Backup for ISA Server

© 2006-2008 Winfrasoft Corporation. All rights reserved. This publication is for informational purposes only. Winfrasoft makes no warranties, express or implied, in this summary. Winfrasoft and Backup for ISA Server are trademarks of Winfrasoft Corporation. All other trademarks are property of their respective owners.

Installation and Configuration

Guide

Installation and configuration guide

Complete Backup solution for ISA Server

Published: July 2008

Applies to: Winfrasoft Backup for ISA Server (Build 1.0.2530.0)

Web site: http://www.winfrasoft.com

Email: [email protected]

Information in this document, including URL and other Internet Web site

references, is subject to change without notice. Unless otherwise noted, the

example companies, organisations, products, domain names, e-mail addresses,

logos, people, places and events depicted herein are fictitious, and no

association with any real company, organisation, product, domain name, e-

mail address, logo, person, place or event is intended or should be inferred.

Complying with all applicable copyright laws is the responsibility of the user.

Winfrasoft may have patents, patent applications, trademarks, copyrights, or

other intellectual property rights covering subject matter in this document.

Except as expressly provided in any written licence agreement from

Winfrasoft, the furnishing of this document does not give you any licence to

these patents, trademarks, copyrights, or other intellectual property.

Microsoft, Active Directory, ISA Server, Windows and Windows Server are

either registered trademarks or trademarks of Microsoft Corporation in the

United States and/or other countries.

The names of actual companies and products mentioned herein may be the

trademarks of their respective owners.

Copyright © 2006-2008 Winfrasoft Corporation. All rights reserved.

Table of Contents 3

Table of Contents TABLE OF CONTENTS .............................................................................................................. 3

INTRODUCTION ......................................................................................................................... 4

CONSIDERATIONS ......................................................................................................................... 4 Server System Requirements ................................................................................................... 4 Language Requirements .......................................................................................................... 4

TECHNOLOGY .............................................................................................................................. 5 BACKUP FOR ISA SERVER EDITIONS ............................................................................................ 5 LICENSING ................................................................................................................................... 5

Running a trial ........................................................................................................................ 6 Licence Manager ..................................................................................................................... 6

PRODUCT ACTIVATION ................................................................................................................ 7

DEPLOYMENT SCENARIOS .................................................................................................... 8

OVERVIEW ................................................................................................................................... 8 CONFIGURATION CHANGES MADE TO ISA SERVER ...................................................................... 8 INSTALLING BACKUP FOR ISA SERVER ...................................................................................... 10 REMOVING BACKUP FOR ISA SERVER ....................................................................................... 19

CONFIGURING BACKUP FOR ISA SERVER ...................................................................... 22

STARTING THE CONFIGURATION WIZARD FOR ISA SERVER ...................................................... 22 THE WINFRASOFT ISA SELECTION FILE (.WIS) ......................................................................... 24

.WIS File Structure ................................................................................................................ 24

.WIS File Field Definitions .................................................................................................... 24 Protecting a .WIS file password ............................................................................................ 24

COMMAND LINE & SCRIPTING OPTIONS ........................................................................ 25

RUNNING BACKUP FOR ISA SERVER ................................................................................ 26

PERFORMING A BACKUP ............................................................................................................ 26 CREATING A BACKUP SCHEDULE ............................................................................................... 32 PRE-REQUISITES FOR RESTORATION ........................................................................................... 39 PERFORMING A RESTORE ........................................................................................................... 39

TROUBLESHOOTING .............................................................................................................. 45

COMMON RESTORE ISSUES ........................................................................................................ 45 RESTORE EVENT VIEWER MESSAGES......................................................................................... 46

SSL Certificate errors ............................................................................................................ 46 3rd-party Web Filter errors .................................................................................................. 47 Web Proxy Cache errors ....................................................................................................... 48 IP Configuration errors ........................................................................................................ 49

ADDITIONAL INFORMATION .............................................................................................. 51

SUPPORT GUIDES ........................................................................................................................ 51

4 Winfrasoft Backup for ISA Server

Introduction Winfrasoft Backup for ISA Server is the world’s first compliance and disaster recovery

solution for Microsoft ISA Server.

Backup for ISA Server has been designed as a security product from the ground up to

seamlessly integrate with Microsoft ISA Server installations. To date, there is no known

method for an administrator to fully backup and restore an ISA Server, including

configuration and log data with no down time.

Backup for ISA Server is an application designed for both Standard and Enterprise Editions

of ISA Server 2004/2006 systems to:-

Backup and restore ISA Server Enterprise Edition configuration settings.

Backup and restore ISA Server Enterprise and Standard edition’s array

configuration settings.

Backup and restore Firewall log information of a stand-alone server or all servers in

an enterprise array.

Backup and restore Web Proxy log information of a stand-alone server or all servers

in an enterprise array.

Websense configuration information (optional depending on the purchased licence)

IP configuration and IP routing data

Schedule backups to run daily, weekly or monthly.

Considerations

Server System Requirements The minimum system requirements for Backup for ISA Server are:

Windows 2003 Server (32 bit)

Microsoft ISA Server

o 2004 Standard / Enterprise Edition

o 2006 Standard / Enterprise Edition

Microsoft .NET 2.0 Framework

Language Requirements Backup for ISA Server is compatible with multi-lingual versions of Windows Server 2003,

however, it is only available in UK English.

Although multi-lingual versions of Windows Server 2003 can be used, Backup for ISA

Server is ONLY compatible with the English version of ISA Server. Non-English versions of

ISA Server are NOT supported.

All configuration files are in Unicode format to support non-standard multi-lingual

characters.

Introduction 5

Technology Winfrasoft has embraced the latest security industry standard technologies from Microsoft

and other vendors to produce a highly secure and feature rich solution.

Technologies included with Winfrasoft Backup for ISA Server include:

Managed code: Built on Microsoft .NET Framework 2.0

Authenticode signed binaries

Public / Private Key cryptography: Protects the integrity of backup archive.

256bit AES Encryption (FIPS 197 compliant) on backup archive files.

PPMd compression for backup archive files achieving over 95% compaction on

average.

Soft-Token technology makes each customer installation unique and provides an

additional layer of archive protection.

Seamlessly integrates with Window’s Task Scheduler.

Fully scriptable for use with other management or scheduling tools.

Backup for ISA Server Editions Winfrasoft Backup for ISA Server is available in 2 editions:

Backup for ISA Server Enterprise Edition

Backup for ISA Server Standard Edition

Each edition is specifically designed to cater for the appropriate version of Microsoft ISA

Server deployed within an organisation.

Backup for ISA Server Standard Edition is designed for use with Microsoft ISA Server

Standard Edition only.

Backup for ISA Server Enterprise Edition provides full backup and restore functionality for

all nodes of a Microsoft ISA Server Enterprise Edition array. The log data from all array

members are included in a single backup archive and can be restored individually. Backup

for ISA Server Enterprise Edition can also be used with ISA Server Standard Edition.

For those organisations that have Websense Enterprise or Websense Web Security Suite

deployed on an ISA Server, Backup for ISA Server can also be used to backup and restore

the Websense configuration data in the same backup archive.

Licensing Winfrasoft Backup for ISA Server is licensed on a per server basis for a subscription period

of typically one, two or three years.

A licence file must be imported onto each server that the software is installed on, otherwise

the application will not function. During the installation process you will be asked to browse

for your licence file or request a trial licence over the Internet.


All deployments require product activation to be performed, including evaluation

installations. Trial licences allow the full functionality of the product to be used with a

limited time period, typically 14 days from issue.

Running a trial A trial licence will allow you to make full use of the product during the validity period. You

can check the About... screen to see how many days remaining are available.

When Backup for ISA Server is first installed, Licence Manager will assist you in either

installing a full licence or applying for a trial licence. Backup for ISA Server is not able to

run without a valid licence file.

If your trial licence expires you can contact Winfrasoft and requests a new licence file or

purchase the software. When you receive a new licence you can use the Licence Manager

form the Start Menu to install the new licence file.

Licence Manager The Winfrasoft Licence Manager is a tool that allows users to request and install trial

licences. It is also able to import purchased licences which replace trial licences.

Licence Manager is first run during the installation process. It can be run again from the

Start, All Programs, Winfrasoft Backup for ISA Server, Licence Manager menu item.

Warning

Organisational information within Backup for ISA Server Licences is a key

component in the backup security process and, as such, the same licence

should be applied to all installs of Backup for ISA Server within the

organisation.

Keep your licence file safe to prevent unauthorised distribution and

activation of Backup for ISA Server licences.

Note

For detailed information on the licence types please read the licence

agreement document available on the installation CD, during installation, or

in the programs folder on the server.

Note

Licence Manager requires HTTPS access to the Winfrasoft Activation servers.

Before starting this operation, please ensure that the appropriate firewall

rules have been configured. This can be configured by running Configuration

Wizard for ISA Server and accepting the settings on the Access to Winfrasoft

page.

Introduction 7

Product Activation Winfrasoft Backup for ISA Server requires product activation for all licence types. Product

activation has been included in Backup for ISA Server to help you keep track of your licence

usage.

Product activation is a fast and secure process that is only done once per ISA Server or

Array. The activation process is automatically run when the application is first run on a

server. If activation fails for whatever reason the administrator will still be able to use

Backup for ISA Server for a further 7 days without having activated the product. After the 7

day grace period has expired you will no longer be able to perform a backup, although a

restore operation is permitted.

Product activation is performed over a secure HTTPS SSL connection to protect the

information transmitted during the activation process. The Winfrasoft activation server shall

return a unique activation code to the calling server which is stored locally. This activation

code is in turn checked each time the application starts up ensuring that it has a valid

activation code each time it is run. The re-checking of the activation code does not require a

connection back to Winfrasoft and is an entirely local operation. If the activation code is

found to be invalid the server will attempt to re-activate with Winfrasoft, and if successful,

store the new activation code on the local server.

Each server detected within an ISA Server Enterprise array will be automatically activated

by the server on which Backup for ISA Server is installed. All the activation codes are then

stored on this server. Each array member will consume a licence from the purchased

allotment. Should you install Backup for ISA Server on another array member in the same

array it will also activate all the servers in the array. In this case the Winfrasoft activation

server will reissue the same activation codes and thus will not use up extra licences.

Note

As each node in an ISA Enterprise array requires activation, please ensure

that the purchased licence quantity is sufficient to cater for all nodes in the

array.


Deployment Scenarios

Overview This deployment section assumes that the ISA Server is already configured and operational.

Winfrasoft Backup for ISA Server has been designed to provide disaster recovery

capabilities for Standard and Enterprise Edition deployments of Microsoft ISA Server.

Backup for ISA Server also provides backup and restore functionality for Websense

Enterprise and Web Security Suite installations on ISA Server. It is recommended that all

deployment scenarios are tested in a lab prior to a live deployment.

Configuration Changes made to ISA Server Backup for ISA Server requires certain access permissions in order to function correctly.

This section describes the modifications made to ISA Server during the installation process.

Naturally, all configurations changes comply with the least-privilege access methodology

and are removed during the uninstall process.

Should any of the Backup for ISA Server rules be removed, they can be re-applied by

rerunning the Configuration Wizard for ISA Server.

Details

Object Computer Set

Name [Backup for ISA Server] File Servers

Description Contains the server information of the fileserver

used centralised backup storage area.

Object Firewall Policy

Name [Backup for ISA Server] File Server Access

Description Allow ‘localhost’ access to remote File Servers.

Definition Allow Microsoft CIFS(TCP and UDP) access from

‘localhost’ to ISA computer set ‘[Backup for ISA

Server] File Servers’

Dependencies Computer Set ‘[Backup for ISA Server] File Servers’

Note

Backup for ISA Server functionality is dependent on the installed licence file.

Websense enabled licences are required to backup and restore Websense

Enterprise and Web Security Suite configuration information.

Deployment Scenarios 9

Object URL Set

Name Winfrasoft Activation Service

Description HTTPs URL address for access to Winfrasoft’s

activation server

Definition https://activation.winfrasoft.com

Object URL Set

Name Winfrasoft Update Service

Description HTTP URL addresses for access to Winfrasoft’s update

server

Definition http://update.winfrasoft.com/download/*

http://update.winfrasoft.com/xml/*

Object System Policy

Name Allowed Sites

Description Ensures this configuration group is Enabled; Adds

URL Set ‘Winfrasoft Activation Service’; Adds URL

Set ‘Winfrasoft Updates Service’

Definition Included

Dependencies URL Set ‘Winfrasoft Activation Service’

URL Set ‘Winfrasoft Updates Service’

Object Firewall Policy (Enterprise Edition Only)

Name [Backup for ISA Server] Intra Array Access

Description Allow the Array member running Winfrasoft Backup for

ISA Server to access resources on other Array

members.

Definition Allow Microsoft SQL(TCP and UDP) access from ‘Array

Servers’ to ‘Array Servers’

Object Firewall Policy

Name [Backup for ISA Server] File Server Access (Websense

Only)

Description Allow the Array member running Winfrasoft Backup for

ISA Server to access fileserver resource access on

other Array members.

Definition Allow Microsoft CIFS(TCP and UDP) access from access

from ‘Array Servers’ to ‘Array Servers’

https://activation.winfrasoft.com/

http://update.winfrasoft.com/download/*

http://update.winfrasoft.com/xml/*


Installing Backup for ISA Server Winfrasoft Backup for ISA Server must be installed on:

Each ISA Server Standard Edition server or

At least ONE server in each ISA Server Array.

(1) To start the Backup for ISA Server installation from CD, insert the CD into the drive.

Run the setup file located in the install folder:

install\Winfrasoft Backup for ISA Server Setup.exe

To start the Backup for ISA Server installation from a web download, extract the files

from the downloaded ZIP and run the setup file as follows:


This starts the setup wizard:

(2) Click Next to continue.

Note

You do NOT need to install Backup for ISA Server on more than one server

per Enterprise Edition array. For backup redundancy, you may want to install

Backup for ISA Server on more than one server per array and alternate the

backup schedules.

Note

Ensure that the user profile that you have logged onto the ISA Server with

has administrative right and that the ISA Server firewall services are started.


(3) After reading the licence agreement click I accept the terms of the licence agreement if

you agree to the terms. Click Next to continue.

(4) Browse to the folder where you wish to install the Backup for ISA Server software or

use the default (recommended). Ensure that the destination drive has sufficient disk

space for the applications installation.

Click Next to continue.



The application files are copied.


The Config Wizard for ISA Server will start. This wizard helps you to configure your

ISA Server for use with Backup for ISA Server.


(7) If required, tick the Allow access to File Shares on server box. Enter the actual host

name and the IP address of the file server that will store backup archives.

Click Next to continue.

Note

If you intend to store backup archives on a remote server, ISA Server will

require a firewall rule to allow access to the file server. If you do not have the

required firewall access to the remote file server, then backup archives can

only be stored locally. If there is an existing ISA Server rule that allows the

localhost access to remote file servers then this step does not have to be

performed.


(8) Select the required options and click Next to continue.

(9) Select the required options and click Next to continue.

Note

Backup for ISA Server may require access to the Winfrasoft Activation and

Winfrasoft Update services for activation, trial licence generation and

updates. All information transmitted for licensing and activation purposes is

128bit SSL encrypted.

Note

When installed on ISA Server Enterprise Edition, Backup for ISA Server will

require access to the SQL database data on other array members in order to

back it up. The MSDE instances on the array members will be required to

support TCP/IP connections.

Access to file shares will also be required to allow for the backup of the

Websense configuration (if installed).


(10) Click Finish to close the Config Wizard for ISA Server.

(11) The changes are made to the MSDE and ISA configuration. Click OK to close.

The Licence Manager will load to allow you to configuring your licence.


(12) If you already have a purchased licence file select Import a purchased licence file and

enter the full path to the licence file, or click Browse… to locate it. If you do not have

a licence file skip to step 15.

(13) Click Apply to import the selected licence


(14) Click Close when done.

(15) If you already have a purchased licence file skip to step 18. If you do not have a

licence file select Request a Trial Licence over the Internet (secured with SSL) and

enter your details.

Important

Please enter valid details when applying for a trial licence as this information

will be included in your licence file and will be written in each backup log.

This information will also be used to generate a full licence if purchased.


(16) Click Apply to request and install a trial licence.

(17) Click Close when done.

The main setup wizard returns.

(18) Deselect the Run Winfrasoft Backup for ISA Server now if you do not want to start the

application now.

Click Finish to complete the setup.


Removing Backup for ISA Server To remove Backup for ISA Server from your ISA Server insert the CD into the drive and the

maintenance installation process will automatically start.

To remove Backup for ISA Server from your ISA Server insert the CD into the drive. Start the

maintenance installation process by running the setup file located in the install folder:


Alternatively, the Uninstall process can be initiated using Windows Add or Remove Programs

in Control Panel. In the list of applications installed on the ISA Server, highlight Winfrasoft

Backup for ISA Server and then click Remove.

(1) The installation wizard will start in maintenance mode:

(2) Select Uninstall and click Next.



The removal process will remove all ISA rules and objects created by the

Configuration Wizard.

(4) Click OK to continue.

If a licence file was found you will be asked if you would like to remove it from the

system. If you plan to reinstall Backup for ISA Server you may wish to leave the

licence file on the server, otherwise it can be removed.

(5) Click either Yes or No.


(6) Click Finish to complete the setup.

Note

The uninstall process will not remove any created Backup for ISA Server

backup files.


Configuring Backup for ISA Server Winfrasoft Backup for ISA Server may require some configuration to allow it to work with

specific settings within your network environment. The ISA Server Configuration Wizard is

designed to assist in creating the required firewall rules and objects in ISA Server to allow

the backup operations to function correctly.

Starting the Configuration Wizard for ISA

Server Click the ISA Configuration Wizard link, from the first page of the Backup for ISA Server

wizard.

Or Select Config Wizard from the Start, All Programs, Winfrasoft Backup for ISA Server

menu.

This starts the Configuration Wizard for ISA Server.

Note

The Configuration Wizard for ISA Server should have already been run during

the installation process but can be re-run as needed.

Configuring Backup for ISA Server 23

Complete the wizard to change the configuration of ISA Server for use with Backup for ISA

Server. For further details about the options in this wizard see the Installing Backup for ISA

Server section.


The Winfrasoft ISA Selection File (.WIS) A Winfrasoft ISA Selection file (.WIS) is a file which contains settings to be used with

scheduled or scripted backup operations. This file is automatically created when the Backup for

ISA Server Backup Wizard is used to create a schedule. The default file created by the Backup

for ISA Server wizard is called WIBackup.WIS and is stored in the application install folder.

A .WIS file can be created manually provided the file matches the required .WIS format. A

.WIS file is XML based and has some minimum tag requirements See .WIS Backup Selection

File Structure

.WIS File Structure <WinfrasoftISASelectionFile>

<BackupFolder>C:\ISABackup\ISABackup\bin\Debug</BackupFolder>

<BackupPassword>password</BackupPassword>

<LogTrailingDays>10</LogTrailingDays>

<IncludeISAArrayConfig>True</IncludeISAArrayConfig>

<IncludeISAEnterpriseConfig>True</IncludeISAEnterpriseConfig>

<IncludeISAFirewallLogs>True</IncludeISAFirewallLogs>

<IncludeISAWebProxyLogs>True</IncludeISAWebProxyLogs>

<IncludeWebsenseConfig>False</IncludeWebsenseConfig>

</WinfrasoftISASelectionFile>

.WIS File Field Definitions

Field Value Considerations

BackupFolder Path where backup archive will be

created.

Ensure path exists and that there is

sufficient disk space available for archive.

BackupPassword Password used to encrypt and decrypt

backup archive.

Ensure password used is 8 characters or

more.

Ensure that the WIS file is protected using

the EncryptPassword switch to encrypt

the plain text password.

Protecting a .WIS file password A .WIS file contains the password which will be used for encrypting the backup archive

files. The password in the .WIS files are encrypted by default when created by the Backup

for ISA Server wizard.

A manually created .WIS file must initially be created with a clear text password as per the

file structure example above. Once created, run Backup for ISA Server with a

/EncryptPassword switch to encrypt the password. The password is encrypted using

information contained in the licence file thus the same licence file must be used to perform

the backup.

{ISABackup install path}\ISABackup.exe /EncryptPassword MySelectionFile.WIS

Command line & scripting options 25

Command line & scripting options Backup for ISA Server can be scripted for use in custom scripts or for inclusion within 3

rd-

party scheduling applications. To execute Backup for ISA Server in the command line, start

a command prompt session and enter:

{ISABackup install path}\ISABackup.exe /{Switch}

The following operations are available via command prompt:

Option Function Required inputs

/? Displays supported command prompt

switch options as above

-

/Backup Starts an automated backup process Supply a Backup Selection File (.WIS)

/ISAConfigWizard Runs the ISA Config Wizard to configure

the required ISA Server protocols and

rules.

-

/RemoveScheduledTask Removes the Backup for ISA Server task

listed in the Windows Task Scheduler.

-

/EncryptPassword Encrypts the password in a manually

created Backup Selection File.

See the Protecting a .WIS file password

section.

Supply a Backup Selection File (.WIS)

/DebugLog Enables debug logging output.

Only utilise this option when instructed to

by a Winfrasoft support technician.

-


Running Backup for ISA Server Winfrasoft Backup for ISA Server can backup a single ISA Server, or an entire ISA Server

Enterprise Edition Array from a single location.

Winfrasoft Backup for ISA Server is designed so that the restoration process can be

performed on both the original ISA Server or on separate server. A backup archive from an

ISA Server Enterprise server that contains multiple array members can be restored onto a

single ISA Server Enterprise server for log analysis purposes.

Performing a Backup To backup an ISA Server/ Array, run the Backup for ISA Server Wizard from the Start, All

Programs, Winfrasoft Backup for ISA Server, Backup for ISA Server menu.

You can also run the Backup for ISA Server Wizard by clicking the icon on the Quick

Launch toolbar.

(1) The Backup for ISA Server Welcome screen is displayed.

(2) Click Next to continue

Running Backup for ISA Server 27

(3) Select the Backup ISA Server Configuration and Logs and click Next to continue.

(4) Select which items to include in the backup archive based on the following table and

click Next to continue.

Items to Backup

The ISA Array / Server

Configuration

Selecting this option ensures that ISA Server or Array configuration is included in the

backup archive.

ISA Server or Array configuration includes firewall rules, protocol definitions, network

set definitions, user set definitions, cache configurations and VPN settings etc.

The ISA Enterprise

Configuration

Selecting this option ensures that ISA Enterprise configuration is included in the

backup archive. This option is only available with ISA Server Enterprise Edition.

Enterprise configuration includes enterprise-wide defined configured firewall rules,

protocol definitions, network set definitions, user definitions, cache configurations and

VPN Static address pools.

The ISA Server Web Proxy

Logs

Selecting this option includes logs data generated by the ISA Server Web Proxy if

logging is enabled and configured to use MSDE.

In an ISA Server Enterprise Edition deployment, Backup for ISA Server will connect to all

servers in the Array and retrieve Web Proxy logs from each individual server.


The ISA Server Firewall

Logs

Selecting this option includes logs data generated by the ISA Server Firewall if logging

is enabled and configured to use MSDE.


servers in the Array and retrieve Firewall logs from each individual server.

Websense Configuration Selecting this option includes the Websense configuration information.

Note

This option is only available with Backup for ISA server with Websense on an ISA

Server with Websense deployment.

(5) Select One Time and click Next to continue.

(6) Select Now and click Next to continue.


This page will only be displayed if you selected to backup either the ISA Server Web Proxy

logs, or the ISA Server Firewall logs.

The Last x days option will backup all log files for the last x number of days. This will

include all the log transactions generated on the current day up to the time of backup.

Choosing a Date Range allows an administrator to backup log data that falls within the

specified date range.

(7) Select a log period to backup and click Next to continue.

A network share can be specified provided the ISA Server has a firewall policy enabled

allowing access to the file server resource and that the currently logged on user has write

access to the share.

A backup password is used to protect the contents of the backup archive. The

password must be at least 8 characters long but does not have to be complex.

Note

Ensure that the target output directory for backups has significant free disk

available to it as backups may be rather large.

Always store passwords in a secure location. The password entered here will

be used within the restoration process.


(8) Select a backup folder where your backup archives will be written to and enter a

password. Click Next to continue.

(9) Click Finish to begin the backup process.

Please take note of any error and warning messages displayed.

Note

Any Error or Warning information will be written to the Windows Application

Event log.


(10) Click Close to complete the backup process.


Creating a Backup Schedule To create a backup schedule for an ISA Server/ Array, run the Backup for ISA Server

Wizard from the Start, All Programs, Winfrasoft Backup for ISA Server, Backup for ISA

Server menu.


Launch toolbar.


(2) Click Next to continue

(3) Select the Backup ISA Server Configuration and Logs and click Next to continue.


(4) Select which items to include in the backup archive based on the following table and


Items to Backup

The ISA Array / Server

Configuration

Selecting this option ensures that ISA Server or Array configuration is included in the

backup archive.

ISA Server or Array configuration includes firewall rules, protocol definitions, network

set definitions, user set definitions, cache configurations and VPN settings etc.

The ISA Enterprise

Configuration

Selecting this option ensures that ISA Enterprise configuration is included in the

backup archive. This option is only available with ISA Server Enterprise Edition.

Enterprise configuration includes enterprise-wide defined configured firewall rules,

protocol definitions, network set definitions, user definitions, cache configurations and

VPN Static address pools.

The ISA Server Web Proxy

Logs

Selecting this option includes logs data generated by the ISA Server Web Proxy if

logging is enabled and configured to use MSDE.


servers in the Array and retrieve Web Proxy logs from each individual server.

The ISA Server Firewall

Logs

Selecting this option includes logs data generated by the ISA Server Firewall if logging

is enabled and configured to use MSDE.


servers in the Array and retrieve Firewall logs from each individual server.

Websense Configuration Selecting this option includes the Websense configuration information.

Note

This option is only available with Backup for ISA server with Websense on an ISA

Server with Websense deployment.


(5) Select a backup schedule based on the following table and click Next to continue. The

Daily option will be used in this example.

Backup Schedule

One Time This option allows you to perform a backup at a once off predetermined date and time.

Daily This option allows you to perform a backup at a predetermined time of day either daily

or every x number of days.

Weekly This option allows you to perform a backup at a predetermined time on a weekly

schedule. You can configure which days of the week backups will run.

Monthly This option allows you to perform a backup at a predetermined time on a monthly

schedule. You can configure which day of the month and in which months of the year

backups will occur.

Note

When performing a backup with Backup for ISA Server no services are

restarted and the backup process runs with a below normal thread priority.

Although backups can safely be run during normal operational hours, it is

recommended that backups are performed during off-peak times.


Daily Schedule options.

Weekly Schedule options.

Monthly Schedule options.


(6) Specify a Start time and Start date for when the daily backup run will occur and click

Next to continue.

This page will only be displayed if you selected to backup either the ISA Server Web Proxy

logs, or the ISA Server Firewall logs.

The Last x days option will backup all log files for the last x number of days. This will

include all the log transactions generated on the current day up to the time of backup.

Choosing a Date Range allows an administrator to backup log data that falls within the

specified date range.

(7) Select a log period to backup and click Next to continue.

A network share can be specified provided the ISA Server has a firewall policy

enabled allowing access to the file server resource and that the currently logged on user

has write access to the share.

Note

The first backup will occur when the above conditions are met i.e. if today is

Tuesday and you set the schedule to perform backups on Mondays only, the

first backup will only occur on Monday of the following week.


A backup password is used to protect the contents of the backup archive. The

password must be at least 8 characters long but does not have to be complex.

(8) Select a backup folder where your backup archives will be written to and enter a

password. Click Next to continue.

If you are scheduling a backup for an ISA Server Standard Edition server or an ISA

Enterprise Edition server with ONE array member and a LOCAL CSS then it is

recommended to use the default NT AUTHORITY\SYSTEM (aka Local System)

account. This does not require a specific service account to be created.

If you are scheduling a backup for an ISA Server Enterprise Edition server with

MORE THAN ONE array member or a remote CSS server then a specific service

account must be used. The service account requires administrator rights on the ISA

Note

Ensure that the target output directory for backups has significant free disk

available to it as backups may be rather large.

Always store passwords in a secure location. The password entered here will

be used within the restoration process.


Servers and within the ISA Server Enterprise configuration. The service account does

NOT require domain admin rights and should only be a domain user level account.

(9) Specify the service account and password (if required) and click Next to continue.

(10) Click Finish to begin the backup schedule configuration.

(11) Click Close to complete the backup schedule process.

Note

A Local System account does not have access to resources on other servers.

As such, backing up data on another server such as Enterprise data stored

in a CSS or log data from another array member requires a specific service

account.

For security reasons it is recommended NOT to use an account which is a

member of the Domain Administrators group.


Pre-requisites for restoration Backup for ISA Server requires the server to be pre installed with Windows 2003 and ISA

Server 2004/2006 as well as all appropriate Windows and ISA Server Service Packs. This

should be rebuilt to an equivalent level of the server which the backup was performed on

whenever possible.

As Backup for ISA Server does not backup SSL certificates and 3rd

-party web filter binaries,

all instances of these objects must be manually installed on the target server prior to

performing a restore. Additional information on this topic can be found under Common

Restoration Issue.

The restoration process within Backup for ISA Server does not dynamically change the

target server IP configuration. The original IP configuration data and routing table will be

restored as text files during the restore process. This information must be reconfigured with

the OS manually.

Performing a Restore To restore an ISA Server/ Array, run the Backup for ISA Server Wizard from the Start, All

Programs, Winfrasoft Backup for ISA Server, Backup for ISA Server menu.


Launch toolbar.

Backup for ISA Server archive files have a file extension of .WIB. This file type is registered

with Windows during the installation process thus you can simply double click a .WIB file to

begin the restore process. In this case skip to step 5.


Note

If you are restoring a backup onto the same server in a non-disaster recovery

scenario then the pre-requisites will most likely already be in place.



(3) Select Restore ISA Server Configuration and Logs and click Next to continue.

(4) Browse for the .WIB file to restore and click Next to continue.


The log file of the selected backup archive is displayed. The information includes details of

the configuration and log file data backed up as well as any error or warnings generated

during the backup process.

(5) Verify the information and Click Next to continue.

Non-greyed items indicate that they are available within the backup archive to be restored.

If an option is greyed out (e.g. Websense Configuration) either the backup archive does not

include that required data; or the current system is not capable of restoring the deselected

options.

Note

Information displayed on this page allows you to determine whether or not

the data that you wish to restore is contained within the selected backup

archive thus preventing a full restore from an incorrectly selected archive.


(6) Select the options that you wish to restore, enter the original backup password and


This page will only be displayed if you selected to restore either the ISA Server Web Proxy

logs, or the ISA Server Firewall logs and the backup archive does contain this data.

The All log data option will restore all logs contained within the backup archive. Choosing a

Date Range allows an administrator to restore log data that falls within the specified date

range. The minimum start and maximum end dates are fixed within the date range of the data

stored in the backup archive.

(7) Select a log period to restore and click Next to continue.

If the restore process will overwrite existing log data then a warning is displayed.

(8) Click Yes to proceed or No to change the restore options.

Warning

After entering an incorrect password 3 times the application will close. If the

correct password is not known then a restore can not be performed.

The same licence file must be installed on the restore server as was used to

perform the backup as unique licence information is used during the

encryption process to help protect the data.


A list of the array information that is included in the backup archive is displayed. You can

select which server’s data you wish to restore onto the restore server. To restore the entire

array log data to the restore server tick the ISA Array and all array members will be selected.

If you want to recover logs from one specific server only select that server.

(9) Select which server’s log data should be restored and click Next to continue.

(10) Click Finish to begin the restore process.


Please take note of any error and warning messages displayed.

(11) Click Close to complete the restore process.

Note

Any Error or Warning information will be written to the Windows Application

Event log.

Note

Backup for ISA Server will not restore

SSL Certificates

3rd party web filter binaries

When restoring Web Proxy and Firewall logs, Backup for ISA Server will

modify the ISA Server Delete files older than (days) setting in the MSDE

Database options to 0. This will allow Backup for ISA Server to restore log

data from any date range preventing ISA Server automatically removing it.

Troubleshooting 45

Troubleshooting

Common Restore Issues Restoration Issue Affect Resolution

SSL Certificates not

installed on target ISA

Server

Restoration of the backup archive will

appear to work, however, the ISA Server

firewall service may NOT start.

Microsoft Firewall errors will be generated

in the Windows Event Log.

See SSL Certificate errors

All certificates configured on the backed

up ISA Server must be manually installed

on the target server prior to performing a

restore.

3rd-party Web filter plug-in

is not installed on target

ISA Server

3rd-party web filters will not be

operational.

Backup for ISA Server warning message

will be generated in the event viewer.

A warning will be displayed in ISA alerts.

See 3rd-party Web Filter errors

Ensure that all 3rd-party web filters are

installed on the restore server prior to

performing a restore.

Web Proxy Cache drive on

target server has

insufficient disk space

The cache database will not be recreated

on the restored server.

Backup for ISA Server warning message

will be generated in the event viewer.

See Web Proxy Cache errors

Ensure that the restoration server has

sufficient disk-space available to allow for

the cache database to be recreated on

the same drive as the ISA Server on which

the backup was performed.

Alternatively a new cache database can

be created after the restore.

Target server IP address

information incorrect

ISA Server will attempt to bind publishing

rules and listeners to the local network

adapter and may fail. Firewall policies will

not be functional and the ISA Server may

not be able to process IP traffic correctly.

Microsoft Firewall error messages will be

generated in Event Viewer.

See IP Configuration errors

Modify the target server network adapter

IP address information to match the

information found within the restored IP

Config and IP Routing files.


Restore Event Viewer Messages

SSL Certificate errors Event ID: 14060

Event ID: 14001

Troubleshooting 47

3rd-party Web Filter errors Event ID: 2026

Event ID: 2003


Web Proxy Cache errors Event ID: 14176

Event ID: 14172

Troubleshooting 49

IP Configuration errors Event ID: 21125

Event ID: 21265


Event ID: 21216

Additional Information 51

Additional Information

Support guides

You cannot start the Microsoft Firewall service on a server that is running ISA 2004 or ISA

2006 if you enable SSL on a Web listener:

http://support.microsoft.com/kb/940463

Microsoft ISA Server 2006 – Operations:

(http://www.microsoft.com/technet/isa/2006/operations/default.mspx)

For the latest information, see the Winfrasoft web site - http://www.winfrasoft.com.

Do you have comments about this document? Send feedback to [email protected]

http://support.microsoft.com/kb/940463

http://www.microsoft.com/technet/isa/2006/operations/default.mspx

http://www.winfrasoft.com/

mailto:[email protected]

Documents

Backup for ISA Server