ISA Firewall Config Transfer

["Bruce Smith" <bruce_the_loon () worldonline co za>]

Hi all

This is a request for comments and opinions, not for assistance as such.

According to MS and most of the resources out there, it is supposed to be
impossible to back up a Microsoft ISA server's running config and transfer
it to another ISA. Naturally this is a pain in the butt when it comes to
upgrading to new servers.

Our team has found what might be a way around this. When ISA is installed
and configured, most of the settings are kept in the registry in key
HKLM/Software/Microsoft/FPC and this key tree can be exported from the
registry on the running ISA without a problem. Importing it onto another ISA
causes trouble because there are two keys, CurrentArrayGUID and
CurrentServerGUID that are unique to the instance of ISA. By finding these
two values on the new ISA instance and doing a find/replace on the exported
reg file, as well as a find/replace on the name of the server, we should end
up with a reg key import file that will work on the new instance.

While we haven't managed to test a full reg key import, we have successfully
imported our policy elements and access rules from an existing ISA into a
new instance with only one problem, the destination sets. With a litte more
work, we should be able to solve this as well.

Our plan is to eventually build a tool that will take all the required keys
across as necessary and be able to replicate an ISA instance to a new
machine without requiring a system state restore.

Please feel free to make any comments/statements/suggestions on the
information presented.

Bruce Smith
Internet Services Administrator

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards