MIGRATE ISA SERVER 2006 TO NEW HARDWARE

I need to migrate my ISA server to new hardware. I have a new machine built with ISA installed; however, the network cards are different than in the original server. I have a backup copy of my system and firewall policies.

Is there a good guideline to carry out this migration?  The environment is a single ISA server that has one interface for the private network and one interface for the connection to the Internet.  The internal connection has one IP address and the Internet card has multiple IP addresses bound to it.

Do I need to keep the server name the same?  Is there anything I need to do with the NIC cards to allow the policy restores to know which card is which, etc.?

Any help is appreciated.

Dave
ModernAge Asked:
 
Keith Alabaster, Enterprise Architect, Commented:
Maybe this was my understanding - in the first post you mentioned the nics are different - I assumed you meant different ip addresses etc. If you just mean different make/model then no issues at all on that front.

If the server name is identical also then import the entire configuration - job done. If the server name is different then edit the .xml (notepad, not wordpad or anything else) and scroll down - you'll find the server name - change it and resave before importing. Careful when editing though - don't add any carriage returns etc....

0
 
Keith Alabaster, Enterprise Architect, Commented:
The best way to do this is to export just the firewall rules, not the user assignments. ISA does not associate its standard rules to ip addresses but to ISA Networks as defined.

For example, if the old machine had a NIC with 192.168.0.5 and the new machine has a NIC of 10.0.0.4, this would not affect a rule, for example, that said allow all HTTP from internal to external - the rule says allow HTTP traffic from the IP addresses defined in the internal network LAT in the ISA GUI. Therefore, changing the entries in your LAT table would define what is 'INTERNAL'.

Yes, the server name should be the same and the nics should be configured the same to make it a true migration using the policies.

Either way you will need to do some reconfiguration. Key point is to make sure you have set the new machine to match the ISA version and service pack that the configuration was exported from.

0
 
ModernAge (Author) Commented:
So you are saying... ONLY the firewall policy, not a backup of the entire configuration or the system policy as well? The IP addresses will be the same and have been defined on the new server in the same capacity, so I should be OK there. When you say "reconfiguration", what will I need to be reconfiguring? I'd like to make sure I have an accurate checklist before proceeding.

Thanks,

Dave
0

 
ModernAge (Author) Commented:
I see...so if I want to change the server name I simply need to change all server name references in the full configuration backup XML file to reflect the new name.  Yeah, I know about that CR in those XML files.  I think I have a Notepad XML version from Microsoft's web site that can be used to edit XML files...that should work. :-)

IP addresses are exactly the same so we should be good there.  I noticed when I set up the new server with ISA that it asked for the Internal and External boundaries so that's cool how it references it...nice design :-)
0
 
Keith Alabaster, Enterprise Architect, Commented:
:)
0
 
ModernAge (Author) Commented:
Well, the upgrade will be this evening, so I'll let you know how it goes. Thanks for your insight on this one; it's nice to have an expert in this area bless my project plan. :-)
0
 
ModernAge (Author) Commented:
One more thing... is there anything GUID related in the export that would be a problem by me recreating the computer account for the same server name in the domain?

Dave
0
 
Keith Alabaster, Enterprise Architect, Commented:
Don't know about an expert.... but I get by :) I am home now (UK time) so will be about if you get stuck

Keith
0
 
ModernAge (Author) Commented:
Worked fairly well, but it appears to have missed some of the rules on the import. I'm not sure why. The ones missing seem to be sporadic in nature, so it doesn't appear to have been one given type of access rule or published resource. Nevertheless I'm trying to put them back as I discover them. I did run into an issue recreating a rule for a SharePoint site that I'll post as another question if you'd like to take a crack at that.

I had nearly 60 rules in the firewall policy and it brought in 48. So far I've discovered an FTP published rule and a SharePoint published rule that didn't appear to come over properly. Again, I defined the "internal" network exactly as it was on the old server, the NICs had the same IP addresses bound to them and the machine name is identical to what was on the old hardware; I simply recycled the computer account.
0
 
Keith Alabaster, Enterprise Architect, Commented:
Hmmm - if ISA has an issue with any part of a rule it drops the whole rule. Is there anything consistent in the ones missing? An AD group that no longer exists? A local group?
0
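An added example, not part of the thread and not ISA Server's own tooling: one way to follow up on the question of whether the dropped rules have anything in common is to compare the original export with a fresh export taken from the new server. The element names `PolicyRule`, `Name` and `UserSet`, the namespace and the sample rules are constructed assumptions; adjust the tag names to what the export files actually contain.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample exports (not real ISA output); tag names are assumptions.
OLD_EXPORT = """<x:Root xmlns:x="urn:example:constructed-export">
<x:PolicyRule><x:Name>Allow HTTP</x:Name><x:UserSet>All Users</x:UserSet></x:PolicyRule>
<x:PolicyRule><x:Name>Publish FTP</x:Name><x:UserSet>Legacy Partners</x:UserSet></x:PolicyRule>
<x:PolicyRule><x:Name>Publish SharePoint</x:Name><x:UserSet>Legacy Partners</x:UserSet></x:PolicyRule>
</x:Root>"""
NEW_EXPORT = """<x:Root xmlns:x="urn:example:constructed-export">
<x:PolicyRule><x:Name>Allow HTTP</x:Name><x:UserSet>All Users</x:UserSet></x:PolicyRule>
</x:Root>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def rules(xml_data, rule_tag="PolicyRule", name_tag="Name"):
    """Map each rule name to the set of (element, text) leaf values it contains."""
    found = {}
    for el in ET.fromstring(xml_data).iter():
        if local(el.tag) != rule_tag:
            continue
        name = next((c.text for c in el if local(c.tag) == name_tag), None)
        found[name or "(unnamed)"] = {
            (local(d.tag), d.text.strip()) for d in el.iter()
            if len(d) == 0 and d.text and d.text.strip()}
    return found

def missing_rules(old_xml, new_xml):
    """Rule names present in the old export but absent after the import."""
    return sorted(set(rules(old_xml)) - set(rules(new_xml)))

def shared_suspects(old_xml, new_xml):
    """Values used by more than one dropped rule and by no surviving rule."""
    old, new = rules(old_xml), rules(new_xml)
    dropped = set(old) - set(new)
    survived = set().union(*(old[n] for n in old if n not in dropped))
    counts = Counter(v for n in dropped for v in old[n] - survived)
    return [(v, c) for v, c in counts.most_common() if c > 1]

if __name__ == "__main__":
    print("Missing:", missing_rules(OLD_EXPORT, NEW_EXPORT))
    for (tag, value), count in shared_suspects(OLD_EXPORT, NEW_EXPORT):
        print(f"{count} dropped rules reference {tag}={value!r}")
```

For real files, pass the bytes of each export (for example `open(path, "rb").read()`) so the parser honours the encoding declared in the file.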