If you've previously used ISA Server 2000 to protect your Windows network and want to move to ISA Server 2004, you can't just blindly run Setup and hope that everything will turn out okay. Deb Shinder shows you the proper way to upgrade an older ISA Server 2000 server to ISA Server 2004.
Upgrading your ISA Server 2000 firewall/Web caching server to ISA Server 2004 raises many issues because of the differences between the two products. ISA Server 2004's networking model is very different; the dependence on the local address table (LAT) is gone, and multinetworking is supported in ISA 2004.
On the other hand, several features that were present in ISA 2000 have not been carried over to ISA 2004, such as bandwidth rules, the H.323 Gatekeeper, and active caching. ISA Server 2004 doesn't use packet filter configuration, and third-party Web and application filters designed for ISA 2000 aren't compatible with ISA 2004.
For these reasons, even though the upgrade process itself is straightforward, you'll find that many of your settings won't be migrated or will be migrated in a way that might have unexpected results. In this article, I'll discuss some of the primary upgrade considerations, how to perform an in-place upgrade installation, and how to use the Migration tool to save your ISA Server 2000 configuration information and apply it to a "clean" installation of ISA Server 2004.
If you're using ISA 2000 Enterprise Edition, you won't be able to upgrade to ISA 2004 Standard Edition. You can upgrade only from Standard to Standard and Enterprise to Enterprise. In addition, Service Pack 1 (SP1) for ISA 2000 must be installed before you can upgrade to ISA 2004.
There are three levels of migration:
- You can do a full in-place upgrade. This means you install ISA 2004 over the ISA 2000 installation. Your configuration (although this doesn't include all settings) is migrated to the new installation without using any special utilities.
- You can use the Migration tool that's included with ISA 2004 to capture the configuration information from your ISA 2000 computer, do a clean install of ISA 2004 on the same or a different computer, and then apply the captured configuration.
- You can use the Migration tool to migrate only your RRAS VPN settings.
You can also use the Migration tool on a computer that is currently running ISA 2000 to remove ISA 2000 and then install ISA 2004 and apply the ISA 2000 configuration settings. The configuration information captured by the Migration tool is saved in an .xml file. This file is then imported into the new ISA 2004 installation. In the section "How to use the Migration tool," I'll show you the step-by-step process for doing this.
An important consideration in upgrading is whether you have third-party add-in products installed on the ISA 2000 computer. Add-ins such as application filters and Web filters designed for ISA 2000 aren't compatible with ISA 2004. You'll have to uninstall them before doing the upgrade, and then contact the third-party vendor(s) for new versions of the add-ins.
It's important to note that permission settings and logging and reporting configurations are not migrated from ISA 2000 to ISA 2004 (however, most alert definitions are migrated). These will have to be configured on the new installation.
Server publishing rules and Web publishing rules are migrated, but they are changed to be compatible with ISA 2004. Most of the ISA 2000 policy elements (such as client address sets, content groups, destination sets, and protocol definitions) are upgraded. Each ISA 2000 routing rule becomes two rules: a cache rule and a routing rule. Most cache configuration settings are migrated, but active caching is not supported in ISA 2004. Note that any preshared keys that are configured for RRAS will not be exported.
We recommend that you thoroughly document your current ISA Server 2000 configuration before performing an upgrade or migration. You can do this manually, or you can use the isainfo tool created by Jim Harrison. Download this tool at www.isatools.org.
How to perform an in-place upgrade
To perform an in-place upgrade, insert the ISA 2004 installation CD in the computer running ISA 2000, or connect to the installation files over the network. If Setup doesn't start automatically, double-click ISAautorun.exe.
As with a clean install, you can choose from these setup types: Typical (this installs the main features and requires about 27 MB of disk space, exclusive of space needed for caching); Complete (this installs all features); and Custom (this lets you select the features you want to install). You can also click the Change button to change the path location to which the ISA files will be installed.
During the installation process, the configuration will be automatically migrated. If your ISA 2000 Server is a Web caching server, the cache drive will be migrated (as opposed to a new installation of ISA 2004, in which the cache drive is set to 0 and caching is disabled). However, these settings will not be migrated: bandwidth rules; logging and reporting settings and information; System Access Control Lists (SACLs); permissions you've set on particular objects; packet filter configuration; and third-party application filters.
Also note that the H.323 Gatekeeper will be removed during the upgrade. Although third-party application filters are not migrated, some built-in application filters are migrated directly (such as the DNS and POP intrusion-detection filters) or upgraded (such as the RPC, SMTP, and FTP Access filters), while others (such as the HTTP redirection filter) are not supported in ISA 2004.
How to use the Migration tool
The Migration tool is located on the ISA 2004 CD. To use it, log on as an administrator, open a command prompt window, and type <path to ISA 2004 installation files>\ISA2KExport.exe.
The path can be to the installation CD or a network share where you've copied the installation files. Either way, this starts the Migration Tool Wizard. Follow these steps:
- Click Next on the Welcome page.
- On the next page, you'll be asked to enter a location and filename for the .xml file where the configuration information will be saved. You can save the file to the local disk, a network location, or removable media. Of course, if you plan to format the local disk before installing ISA 2004, you shouldn't save the file there.
- On the following page, you can create a password to protect any sensitive information in the ISA configuration. This will cause the .xml file to be encrypted so it can't be accessed by others. You'll have to enter this password again to decrypt the file when you import it to the new ISA 2004 installation.
- The next page (Firewall Policy Settings) allows you to choose whether you want to block or allow traffic from the internal network to the ISA Server. If clients on the internal network don't require any services from the ISA computer, you can block traffic. If you have services such as DHCP or DNS running on the ISA computer that are needed by the internal clients, you should allow traffic.
- The following page will start the migration process when you click the Migrate button. Click Finish when the wizard is done.
Now you can do a clean installation of ISA 2004 on this or another computer. After installation is complete, you must import the .xml file you created with the Migration tool to migrate your old settings. Open the ISA Management Console. In the left pane, click the name of the ISA Server. On the Tasks tab in the right pane, click Import From An Exported ISA Configuration File.
Browse to or enter the filename of the .xml file where the ISA 2000 configuration is saved. If you exported user permissions, you have the option to import them by clicking Import User Permissions Settings.
If you exported server-specific settings (for example, cache drive settings), you have the option to import them by clicking Import Server Specific Settings. If you set a password on the .xml file, you'll need to enter it to import the file. The new configuration settings will be imported and applied.
Upgrade, but be careful
If you're currently running ISA Server 2000 as a firewall and/or Web caching server and want to upgrade to ISA Server 2004 to take advantage of its new multinetworking support, VPN Quarantine, and other new and enhanced features, you have two choices. You can perform an in-place upgrade by running the ISA Server 2004 Setup program on your ISA Server 2000 machine, or you can use the Migration tool to save your ISA 2000 configuration settings to an .xml file, which you can then import into and apply to your new ISA Server 2004 installation.
Either way, you'll find that some of your settings will be migrated while others won't. This is because of the many differences between ISA 2000 and ISA 2004. Some configuration information, such as certain rules, will be migrated and modified to be compatible with ISA 2004. Others will be lost completely because ISA 2004 doesn't support some of the functions of ISA 2000.
Whichever way you choose to migrate your settings, I suggest that after doing so, you go through the configuration dialog boxes in the new ISA 2004 installation to check and ensure that the configurations are what you expect.