In my previous article I explained how to import and export specific data to and from ISA Server Enterprise and Standard. This was very useful for working offline and building a compatible rule base from, say your house, on your own ISA Server (everyone should have one, everyone’s doing it these days!), and make your life easier. And now for something a little different…
I came across a client a few days ago who encountered the following error when exporting a rule base from the top level of ISA Server Management:
Figure 1
This was clearly a problem as we were not upgrading the current system, but moving it to new hardware, the process was to go as follows:
-
Export the ISA 2004 Rule base
-
Install ISA 2006 on a new machine
-
Import the 2004 rule base into the new 2006 hardware
With the problem above, exporting the entire configuration was not possible, so bearing in mind my previous discovery with the XML files, I started again.
I decided that considering the top level configuration did not export, I would do it piece by piece (there are not many pieces, so I guess it was a good idea)
The first step was to export the Firewall Policy from the ISA 2004 Machine. Which went very smoothly, the next step was to import it into the 2006 setup. Where I encountered the following error:
Figure 2 (Click to view enlarged image)
Ok, so we need to export the config with all the user permission settings, like this:
Figure 3
Oops, the user permissions box is greyed out! And, if we try with the confidential information ticked, we get the same error. This seemingly is with ISA 2004 only, so you should not encounter this with ISA 2006.
So, we take our ISA 2004 firewall policy (in XML) and copy it to the new server. That done, we go back to similar processes used in the previous article on moving objects and examine the XML in the file, which looks something like this, in the ISA 2004 Firewall Policy Export:
Figure 4 (Click to view enlarged image)
I have highlighted the important information, as you will see in the following screenshot, that’s the part that matters. The following shot is of the same export from a blank ISA 2006 Standard Firewall Policy:
Figure 5 (Click to view enlarged image)
As you can clearly see, there are a few differences, specifically the following values (ISA 2006 Enterprise values are shown for extra information):
|
XML Tag |
2004 Standard Value (depending on patch) |
2006 Standard Value (depending on patch) |
2006 Enterprise Value (depending on patch) |
|
Build |
4.0.2167.887 |
5.0.5720.100 |
5.0.5720.100 |
|
Edition |
80(or 81) |
16 |
32 |
|
IsaXmlVersion |
1.10 |
5.30 |
5.30 |
|
OptionalData |
4 |
12 |
12 |
Some clever people might have noticed that in addition to this table there is one missing tag which needs to be typed in manually. Below the Components Tag there is a new tag in ISA 2006 called DNSName. So, you need also type a new line in your old export below the Components Tag and above the Name tag like this:
<fpc4:Components dt:dt=”int”>-1</fpc4:Comonents>
<fpc4:DNSName dt:dt=”string”/>
<fpc4:Name dt:dt=”string”/>
Simply put, if these values are changed (and one added), the import will flow smoothly into an ISA 2006 Firewall Policy Configuration.
The values are not set in stone, some of them may change depending on your patch, service pack and ADAM service pack and patch levels, but a bit of common sense and you can figure it out.
The best way to ensure you are getting the right information is to do the following:
- Export your policy from your source server, save the XML.
- Export your policy from the destination server, save the XML.
- Compare the XML headers for the XML tags specified above.
At this point, I would like to mention that I have found no information about this on Microsoft’s website, and I am sure that there are reasons why this is not already public knowledge, but the fact of the matter is that it works very well. Much better than re-typing an entire rule base.
Another point to mention is that I am sure, as most ISA Administrators will know, if you import a rule base in which certificates are used, they always need to be in the local computer’s store before you import the rule base, otherwise you will encounter more failures when importing your rule base.
I have tested the following exports/imports:
-
Firewall Policy
-
And all other objects under Toolbox in the Firewall Policy View
-
-
Virtual Private Networks
-
Networks (under configuration)
This was all that was required in my configuration, and in a rule base of over 40 rules and more that 700 objects, it was a better idea than typing it all in! FYI, if you export the Firewall Policy, you do not need to export all the separate objects under Toolbox, they are included with the export.
This works for me, and I will continue to use this process when/if it is required. I have tested the entire 2006 rule base on my new machine and currently there are no issues.
In total, I have personally tested these:
- ISA 2004 Std -> ISA 2006 Std
- ISA2004 Std -> ISA 2006 Enterprise
- ISA2006 Std -> ISA 2006 Enterprise
I would be very interested if anyone has discovered any issues with the import/export method I have shown here. To the best of my knowledge there have been no reported issues so far. Please get in touch with me if you find any issues or improvements on this, I would be very interested in some feedback.
