapter, so we won't repeat those instructions here. The same settings are available from the console tree (described next and in the following sections) as from the wizard, so for most tasks, we refer you to the Initial Configuration section.

All three methods lead you to the same settings, and are somewhat complementary, so how you decide to access settings is up to you. After initial configuration, we usually navigate using the console tree, and then use the taskpad to accomplish the desired task, so this is how we'll instruct you for the rest of the chapter.

To work with the ISA Management snap-in, use the following procedure:

1. Launch the ISA Server snap-in by clicking Start, pointing to Programs, pointing to Microsoft ISA Server, and then choosing ISA Management.
2. If you're not already connected to the desired ISA server, click the Internet Security And Acceleration Server icon at the top of the console tree, choose Connect To from the Action menu, and enter the name of the server to which to connect.

   To remotely administer an ISA server, you can either install the ISA Management tools on the desired computer using the ISA Server installation CD, or you can use a Terminal Services connection to remotely control the ISA server (this is discussed in Chapter 26).

   If you don't see the taskpad on the right side of the ISA Management console, you probably have the Taskpad view turned off. To turn it on, choose Taskpad from the View menu.

3. To configure enterprise policies, expand the Enterprise container in the console tree and use the Policies container to create, edit, and delete enterprise policies, or use the Policy Elements container to modify the policy elements available for your policies.
4. To administer a specific server or array, expand the Servers And Arrays container, and then select the desired server or array. A few common tasks are listed in the taskpad, as shown in Figure 31-29. To change additional settings, navigate to the desired setting under the server or array.

   

   Figure 31-29. An array displayed in the console tree and taskpad.

You can use the tabs at the bottom of the taskpad to navigate, as well as to display related tasks. When you navigate using the taskpad, the console tree is updated to reflect your new position in the console tree.

Administering Arrays

As discussed earlier in this chapter, you can group a number of computers running ISA Server Enterprise Edition together into an array. These computers then appear to clients as a single server, and they can also be centrally administered.

The following sections show you how to create new arrays, as well as add servers to an existing array.

Before you can use arrays on your network you need to install the ISA Server schema into Active Directory. To do so, see the section entitled Enterprise Initialization earlier in this chapter.

Creating New Arrays

To create a new array, use the following procedure:

1. On an ISA server that belongs to an array, open the ISA Management MMC snap-in and select Servers And Arrays from the console tree.
2. Choose New-Array from the Action menu.
3. In the first screen of the New Array Wizard, enter a unique name for the array (you should use a fully qualified domain name to ensure uniqueness), and then click Next.
4. Choose which site and domain in which to locate the array, and then click Next, as shown in Figure 31-30.

   

   Figure 31-30. Specifying to which array the site and domain should belong.

   Unfortunately you can't create a new array using the ISA Management snap-in on a remote machine. To remotely create a new array, use Windows 2000 Terminal Services facilities.

5. In the next screen, choose the Create A New Array option to create a new array, or choose the Copy This Array option and select an existing array to copy settings from, and then click Next (if you chose to copy settings from an existing array, click Finish in the next screen to complete the wizard).
6. In the next screen (shown in Figure 31-31), leave the Use Default Enterprise Policy Settings option selected. Alternatively, select the Do Not Use Enterprise Policy option to use only array policies, or Use Custom Enterprise Policy Settings and then select the desired policy. Click Next to continue.

   

   Figure 31-31. Choosing how to apply enterprise policies to the new array.

7. If you chose to use a custom enterprise policy, select Allow Publishing Rules to enable arrays to publish (make available to the Internet) Web servers and other servers. Also choose whether to select Force Packet Filtering, which forces the array to use packet filtering. Click Next to continue.
8. Choose which mode of ISA Server to use: Firewall Mode for security purposes only, Cache Mode for Internet acceleration purposes only, or Integrated Mode, which provides security and acceleration services (the recommended mode). Click Next to continue.
9. Review the array settings and then click Finish.

Promoting Stand-Alone Servers to Become Arrays

You can easily promote a stand-alone server to become a member of a new ISA Server array. To do so, follow these steps:

1. Open the ISA Management MMC snap-in, right-click the stand-alone server in the console tree that you want to promote, and then choose Promote from the shortcut menu.
2. Click Yes when asked if you're sure (assuming you are sure).
3. In the next screen, leave the Use Default Enterprise Policy Settings option selected. Alternatively select the Do Not Use Enterprise Policy option to use only array policies, or Use Custom Enterprise Policy Settings to select a specific policy. Click Next or OK to continue the promotion.
4. If you chose to use a custom enterprise policy, select Allow Publishing Rules to enable arrays to publish (make available to the Internet) Web servers and other servers. Also choose whether to force the array to use packet filtering. Click OK to promote the server.

Removing Servers from an Array

To remove a server from an array, use the following steps:

1. Open the Computer container in the console tree under the desired array's name.
2. Right-click the server to be removed and then choose Delete from the shortcut menu, as shown in Figure 31-32.

   

   Figure 31-32. Removing a computer from an array.

3. To completely remove ISA Server from the deleted array member, uninstall the software using Add/Remove Programs in Control Panel.

Publishing Internal Servers to the Internet

To allow users on the Internet to access servers on your internal network, such as your Web server or e-mail server, you need to "publish" them with ISA Server. When you do this, you create a mapping that transfers external requests through the ISA server to the specific computer and service you specify on your internal network. This maximizes the security of your network while still allowing external clients access to the servers you want to make publicly available.

Permitting Incoming Requests and Enabling Reverse Caching

Before you can publish servers to the Internet, you need to set up ISA Server to permit incoming requests (by default all incoming requests are denied). To do so, use the following procedure:

1. Open the ISA Management MMC snap-in, right-click the server or array in the console tree on which to allow incoming requests, and then choose Properties from the shortcut menu.
2. Click the Incoming Web Requests tab, shown in Figure 31-33.

   

   Figure 31-33. Permitting incoming requests.

3. To use the same listener configuration on all IP addresses on the server or array, choose the Use The Same Listener Configuration For All IP Addresses option. To configure each IP address individually, leave the Configure Listener Individually Per IP Address option selected.

   A listener is just a configuration setting that tells ISA Server to monitor the specified IP address for incoming connections.

4. If you chose to configure each IP address individually, click Add to set up an IP address for incoming connections. Otherwise click Edit to display the same dialog box, which is shown in Figure 31-34.

   

   Figure 31-34. Configuring a listener.

5. Select the desired server from the Server list box, and then choose the IP address of the external interface from the IP Address box (if available).
6. Optionally enter a display name for the IP address, and choose whether to use a server certificate to authenticate the server to Web clients (you must to enable SSL access to your internal Web servers). You can also change the Authentication method, although this is not recommended unless you have a good reason for doing so. Click OK when you finish creating or editing the listener.
7. Back in the Incoming Web Requests tab shown in Figure 31-33, optionally enable ISA Server to listen for Secure Socket Layer (SSL) requests by selecting the Enable SSL Listeners check box.

   Don't change the default TCP and SSL ports, unless you have a specific reason for doing so and have examined the repercussions of this action.

8. At the bottom of the dialog box, select the Resolve Requests Within Array Before Routing check box to enable reverse caching. Reverse caching allows ISA Server to accelerate the perceived speed of your Web server to external clients by caching frequently requested pages from your Web server. Thus, when an Internet client requests a page, the ISA Server might be able to provide it directly from its cache rather than referring the request to your Web server.
9. Click OK when you're finished. ISA Server asks if you want to save the settings and immediately restart the Web Proxy and Scheduled Download services. Select the Save The Changes And Restart The Service(s) option and click OK to do so; otherwise restart the services at a later time (just realize that no incoming requests will be accepted until you do).

Creating Internal Destination Sets

When publishing servers to the Internet, limit the computers on your network that external (Internet) clients can access. To do this, create destination sets that contain only those computers on the internal network that you want to make accessible from the Internet. This is the opposite of the way destination sets are normally used—to limit which Internet sites your internal network clients have access to—but is actually a much more important use of destination sets.

To create a destination set for internal servers to publish, use the following procedure:

1. To make the destination set available to all arrays in the enterprise, open the Enterprise-Policy Elements-Destination Sets container in the console tree. To make the destination set available only on a particular server or array, open the Policy Elements-Destination Sets container located under the desired server.
2. Click the Create Destination Set link to open the New Destination Set dialog box.
3. Enter a name for the destination set such as Internal Web Servers, and then click Add to display the Add/Edit Destination dialog box, shown in Figure 31-35.

   

   Figure 31-35. Adding destinations to a destination set.

4. Add the computer(s) that you want to allow external clients to access using one of the following methods:
   • To add computers or domains by their DNS name, select the Destination option and enter the host name in the box provided, or click Browse to search Active Directory.
   • To specify a range of IP addresses, select the IP Addresses option and enter the beginning and ending IP addresses in the boxes provided.
   • To optionally specify a particular path in the destination set, enter the path in the Path box. This allows you to provide access only to the publishing directory on a Web server, for example. To include all files in a folder, enter the path followed by an asterisk, for example /Inetpub/wwwroot/*.
5. Click OK when you're finished, add any additional destinations to the destination set, and then click OK to close the destination set.

Publishing Web Servers

To publish a Web server so that external (Internet) users can access it, use the following procedure:

1. In the console tree of the ISA Management MMC snap-in, navigate to the Publishing object under the stand-alone server or array you want to use, and then select the Web Publishing Rules object, as shown in Figure 31-36.

   To publish a mail server, see the section entitled Publishing Mail Servers later in this chapter. To publish another type of server, from the Publishing object in the console tree, click the Publish Servers link and then follow the instructions on screen.

   

   Figure 31-36. The Publish Web Servers taskpad.

2. To create a new rule allowing Internet users to access a Web server on the internal network, click the Create A Web Publishing Rule link.
3. In the first screen of the New Web Publishing Rule Wizard, enter a descriptive name for the rule and then click Next.
4. Choose Specified Destination Set from the first list box (shown in Figure 31-37) and then in the Name box, choose the destination set containing only the internal server(s) that you want to allow access to (see the section entitled Creating Internal Destination Sets earlier in this chapter for more information). Click Next to continue.

   

   Figure 31-37. Specifying a destination set to which you want to allow access.

5. In the Client Type screen, choose how to apply the publishing rule. Most likely you'll select Any Request to apply the rule to all incoming requests. Click Next.
6. If you chose Specific Computers in the previous screen, specify which Client Address Sets to permit to access the Web server. If you chose the Specific Users And Groups option, select the groups to allow in, and then click Next.

   When you control access by users and groups, only users with an account that's a member of one of the groups you specify can gain access to the Web server. Additionally, the users must be using the ISA Server Firewall client software. For this reason, avoid controlling incoming access using users and groups.

7. Select the Redirect The Request To This Internal Web Server option, and then enter the IP address or fully qualified domain name of the Web server to which you want to allow access, as shown in Figure 31-38.
8. If you need to change the port addresses, do so and then click Next. For example, if you're hosting a Web site from the same computer that's running ISA Server, you need to configure Internet Information Services (IIS) to use a different port than port 80 because ISA Server uses that port. Typically you'll set up IIS to use port 81, but in any case, enter the port numbers that the Web server uses in the boxes provided.
9. Review the publishing rule and then click Finish to implement the rule.

   

   Figure 31-38. Specifying where incoming Web requests should be directed.

Real World

The Last Rule

Most parts of ISA Server that are configured with rules come preconfigured with a rule named Last. This rule is usually very restrictive (for Web publishing, it denies all access), and serves as the default rule that is applied to any condition that doesn't match any rules you create (which are processed first). To ensure that the security of the network isn't inadvertently compromised, don't modify this rule. Instead, create additional rules that allow the level of access you want.

Publishing Mail Servers

To provide mail services to external (Internet) clients, you first need to create a publishing rule that gives external users access to the internal mail servers. To do so, use the following procedure:

1. In the console tree of the ISA Management MMC snap-in, navigate to the Publishing object under the stand-alone server or array you want to use, and then click the Secure Mail Server link.
2. Click Next in the first screen of the Mail Server Security Wizard.
3. Select the protocols to allow as shown in Figure 31-39, and then click Next.

   

   Figure 31-39. Publishing a mail server.

4. Enter the external IP address of the ISA server (click Browse to locate it), and then click Next.
5. Enter the IP address of the internal mail server, or select the On The Local Host option if the ISA server is also a mail server. Click Next.
6. Review the publishing rule you created and then click Finish.

Once you've published a mail server, you can enable and configure the SMTP application filter (located under the Extensions container in the console tree). This filter allows you to filter out incoming messages based on a number of criteria such as size and attachment type (for example, you could automatically delete incoming messages that may contain a virus, such as messages with .VBS, .BAT, or .EXE extensions).

Creating Protocol Definitions

ISA Server comes preconfigured with definitions for most protocols. However, there might come a time when you need to use a protocol that ISA Server doesn't already know about. To use it, you'll need to create a protocol definition for it and then create a protocol rule enabling the use of the new protocol definition (unless you've allowed all IP traffic).

To create a protocol definition, use the following steps:

1. To make the protocol definition available to all arrays in the enterprise, open the Enterprise-Policy Elements-Protocol Definitions container in the console tree. To make the protocol definition available only on a particular server or array, open the Policy Elements-Protocol Definition container located under the desired server.
2. Scan the list of protocol definitions to make sure that there isn't already a suitable definition, and then click the Create A Protocol Definition link if there isn't.
3. In the first screen of the New Protocol Definition wizard, enter the protocol name and then click Next.
4. Enter the port number used by the protocol, the protocol type, and the direction of information transfer, as shown in Figure 31-40, and then click Next.

   Do not edit any of the protocol definitions that are shipped with ISA Server unless you know a great deal about TCP/IP and you know why you're changing any given protocol.

5. If the protocol uses secondary connections, select the Yes option in the next screen, and then click New to specify a port range, type, and direction for secondary connections. Click Next to continue.

   

   Figure 31-40. Creating a new protocol definition.

6. Review the settings and then click Finish. To use the protocol definition, add it to a protocol rule or create a new protocol rule allowing the use of the newly created protocol definition.

Changing Cache Properties

Although most cache configuration is performed when you install ISA Server or go through the Getting Started Wizard (discussed earlier in this chapter), you can configure additional settings or change the settings you specified. Use the following sections to change the size of the cache and what drives are used for caching, and set up specific Web sites or objects for scheduled downloading into the ISA Server cache.

To change the cache policy, click the Configure Cache Policy link in the Cache Configuration taskpad, and then refer to the section entitled Configuring Cache Policy earlier in this chapter.

Changing the Size and Location of the Cache

To change which drives are used to store the ISA Server cache and how much disk space is used on each drive, use the following steps:

1. Open the Cache Configuration container located under the desired server or array in the console tree.
2. Click the Configure Cache Size link, as shown in Figure 31-41.

   

   Figure 31-41. The Cache Configuration taskpad.

3. In the dialog box shown in Figure 31-42, select a drive from the list and then enter how much disk space to allocate for the ISA Server cache on that drive. Click Set to save the setting, and then configure any other drives. Click OK when you're finished.

   

   Figure 31-42. Changing ISA Server's cache location and size.

Setting Up Content for Scheduled Downloading

You can set up ISA Server to automatically download individual Web pages or even entire Web sites on a set schedule. This ensures that the desired content is always available and fresh in ISA Server's cache.

This ability can come in handy in a couple of instances, the most obvious of which is when your users routinely need access to a particular site, such as a reference site or the site of a partner company.

You can also use ISA Server's scheduled download functionality to accelerate performance of the internal Web server for external (Internet) clients, provided you have reverse caching enabled (covered earlier in this chapter). Set up the ISA server to automatically download the Web site from the internal Web server and then when Internet clients request pages from the Web site, they're served directly from the ISA server (this also enhances the security of the network because external clients no longer even access the internal Web server; they stay on the ISA server).

To schedule ISA Server to download content automatically, use the following steps:

1. Open the Cache Configuration-Scheduled Content Download container located under the desired server or array in the console tree.
2. Choose New-Job from the Action menu.
3. Enter a descriptive name for the download job and then click Next.
4. Specify the date and time the download job should begin, and then click Next.
5. Specify the frequency with which ISA Server should perform the download job, as shown in Figure 31-43, and then click Next.

   

   Figure 31-43. Creating a new scheduled download job.

6. Enter the URL to download, and specify whether to download only linked pages within the same site by selecting Content Only From URL Domain. You can also control whether or not ISA Server caches dynamic content. Click Next to continue.

   If the dynamic content requires user authentication or identification (including the use of cookies), it won't cache properly.

7. Specify how ISA Server should deal with the Time to Live (TTL) of objects it downloads, as discussed here and shown in Figure 31-44:
   • Always Override Object's TTL Gives all downloaded objects the TTL you specify in the box provided (default is 60 minutes)
   • Override TTL If Not Defined Writes the TTL you specify on downloaded objects only if they don't have a specified TTL

   

   Figure 31-44. Specifying how many links ISA Server should download and how it should set their TTL.

   Web page authors can specify a Time to Live (TTL) for Web pages to indicate how long the content is "fresh" (how long it should hang around before getting checked for a new copy). When the TTL expires, ISA Server considers the page invalid and automatically checks for an updated copy if active caching is enabled and the page is popular. If active caching isn't enabled, ISA Server updates the page the next time it's requested.

8. Select the Cache Up To Maximum Links Depth Of option and enter the number of links ISA Server should follow in the box (or just leave No Limit On Maximum Depth selected). ISA Server follows all links on the page you specified and continues following all links on each linked page up to the maximum link depth.
9. Optionally change the maximum number of objects ISA Server caches during the scheduled download operation, and then click Next. Review the settings and then click Finish.

Configuring the Local Address Table

Your local addresses are maintained in the LAT that was created during initial installation. You can change this LAT at any point using the ISA Management MMC snap-in. To configure the LAT, use the following procedure:

1. Open the Network Configuration container located under the desired server or array in the console tree, and then select the Local Address Table (LAT) object under it in the console tree. This displays the LAT, as shown in Figure 31-45.

   

   Figure 31-45. The local address table.

2. To add address ranges manually, choose New-LAT Entry from the Action menu, and then enter the address range in the New LAT Entry dialog box.
3. To reconstruct the LAT, choose Construct LAT from the Action menu to display the dialog box shown in Figure 31-46. To add the private IP addresses automatically, select the Add The Following Private Ranges check box. To allow Windows to use the internal IP routing table, specify the network card or cards connected to the internal network (do not select the adapter connected to the Internet or external network). When you've made your selections, click OK.

   

   Figure 31-46. The Construct LAT dialog box.

4. Click OK to return to the local address table shown in Figure 31-45.
5. To remove any external addresses from the LAT, right-click the incorrect LAT entry and choose Delete from the shortcut menu. To edit the entry, choose Properties from the shortcut menu.

Configuring the Local Domain Table

Because network namespaces are growing increasingly complex, it is no longer simple to discern the difference between internal network names and external network names. For this reason, you can create a list of domains that are on the local network.

When a Firewall client requests a location by name, it first checks its local copy of the local domain table (LDT), which is updated frequently by the ISA server (SecureNAT clients must use DNS). If the requested location is a member of a local domain, the client bypasses ISA Server and directly accesses the location. Otherwise it goes to the ISA Server to fulfill the request.

To configure the LDT, use the following steps:

1. Open the Network Configuration container located under the desired server or array in the console tree, and then select the Local Domain Table (LDT) object under it in the console tree. This displays the LDT, as shown in Figure 31-47.

   

   Figure 31-47. The local domain table.

2. To add an entry to the LDT, choose New-LDT Entry from the Action menu.
3. In the New LDT Entry dialog box shown in Figure 31-48, enter the local domain or subdomain name, or click Browse to select one. To include all subdomains of the specified domain, precede the domain with an asterisk. Click OK when you're finished.

   

   Figure 31-48. Creating a new LDT entry.

4. To remove an LDT entry, right-click the entry and choose Delete from the shortcut menu. To edit an entry, right-click it and choose Properties from the shortcut menu.

Working with VPNs

ISA Server can work with Windows 2000 Routing and Remote Access service to provide a secure network link across the Internet using a virtual private network (VPN) connection.

There are two types of VPN connections that you can set up with ISA Server. You can use a VPN connection as a WAN link to connect two networks together, or you can set up the ISA server as a VPN server and allow clients to securely connect to the local network from across the Internet. Both methods are discussed in the following sections.

More Info

For background information on VPNs and Routing and Remote Access, see Chapter 32.

Connecting Two Networks

Until just recently, if you wanted to connect two networks together with a permanent network connection, you needed to use a dedicated WAN link, which can be very expensive and a hassle to set up. However, with the advent of VPN connections, companies can now use their Internet connection to create a virtual WAN link between separate networks at a fraction of the cost and time required by a traditional WAN link.

To connect two networks with a VPN, you first need to set up the VPN link on the ISA server located on the primary network. Then you set up the ISA server located on the other network (both sides of the VPN need to be using an ISA server).

Setting Up a VPN on the Primary Network

When setting up a VPN connection between two networks, you need to start at one end or the other. Start on the primary network, the main network with which you want to connect other networks.

For example, your company might have a main business location in Seattle with some branch offices scattered around the country. Set up the VPN in Seattle first, and then connect each branch office later, as described in the section entitled Setting Up a VPN on a Secondary Network later in this chapter.

To set up an ISA server to receive VPN connections from your company's secondary networks, use the following procedure on an ISA server on the primary network:

1. Open the Network Configuration container located under the desired server or array in the console tree.
2. Click the Configure A Local Virtual Private Network (VPN) link.
3. Click Next in the first screen, and then click Yes (if prompted) to start the Windows Routing and Remote Access service.
4. Follow the on-screen directions.

Setting Up a VPN on a Secondary Network

To finish creating a WAN link between two networks using a VPN connection, after setting up an ISA server on the primary network, follow these steps on an ISA server at the secondary network:

1. Open the Network Configuration container located under the desired server or array in the console tree.
2. Click the Configure A Remote Virtual Private Network (VPN) link.
3. Click Next in the first screen, and then click Yes (if prompted) to start the Windows Routing and Remote Access service.
4. Follow the on-screen directions.

Allowing Client VPN Connections

Setting up ISA Server to accept incoming VPN connections from clients such as home users or traveling employees is simple:

1. Open the Network Configuration container located under the desired server or array in the console tree.
2. Click the Configure A Client Virtual Private Network (VPN) link.
3. Click Next in the first screen, and then click Yes (if prompted) to start the Windows Routing and Remote Access service.
4. Click Finish. ISA Server configures Routing and Remote Access to accept properly authenticated and encrypted VPN connections, and creates a static packet filter to allow L2TP and PPTP protocols to work with the IP Security (IPSec) protocol. Click Yes when asked if you want to restart the Routing and Remote Access service.

To accept L2TP connections, you need to configure the server with a server certificate. Certificates are discussed in Chapter 20.

Backing Up and Restoring ISA Server

You can (and should) back up the ISA Server configuration after every major configuration change, such as changing enterprise policies, changing array membership, or changing the cache configuration. This allows you to restore most of the configuration changes should you have to reinstall ISA Server or re-create the settings on another machine.

Backing up a stand-alone ISA Server is no different from backing up a normal Windows 2000 Server; use Backup as described in Chapter 35 (all configuration information is stored in the registry or configuration files located on the local hard drive).

Backing up enterprise policies or arrays is a little different however, because the configuration information is stored in Active Directory. To back up enterprise policies or an ISA Server array, you need to use ISA Server's backup tool, as described in the following steps:

1. Click the Internet Security And Acceleration Server object in the console tree (it's the highest level object).
2. Click the Backup tab at the bottom of the taskpad to display the Backup taskpad, shown in Figure 31-49.

   

   Figure 31-49. The Backup taskpad.

3. Click the Backup Enterprise Policy Definitions link to back up enterprise policies, or select an array and then click the Backup Selected Server Or Array Configuration link to back up an array's settings.
4. Enter the path and filename for the backup file (or click Browse) and enter a description of the file in the boxes provided (see Figure 31-50).

   

   Figure 31-50. Backing up enterprise or array configuration settings.

Be careful about where you save the backup file. Place it in a secure folder on an NTFS volume.

To restore a backed-up configuration, restore the server to an operational state (with ISA Server installed) and then follow these steps:

1. Click the Internet Security And Acceleration Server object in the console tree (it's the highest level object).
2. Click the Backup tab at the bottom of the taskpad to display the Backup taskpad, shown in Figure 31-49.
3. Click the Restore Enterprise Policy Definitions link to restore enterprise policies, or select an array and then click the Restore Selected Server Or Array Configuration link to restore an array's settings.
4. Click Yes when asked if you want to overwrite existing settings.
5. Click Browse to locate the backup file, click Open, and then click OK.
6. Review the backup information and then click OK to restore the backup.