Before start migrating…
- Record Fully qualified domain name (FQDN) of the computer running ISA Server.
- Record IP address, subnet mask, default gateway, and DNS server address of all the network adapters connected to the internal, external network (Internet) and perimeter (DMZ) network.
- Install ISA Service Pack 3 if migrating from ISA 2004
- Export complete ISA configuration
- A complete backup of ISA server for peace of mind.
To export the ISA Server configuration
In the ISA Server Management console, in the tree, access the root node:
On an ISA Server computer, expand Microsoft Internet Security and Acceleration Server, and then click ServerName.
In the Tasks pane, click Export ISA Server Configuration to a File.
In the Export Wizard, on the Export Preferences page, select the following options:
Export confidential information. Specify a password of at least eight characters.
When you export confidential information, the following are included in the exported data:
On the Export File Location page, specify a name and location for the exported backup file. If you intend to upgrade this computer to Windows Server 2008 and install Forefront TMG on it, copy the exported file to a network location, so that it won’t be deleted before the migration process is complete.
On the Apply Changes bar, click Apply.
Important! To import the configuration into Forefront TMG, you must select the option Export confidential information, regardless of whether such information exists in the system. It is recommended that you export the entire configuration from the root node. The other option is to export only the specific nodes you want to migrate to Forefront TMG. Note that only the following nodes can be migrated individually: URLSet, DomainNameSet, ComputerSet, Computer, Subnet and AddressRange. If you are running any report in back ground you must stop it during export operation. You have to delete scheduled report that is running in ISA Server otherwise you will be prompted with error.
To move a machine certificate
To export a certificate, follow these steps:
- From the computer where the certificate was installed, start Microsoft Management Console (MMC).
- Add the Certificates snap-in to the console. When you are prompted, click My user account as the account to be managed.
- In the MMC console, double-click Certificates – Current User, double-click Personal, and then click Certificates.
- In the right pane, right-click the certificate that you want to export, point to All Tasks, and then click Export.
- When the Certificate Export Wizard starts, click Next.
- On the Export Private Key page, click Yes, export the private key.
The private key is required for the encrypted messages to be read from the computer where the key will be imported.
- On the Export File Format page, leave the default settings, and then click Next.
- On the Password page, type password for the private key.
- On the File to Export page, type the path and the name for the exported certificate file, and then click Next.
The file name has a .pfx extension. This file is the .pfx file that is imported to other computers.
- Click Finish.
To import a certificate, follow these steps:
- On the computer that the certificate is to be imported to, locate the .pfx file that was exported in the procedure described earlier in this article.
- Right-click the file, and then click Install PFX.
- When the Certificate Import Wizard starts, click Next.
- On the File to Import page, click Next.
- On the Password page, type the password for the private key in the Password box, and then click Next.
You do not have to select the option to make the key exportable, because you already have an exported copy.
- On the Certificate Store page, click Automatically select the certificate store based on the type of certificate, and then click Next.
- Click Finish.
Installation of Operating Systems
Perform a clean installation of Windows 2008 (SP2 64 bit or R2) on the computers. This applies both to new computers and the computers on which ISA Server was installed. In place upgrades from a 32 bit Windows 2003 to a 64 bit Windows 2008 are not supported however you can upgrade a 64 bit Windows Server 2003 . Join TMG server in the Active Directory Domain with same FQDN. Import Certificates as mentioned above.
To run Forefront TMG 2010 installation
Insert the Forefront TMG DVD into the DVD drive, or run autorun.hta from a shared network drive.
On the main setup page, click Run Windows Update. Windows Update might require one or more computer restarts. If the computer restarts, you must launch the setup page again, as described in step 1 of this procedure.
On the main setup page, click Run Preparation Tool to launch the Preparation Tool.
On the main setup page, click Run Installation wizard to launch the Forefront TMG Installation Wizard.
On the Installation Type page, click the Forefront TMG services and Management button.
On the Installation Path page, specify the Forefront TMG installation path.
On the Define Internal Network page, click Add, click Add Adapter or IP addresses to the internal network , and then select the adapter which is connected to the main corporate network.
On the Ready to Install the Program page, click Install.
- Installation will take a while. Click Finish once Done.
Important! DO NOT RUN initial Configuration as you are going to import complete configuration.
To import the configuration into Forefront TMG
In the Forefront TMG Management console, in the tree, access the root node:
On a Forefront TMG computer, expand Microsoft Forefront Threat Management Gateway, and then click ServerName.
On an EMS computer, click Microsoft Forefront Threat Management Gateway.
On the Tasks tab, click Import (Restore) configuration.
In Look in, browse to the folder that contains the file you are importing.
In the Select the Import File step, in File name, specify the file name of the .xml file you are importing.
Specify the password required to decrypt the confidential information.
On the Apply Changes bar, click Apply.