MIGRATE ISA SERVER 2006 TO NEW HARDWARE

I need to migrate my ISA server to new hardware. I have a new machine built with ISA installed; however, the network cards are different than in the original server. I have a backup copy of my system and firewall policies.

Is there a good guideline to carry out this migration?  The environment is a single ISA server that has one interface for the private network and one interface for the connection to the Internet.  The internal connection has one IP address and the Internet card has multiple IP addresses bound to it.

Do I need to keep the server name the same?  Is there anything I need to do with the NIC cards to allow the policy restores to know which card is which, etc.?

Any help is appreciated.

Dave
ModernAge Asked:

Keith Alabaster (Enterprise Architect) Commented:
The best way to do this is to export just the firewall rules, not the user assignments. ISA does not associate its standard rules to IP addresses but to ISA Networks as defined.

For example, if the old machine had a NIC with 192.168.0.5 and the new machine has a NIC of 10.0.0.4, this would not affect a rule, for example, that said allow all HTTP from internal to external - the rule says allow HTTP traffic from the IP addresses defined in the internal network LAT in the ISA GUI. Therefore, changing the entries in your LAT table would define what is 'INTERNAL'.

Yes, the server name should be the same and the NICs should be configured the same to make it a true migration using the policies.

Either way you will need to do some reconfiguration. Key point is to make sure you have set the new machine to match the ISA version and service pack that the configuration was exported from.

0
ModernAge (Author) Commented:
So you are saying...ONLY the firewall policy, not a backup of the entire configuration or the system policy as well? The IP addresses will be the same and have been defined on the new server in the same capacity, so I should be OK there. When you say "reconfiguration", what will I need to be reconfiguring? I'd like to make sure I have an accurate checklist before proceeding.

Thanks,

Dave
0
Keith Alabaster (Enterprise Architect) Commented:
Maybe this was my understanding - in the first post you mentioned the NICs are different - I assumed you meant different IP addresses etc. If you just mean different make/model then no issues at all on that front.

If the server name is identical also then import the entire configuration - job done. If the server name is different then edit the .xml (notepad, not wordpad or anything else) and scroll down - you'll find the server name - change it and resave before importing. Careful when editing though - don't add any carriage returns etc....

0

ModernAge (Author) Commented:
I see...so if I want to change the server name I simply need to change all server name references in the full configuration backup XML file to reflect the new name.  Yeah, I know about that CR in those XML files.  I think I have a Notepad XML version from Microsoft's web site that can be used to edit XML files...that should work. :-)

IP addresses are exactly the same so we should be good there.  I noticed when I set up the new server with ISA that it asked for the Internal and External boundaries so that's cool how it references it...nice design :-)
0
Keith Alabaster (Enterprise Architect) Commented:
:)
0
ModernAge (Author) Commented:
Well, the upgrade will be this evening so I'll let you know how it goes. Thanks for your insight on this one, it's nice to have an expert in this area bless my project plan. :-)
0
ModernAge (Author) Commented:
One more thing...is there anything GUID related in the export that would be a problem by me recreating the computer account for the same server name in the domain?

Dave
0
Keith Alabaster (Enterprise Architect) Commented:
Don't know about an expert.... but I get by :) I am home now (UK time) so will be about if you get stuck

Keith
0
ModernAge (Author) Commented:
Worked fairly well but it appears to have missed some of the rules on the import. I'm not sure why. The ones missing seem to be sporadic in nature so it doesn't appear to have been one given type of access rule or published resource. Nevertheless I'm trying to put them back as I discover them. I did run into an issue recreating a rule for a SharePoint site that I'll post as another question if you'd like to take a crack at that.

I had nearly 60 rules in the firewall policy and it brought in 48. So far I've discovered an FTP published rule and a SharePoint published rule that didn't appear to come over properly. Again, I defined the "internal" network exactly as it was on the old server, the NICs had the same IP addresses bound to them and the machine name is identical to what was on the old hardware, simply recycled the computer account.
0
Keith Alabaster (Enterprise Architect) Commented:
Hmmm - if ISA has an issue with any part of a rule it drops the whole rule. Is there anything consistent in the ones missing? An AD group that no longer exists? A local group?
0
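One way to find which rules an import dropped, as in the 60-exported versus 48-imported case above: export the configuration again from the new server and diff the rule names against the original export. This is an added example, not code from the thread or from Microsoft; the element names `PolicyRule` and `Name` and both sample documents are assumptions constructed for illustration, so adjust the tag names to match your export file.

```python
import xml.etree.ElementTree as ET

# Assumed export layout (not confirmed by the thread): one "PolicyRule"
# element per firewall rule, holding a child "Name" element.
RULE_TAG, NAME_TAG = "PolicyRule", "Name"

def local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]

def rule_names(xml_data):
    """Return the rule names found in an export, in document order."""
    names = []
    for el in ET.fromstring(xml_data).iter():
        if local(el.tag) != RULE_TAG:
            continue
        for child in el:
            if local(child.tag) == NAME_TAG and child.text:
                names.append(child.text.strip())
                break
    return names

def missing_rules(old_export, new_export):
    """Rules present in the old export but absent after the import."""
    imported = {n.lower() for n in rule_names(new_export)}
    return [n for n in rule_names(old_export) if n.lower() not in imported]

def _sample(*names):
    # Constructed sample document, not a real ISA export.
    rules = "".join(f"<x:PolicyRule><x:Name>{n}</x:Name></x:PolicyRule>" for n in names)
    return f'<x:Root xmlns:x="urn:example:constructed"><x:PolicyRules>{rules}</x:PolicyRules></x:Root>'

OLD_EXPORT = _sample("Allow HTTP outbound", "Publish FTP", "Publish SharePoint")
NEW_EXPORT = _sample("Allow HTTP outbound")

if __name__ == "__main__":
    for name in missing_rules(OLD_EXPORT, NEW_EXPORT):
        print("missing after import:", name)
```

For real files, pass each export's bytes as read with `open(path, "rb").read()`.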