ISA Server 2004 supports a full upgrade path for ISA Server 2000 users. Most ISA Server 2000 network settings, monitoring configuration, and cache configuration will be upgraded to ISA Server 2004.
ISA Server 2004 introduces many new features and changes. These changes affect the server configuration and upgrade scenarios. This section provides information about the key items to consider as part of the upgrade process.
Before upgrading to ISA Server 2004 Enterprise Edition, carefully review the Upgrade process.
Depending on which ISA Server 2004 component you are installing, you perform different steps to upgrade from ISA Server 2000, as described in this section.
The ISA Server 2004 Migration Tool enables a full upgrade path for ISA Server 2000 users to ISA Server 2004. Most ISA Server 2000 configuration information will be upgraded to ISA Server 2004. ISA Server 2004 introduces many new features and changes. These changes affect the server configuration and upgrade scenarios. These changes also impact which elements can be upgraded.
The upgrade process from an array of ISA Server 2000 computers involves these steps:
If you do not want to dedicate an additional computer to the ISA Server 2004 array, do the following:
The upgrade process from a stand-alone ISA Server 2000 computer is similar to the upgrade process for an ISA Server 2000 array. As with the array upgrade, you will require an additional computer on which to install the ISA Server 2004 Configuration Storage server component.
The upgrade process from ISA Server 2004 Standard Edition involves these steps:
The array must have only one member server when you import the configuration information.
The components of ISA Server 2004 can be installed on separate computers. The upgrade from ISA Server 2000 Enterprise Edition to ISA Server 2004 differs, depending on which ISA Server 2004 component is installed.
When you install only the ISA Server services, the upgrade process from ISA Server 2000 is straightforward, in that you perform an in-place upgrade.
After you upgrade, carefully review the migrated rule elements. The upgrade process is automated, and although the migration is accurate, the resulting rule elements may not be optimal. Tweak the rule elements as appropriate.
When you upgrade from ISA Server 2000 to a Configuration Storage server component of ISA Server 2004, perform the following steps:
We recommend that when upgrading from ISA Server 2000 to ISA Server 2004 on a different computer, you install all necessary certificates on that computer before importing the ISA Server 2000 configuration file.
When you install ISA Server 2004, you can upgrade the Routing and Remote Access configuration. You can upgrade the configuration to ISA Server 2004, regardless of whether ISA Server 2000 is installed on the computer.
Note the following limitations to the Routing and Remote Access configuration upgrade:
The configuration information stored in the .xml file can be imported only to an empty array in ISA Server 2004 Enterprise Edition.
Application filters and Web filters supplied by third-party vendors for ISA Server 2000 are not compatible with ISA Server 2004. Some third-party vendors have created new versions for ISA Server 2004. To upgrade to the new versions, perform the following steps:
For more information about how add-ins are upgraded, see ISA Server 2000 add-in configuration upgrade.
The upgrade process from ISA Server 2000 Message Screener is straightforward, in that you perform an in-place upgrade.
Some administration and monitoring configuration settings are migrated to ISA Server 2004, as detailed in the following sections.
In ISA Server 2000, you can use ISA Server Management to reconfigure a system access control list (SACL) on certain objects. In addition, the SACL for any element could be changed using the Admin COM object model.
SACLs are not migrated to ISA Server 2004. Instead, the default SACLs are applied.
All ISA Server 2000 alert definitions are migrated directly to ISA Server 2004, with the following exceptions:
No log configuration settings are migrated from ISA Server 2000. ISA Server 2004 log settings are set to the post-installation default settings. After migration, ISA Server 2004 logs are stored as Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) logs or in text format.
Report jobs, reports, and report configuration are not migrated.
When you upgrade an ISA Server 2000 enterprise, most settings are migrated to ISA Server 2004, as detailed in the following sections.
When you upgrade an ISA Server 2000 array, the enterprise policy applied to the ISA Server 2000 array is upgraded, but as an empty policy. That is, the enterprise policy does not contain any rules.
Enterprise policy elements are upgraded to ISA Server 2004 enterprise policy elements, as detailed in ISA Server 2000 policy elements upgrade.
Similarly, ISA Server 2000 array-level policy elements are upgraded to ISA Server 2004 array-level policy elements.
ISA Server 2000 access policy rules are not upgraded to ISA Server 2004. Specifically, the following rules are not upgraded as part of the upgrade process:
Bandwidth rules (and associated policy elements) are not supported in ISA Server 2004. They are not upgraded.
If packet filtering is disabled on ISA Server 2000, all traffic to the Local Host and Perimeter networks is allowed, in accordance with the configured system policy.
ISA Server 2000 publishing rules are not upgraded to ISA Server 2004. Specifically, the following rules are not upgraded as part of the upgrade process:
Most ISA Server 2000 policy elements are upgraded to ISA Server 2004, as detailed in the following sections. Enterprise-level policy elements on ISA Server 2000 are upgraded to ISA Server 2004 enterprise-level policy elements. Similarly, array-level policy elements on ISA Server 2000 are upgraded to ISA Server 2004 array-level policy elements.
In ISA Server 2000, client address sets included IP addresses and IP address ranges. Client address sets were used in site and content rules, and in protocol rules (and not in publishing rules).
In ISA Server 2004, client address sets are replaced by computer sets. For each ISA Server 2000 rule that applies to a client address set that is upgraded, a new computer set is created on ISA Server 2004. The upgraded rule applies to the new computer set, which includes the same IP addresses as the original client address set on ISA Server 2000.
ISA Server 2000 content groups are upgraded directly to ISA Server 2004. If a content group with the same name exists on ISA Server 2004, the content group from ISA Server 2000 is not imported.
ISA Server 2000 destination sets could include computer names, IP addresses, IP address ranges, domain names, and paths on computers. The destination sets are used in site and content rules, and in publishing rules.
ISA Server 2004 does not use destination sets. Instead, other network elements were introduced, which can be used flexibly with access rules and publishing rules.
The following table describes how ISA Server 2000 destination sets are mapped to various ISA Server 2004 network objects.
| ISA Server 2000 policy element | ISA Server 2004 network object |
|---|---|
| Destination set with wildcards | Domain name set |
| Destination set with path | URL set |
| Destination set with single IP address | URL set |
| Destination set with single IP address and with path | URL set |
| Destination set with IP address range | Computer set |
| Destination set with IP address range and path | URL set |
The following table shows examples of how ISA Server 2000 destination sets are upgraded.
| Destination set on ISA Server 2000 | Network object on ISA Server 2004 |
|---|---|
| Destination set with mayah.microsoft.com | Domain name set with mayah.microsoft.com |
| Destination set with eitanh.microsoft.com and with path foo | Domain name set with eitanh.microsoft.com and URL set with http://eitanh.microsoft.com/foo/ |
| Destination set with IP address range 192.168.123.134 (single IP) and path foo | Computer set with range 192.168.123.134 to 192.168.123.134; URL set with http://192.168.123.134/foo/ |
| Destination set with yairh.microsoft.com and path /foo, with IP address 1.2.3.4 and path boo, and with IP address range 1.2.3.4 to 1.2.3.5 and path /home | Computer set with IP address ranges 1.2.3.4 to 1.2.3.4 and 1.2.3.4 to 1.2.3.5; domain name set with yairh.microsoft.com; URL set with http://yairh.microsoft.com/foo, http://1.2.3.4/boo, http://1.2.3.4/home, and http://1.2.3.5/home |
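As an added worked example (not code from the original documentation or from the ISA Server 2004 Migration Tool), the following Python models the destination set mapping described in the tables above and reproduces the last row of the examples table; the `Entry` and `NetworkObjects` types, the `upgrade_destination_set` function and the leading-slash path convention are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class Entry:
    """One line of an ISA Server 2000 destination set (constructed model)."""
    kind: str                   # "domain" (name, possibly with wildcard), "ip" or "range"
    value: str                  # e.g. "*.microsoft.com", "1.2.3.4" or "1.2.3.4-1.2.3.5"
    path: Optional[str] = None  # optional path on the destination


@dataclass
class NetworkObjects:
    """ISA Server 2004 network objects created for one destination set.
    Per the naming convention table, each object carries the destination set name."""
    name: str
    domain_name_set: List[str] = field(default_factory=list)
    computer_set: List[Tuple[str, str]] = field(default_factory=list)  # (first, last) ranges
    url_set: List[str] = field(default_factory=list)


def _normalize_path(path: str) -> str:
    # Assumption: paths get a leading slash; the page's own examples vary on the trailing slash.
    return path if path.startswith("/") else "/" + path


def _hosts_in_range(first: str, last: str) -> List[str]:
    """Expand an IPv4 range to its hosts; each host becomes a URL when a path is set."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    if hi < lo:
        raise ValueError(f"range end {last} precedes start {first}")
    return [str(IPv4Address(i)) for i in range(lo, hi + 1)]


def upgrade_destination_set(name: str, entries: List[Entry]) -> NetworkObjects:
    """Map an ISA Server 2000 destination set to ISA Server 2004 network objects."""
    out = NetworkObjects(name=name)
    for e in entries:
        if e.kind == "domain":
            out.domain_name_set.append(e.value)          # names and wildcards -> domain name set
            hosts = [] if "*" in e.value else [e.value]  # a wildcard cannot form a URL
        elif e.kind == "ip":
            out.computer_set.append((e.value, e.value))  # single IP -> one-address range
            hosts = [e.value]
        elif e.kind == "range":
            first, last = (s.strip() for s in e.value.split("-", 1))
            out.computer_set.append((first, last))      # IP range -> computer set
            hosts = _hosts_in_range(first, last)
        else:
            raise ValueError(f"unknown destination entry kind: {e.kind!r}")
        if e.path:                                       # any path -> URL set entries
            out.url_set.extend(f"http://{h}{_normalize_path(e.path)}" for h in hosts)
    return out


# Constructed sample: the last row of the page's worked-example table.
SAMPLE_ENTRIES = [
    Entry("domain", "yairh.microsoft.com", "/foo"),
    Entry("ip", "1.2.3.4", "boo"),
    Entry("range", "1.2.3.4-1.2.3.5", "/home"),
]

if __name__ == "__main__":
    print(upgrade_destination_set("yairh", SAMPLE_ENTRIES))
```

Reviewing the generated objects this way before import is the same check the text asks for after an automated migration: the rule elements are correct but may not be the tightest set you would write by hand.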
The following table describes the ISA Server 2004 rule settings for the destination sets originally used in rules upgraded from ISA Server 2000.
| ISA Server 2000 | ISA Server 2004 |
|---|---|
| All destinations | To property is set to Anywhere. |
| All Internal destinations | To property is set to Internal Network. Destination network is set to Internal. |
| All External destinations | To property is set to External Network. Destination network is set to External. |
| Selected destination | To property is set to computer sets, domain names, and URL sets, corresponding to the original destination set. |
ISA Server 2000 included two types of protocol definitions:
The migration tool creates corresponding protocol definitions in ISA Server 2004 for all explicitly defined protocol elements. If ISA Server 2004 already has a protocol definition with the same name, the ISA Server 2000 protocol definition is not imported.
Implicitly defined protocol definitions, created by third-party application filters, are not upgraded. A warning message indicates this in the migration log file. Implicitly defined protocol definitions, used with IP packet filters, are upgraded.
Protocol definitions that cannot be identified by the migration tool are not upgraded. Any rules that apply to unidentified protocol definitions are deleted.
ISA Server 2000 schedules upgrade directly to ISA Server 2004. Any ISA Server 2000 rule that does not have a specifically named schedule will reference the schedules created (with the same name) in ISA Server 2004.
A new schedule may be created on ISA Server 2004 when a site and content rule and a protocol rule on ISA Server 2000 use two different schedules.
ISA Server 2000 included incoming listeners and outgoing listeners on a specific IP address. In ISA Server 2004, Web listeners can be assigned to an entire network or to a specific IP address.
The incoming listeners on ISA Server 2000 are upgraded to ISA Server 2004 as Web listeners on the External network.
The default outgoing listeners on ISA Server 2000 are upgraded to ISA Server 2004 as Web listeners on the Internal network. If the default listener is not being used, no listener is upgraded. This is noted in the log file.
The following table details the naming conventions for the new rule elements.
| ISA Server 2000 policy element | ISA Server 2004 rule element |
|---|---|
| Destination set (creates computer set) | Computer set with Destination_Set_Name |
| Destination set (creates URL set) | URL set with Destination_Set_Name |
| Default Web listener | External default Web listener |
| Merged schedule | ScheduleName1_ScheduleName2 |
ISA Server 2000 network and client configuration settings are upgraded to ISA Server 2004, as detailed in the following sections.
ISA Server 2000 supports only two networks: Internal and External. A perimeter network (also known as DMZ, demilitarized zone, and screened subnet) could be implied by creating packet filters to route traffic from the External network to the perimeter network.
ISA Server 2004 supports multiple networks. The following networks are created by default on ISA Server 2004:
The migration tool creates the following network rules on ISA Server 2004:
The local domain table (LDT) is migrated as is to ISA Server 2004. If the ISA Server 2000 LDT includes IP addresses, these are not migrated to ISA Server 2004.
In ISA Server 2004, client settings are per network. ISA Server 2000 client settings are upgraded directly to the client settings on the ISA Server 2004 Internal network.
As in ISA Server 2000, ISA Server 2004 Firewall Client application settings apply to all client requests. Firewall Client application settings are upgraded directly to ISA Server 2004.
Most ISA Server 2000 dial-up, chaining, and routing configuration settings are upgraded to ISA Server 2004, as detailed in the following sections.
In ISA Server 2000, multiple dial-up connections could be created, but only one dial-up connection could be active at a time. In ISA Server 2004, only a single dial-up connection can be created.
In ISA Server 2000, the dial-up connection was defined per Firewall client and per Web Proxy client. In ISA Server 2004, the dial-up connection is defined per network.
As part of the upgrade process, only the active dial-up connection is upgraded. It is assigned to the External network.
All other dial-up connections are not upgraded. This is noted in the upgrade log file.
ISA Server 2000 chaining configuration is upgraded directly to ISA Server 2004. The only exception is the dial-up connection specified on ISA Server 2000. On ISA Server 2004, the dial-up connection is created on the External network.
Each ISA Server 2000 routing rule is duplicated on ISA Server 2004, as a cache rule and as a routing rule.
The ISA Server 2004 routing rule is created with identical properties to those of the original ISA Server 2000 routing rule. The destinations specified for the ISA Server 2000 routing rule are mapped to specific networks on the To property page of the ISA Server 2004 routing rule properties.
If the ISA Server 2000 routing rule used a dial-up entry, a dial-up entry with the same properties is created on the External network of ISA Server 2004.
A new caching rule is created based on the original ISA Server 2000 routing rule. The destinations specified for the ISA Server 2000 routing rule are mapped to specific networks on the To property page of the ISA Server 2004 routing rule properties.
The following properties are not supported on ISA Server 2004 caching rules and are therefore not upgraded from the original ISA Server 2000 routing rule: bridging and action.
In ISA Server 2000, application filters were applied unconditionally to specific traffic. In ISA Server 2004, some filtering can be applied on a per-rule basis. The following table describes how ISA Server 2000 application filter functionality is upgraded to ISA Server 2004.
| Application filter or rule | ISA Server 2000 | ISA Server 2004 |
|---|---|---|
| H.323 filter | Allow incoming calls | Filter listens on the External network |
| H.323 filter | Allow outgoing calls | Filter listens on the Internal network |
| H.323 filter | All other configurations | Same as in ISA Server 2000 |
| HTTP redirection | All configurations | Not supported |
| RPC filter | All configurations | Replaced with per-rule filtering |
| SMTP filter | SMTP commands | Same as in ISA Server 2000 |
| SMTP filter | Attachments, users and domains, and keywords | Upgraded to an SMTP server publishing rule, on a per-rule basis |
| SOCKS v4 filter | Enabled | Listens for SOCKS requests initiated from the Internal network |
| Streaming media (MMS filter, PNM filter, and RTSP filter) | Any configuration | Configuration same as in ISA Server 2000; MMS stream splitting not supported |
Configuration settings for the following application filters are upgraded directly to ISA Server 2004:
If the message screener is not installed on the computer being upgraded to ISA Server 2004, then any traffic from the message screener computer is blocked unless you specifically configure ISA Server 2004 to allow it, for example with a rule allowing all traffic between the Internal network and the Local Host network. Alternatively, you can add a rule that allows MS Firewall Control traffic from the message screener computer to the Local Host network.
Some application filter properties are configured differently in ISA Server 2004 than in ISA Server 2000.
Note that third-party application filters are not upgraded. Similarly, any protocol definitions that are installed with the application filter are not upgraded. Any rules that apply to these protocol definitions are not upgraded.
ISA Server 2000 HTTP redirector filter settings are not migrated to ISA Server 2004. To configure ISA Server 2004, do the following:
User-defined content types used for link translation are migrated to array-level content types. However, in ISA Server 2004 Enterprise Edition, the link translation filter can be applied only to enterprise-level content types. For the link translation filter to function correctly, you should copy the migrated content types to the enterprise level.
Most ISA Server 2000 cache configuration settings are upgraded to ISA Server 2004, as detailed in the following sections.
Most ISA Server 2000 cache properties are upgraded directly, with no change, from ISA Server 2000 to ISA Server 2004. Note the following exceptions:
The cache drive configuration is retained in ISA Server 2004. If the migration is done to a different computer, the ISA Server 2004 computer should have similar hardware and drive configuration to the original ISA Server 2000 computer.
If ISA Server 2000 was installed in cache mode, the migration tool does the following:
ISA Server 2000 scheduled content download jobs are upgraded directly to ISA Server 2004.
ISA Server 2000 Feature Pack 1 introduced several new features, which are included in ISA Server 2004. Most ISA Server 2000 Feature Pack 1 configuration information is migrated directly to ISA Server 2004. Note the following exceptions:
All registry keys installed as part of ISA Server 2000 hotfixes are migrated directly to ISA Server 2004.
The following ISA Server 2000 objects and configuration settings are not migrated to ISA Server 2004:
Note: When you use the Migration Tool to install ISA Server 2004, the Firewall Client Share (with the Firewall Client for ISA Server 2004 software) is installed. We recommend that you install the Firewall Client Share.
© 2004 Microsoft Corporation. All rights reserved.