Microsoft Forefront TMG – Backup and Restore Capabilities


Forefront TMG makes it easy to back up the entire configuration or parts of the configuration for backup purposes in case of emergency or to simply back up a configuration to clone this configuration with another forefront TMG Server. Forefront TMG uses the VSS (Volume Shadow Copy Service) writer to export the configuration to an .xml file and instructs the VSS provider to back up this XML-file. In case of a restore, the VSS provider uses this file to restore the configuration, using the Forefront TMG import functionality.

Get your copy of the German language “Microsoft ISA Server 2006 – Das Handbuch”

Backup and restore the entire configuration

Start the Forefront TMG management console to backup or restore the entire TMG configuration. A regular backup of the entire TMG configuration should be part of your disaster recovery prevention plan.

Figure 1: Backup the entire TMG configuration

Start the export wizard.

Figure 2: Start the export wizard

If you want to export confidential information like NPS (RADIUS) shared secrets, specify a password with at least 8 characters to encrypt this information. If you also want to backup the TMG administrative role users, you have to activate the checkboy to export user permissions.

Figure 3: Specify export settings

Specify a location for the export file. The location should be on an NTFS formated volume to provide NTFS permissions to secure the file and in case of a Server failure you should save the XML file on another server, which is not the TMG server.

Figure 4: Export file location

Depending on the size of the TMG configuration the export  process could take a while.

Figure 5: Export process

If you are interested to see the content of the export XML file, open the file in an Internet Explorer window or with an XML file viewer.

Figure 6: Content of the XML file

Import a TMG configuration

In case of a disaster, it is possible to import the entire Forefront TMG configuration. First reinstall the underlying operating system in case of an OS failure, and then reinstall Forefront TMG with default settings and after that start the Forefront TMG management console and import the TMG configuration.

Figure 7: Import the TMG configuration

Specify the location of the exported TMG configuration.

Figure 8: Specify the location of the XML file

It is possible to import or to overwrite the current TMG configuration. If you want to restore the entire TMG configuration selected the overwrite (restore) option.

Figure 9: import or overwrite the TMG configuration

Select which information you want to import.

Figure 10: Choose what data to import

Specify the password used to protect the confidential information in the Forefront TMG export file to import (overwrite) the current TMG configuration.

Figure 11: Enter the password of the export file

The imported configuration will overwrite the existing configuration of Forefront TMG, so it could be better to export the current configuration if something goes wrong during the import process.

Figure 12: Confirm the overwrite process

The import process could take a while depending on the amount of information in the exported file and the processing power of the machine.

Figure 13: importing the configuration

After the configuration has been sucessfully imported you must apply the configuration changes, as shown in the following screenshot.

Figure 14: Apply changes

Backup and restore parts of the TMG configuration.

It is possible to export nearly everything of the TMG configuration to an XML. For example it is possible to export the entire Firewall rule set, protocol definitions, networks and many more. The following screenshot shows the export function of the entire Firewall Policy.

Figure 15: Export the Firewall rule set

The next example shows the export dialog box of an URL set created by Forefront TMG in the Forefront TMG toolbox.

Figure 16: Export selected objects

Importing an ISA Server 2006 configuration

It is officially supported to migrate from ISA Server 2006 to Forefront TMG. As a first step, export the ISA Server 2006 configuration and install Forefront TMG on a new Server with Windows Server 2008 R2. After the operating system installation has finished, start the installation of Forefront TMG. If you want to import the ISA Server 2006 configuration close the Getting started wizard from Microsoft Forefront TMG (the Getting started wizard launches after the TMG installation) and import (overwrite) the TMG configuration with the exported ISA Server 2006 configuration file.

Figure 17: import the ISA Server 2006 configuration

Backup and Restore using VSS Writer

You can back up and restore the Forefront TMG configuration using Volume Shadow Copy Service (VSS). In Forefront TMG, the configuration is stored in an instance of Active Directory Lightweight Directory Services (AD LDS). When you use VSS to back up and restore the Forefront TMG configuration, Forefront TMG calls the AD LDS VSS Writer.

The writer name string for this writer is “ISA Writer”.

The writer ID for the registry writer is 25F33A79-3162-4496-8A7D-CAF8E7328205.

To see the VSS writer start a command prompt by executing CMD.EXE and enter the text VSSadmin list Writers. The following screenshot shows the VSSadmin output.

Figure 18: VSSadmin output

Other things to back up

What else should we have in our backup plan? It is always a good idea to back up the entire Forefront TMG Server with a backup program like the built in Windows Sever backup program.

For a normal restore process it should be enough to reinstall Forefront TMG and to import the XML backup file. In case of a complete operating system failure, reinstall the operating system, reinstall Forefront TMG and import the Forefront TMG backup file.

In the case that you will lose any log files, created by Forefront TMG and your security policy doesn’t allow this you must back up the log files and database created by the MSDE database or TMG text log files but this is out of the scope of this article.


SSL certificates are not part of the Forefront TMG backup. If you had issued certificates for OWA publishing or something else in HTTPS bridging scenarios, it is necessary to export the certificates with other tools. SSL certificates are stored in the machines local certificate storage. You can use Certutil.exe, a command-line program to back up and restore SSL certificates or the certificate MMC Snap In to export the certificates from the GUI.


In this article, I gave you an overview of the Microsoft Forefront TMG configuration export and import capabilities. Forefront TMG allows a simple backup and restore of the entire Forefront TMG configuration or only parts of the TMG configuration. I recommend creating TMG backups on a regular schedule.   

Related links

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top