Export and import
ISA Server 2004 includes an export and import feature that enables you to save and restore most array configuration information. The configuration parameters can be exported and stored locally in an .xml file. You can save your configuration to any directory and file name.
We recommend that you save the backup files to an NTFS disk partition for maximum security. Only administrators of the ISA Server computer should have read permissions to the directory.
Exporting the configuration
You can export the entire ISA Server configuration, or just parts of it, depending on your specific needs. You can export the following objects:
- Entire ISA Server configuration
- All the connectivity verifiers, or one selected connectivity verifier
- All the networks, or one selected network
- All the network sets, or one selected network set
- All the network rules, or one selected network rule
- All the Web chaining rules, or one selected Web chaining rule
- Cache configuration
- All the content download jobs, or one or more selected content download jobs
- Entire firewall policy, or one selected rule
The system policy rules are not exported when you export the firewall policy. To export the system policy, select the Export System Policy task.
When you export an entire configuration, all general configuration information is exported. This includes access rules, publishing rules, rule elements, alert configuration, cache configuration, and ISA Server properties. In addition, you can select to export user permission settings and confidential information, such as user passwords. Confidential information included in the exported file is encrypted.
When importing the file, a password may be required to open and decrypt this information. This is the password that was specified when the file was created during the export process.
When you select a specific object to export, the following is exported:
- Specified object, including all property values
- All descendant objects that are contained within the hierarchy, starting at the specified object
- All referenced objects, even when outside the object hierarchy of the selected object
For instructions, see Export a configuration and Export a partial configuration.
Reasons for exporting the configuration
The export feature is useful in several scenarios:- Cloning a server.
- You can export a configuration from one ISA Server computer to another computer, thereby easily duplicating a server setup. For example, after configuring an ISA Server computer at one branch, you can export the configuration to an .xml file. Then, you can import it to another computer at another branch.
- Saving a partial configuration.
- You can export a single rule, an entire policy, or an entire configuration. This is helpful, for example, when you want to copy all the firewall policy rules, but not the monitoring configuration, to another ISA Server computer.
- Sending a configuration for troubleshooting.
- You can export your configuration information to a file, and send it to support professionals for analysis and troubleshooting.
Importing the configuration
During the import process, the configuration saved in the exported .xml file is copied to the designated location. This file includes server-specific configuration information, such as cache drives, SSL certificates, and the VPN static address pool. When confidential details, such as user passwords, have been exported with the file, a password is required to open and decrypt the secure information. This password is set when the file is exported.
When you export an entire configuration, certificate settings are also exported. However, if you import the configuration to an ISA Server computer with different certificates, the Microsoft Firewall service will fail to start and an event message will be logged.
You can use the importing functionality to clone configurations from one computer to another. For example, you might create a policy on an ISA Server computer in your corporate headquarters. Subsequently, you can export the configuration, and then import the configuration information to the ISA Server computers in various branch offices.
This functionality is useful even after you modify a configuration, and then clone the configuration file again to the same computer. When you import the information again, any previous configuration created by the earlier file is erased, and only the new configuration information is retained.
For example, suppose you had two access rules configured on your corporate ISA Server computer. You export that policy to the branch offices. But, subsequently, you change the configuration at headquarters; only one rule is in effect. When you import that configuration to your branch offices, the original two rules are erased, and only the new corporate configuration is applied.
Caution
- When a file originally exported from a specific computer is imported to the same computer, previously defined rule elements, policy rules, publishing rules, alert configuration, cache configuration, and ISA Server properties are overwritten, if the object also exists in the file being imported. This applies to the level at which the import is invoked and below.
The configuration file must be imported at the appropriate node. For example, after you export a rule, you must import the configuration file at the Firewall Policy node or by selecting another rule.
For configuration instructions, see Import a configuration.
