Planning for migration
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
Forefront TMG supports the following migration options:
Migrating from Internet Security and Acceleration (ISA) Server 2004 to Forefront TMG.
Migrating from ISA Server 2006 to Forefront TMG.
Migrating from Forefront TMG Release Candidate (RC) to Forefront TMG Release to Manufacturing (RTM).
Upgrading from Forefront TMG Standard Edition to Enterprise Edition.
For more information and instructions on the migration options, see Migrating and upgrading to Forefront TMG.
Migration limitations
Before you migrate, you should be aware of the following:
Migration from ISA Server 2004 is supported only for ISA Server 2004 Service Pack 3.
Migration from ISA Server 2006 is supported only for ISA Server 2006 Service Pack 1.
If you have enabled the Local Host network to listen for Web proxy client requests, this setting is not migrated.
Customized log field selections are not migrated. When ISA Server configuration settings are imported, customized log field selections are overwritten with default log field settings.
Report configuration settings are not migrated.
If you have specified a custom value for the number of times that an event must occur before an alert is triggered, this custom value is not migrated.
Third-party add-ons are disabled after upgrade. If you were running a third-party add-on for ISA Server, contact the vendor before re-enabling it to check whether an updated version is available for Forefront TMG.
After migrating the configuration from ISA Server, the static address pool for VPN is not migrated into the Forefront TMG configuration. This is by design and affects VPN S2S (RRAS only) and VPN Roaming clients.
After migrating the VPN S2S configuration from ISA Server into Forefront TMG, the S2S network fails to connect because no tunnel owner is configured.
To resolve this issue, run the following script on Forefront TMG after the import:
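<script>
' Placeholder: replace with the name of the migrated site-to-site (S2S) network.
Const NetworkName = "<S2S network name>"
Dim root, Arr, S2SNet
Set root = CreateObject("FPC.Root")
Set Arr = root.GetContainingArray
Set S2SNet = Arr.NetworkConfiguration.Networks.Item(NetworkName)
' Assign this server as the tunnel owner, then save the change.
S2SNet.VpnConfiguration.SetAssignedServer(root.GetContainingServer.Name)
S2SNet.Save
</script>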
In ISA Server 2006, the IPsec configuration for IPsec S2S had the following default values (in both phase I and phase II):
Encryption algorithm: 3DES
Integrity algorithm: SHA1
In Forefront TMG, these values were changed to new default values that provide better security:
Encryption algorithm: AES256
Integrity algorithm: SHA256
When you import an ISA Server configuration that uses the default values, these values are replaced by the current Forefront TMG default values (this behavior is by design).
Replacing the default values breaks the existing IPsec configuration unless the configuration on the other side of the tunnel is also changed to use the current values. The current values can be changed in the UI under 'IPsec Settings' on the Connection tab of the S2S network property sheet.