Forefront TMG makes it easy to back up the entire configuration or parts of the configuration for backup purposes in case of emergency or to simply back up a configuration to clone this configuration with another forefront TMG Server. Forefront TMG uses the VSS (Volume Shadow Copy Service) writer to export the configuration to an .xml file and instructs the VSS provider to back up this XML-file. In case of a restore, the VSS provider uses this file to restore the configuration, using the Forefront TMG import functionality.
Backup and restore the entire configuration
Start the Forefront TMG management console to backup or restore the entire TMG configuration. A regular backup of the entire TMG configuration should be part of your disaster recovery prevention plan.
Figure 1: Backup the entire TMG configuration
Start the export wizard.
Figure 2: Start the export wizard
If you want to export confidential information like NPS (RADIUS) shared secrets, specify a password with at least 8 characters to encrypt this information. If you also want to backup the TMG administrative role users, you have to activate the checkboy to export user permissions.
Figure 3: Specify export settings
Specify a location for the export file. The location should be on an NTFS formated volume to provide NTFS permissions to secure the file and in case of a Server failure you should save the XML file on another server, which is not the TMG server.
Figure 4: Export file location
Depending on the size of the TMG configuration the export process could take a while.
Figure 5: Export process
If you are interested to see the content of the export XML file, open the file in an Internet Explorer window or with an XML file viewer.
Figure 6: Content of the XML file
Import a TMG configuration
In case of a disaster, it is possible to import the entire Forefront TMG configuration. First reinstall the underlying operating system in case of an OS failure, and then reinstall Forefront TMG with default settings and after that start the Forefront TMG management console and import the TMG configuration.
Figure 7: Import the TMG configuration
Specify the location of the exported TMG configuration.
Figure 8: Specify the location of the XML file
It is possible to import or to overwrite the current TMG configuration. If you want to restore the entire TMG configuration selected the overwrite (restore) option.
Figure 9: import or overwrite the TMG configuration
Select which information you want to import.
Figure 10: Choose what data to import
Specify the password used to protect the confidential information in the Forefront TMG export file to import (overwrite) the current TMG configuration.
Figure 11: Enter the password of the export file
The imported configuration will overwrite the existing configuration of Forefront TMG, so it could be better to export the current configuration if something goes wrong during the import process.
Figure 12: Confirm the overwrite process
The import process could take a while depending on the amount of information in the exported file and the processing power of the machine.
Figure 13: importing the configuration
After the configuration has been sucessfully imported you must apply the configuration changes, as shown in the following screenshot.
Figure 14: Apply changes
Backup and restore parts of the TMG configuration.
It is possible to export nearly everything of the TMG configuration to an XML. For example it is possible to export the entire Firewall rule set, protocol definitions, networks and many more. The following screenshot shows the export function of the entire Firewall Policy.
Figure 15: Export the Firewall rule set
The next example shows the export dialog box of an URL set created by Forefront TMG in the Forefront TMG toolbox.
Figure 16: Export selected objects
Importing an ISA Server 2006 configuration
It is officially supported to migrate from ISA Server 2006 to Forefront TMG. As a first step, export the ISA Server 2006 configuration and install Forefront TMG on a new Server with Windows Server 2008 R2. After the operating system installation has finished, start the installation of Forefront TMG. If you want to import the ISA Server 2006 configuration close the Getting started wizard from Microsoft Forefront TMG (the Getting started wizard launches after the TMG installation) and import (overwrite) the TMG configuration with the exported ISA Server 2006 configuration file.
Figure 17: import the ISA Server 2006 configuration
Backup and Restore using VSS Writer
You can back up and restore the Forefront TMG configuration using Volume Shadow Copy Service (VSS). In Forefront TMG, the configuration is stored in an instance of Active Directory Lightweight Directory Services (AD LDS). When you use VSS to back up and restore the Forefront TMG configuration, Forefront TMG calls the AD LDS VSS Writer.
The writer name string for this writer is “ISA Writer”.
The writer ID for the registry writer is 25F33A79-3162-4496-8A7D-CAF8E7328205.
To see the VSS writer start a command prompt by executing CMD.EXE and enter the text VSSadmin list Writers. The following screenshot shows the VSSadmin output.
Figure 18: VSSadmin output
Other things to back up
What else should we have in our backup plan? It is always a good idea to back up the entire Forefront TMG Server with a backup program like the built in Windows Sever backup program.
For a normal restore process it should be enough to reinstall Forefront TMG and to import the XML backup file. In case of a complete operating system failure, reinstall the operating system, reinstall Forefront TMG and import the Forefront TMG backup file.
In the case that you will lose any log files, created by Forefront TMG and your security policy doesn’t allow this you must back up the log files and database created by the MSDE database or TMG text log files but this is out of the scope of this article.
SSL certificates are not part of the Forefront TMG backup. If you had issued certificates for OWA publishing or something else in HTTPS bridging scenarios, it is necessary to export the certificates with other tools. SSL certificates are stored in the machines local certificate storage. You can use Certutil.exe, a command-line program to back up and restore SSL certificates or the certificate MMC Snap In to export the certificates from the GUI.
In this article, I gave you an overview of the Microsoft Forefront TMG configuration export and import capabilities. Forefront TMG allows a simple backup and restore of the entire Forefront TMG configuration or only parts of the TMG configuration. I recommend creating TMG backups on a regular schedule.