Understanding Policy and Configuration Backup and Restore Options in Forefront Threat Management Gateway (TMG) 2010
An important aspect of maintaining the Forefront Threat Management Gateway (TMG) 2010 firewall is backing up the firewall policy and system configuration. This is essential in the event of a system failure, or when a policy or configuration change needs to be rolled back. Exporting and importing policy and configuration is also helpful for migrating hardware or mirroring production environments in a test lab. There are several ways to accomplish this, using either the TMG management console or programmatically by leveraging VBScript and COM. The latter option is especially helpful for automating the process of backing up policy and configuration. For TMG Enterprise deployments there are also multiple choices to be made when exporting and importing policy and configuration. We’ll explore those in detail in this article.
When choosing to back up the policy and configuration of a TMG firewall, it is important to understand the difference between backing up only the firewall policy and backing up the policy and configuration. When backing up the policy and configuration, in addition to the configured firewall policy you also get networking configuration (networks, network rules, network sets, etc.), VPN configuration (address assignments, authentication methods, etc.), authentication servers (RADIUS and LDAP), intrusion detection settings, logging and reporting settings, connectivity verifiers, and more. Optionally you can choose to export confidential information such as user passwords, RADIUS shared secrets, and user permission settings. Be advised that certificates used for SSL web listeners are NOT exported using this process; private keys are never written to the export file. If your firewall policy contains SSL web listeners, you must import those certificates (with their private keys) into the computer account certificate store on the machine to which you are importing the configuration (for enterprise arrays this must be done on each array member).
Export Policy and Configuration
You can back up (export) the entire firewall policy and configuration by opening the management console, right-clicking the root node and choosing Export (Back Up).
Exported information is saved in an XML file. If you choose to Export confidential information (for example user passwords and RADIUS shared secrets) you’ll be prompted to enter a password, and that confidential portion of the file is encrypted with it. The rest of the export, including your complete rule set and network layout, is stored in clear text, so protect the export file with restrictive NTFS permissions regardless of whether you exported confidential information. Optionally you can also choose to export user permission settings. This is helpful if you changed the default administrative delegation settings in TMG (which is highly recommended!). If you choose not to export confidential information or user permission settings, the existing settings on the target system will be retained when you import this file.
Specify the location to save the XML export file to and choose Next to continue.
Confirm the settings and then click Finish to complete the process.
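The console procedure above is fine for an occasional export, but the introduction mentions that the same operation can be driven programmatically through COM. The following PowerShell script is an added example, not code from the original article or from Microsoft, that performs a scheduled policy-and-configuration export against the same FPC.Root COM object (PowerShell is used here in place of VBScript). It assumes the script runs as a TMG administrator on an array member, that the FPCArray.ExportToFile signature (FileName, OptionalData, EncryptionPassword, Comment) and the FpcExportImportOptionalData flag values are as published in the ISA/TMG SDK, and that a DPAPI-protected password file has been created once as shown in the comments. The $BackupDir path, the retention period and the export.pwd file name are illustrative choices.

```powershell
# Added example: scheduled TMG policy-and-configuration export via the FPC.Root COM object.
# Assumptions (not from the article): SDK method names/flag values below, paths, retention.
param(
    [string]$BackupDir = 'C:\TMGBackups',   # hypothetical location, lock down its ACL
    [int]$KeepDays     = 30                 # hypothetical retention period
)

# FpcExportImportOptionalData flag values as documented in the ISA/TMG SDK (assumed)
$fpcExportImportPasswords       = 1   # confidential data: user passwords, RADIUS shared secrets
$fpcExportImportUserPermissions = 2   # administrative delegation settings
$fpcExportImportServerSpecific  = 4   # server-specific settings (not needed for a portable backup)

if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

# The export password protects the encrypted confidential section of the XML.
# Keep it out of the script: store it once, DPAPI-protected for this account, with
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content $secretFile
$secretFile = Join-Path $BackupDir 'export.pwd'
$secure = Get-Content $secretFile | ConvertTo-SecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try   { $password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Bind to the array this server belongs to (equivalent of right-clicking the root node)
$root  = New-Object -ComObject 'FPC.Root'
$array = $root.GetContainingArray()

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$file    = Join-Path $BackupDir ("{0}-{1}.xml" -f $array.Name, $stamp)
$options = $fpcExportImportPasswords -bor $fpcExportImportUserPermissions

# Full policy-and-configuration export, including encrypted confidential data and
# delegation settings; this file must later be restored with Import (Restore) at the root.
$array.ExportToFile($file, $options, $password, "Scheduled export $stamp")
$password = $null

# Sanity check: a usable export is well-formed XML with a root element
[xml]$check = Get-Content $file
if (-not $check.DocumentElement) { throw "Export at $file is not valid XML" }
Write-Host "Exported $($array.Name) to $file"

# Retention: prune exports older than $KeepDays so the backup directory does not grow forever
Get-ChildItem $BackupDir -Filter '*.xml' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Remove-Item
```

Register the script as a scheduled task running under a dedicated account that holds the TMG administrator role, and copy the backup directory off the firewall as part of normal backups; an export that only exists on the box that just failed is not a backup. A firewall-policy-only export is a separate object in the SDK (the array's ArrayPolicy exposes its own ExportToFile, per the SDK as far as I recall); remember that such a file can only be restored with Import Firewall Policy, as the caution later in this article explains.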
Import Policy and Configuration
Restoring (importing) a backed up policy and configuration is simple and straightforward. Once again right-click the root node and choose Import (Restore).
Specify the full path to the export file you wish to import and then choose Next.
Next you’ll choose either to Import the policy and configuration or to Overwrite (restore) it. Use caution when making your choice here. If you select the option to import, the policy and configuration will essentially be merged with your existing policy and configuration. However, choosing the option to overwrite and restore will replace your existing policy and configuration with the one contained in the backup file. This means that any configuration settings, rules, objects, etc. on the target system will be removed if they do not exist in the import file.
Next you can optionally choose to import server-specific information and user permission settings.
Supply the password used to create the export and choose Next.
Confirm the settings and then click Finish to complete the process.
Once the import is complete, save and apply the configuration and optionally choose the option to restart services as necessary.
If your firewall policy contains SSL web listeners and you neglected to import the certificates into the computer account store on the machine you are importing the configuration to, your web publishing rules will fail. If you look at the properties for your SSL web listener and choose the Certificates tab you’ll notice that no certificate is bound to the listener.
To resolve this issue, install the appropriate certificates as required and then click Select Certificate to bind the certificate to the web listener. In my experience this issue may occur even if the certificates are in place so it’s a good idea to review this setting before applying the changes. In addition, when importing configuration to a server that is using different IP addresses or network ranges, be sure to verify that the listener and certificate are bound to the IP addresses you desire before applying the configuration.
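Before applying an imported configuration it is worth checking, from the command line, that every certificate the SSL web listeners depend on is actually present and usable in the computer account store. The following PowerShell function is an added example, not part of the original article; it takes the host names your listeners publish (the two names shown are constructed samples) and reports, for each, whether a matching certificate exists in Cert:\LocalMachine\My with a private key, a valid date range, a Server Authentication EKU and a chain the local machine trusts. It only reads the certificate store; binding the certificate to the listener is still done in the console as described above.

```powershell
# Added example: verify web listener certificates exist in the computer account store
# before applying an imported TMG configuration. Names below are constructed samples.
function Test-TmgListenerCert {
    param([Parameter(Mandatory=$true)][string[]]$HostName)

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $now   = Get-Date
    $store = Get-ChildItem Cert:\LocalMachine\My

    foreach ($name in $HostName) {
        $escaped = [regex]::Escape($name)
        # Match on the subject CN or on a DNS entry in the Subject Alternative Name extension
        $candidates = $store | Where-Object {
            $san = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            ($_.Subject -match "CN=$escaped(,|$)") -or
            ($san -and ($san.Format($false) -match "DNS Name=$escaped(,|$)"))
        } | Sort-Object NotAfter -Descending

        $result = New-Object PSObject -Property @{
            HostName = $name; Found = $false; Thumbprint = $null
            HasPrivateKey = $false; InDate = $false; ServerAuth = $false; ChainOK = $false
        }

        $cert = $candidates | Select-Object -First 1
        if ($cert) {
            $result.Found         = $true
            $result.Thumbprint    = $cert.Thumbprint
            $result.HasPrivateKey = $cert.HasPrivateKey
            $result.InDate        = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
            # No EKU extension means any purpose; otherwise Server Authentication must be listed
            $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            $result.ServerAuth = (-not $eku) -or
                (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid)
            # Verify() builds and validates the chain using the machine's trust and revocation settings
            $result.ChainOK = $cert.Verify()
        }
        $result | Select-Object HostName, Found, HasPrivateKey, InDate, ServerAuth, ChainOK, Thumbprint
    }
}

# Constructed sample: the names the SSL web listeners in the imported policy publish
$listenerNames = @('owa.example.com', 'portal.example.com')
$report = Test-TmgListenerCert -HostName $listenerNames
$report | Format-Table -AutoSize

# Fail loudly if anything is missing, so a deployment script stops before applying the import
$broken = $report | Where-Object { -not ($_.Found -and $_.HasPrivateKey -and $_.InDate -and $_.ServerAuth -and $_.ChainOK) }
if ($broken) { throw "Listener certificates not ready: $($broken.HostName -join ', ')" }
```

Run this on every array member, since each member has its own computer account store. A certificate that is present but fails the private key or chain check will still show up as unbound in the listener's Certificates tab, which is the symptom described above.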
Export Firewall Policy Only
Exporting and importing policy and configuration is helpful in many situations, but often it will be necessary to back up and restore only the firewall policy configuration. To accomplish this, highlight the Firewall Policy node in the navigation tree and choose Export Firewall Policy.
Import Firewall Policy Only
Importing a firewall policy is also simple and straightforward. Highlight the Firewall Policy node and then right-click and choose Import Firewall Policy.
A Word of Caution
You might be thinking to yourself “is it possible to import only the firewall policy from a configuration/policy export?” Since the configuration backup also includes firewall policy, this sounds intuitive. Sadly, it doesn’t work. If you attempt to import firewall policy from a full configuration and policy export file you will be greeted with the following error message:
So, always remember that if you export the policy and configuration, it must be imported the same way, with Import (Restore) at the root node. Likewise, a file created with Export Firewall Policy can only be brought back in with Import Firewall Policy on the Firewall Policy node.
Enterprise Export and Import
Performing a backup and restore of firewall policy or policy and configuration for TMG Enterprise Edition in a standalone array can be accomplished using the same procedures outlined above. For Enterprise Management Server (EMS) managed arrays the process for backing up policy and/or configuration for an individual array is also the same. For EMS-managed arrays you additionally have the option of backing up individual enterprise policies, all enterprise policies, or the entire enterprise including all arrays, along with their configuration and policies.
Export Enterprise Policies
To back up an individual enterprise policy, expand Enterprise Policies in the navigation tree, then right-click the policy you wish to back up and choose Export (Back Up).
Alternatively you can back up all enterprise policies at the same time by right-clicking the Enterprise Policies node and choosing Export.
Export Enterprise Policy and Configuration
To back up the entire enterprise, including enterprise policies and all array configuration and policies, right-click the root node in the TMG management console navigation tree and choose Export (Back Up).
Export Array System Policy
For a variety of reasons it might be desirable to export and import only the array system policy. A good example of this might be where a security administrator wants to deploy a standard system policy across all enterprise arrays, where each array perhaps has its own unique access policy. To export the system policy, right-click the Firewall Policy node in the navigation tree and choose All Tasks | System Policy | Export System Policy Rules.
Exporting Policy and Configuration from ISA to TMG
Using the export and import process it is possible to export policy and configuration from an ISA server to a Forefront TMG firewall. For more details on this process, click here.
Export and Configuration Change
By default, when making changes to policy or configuration in TMG you have the option to export the policy and configuration prior to applying those changes.
If you need to restore from this export it should be imported at the root of the array.
When exporting and importing policy and configuration, always make sure that the exporting and importing servers are at the same service pack and update level. Importing a configuration to a TMG firewall at a different service pack or update level than the one the export was taken from can be problematic, so record the version alongside each export and check it before restoring.
Backing up policy and configuration is an essential component of maintaining your Forefront TMG firewalls. Having a recent backup will save you a tremendous amount of time and effort if your system should fail. If you’ve implemented a change recently that has produced unexpected results, restoring from a known good backup can be helpful. In addition, exporting policy and configuration is an effective way to document your system. You can leverage the ISAinfo utility from ISAtools.org to view the policy and configuration offline with a nice, graphical interface. Don’t wait until it is too late to back up your TMG firewall. Implement a plan today to save regular policy and configuration exports, store them somewhere other than the firewall itself, and you’ll be glad you did, trust me!