When you choose to take an existing ISA Server 2000 configuration and move it to new servers, follow these steps:
Export the ISA Server 2000 configuration.
Install ISA Server 2004.
Import the ISA Server 2000 configuration to the ISA Server 2004 server.
To export the ISA Server 2000 configuration for import into ISA Server 2004, follow these steps:
You must run this utility under the context of an Administrator. You may log on to the server with an Administrative account only for the time it takes to install the ISA Server software, or log on under the context of a user account, and use Secondary Logon (RunAs) to run the program under the context of an Administrative account. For more information, see Windows Help.
Insert the ISA Server 2004 CD, and then wait for the Microsoft ISA Server 2004 Setup screen to appear. Click Run Migration Wizard.
If the Server Setup screen does not appear, navigate to the CD and run the Isaautorun.exe file.
The Welcome To The ISA Server Migration Tool page appears. Click Next.
On the File Location page, enter the location and filename for the file you wish to export. This is the name of the Extensible Markup Language (XML) document that contains the ISA Server 2000 configuration information. Click Next.
On the Select The Default Firewall Policy page, you choose between two options:
Do Not Allow Clients On The Internal Network Access To The ISA Server 2004 Computer: You can use this option if the clients on the internal network don't need to access any resources on the ISA server itself, such as file or print sharing.
Allow Clients On The Internal Network To Access The ISA Server 2004 Computer: Use this option if clients need to access the ISA server.
These options configure the system policies that control access to the LocalHost network, which is the default setting in ISA Server 2000. The LocalHost network controls access to the ISA server itself. To provide the most secure environment possible, it's best to block unnecessary traffic to the ISA server.
Click an option, and then click Next. On the Create Migration File page, click Create, wait for the migration to complete, and then click Next.
On the Completing The Migration File Creation page, make a note of the location of the exported file (and the log file detailing items not migrated), and then click Finish.
Follow the procedures described in Chapters 2 and 3 to install ISA Server 2004 Standard Edition or Enterprise Edition.
To import a configuration, follow these steps:
In the ISA Server Management console, select the ISA server in the Console tree.
In the Task pane, click the Tasks tab, and click Import From An Exported ISA Server Configuration File.
In the Import Configuration dialog box, navigate to the XML file you exported from your ISA Server 2000 computer. Select the ISA Server Import Options to match those you chose when exporting the file.
A message might appear directing you to clear a check box if the information was not exported into the configuration file.
Watch the progress bar. When it is completed, click OK.
Click Apply to commit the changes.
When prompted to choose between Save The Changes, But Don't Restart The Services and Save The Changes And Restart The Services, select the option you wish, then click OK.
The Apply New Configuration progress bar appears. When it completes, click OK.
In ISA Server 2000, RRAS is used to configure and allow VPN connections. In fact, any VPN installation can be ported to ISA Server 2004, even without ISA Server 2000 installed. To migrate a portion of those settings, perform one of the following two sets of instructions:
Option 1: Install ISA Server 2004 on the computer. The settings will be migrated automatically (with the qualifications listed in Table 5-2).
Option 2: Use the Migration Wizard, as described previously.
VPN Client Connections
The number of VPN clients allowed to connect to the ISA server will be set to the larger of the number of Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP) ports. An exception is when IP addresses are statically assigned, and the number of IP addresses is smaller than the number of PPTP or L2TP ports—in this case the number of connections is limited to the number of statically assigned IP addresses.
To protect the security of the information, preshared keys are not exported from RRAS or for site-to-site connections.
DNS and Windows Internet Naming Service (WINS) IP Addresses
If the server has invalid IP addresses for the DNS and WINS servers, the IP addresses won't be migrated; the IP addresses from the DHCP server (if one is installed) will be used instead.
PPTP or L2TP Preferred On Site-to-Site Connections
When RRAS is migrated to ISA Server 2004, it uses the tunneling protocol (either PPTP or L2TP) that was configured first on that connection.
RRAS Credentials On Site-to-Site Connections
Site-to-site RRAS credentials are not exported for security reasons. You must reconfigure them.
Table 5-2 shows the state of migrated VPN settings.