Product: Winfrasoft’s Backup for ISA Server
Product Homepage: Click here
Winfrasoft’s Backup for ISA Server – Filling an Important Gap
No product delivered has all the features that you would like to see, and ISA Server is no different. Over the years Microsoft has released feature and service packs to include extra things asked for by customers. However, one obvious feature still not included with the ISA firewall is a good backup solution. Since there is no complete solution available, many ISA firewall admins resort to a mix of scripting solutions, or just ignore the problem altogether and do nothing and hope that nothing bad will happen (unfortunately, I can guarantee you that something bad will happen someday).
We have scripts here on ISAserver.org that show how to backup up ISA configurations and log data, but their utility is pretty limited. You may discover some of these limitations when you need to recover a downed firewall – which is not the best time to find there was a problem with the script based backup solution.
By default, Web Proxy and Firewall log data is written to MSDE databases, with the options to write to either text files or off-box SQL instances. Exporting log data to text files is not an option for more reasons than I care to list, not least the lack of ability to query log data in the ISA firewall console. Exporting log data directly to an external SQL instances is done at your peril. Basically, if the connection between your ISA firewall and the SQL server is lost, then the ISA firewall fails safe and everything stops and the firewall goes into lockdown mode. Not a nice position to be in so this option is rarely seen in a production environment.
I have been waiting for a better backup and disaster recovery solution for ISA firewall deployments for a long time and finally such a product exists. Irrespective of the function your ISA firewall performs, be it as a stateful packet and application layer inspection firewall, web proxy server and caching server or to host 3rd party applications such as Websense, Winfrasoft has developed a production ready, integrated backup and recovery solution. This product easily takes care of the backup and recovery of enterprise and array configurations as well as web proxy and firewall log data. As expected, you can customise what you want to backup and schedule the backup over daily, weekly and monthly cycles.
Where this solution really shows its value is in an ISA Server Enterprise array. Winfrasoft’s Backup for ISA Server product scours the array and pulls all the log data from the array nodes and stores them into a single backup archive. The restore option then allows the administrator to restore the entire array or a single server as required. The key thing is that restored data can then be queried directly from within ISA Server MMC logging monitor. You can restore all the enterprise log data to a single ISA Server, offline, for use as a redundant hot-box or, more importantly, to keep the grubby paws of those nasty little auditors off your production servers. This sort of functionality is standard to most infrastructure server deployments but, until now, has not been available to ISA Servers.
What I like the most about Backup for ISA Server, is that the entire solution is wizard driven and a total no-brainer to work with. Both backups and restores can be done via a “next, next, finish” approach with limited user input required. The setup creates the firewall and system policy rules required for you so, again, to get this up and running is really a pain free experience. Oh and yes, the guys who made this actually understand ISA firewall rules so least-privilege access rules apply and the changes are secure. And for those using Microsoft SMS or another management system, Backup for ISA Server can also be initiated from command line scripts giving you greater flexibility.
Let’s take a look at the installation and backup and restore experience using Backup for ISA Server.
Installing Backup for ISA Server
Like most ISA firewall admins I know, I like to get right into the installation and hope that everything works right. If I run into any major problems, I will then take a look at the manual, but if I do not have to read the manual, then so much the better.
Start out by going to the Winfrasoft site at http://www.winfrasoft.com/BackupForISA and register and then download the Backup for ISA Server software. Then start the installation wizard. The first page you’ll see is the Welcome to the Installation Wizard for Winfrasoft Backup for ISA Server page. Click Next.
On the License Agreement page, put a checkmark in the I accept the terms of the license agreement checkbox and click Next.
On the Destination Folder page, accept the default location and click Next.
On the Completing the Installation Wizard for Winfrasoft Backup of ISA Server page, click Next to begin installation of the application files.
The installation wizard shows you the files being installed as the progress bar moves from left to right.
Yay! Looks like this part of the installation worked. That is a good sign. Click Next on the Welcome to the Config Wizard for ISA Server 2006 Standard Edition page. Note in this example I’m using a single, standalone ISA 2006 SE firewall. Winfrasoft Backup for ISA Server will work with ISA 2006 EE and will back up entire array configurations too.
On the File Server Access page you can configure Winfrasoft Backup for ISA Server to back up the firewall configuration to a file server. This is a good idea, since often the reason for restoring the ISA firewall configuration is because the server on which the firewall was running died and you need to restore to new hardware.
In this example I have a file server with the name WINS2008DC and the IP address of that server is 10.0.0.2, so I’ll enter that information on this page after putting a checkmark in the Allow access to File Shares on server checkbox.
This will configure an Access Rule named [Backup for ISA Server] File Server Access that allows CIFS TCP and UDP to a computer set name [Backup for ISA Server] File Servers which contains the IP address of the file server.
On the Access to Winfrasoft page, you are given the options to configure the ISA firewall to allow the Backup for ISA Server software update itself. In addition, you can enable the changes in the firewall configuration to allow the Backup for ISA Server software to activate itself over the Internet. Put checkmarks in the Enable HTTP Web Proxy on port 8080 for the Local Host network, Allow access to Winfrasoft Product Activation (Recommended) and Allow access to Winfrasoft Update (Recommended) checkboxes.
Backup for ISA Server will add two new URL Sets: Winfrasoft Activation Service and Winfrasoft Update Service. These two URL Sets will be added to the System Policy Rule – Allow HTTP/HTTPS requests from ISA Server to specified sites.
On the Infra Array access page, you can configure Backup for ISA Server to Enable Intra Array SQL access to log data and Enable Intra Array SMB access to Websense configuration. Since I’m using an ISA 2006 SE firewall in this example, these options are available. Notice that we can back up the Websense configuration when Websense is installed on the firewall array. Pretty nice, eh?
Click Finish on the The Config Wizard for ISA Server 2006 Standard Edition has Finished page. This will enable the settings on the ISA firewall that you’ve set on the previous pages.
You will see the familiar ISA Saving Configuration Changes dialog box as these settings are applied.
Now it is time to deal with you license. If you already have a license, select the Import a purchased license file option. If you do not have one, select the Request a Trial License over the Internet (secure with SSL) option. I have a license, so I will select the former. If you do not have one, then you will need to fill in the information in the Request a trial license frame of this dialog box.
Click Apply and bam! It says Status: License successfully installed. That can’t be bad! 🙂
On the Completing the Installation Wizard for Winfrasoft Backup for ISA Server page, put a checkmark in the Run Winfrasoft Backup for ISA Server now checkbox and click Finish.
What the? A Winfrasoft Backup for ISA Server dialog box appeared that said there was a problem with product activation. However, I can still use it for 7 days until I figure out what’s wrong. I subsequently found out that there was a problem with the activation server. Winfrasoft fixed the problem and I was able to activate with no problem.
Configuring a Backup
Setup was not so bad. Hey, at least I did not have to fall into PowerShell! Now let’s see if the ease of use story continues as we configure a backup.
The Welcome to the Winfrasoft Backup for ISA Server Wizard page will come up automatically. Click Next.
On the Back or Restore page, you have the option to select whether you want to do a backup or a restore. In this case, we need to do a backup first before doing the restore. Select the Backup ISA Server Configuration and Logs option and click Next.
On the Item to backup page, put checkmarks in the The ISA Array/Server Configuration (Rules, Protocols, Networks etc), The ISA Server Web Proxy Logs and ISA Server Firewall Logs checkboxes.
Note that there are also options to backup The ISA Enterprise Configuration (Rules, Protocols, Networks etc.) and Websense Configuration. Since I’m doing this demonstration on a SE version of the ISA firewall and don’t have Websense installed, these options don’t show available at this time.
On the Backup schedule page, you have several options, including:
- One Time
In this example I will select the Daily option and see how that works. Click Next.
This brings up the Schedule detail page. Here you can enter the Start time, Start date and whether to run the backup Every Day of every X number of days. In this example, I’ll set a time a few minutes in the future and select today as the start date. I’ll also configure it to perform the backup Every Day.
On the Log backup period page, you can set up the how many of the log files you want to include in the backup. I usually keep the last 30 days of log files, I figure it is a good idea to keep them all backed up. And it will make it easier to recover the log files in the case that I have to restore. You will be impressed by the level of compression you will get in your log files. I have 95MB of log files and they compressed into a little more than 300K. I am not telling you that you will always see that kind of compression, but you will not need to worry about your log files hogging up all your backup drive space. Winfrasoft states that you can expect about 95% compression, leaving your logs at about 5% of their original size.
You can choose the number of days of log files you want to back up, or you can select a date range. I’m going to choose the last 30 days and click Next.
On the Backup file Password and location page, you enter the backup location and a password that is used to encrypt and protect your backup file. In this example, I have created a share on a Windows Server 2008 machine to store my firewall’s backup files named FirewallBackup and given the domain admin permission to write and read to and from that directory.
On the Service Account name and password page, you need to enter a service account name of a user who has the ability to write to the location of the backup log files. In this example, the ISA firewall is not a domain member, but the ISA firewall Backup Software needs to write to a directory on the domain member machine. In order to support this, I gave the local admin account on the ISA firewall the same password as the domain admin account. I did this for demonstration purposes only. What you should do is create a service account in the domain, and then mirror that account on the ISA firewall, so that Backup for ISA Server can write to that directory. This is only required if the ISA firewall isn’t a domain member. In practice, you should almost always make the firewall a domain member in order to get a higher level of security.
Click Next on the Service Account name and password page.
Click Finish on the Winfrasoft Backup for ISA Server Wizard is complete page.
The Backup Schedule Saved page shows that the information was saved and that a Scheduled Task was created by the wizard.
In the next two figures you can see the scheduled task, and some of the details of the scheduled task. Notice that I had to change the time since I didn’t finish the wizard before the time I had set in the wizard.
Going to the backup folder, you can see backup files. There are two of them there because one of them was one I ran to run NOW to see if it actually worked. 🙂
Performing a Restore
Now the proof of any backup solution is in the restoration. I cannot tell you how many times I have seen ISA firewall admins try using a variety of other backup solutions just to find out that while the backups seemed to work, the restoration did not.
In order to test the restore I cratered the ISA firewall and reinstalled Windows and updated Windows with all of the available updates based on Microsoft Update. Then I installed ISA 2006 and installed all updates available for ISA 2006 available through Microsoft Update. Then I installed Backup for ISA Server.
As you remember, during the installation of Backup for ISA Server, the Welcome to the Winfrasoft Backup for ISA Server Wizard page will appear. Click Next.
On the Backup or Restore page, select the Restore ISA Server Configuration and Logs option and click Next.
On the Restore from file page, click the Browse button and find the backup file you want to use for the restore. Since I mapped a network drive on the ISA firewall to the share on the file server that is storing the backup files, I can just connect to the mapped drive and find the file, as seen in the figure below. After you locate the backup file you want to use for the restore, select it and then click Next.
The Backup file information page provides some basic information about the backup file you’re using for the restoration. Review this information and click Next.
On the Items to restore and password page, put checkmarks in The ISA Array/Server Configuration (Rules, Protocols, Networks, etc), The ISA Server Web Proxy Logs and The ISA Server Firewall Logs checkboxes. Then enter the password you assigned to the log file in the Restore Password text box.
On the Log Restore period page, you are given the option for what logs files you would like to restore. In this example where the box was cratered, we would want to restore all of the log data. However, if you are in a situation where the box wasn’t cratered and you still have access to some log files, you might want to be more selective regarding which log files you want to restore. You are given that option by selecting a Date Range for logs you want to restore. In this example we will select All log data, and then click Next.
Note that a dialog box appears indicating that there are some log files already on the box. The reason we see this in a new ISA firewall installation that has not had a chance to run yet is that when you install the ISA firewall software, some log files are created for today, and since we backed up the server today, there will be log files with matching dates. Since the new ISA logs files are empty at this time, there’s no problem with overwriting the new log files with the older ones of the same data.
If you have a firewall array, you have the option to restore all the log files kept on each member of the array to this server. There’s no reason to copy the log files to each individual array member. You can read the entries for all the log files by installing them on one of the array members. However, in this example, we have a ISA 2006 SE machine, so there are no array members. So we just put a checkmark in the top level checkbox as seen in the figure below, and that will automatically select the ISA firewall we’re restoring to.
On the Winfrasoft Backup for ISA Server Wizard is complete page, click the Finish button.
On the Restore completed with Warning dialog box, we see information related to the restoration process. I only found one problem here, and that is that the month/day information is reversed (OK, this is only a problem for Americans. 🙂
The concept of backing up firewall configurations is not new and the need for a disaster recovery strategy is well documented. A multitude of tools exist to backup your mail or database servers but nothing for your ISA Server. Until now that is. A solid backup and recovery strategy is a must for any ISA firewall install and Backup for ISA Server will help you get this. Given the ease of use and simple automation provided by this application, as well as the important gap that this product provides, I award this product a 5/5.
For more information on Winfrasoft’s Backup for ISA Server Web filter, please visit the Winfrasoft Web site at http://www.winfrasoft.com/BackupForISA
ISAserver.org Rating: 5/5
Get more information about Winfrasoft’s Backup for ISA Server