Part of an ISA design process involves examining existing ISA deployments and migrating those servers to ISA Server 2004. Fortunately, Microsoft provides a robust and straightforward set of tools to migrate existing ISA 2000 servers to ISA Server 2004. From a design perspective, it is important to understand first what the functional differences between ISA 2000 and ISA Server 2004 are, so that the design can take them into account.
Exploring Differences Between ISA 2000 and ISA Server 2004
ISA 2000 was a very capable product that provided for a great deal of firewall and proxy capabilities. Compared to the features of ISA Server 2004, however, the older version of the software falls short in several key categories. This new functionality, along with a higher overall degree of security, drives organizations to upgrade to the newer version.
The following key features comprise the bulk of the new features and improvements introduced to ISA Server 2004:
Exporting ISA 2000 Settings to ISA Server 2004
There are two basic procedures for migrating ISA 2000 settings to ISA Server 2004. The first procedure involves an in-place upgrade of an existing ISA 2000 server to ISA Server 2004. It is highly recommended that you avoid this technique at all costs because it does not always produce reliable results and can leave you with a system that carries forward existing security holes and the configuration clutter left over from the old environment.
The preferred migration option for ISA Server 2004 is to run the ISA Server Migration tool to export the settings of an ISA 2000 server to an XML file, which can then be imported on another newly installed ISA Server 2004 system running on Windows Server 2003. This option allows for the creation of a brand-new ISA Server from scratch, without any of the configuration or operating system problems of the ISA 2000 server.
To perform this type of ISA 2000 migration to ISA Server 2004, perform the following steps:
To upgrade the Standard version of ISA 2000, the Standard version CD for ISA Server 2004 must be used. Likewise, to upgrade from the Enterprise version of ISA 2000, the ISA Server 2004 Enterprise CD must be used. If the intent is to upgrade between different versions (for example, ISA 2000 Standard to ISA Server 2004 Enterprise), the only supported migration path is to run the migration wizard, copy the configuration to the same version, and then export the rules to XML files and transfer them over to the new version of the server.
The exported XML file, if opened from Notepad, looks similar to the one shown in Figure 4.2. At this point, the file is ready to import to an ISA Server 2004 system.
Figure 4.2. Viewing the export XML file for ISA Server 2004.
After the XML file has been physically made accessible from the new server, it can then be imported via the following process:
Cleaning Up ISA 2000 Rules and Migration Components
One of the most noticeable characteristics of an ISA Server 2004 server that has just had ISA 2000 migration rules imported into it is the sheer number of confusing and redundant rules set up in the Firewall Policy. The ISA Server Migration Wizard exports all unique rules on the source server, which are then imported onto the ISA Server 2004 server. In many cases, however, this creates many rules that are already covered by System Policy rules or other default rules that may be configured on a server.
Taking this into account, this may be an ideal time to clean up some of the old ISA 2000 rules. To mitigate the risk associated with this action, it is ideal to simply disable the rules for a period of time before they are deleted completely. This way, if a rule turns out to have been necessary, it can be easily reenabled and nothing needs to be created from scratch.
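The disable-first cleanup described above can be staged against the exported XML before it is imported. The following is an added example, not code from the book or from the ISA Server product; the element names in the sample (Root, PolicyRules, PolicyRule, Name, Enabled, Action, Protocols, From, To) and the "already covered by System Policy" signatures are constructed assumptions for illustration, not the real export schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an ISA Server 2004 export; the element names
# are an assumption for this example, not copied from a real export file.
SAMPLE_EXPORT = """<Root><ArrayPolicy><PolicyRules>
  <PolicyRule><Name>Migrated: Allow DNS</Name><Enabled>1</Enabled>
    <Action>Allow</Action><Protocols>DNS</Protocols>
    <From>Internal</From><To>External</To></PolicyRule>
  <PolicyRule><Name>Migrated: Allow DNS (1)</Name><Enabled>1</Enabled>
    <Action>Allow</Action><Protocols>DNS</Protocols>
    <From>Internal</From><To>External</To></PolicyRule>
  <PolicyRule><Name>Migrated: Allow HTTP</Name><Enabled>1</Enabled>
    <Action>Allow</Action><Protocols>HTTP</Protocols>
    <From>Internal</From><To>External</To></PolicyRule>
</PolicyRules></ArrayPolicy></Root>"""

# Fields that define what a rule does, independent of its (migrated) name.
FIELDS = ("Action", "Protocols", "From", "To")


def rule_signature(rule):
    """Return the rule's behaviour as a tuple so duplicates compare equal."""
    return tuple(rule.findtext(f, "").strip() for f in FIELDS)


def stage_cleanup(xml_text, already_covered=()):
    """Disable (never delete) imported rules that duplicate an earlier rule in
    the export, or that match a signature already covered elsewhere, such as
    by System Policy. Rules stay in the file so they can be re-enabled later.
    Returns (modified_xml, names_of_rules_disabled)."""
    root = ET.fromstring(xml_text)
    seen = set(tuple(sig) for sig in already_covered)
    disabled = []
    for rule in root.iter("PolicyRule"):
        enabled = rule.find("Enabled")
        if enabled is None or (enabled.text or "").strip() != "1":
            continue  # already off: leave it alone so re-runs are idempotent
        sig = rule_signature(rule)
        if sig in seen:
            enabled.text = "0"  # disabled for the review period, not removed
            disabled.append(rule.findtext("Name"))
        else:
            seen.add(sig)
    return ET.tostring(root, encoding="unicode"), disabled


if __name__ == "__main__":
    # Constructed signature standing in for a rule System Policy already allows.
    covered = [("Allow", "HTTP", "Internal", "External")]
    _, names = stage_cleanup(SAMPLE_EXPORT, covered)
    print("Disabled for review:", names)
```

Rules the script turns off remain in the file with their original definition, so re-enabling one after the review period is a one-field change rather than a rebuild.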