Migrating from Proxy Server 2.0
Publicado em: 3 de maio de 2001
Microsoft Internet Security and Acceleration (ISA) Server supports a full migration path for Microsoft Proxy Server 2.0 users. Most Proxy Server rules, network settings, monitoring configuration, and cache configuration will be migrated to ISA Server. Furthermore, ISA Server will continue to support Winsock proxy client software, together with its own Firewall client software, in a heterogeneous client base.
ISA Server introduces many new features and changes over Proxy Server 2.0. These changes affect the server configuration and upgrade scenarios. Below are key items that an administrator should consider as part of the upgrade process to ISA Server.
Reasons for Migration
ISA Server is the successor to Proxy Server 2.0, although it is much more than a "proxy." When compared with Proxy Server 2.0, new or significantly improved features in ISA Server, include the following:
Before you can migrate an array of Proxy Server 2.0 computers, it is recommended that you remove all the members. Each member will retain an identical set of rules, which was replicated to all the servers in the array. Also, all the servers will retain identical network configuration (such as dial-on-demand settings) and monitoring configuration (such as alerts).
When you migrate Microsoft Proxy Server 2.0 to ISA Server, Standard Edition, ISA Server cannot be installed as an array member. If you want to install ISA Server as an array member, you must install ISA Server, Enterprise Edition.
There are a number of additional issues you should consider while preparing to migrate from Proxy Server 2.0 to ISA Server.
In addition, ISA Server can only be installed on computers running Windows 2000 Server or later. Therefore, if your current version of Microsoft Proxy Server 2.0 runs on Windows NT 4.0, follow these steps:
Since the core services required for firewall operation are inactive during setup, it is recommended that the computer being upgraded be disconnected from the Internet for the rest of the installation procedure.
Migrating Proxy Server 2.0 configuration
Most Proxy Server rules, network settings, monitoring configuration, and cache configuration will be migrated to ISA Server.
Mixed chains of Proxy Server 2.0 and ISA Server computers are supported.
When a computer running Proxy Server 2.0 is downstream of the ISA Server computer, only Web proxy chaining is supported. Proxy Server 2.0 does not support upstream Winsock Proxy chaining.
When an ISA Server computer is the downstream server, both Web Proxy and Firewall chaining are supported. (In Proxy Server 2.0, "Firewall chaining" was called "Winsock Proxy chaining.")
Web Proxy Client Requests
Proxy Server 2.0 listened for client HTTP requests on port 80, but when ISA Server is installed, it listens on port 8080 for the Web Proxy service. Therefore, all downstream chain members (or browsers) connecting to the ISA Server computer must connect to port 8080. You can also configure ISA Server to listen on port 80.
Proxy Server 2.0 required that you configure publishing servers as Winsock Proxy clients. ISA Server allows you to publish internal servers, without requiring any special configuration or software installation on the publishing server. Instead, the ISA Server computer treats the publishing servers as SecureNAT clients. Web publishing rules and server publishing rules that are configured on the ISA Server computer make the servers securely accessible to specific external clients. No additional configuration is required on the publishing server.
Proxy Server 2.0 cache content will not be migrated, because ISA Server's cache storage engine is vastly different and more sophisticated. It will be deleted as part of ISA Server setup, and the new storage engine will be instituted, based on existing cache and drive settings. Note: Depending on the cache size and the number of objects in the cache, the deletion process may take some time.
ISA Server includes a SOCKS application filter, which allows client SOCKS applications to communicate with the network, using the applicable policy to determine if the client request is allowed. Migration of Proxy Server 2.0 SOCKS rules to ISA Server policy is not supported.
ISA Server supports the following authentication methods: basic, digest, integrated Windows, and client certificate. By default, when you install ISA Server, the integrated Windows authentication method is configured for Web requests. In Proxy Server 2.0, basic and integrated authentication are enabled by default.
Internet Explorer 5 supports integrated Windows authentication, however, other Web browsers may support only the basic authentication method. In this case, no requests will be allowed, since the user cannot be authenticated. ISA Server rejects Web requests which were previously allowed by Proxy Server. You can configure basic authentication for all Web requests.
Rules and policies
The table below lists how Proxy Server 2.0 rules and other configuration information are migrated on the ISA Server computer:
Policy elements are created, as necessary, for the new rules. Additional configuration information is also migrated: local address table, automatic dial settings, alerts, log settings, and client configurations.