Migrating from Proxy Server 2.0 to ISA Server

Why Upgrade to ISA Server

A few reasons for migrating from Proxy Server 2.0 to ISA Server are listed here:

You need a H.323 Filter Gatekeeper.
You need a multi-layered firewall.
You need a firewall client.
You need to perform SSL traffic inspection.
You want to perform email-content screening.
Stateful inspection has become important.
You need secure publishing.
You want to use smart application filters.
You require advanced authentication.
You want SecureNAT.
You need to use system hardening templates.
You want integrated Intrusion Detection.
You want to use integrated VPNs

ISA Server provides enhanced and improved performance on the following Proxy Server 2.0 features:

Services operate independently of IIS services.
RAM caching.
An optimized cache
Enhanced hierarchical/distributed caching.
Enhanced SMP support.

ISA Server Enterprise edition provides the following features:

Centralized, integrated management.
Windows 2000 or Windows Server 2003 Active Directory integration.
Policy-based access control.
Create array policies that restrict or control Enterprise policy.

Understanding the Migration Process

There are some important factors to consider for migrating to ISA Server. There are listed below:

When migrating from Proxy Server to ISA Server, the computer being upgraded must be running Proxy Server 2 on Windows 2000 Service Pack 1 or above.
When migrating from Proxy Server to ISA Server where Proxy Server is running on Windows NT 4, you first have to upgrade the server to Windows 2000. Stop all Proxy Server services and upgrade to Windows 2000.
If you want to upgrade to Windows Server 2003, ISA Server must be running Service Pack 1 or above.
When your internal clients currently use the IPX/SPX protocol, then you need to install the TCP/IP protocol and configure your internal clients to use TCP/IP. This is necessary because of ISA Server not supporting the IPX/SPX protocol.
When you are migrating a Proxy Server array, then you have to first remove all array members from the Proxy Server array. When you run ISA Server Setup, you have to create an ISA Server array and then move each of the removed Proxy Server array members to the ISA Server array.
If you are migrating a Proxy Server array to a stand-alone ISA Server, almost all of your Proxy Server settings are migrated. This includes configured Proxy Server rules, existing network settings, cache configuration information and monitoring configuration will be moved to ISA Server during the migration.
If migrating a Proxy Server array to an ISA Server array, your enterprise policies will determine how Proxy Server settings are migrated.

The common steps of the migration process are:

The computer must be disconnected from the Internet.
You have to backup your Proxy 2.0 Server configuration settings.
Perform any hardware upgrades needed for the migration to ISA Server.
If you are migrating a Proxy Server array, then you have to remove the servers from the Proxy Server array. This has to be done before you perform the actual migration.
Stop Proxy Server services, and then disable all Proxy Server services.
If you currently have Proxy 2.0 running on Windows NT 4.0, you have to upgrade to at least Proxy 2.0 Windows 2000 Service Pack 1, or later.
After all the above tasks have been completed, you can initiate the ISA Server Setup program and install the new server as a standalone server or as an array member.
To migrate a Proxy Server array, you have to create the new ISA Server array during ISA Server setup. After thi, you have to join all ensuing proxy server installations to your new ISA Server array.
To migrate to an existing array, select the array during ISA Server setup.
It is recommended that you check the contents of the ISA Server upgrade log after you have performed the migration.

Your current Proxy Server 2.0 rules and configuration information is migrated to the ISA Server computer as follows:

Proxy Server 2 domain filters to ISA Server site and content rules.
Proxy Server 2 Winsock permission settings to ISA Server Protocol rules.
Proxy Server 2 static packet filters to either ISA Server allow IP packet filters or block IP packet filters.
Proxy Server 2 publishing properties to ISA Server Web publishing rules.
Proxy Server 2 Web Proxy routing rules to ISA Server routing rules.

When migrating to ISA Server, you can configure ISA Server as follows:

To use enterprise policy only.
To use array policy only.
To use both enterprise policy and array policy.

The enterprise policy settings determine how Proxy Server rules are migrated to ISA Server. A few enterprise policy settings are listed below, together with how migration to ISA Server occurs:

Use Array Policy Only (Enterprise Administrator permissions); existing Proxy Server 2.0 rules are migrated to ISA Server.
Use Enterprise Policy Only (Enterprise Administrator permissions); existing Proxy Server rules are migrated to ISA Server. Enterprise policy settings for the new array use array policy only.
Use Enterprise Policy Only (no Enterprise Administrator permissions); no existing Proxy Server rules are migrated to ISA Server. Enterprise policy settings for the new array use enterprise policy only.
Use Enterprise And Array Policy (Enterprise Administrator permissions); existing Proxy Server rules are migrated to ISA Server. Enterprise policy settings for the new array utilize array policy only.
Use Enterprise And Array Policy (no Enterprise Administrator permissions); those Proxy Server rules which can be migrated to Deny rules are migrated to ISA Server. Enterprise policy settings for the new array utilize enterprise policy and array policy.

How to backup Proxy Server configuration

Open Internet Service Manager.
On the View menu item, click Servers View.
Double-click the computer name, and then double-click Web Proxy (Running).
The Web Proxy Service Properties opens.
Click the Service tab.
In the Configuration area, click Server Backup.
When the Backup dialog box opens, verify the information shown on where the backup file will be saved
Click OK to create a back up of the Proxy Server configuration.

If you need to restore your Proxy Server configuration, use the process below:

Open Internet Service Manager.
Double-click the computer name, and then double-click Web Proxy service.
The Web Proxy Service Properties opens.
Click the Service tab.
In the Configuration area, click Server Restore.
When the Restore Configuration dialog box opens, click the Browse button to select the Proxy Server configuration file.
Select the Proxy Server configuration file that you want to use for the restore.
Click Open.
Select the Full Restore option.
When the Restore Configuration dialog box opens, click OK to start the restore of the Proxy Server configuration.

How to check the Proxy Server array status

Open Internet Service Manager.
Double-click the Web Proxy service to display its Properties dialog box.
The Web Proxy Service Properties dialog box opens.
In the Shared services area of the Service tab, click the rray button.
The Array dialog box opens.
Verify that the name of the array members is listed in this dialog box.
Click OK.

How to stop and disable Proxy Server services

You can use the net stop service name command to stop and disable Proxy Server services. The Proxy Server services that you need to stop are:

Microsoft Winsock Proxy Service – Wspsrv
Microsoft Proxy Server Administration – Mspadmin
Proxy Alert Notification Service – Mailalrt
World Wide Web Publishing Service – W3svc

How to remove a proxy server from a Proxy Server array

Open Internet Service Manager.
Double-click the Web Proxy service to display its Properties dialog box.
The Web Proxy Service Properties dialog box opens.
In the Shared services area of the Service tab, click the Array button.
The Array dialog box opens.
Select the name of proxy server that you want to remove from the proxy array, and then click Remove from array.
A message is displayed, stating that both Proxy Server computers are stand-alone servers. Click Yes.
Click OK on the Microsoft Proxy Server dialog is displayed, indicating that the local server has been removed from the array.

Examining the ISA Server Setup Logs

When you run the ISA Server Setup Program, the following logs are created in the ISA Server installation directory:

isas.log: This log holds the following information:
- ISA Server Setup
- The Proxy 2.0 definitions that were checked.
isasupgrade.log: This log holds detailed information on the steps taken during the ISA Server Setup, and also records whether the step was successful or whether it failed. Information contained in the isasupgrade.log are:
- Warnings on components or items which were not migrated.
- Information on the migrated cache drives. During migration, only the location and size of the cache is migrated. Content is not.
- Client configuration
- Protocols and port information.
- Migrated packet filters.
- Proxy domain filters which were upgraded to rules.
- Log configuration
- Cache configuration.

Performing Post Migration Tasks

There are a number of tasks that you need to perform after you migrate Proxy Server 2.0 to ISA Server, before you can activate ISA Server:

You should verify that network configurations on the ISA Server are correct. Verify network connectivity as well.
You have to reconfigure downstream browsers. This is due to Proxy Server and ISA Server using different ports for HTTP requests. Proxy Server listens for HTTP requests on Port 80, while ISA Server listens on Port 8080.
You need to configure basic authentication for Web requests. This is due to Windows Integrated authentication being installed and enabled by default with ISA Server. With Proxy Server, Integrated authentication and anonymous authentication were enabled.
For ISA Server arrays, Kerberos is used for authentication. Proxy Server intra-array authentication is no longer used between array members.
Web Proxy Service permissions are not included in the migration.
Because ISA Server uses SOCKS application filters, SOCKS rules configured with Proxy Server 2 are not included in the migration process. You have to possibly configure or modify your SOCKS application filters.