Upgrading Existing ISA Server 2000 Systems to ISA Server 2004

Part of an ISA design process involves examining existing ISA deployments and migrating those servers to ISA Server 2004. Fortunately, Microsoft provides a robust and straightforward set of tools for migrating existing ISA 2000 servers to ISA Server 2004. From a design perspective, it is important to first understand the functional differences between ISA 2000 and ISA Server 2004 so that the design can take them into account.

Exploring Differences Between ISA 2000 and ISA Server 2004

ISA 2000 was a very capable product that provided a great deal of firewall and proxy functionality. Compared to the features of ISA Server 2004, however, the older version of the software falls short in several key categories. This new functionality, along with a higher overall degree of security, drives organizations to upgrade to the newer version.

The following key features comprise the bulk of the new features and improvements introduced to ISA Server 2004:

  • Multi-network support: One of the most visible changes between ISA 2000 and ISA 2004 is the capability of ISA 2004 to support multiple defined networks, each with its own defined relationships. This allows for unique policies that can be applied to each network, and the networks can be used as part of firewall rules.

  • Improved Application-layer filtering: The Layer 7 (Application layer) filtering capabilities of ISA Server 2004 have been greatly enhanced to include per-rule HTTP stateful inspection, RPC filtering support, and link translator features.

  • Enhanced monitoring and reporting: Another welcome improvement to ISA 2004 is the introduction of robust, real-time log viewing. This greatly aids in the troubleshooting of firewall rules and connections. The addition of monitoring and reporting features such as connection verifiers, report publishing, MSDE logging options, and real-time session monitoring greatly improves this area for ISA admins.

  • Greatly improved management interface: The GUI Admin tool in ISA Server 2004 was streamlined and greatly improved over the ISA 2000 console. In addition to overall ease of use, ISA 2004 added multiple wizards to help with common tasks, network templates that can easily be applied, and centralized logging, reporting, and storage of firewall policy in the Enterprise version of the software.

  • Export and import functionality: The capability of ISA Server 2004 to export individual elements or entire ISA configurations to simple XML text files that can be imported into separate servers greatly enhances the backup and restore options available to ISA admins.

  • Virtual private network improvements: ISA Server 2004 added new VPN enhancements such as support for VPN Quarantine, SecureNAT client support, stateful filtering for VPN clients, and support for third-party IPSec tunnel mode for site-to-site VPNs.

  • Content caching updates: The web and FTP proxy options for ISA have been expanded to include RADIUS support for authentication, improved cache rules, and the creation of CARP-enabled caching arrays in the Enterprise version.

  • Enhanced firewall rules: Support for multiple default protocols has been added to ISA, including the capability to support complex protocols when using the ISA Firewall client. In addition, enhancements to server publishing for services such as OWA, websites, SharePoint, FTP sites, and other firewall rules have been included.

Exporting ISA 2000 Settings to ISA Server 2004

There are two basic procedures for migrating ISA 2000 settings to ISA Server 2004. The first procedure involves an in-place upgrade of an existing ISA 2000 server to ISA Server 2004. It is highly recommended that you avoid this technique at all costs because it does not always produce desirable results and can leave a system with existing security holes and the mess left over from migrating from one environment to another.

The preferred migration option for ISA Server 2004 is to run the ISA Server Migration tool to export the settings of an ISA 2000 server to an XML file, which can then be imported on another newly installed ISA Server 2004 system running on Windows Server 2003. This option allows for the creation of a brand-new ISA server from scratch, without any of the configuration or operating system problems of the ISA 2000 server.

To perform this type of ISA 2000 migration to ISA Server 2004, perform the following steps:

Note: To upgrade the Standard version of ISA 2000, the Standard version CD for ISA Server 2004 must be used. Likewise, to upgrade from the Enterprise version of ISA 2000, the ISA Server 2004 Enterprise CD must be used. If the intent is to upgrade between different versions (that is, ISA 2000 Standard to ISA Server 2004 Enterprise), the only supported migration path is to run the migration wizard, copy the configuration to the same version, and then export the rules to XML files and transfer them over to the new version of the server.

1. From the ISA 2000 server, insert the ISA Server 2004 CD into the CD Drive (or double-click the autorun.exe file).

2. Click on the Run Migration Wizard link.

3. At the welcome dialog box, click Next to continue.

4. At the subsequent dialog box, type in a name of the folder to which the XML file will be saved, as well as a name for the file, similar to what is shown in Figure 4.1. The Browse button can also be used.

Figure 4.1. Using the ISA Server Migration Wizard to export ISA 2000 settings.

5. After a name for the file has been entered, click Next to continue.

6. Click the Create button to start the export.

7. After the export has finished, click Next to continue.

8. Click the Finish button.

The exported XML file, if opened from Notepad, looks similar to the one shown in Figure 4.2. At this point, the file is ready to import to an ISA Server 2004 system.

Figure 4.2. Viewing the export XML file for ISA Server 2004.

After the XML file has been physically made accessible from the new server, it can then be imported via the following process:

1. On the ISA Server 2004 system, open the ISA Console.

2. Right-click the server name in the Scope pane and click on Import.

3. When prompted with the warning dialog box in Figure 4.3, click Yes.

Figure 4.3. Importing the ISA 2000 Settings onto an ISA Server 2004 System.

Note: As the dialog box indicates, performing this restore operation results in any current settings being overwritten. Ensure that there are no customizations in place on the server before restoring from an ISA 2000 Export file.

4. Select the XML file from the ISA 2000 backup procedure and click Import.

5. Click OK when the import is finished.

6. Click Apply at the top of the Central Details pane.

Cleaning Up ISA 2000 Rules and Migration Components

One of the most noticeable characteristics of an ISA Server 2004 server that has just had migrated ISA 2000 rules imported into it is the sheer number of confusing and redundant rules set up in the Firewall Policy. The ISA Server Migration Wizard exports all unique rules on the ISA 2000 server, which are then imported onto the ISA 2004 server. In many cases, however, this creates many rules that are already covered by System Policy rules or other default rules that may be configured on a server.

Taking this into account, this may be an ideal time to clean up some of the old ISA 2000 rules. To mitigate the risk associated with this action, it is ideal to simply disable the rules for a period of time before they are deleted completely. This way, if a rule turns out to have been necessary, it can be easily reenabled and nothing needs to be created from scratch.
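
The disable-before-delete approach described above can be scripted so that every staged rule is recorded and can be switched back on by name. This is an added example, not code from the book: it assumes Windows PowerShell 2.0 is installed on the ISA Server 2004 computer and uses the ISA administration COM object (FPC.Root); the folder path and the rule names are hypothetical.

```powershell
# Added example, not from the book. Run locally on the ISA Server 2004 computer.
$LogDir = 'C:\ISA-Migration'   # hypothetical, must already exist

function Disable-MigratedRule {
    param([string[]]$Name)
    $root   = New-Object -ComObject FPC.Root
    $rules  = $root.GetContainingArray().ArrayPolicy.PolicyRules
    $staged = @()
    foreach ($rule in $rules) {
        # Only touch rules that were named explicitly and are currently enabled
        if (($Name -contains $rule.Name) -and $rule.Enabled) {
            $rule.Enabled = $false
            $staged += New-Object PSObject -Property @{
                Name = $rule.Name; DisabledOn = (Get-Date -Format s) }
        }
    }
    if ($staged.Count -gt 0) {
        $rules.Save()   # commit the change to the ISA configuration
        # One timestamped record per run, so earlier records are never overwritten
        $file = Join-Path $LogDir ("staged-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))
        $staged | Export-Csv -Path $file -NoTypeInformation
    }
    # Report requested names that were not changed (misspelled or already disabled)
    $done = @($staged | ForEach-Object { $_.Name })
    $Name | Where-Object { $done -notcontains $_ } |
        ForEach-Object { Write-Warning "Not changed: $_" }
    $staged
}

function Enable-MigratedRule {
    param([string]$Name)
    $root  = New-Object -ComObject FPC.Root
    $rules = $root.GetContainingArray().ArrayPolicy.PolicyRules
    foreach ($rule in $rules) {
        if ($rule.Name -eq $Name) { $rule.Enabled = $true }
    }
    $rules.Save()
}

# Example invocation with constructed rule names:
# Disable-MigratedRule -Name 'ISA2000 - Allow DNS', 'ISA2000 - Web Access'
# Enable-MigratedRule  -Name 'ISA2000 - Allow DNS'
```

The CSV files give a dated list of what was staged, which is the list to review before any rule is deleted for good.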

    Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed
    ISBN: 067232718X
    EAN: 2147483647
    Year: 2005
    Pages: 216
    Authors: Michael Noel