When upgrading ISA Server 2000 to ISA Server 2004, an in-place upgrade is the most straightforward method. If you are upgrading Enterprise Edition, there are some additional steps required, which we outline in the section entitled "Upgrading ISA Server Enterprise Edition" later in this chapter.
Best Practices: Before making any changes to your ISA Server environment, make a backup of your existing environment. A good utility for creating a complete backup that can be restored to the same computer or to another ISA Server 2000 computer is available from Jim Harrison's ISATools.org site at http://www.isatools.org/ISAExportImport.zip.
Your ISA server will be offline for the time it takes to complete the installation. When performing an upgrade, you should always disconnect the ISA server from the Internet and other untrusted networks to protect your computer while it is installing.
To upgrade ISA Server 2000 Standard Edition, ensure that Service Pack 1 or higher is installed, then follow these steps:
Insert the ISA Server 2004 Standard Edition disk, or connect to the media and double-click the ISAautorun.exe file. The Microsoft ISA Server 2004 Setup splash screen will appear, as shown in Figure 5-1.
Click Install ISA Server 2004. The Welcome To The Upgrade Wizard For ISA Server 2004 page shows the components that will be upgraded. Review the list, and then click Next.
On the License Agreement page, read the EULA, select I Accept The Terms In The License Agreement, and then click Next.
On the Customer Information page, enter your user name, organization, and serial number in the appropriate text boxes, then click Next.
On the Destination Folder page, click Change and specify a new path if you so desire. Otherwise, click Next.
On the Export Microsoft ISA Server 2000 Configuration page, click Export to back up your configuration settings. The Welcome To The ISA Server Migration Tool page appears. Click Next.
On the Select The Default Firewall Policy page, you choose between two options, as shown in Figure 5-2:
Do Not Allow Clients On The Internal Network Access To The ISA Server 2004 Computer: You can use this option if the clients on the internal network don't need to access any resources on the ISA server itself, such as file or print sharing.
Allow Clients On The Internal Network To Access The ISA Server 2004 Computer: Use this option if clients need to access the ISA server.
These options configure the system policies that control access to the LocalHost network. The LocalHost network controls access to the ISA server itself. To maintain the most secure environment possible, it's best to block unnecessary traffic to the ISA server.
Click an option, and then click Next. On the Create Migration File page, click Create to export the migration information, wait for the progress bar to complete, then click Next.
On the Completing The Migration File Creation page, click Finish.
The Export Wizard provides a very helpful file called ISA2k_config.log that will be stored in the %SystemRoot%\ISA2k_Upgrade folder. This document reveals the items that will not be migrated into the new system. Pay close attention to these items, and address the issues accordingly. For more information, see the ISA Server Migration Guide on your ISA CD.
On the Export Microsoft ISA Server 2000 Configuration page, click Next. If the Next button is unavailable, you need to click Create The Migration Data.
Read the conditions explained on the ISA Server 2000 Generated Files page, then click Next.
Remember that it's very important to protect your ISA server when upgrading, because the upgrade stops the services that protect your server. Disconnect the ISA server from all networks, even internal networks, because an unknown worm or virus may be present on the network. When you disconnect, do so in a way that keeps the network cards in the Connected state. You can do this by leaving the network cable plugged into the switch and then using the switch management tool to block traffic going to the ISA server. Alternatively, you can disconnect all other connections from the hub or switch.
On the Ready To Install The Program page, click Install. The installation begins. Watch the Status progress bar to monitor the installation.
On the Installation Wizard Completed page, click Finish. When you are prompted to restart the server, click Yes.
After the server reboots and you log in, you will see the Protect The ISA Server Computer Web page, which you should read carefully.
Ensure that the Firewall service is started by opening the ISA Server Management console, expanding your ISA Server's node, clicking the Monitoring node, and then looking in the Details pane at the Services area. If the Firewall status reads Started, you may reconnect the ISA server to your networks.
Figure 5-1: From this screen you can read supporting documentation, run the Migration Wizard, or start the installation of ISA Server.
Figure 5-2: This dialog box sets the level of protection for ISA Server.