I have been involved with many ISA migrations over the past months, and recently I have been involved with a cache array on which ISA 2000 Enterprise was running, of course, in this case my client had loads of objects, namely Destination Sets as they were called in ISA 2000, which, for those who do not know, are now called by other names such as URL Sets, Computer Sets, Computers and Domain Name Sets. Bearing in mind that in the scenario I will discuss here, the servers are not being upgraded in place, but are being installed in a non-production environment with all new hardware.
The obvious problem here is, as in my last import/export articles…
…is that people do not want to re-type all this stuff back into an Enterprise firewall policy.
So, back to the importing and exporting of XML. The first issue of course, is that ISA 2000 configurations do not export into XML, in fact you can only back them up to a .BEF backup file which backs up a portion of the schema of the Active Directory in the Enterprise version, and in the standard version, backs up the configuration from the registry, but it also ends up in a .BEF file.
The answer to this is a little application called ISA2KEXPORT.EXE. This app ONLY exists on the ISA 2004 Standard and Enterprise media, therefore if you are going to upgrade to ISA 2006, you will need to get this application off the ISA 2004 media. It can be found on any ISA 2004 CD/DVD under ..\TOOLS\ISA2KEXPORT.EXE.
This is a very neat application which you can run on your ISA 2000 Server. If the ISA 2000 is in an enterprise, you can run it on an array member to grab the configs.
Also, a quick note to this, in my last ISA 2000 Migration there were approximately 20 servers, one was offline, but still existed in the config, if this is the case, or you cannot contact all the ISA 2000 Servers from your array member, the application will fail. The solution is to install ISA Management (2000) on any machine that has access to all the ISA Array Members and run the tool from there.
When you run this tool, which is very self explanatory, you will be able to retrieve an .XML file which contains all of what you need to import Destination Sets into ISA 2004 or 2006, Enterprise or Standard.
Remember, the purpose of this export/import is to be able to save typing time with the Destination Sets in ISA 2000 (and other objects if you wish to spend the time). All the other information is exported, but it can be very difficult and even more time consuming to re-hash it to be able to be imported into an Enterprise/Firewall Policy. Other than that, it is extremely messy.
So let’s get to the meaty stuff, welcome to my ISA test lab, enter ISA 2000 Enterprise:
What follows is an ISA 2000 Enterprise Policy which I am going to export using the ISA2KExport tool and put it into an ISA 2006 Enterprise Policy Domain Name Set.
In my ISA 2000 Enterprise Policy I have created a Destination Set called ISA Server Dot Org as you can see here, I have just added some random sites into it, and I also created one called ISA Test Destinations which also contains some websites, so that we can export two destination sets:
Figure 1
So, I have these two, fairly small for demonstration purposes, Destination Sets. These could potentially have hundreds of sites, or you could have lots of Destination Sets, either way, it’s a real pain to re-type everything, so let’s see what ISA2KEXPORT does:
Figure 2
Oops, first problem, you will need your ISA 2000 Environment to be patched to make this work properly. 🙂
After you have installed SP1 for 2000, you should follow the following screens:
Figure 3
Click Next.
Figure 4
Specify the location of your exported .XML file.
Figure 5
Click Create to create the XML file from the 2000 Configuration.
Figure 6
If all goes well, you should see a screen like the one above.
Figure 7
There were apparently errors exporting this config file. If you examine the log file which will be in the same directory as your .XML file, you should see many errors which have a note saying that the exported component is not supported in ISA 2004, these are usually for alerts and packet filters which do not concern us in this article.
Now you have a file, in this example called ISA2KEXPORT.XML. If you open this file in notepad, there will be a section, quite far down in the file, you can use one of your sites which are known to you to do a search, in my case, I searched on “bui.co.za” and you should fine the following:
Figure 8
As you can see here, this section of XML is 2004 and 2006 compatible.
Now for the magic…
Enter ISA 2006 Enterprise…
If you start up your ISA Management console, and, in this example we are going to use an Enterprise object (you could be using ISA 2004/2006 Standard as well), you can view in your Toolbox the following Domain Name Sets:
Figure 9
Create another domain name set called something like “Test”, don’t add any domains to it. Then, right click on “Test” and select Export Selected.
Figure 10
Save the exported file as TEST.XML.
Your exported file, opened in notepad, should look like this:
Figure 11
Can you see some similarities here? If you look carefully, you will see that the XML Tags:
<fpc4:DomainNameSets StorageName=”DomainNameSets” StorageType=”0″>
<fpc4:DomainNameSet StorageName=”{8EA65CB9-235F-4E86-84DA-BF55677EAC73}” StorageType=”1″>
<fpc4:DomainNameStrings/>
<fpc4:Name dt:dt=”string”>Test</fpc4:Name>
</fpc4:DomainNameSet>
Now, if we look in our other file, the ISA2KEXPORT.XML file, we can see similar tags at the beginning and end of the important section, remember, your TEST.XML file does not contain any sites, but the other one does.
Copy and paste the section between the <fpc4:DomainNameSets StorageName=”DomainNameSets” StorageType=”1″> tag and the </fpc4:DomainNameSet> tag and overwrite that section in the TEST.XML file.
Your file should look something like:
Figure 12
Now, let’s try the import. Right click on Domain Name Sets, and select “Import All”. Browse to the TEST.XML file and complete the import.
Figure 13
Success! Now, if you expand Domain Name Sets in ISA Management, you will see:
Figure 14
So now you can be sure you can import ‘some’ ISA 2000 Configuration into 2004 or 2006. I have tested this with ISA 2000 Destination Sets to:
-
ISA 2006(Std/Ent) Domain Name Sets
-
If your URLs have an HTTP in them, use URL Sets to create the export XML file.
You may have noticed that the one site I used, *.microsoft.com, I had added a path called “/isa/*” this does not appear in the new import. Why you may ask? And I answer, the Domain Name Set object in ISA 2004/2006 does not support paths, although it does let you type them in using ISA Management!
Figure 15
So, if we look in our exported XML we find:
Figure 16
So it has the brain to look and see if it has paths attached, and creates a URL set in which paths ARE supported. So, they will be added to a section of the XML called <fpc4:URLSets StorageName=”URLSets” StorageType=”1″>, makes sense as these are in fact URL Sets in ISA 2004 and ISA 2006. So you can carry out the same procedure to import them, and it will work just fine!
To all the people on the newsgroups to whom I mentioned that this may not be possible, here is the answer, well, for objects anyhow!
Hope this can be of help to someone. If you need assistance, let me know!
