Migration
- With my company currently having ISA 2006 Enterprise Edition firewalls deployed, I have a couple of questions about migration.
1. The TechNet TMG page says there is no migration from ISA 2006 Enterprise to TMG. Is that only for this beta release?
2. Is the CSS gone from TMG? I see no mention of it in the TechNet pages.
3. Will an ISA 2006 and TMG be able to function together in an array?
4. Assuming the CSS still exists and piggybacking off num 4, will a TMG-based CSS be able to hold configuration info for an ISA 2006 server?
All the ISA servers we have are 64-bit machines, although they run on a 32-bit OS. So if I could export the config data from my CSS, wipe the server, install WS2008 with the TMG version of CSS, and import the config data, that would allow us to re-image each array member as needed. Will this be possible?
Thanks
Answers
There is currently no support for automatic upgrade from ISA 2006 enterprise into TMG. We are looking to add it in the future, but it will probably not be before the next major release of .
The current beta release only supports a single-node array. This is the reason that you don't see a CSS or that you can't upgrade from ISA2006EE. In the future we will provide array functionality, but we do not plan to support mixed arrays (ISA2006 and TMG arrays).
Regarding question #4 - do you believe having a TMG based CSS hold ISA2006 configuration is important? I would love to hear feedback regarding this scenario's importance.
Regarding the "configuration upgrade" scenario you are describing - it is very likely that this scenario will be supported. I'm afraid you'd have to wait until we are closer to shipping the Forefront TMG full release to get a more reliable answer though. As any product in development, plans change and I would not like to promise anything that may change.
Hope this information helps.
Regards,
Ori Yosefi [MSFT]
Program Manager, Forefront Threat Management Gateway
Edited by Ori Yosefi - MSFT, Friday, April 18, 2008 9:12 PM: updated signature
All Replies
- Thanks for the reply
In my company's case we have 2 arrays, one in the main office and one in a datacenter. We also have a CSS in the main office and one in the datacenter. So we could point both arrays to the main CSS and upgrade the replica, then do the opposite and upgrade the main CSS. This would allow some choice in buying new hardware or upgrading our current ISA arrays. For people who only have one CSS, I guess you would just have to schedule some downtime to upgrade the CSS or just temporarily install it on a spare server. I know Microsoft didn't support this with 2004-2006, but support for an ISA array on a TMG CSS would be a huge bonus in getting TMG and Stirling deployed quicker and easier.
Don't mean to be a pain, but I do have a couple of other questions if you're able to answer. How are the TMG antivirus/malware updates handled? Are they included in TMG, or will you have to also subscribe to Forefront Client Security to get this feature?
Does the current beta, or will TMG, support the long-requested one-to-one NAT?
Any additional support for VoIP QoS or just better integration with OCS 2007?
With TMG being based on Windows 2008, will TMG finally support IPv6?
Thanks
Edited by St.Clair, Tuesday, April 22, 2008 4:20 AM: Additional Question
- Thanks for explaining your upgrade scenario. I'll make sure we take it into consideration.
Regarding your specific questions:
TMG Anti-malware updates - would probably be a subscription service. I don't know how the licensing scheme would work though. It is still a bit early.
One to One NAT - We are looking into adding more advanced NAT support (e.g. support publishing more than 1 SMTP server). Can you please explain what you would like to accomplish with 1X1 NAT?
VoIP - We are looking into providing better SIP support. I'm not sure of the level of OCS integration at this point. I also don't expect to see a lot of investment around improved VoIP QoS.
IPv6 - unfortunately we still don't have a clear timeline when this will be publicly available. We are working on it internally, but shipping a customer-ready feature is a different thing altogether.
Thanks again for the information and for your interest in the TMG.
Hope this helps,
Ori
Program Manager, Forefront Threat Management Gateway (ISA Server)
- On the one-to-one NAT. With the current version of ISA, if your outside IP address range is 10.0.0.1 to 10.0.0.5 and your primary IP address is 10.0.0.1, you can publish an SMTP server on any address, but outgoing mail will use the 10.0.0.1 address. I'm hoping with one-to-one NAT we will have the option to use, say, 10.0.0.5 for both incoming and outgoing traffic. This is particularly a problem with SMTP because if the receiving server uses Sender ID, mail will be rejected. I know we could just add the primary IP to the MX and Sender ID records, but now all SMTP will be flowing from the same address which users use, and it's hard to track bandwidth etc. This is the primary reason why we have to use a Cisco firewall in front of our ISA arrays. If Forefront TMG supports this, we could go all TMG for new sites.
I am glad to hear you guys are at least working on IPv6. Hope you are able to get something out for release. One unrelated question: will Stirling have one unified client running on each machine, or will there still be a firewall client, Client Security client, MOM client, etc.?
Thanks
- Glad to hear this is what you need from 1X1 NAT. This is the main scenario that we are trying to resolve with our NAT enhancements. There are some other scenarios (e.g. automatically NATing each internal host to a different NAT address) which we will probably not address in this release.
Regarding unifying our client components - I doubt if we will be able to unify all our client components into a single binary in the first release. We are looking at unifying the user experience (e.g. unified deployment).
Thanks,
Ori
Program Manager, Forefront Threat Management Gateway (ISA Server)
- I just saw this thread and I have another NAT situation where basic 1X1 would be very helpful. We work with several clients that host public and/or hotspot networks. Third-party internet information providers they use (accounting, payroll, business associations etc.) are asking us to split off the public network to a different outgoing address so that they can add an access list to their firewalls only allowing access from a specific public NATed address. That way they can ensure that the public access network cannot access their network. When we explain the way ISA uses NAT, they always mention that their clients with SonicWall or PIX have no problems. It would be very useful to be able to have specific internal hosts or an entire subnet able to use a separate external gateway address. Or even have a separate gateway address on the internal ISA NIC that can be used by internal clients that will be NATed to a different public address.
Just my two cents,
Thanks
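
The Sender ID problem raised earlier in this thread (an SMTP server published on 10.0.0.5 while outbound mail leaves from the primary address 10.0.0.1) can be checked offline before a NAT change. The following is an added example, not part of any post in the thread; the two records are constructed for a hypothetical domain, and only the `ip4`/`ip6`/`all` terms are evaluated.

```python
import ipaddress

# SPF qualifier prefix -> result (RFC 7208); Sender ID records share this syntax.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records for a hypothetical domain, using the thread's addresses.
PUBLISHED_ONLY = "v=spf1 ip4:10.0.0.5 -all"                # only the published SMTP address
WITH_PRIMARY = "v=spf1 ip4:10.0.0.5 ip4:10.0.0.1 -all"     # workaround: primary IP added


def evaluate(record, source_ip):
    """Evaluate the ip4/ip6/all terms of an SPF or Sender ID record for source_ip.

    Mechanisms that need DNS lookups (a, mx, include, ...) are skipped.
    """
    terms = record.split()
    version = terms[0].lower() if terms else ""
    if version != "v=spf1" and not version.startswith("spf2.0/"):
        return "none"
    addr = ipaddress.ip_address(source_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no term matched


def unauthorized_egress(record, egress_ips):
    """Return the firewall egress addresses the record does not authorize."""
    return [ip for ip in egress_ips if evaluate(record, ip) != "pass"]


if __name__ == "__main__":
    for label, record in (("published only", PUBLISHED_ONLY), ("with primary", WITH_PRIMARY)):
        # Outbound mail leaves from the primary address 10.0.0.1, as the post describes.
        print(label, "->", evaluate(record, "10.0.0.1"))
    print("not authorized:", unauthorized_egress(PUBLISHED_ONLY, ["10.0.0.1", "10.0.0.5"]))
```
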