Shabunin Anton, MCSE 2003, MCITP EA, MCT
26 Jul 2012 v 1.0
Outline of the steps needed to retrieve and restore the TMG configuration if no backup is available
' If it fails with error tmgexp_from_reg.vbs(41, 7) (null): The Server referenced by Reports Configuration Reports does not exist.
' The error occurred on object 'Reports' of class 'Reports Configuration' in the scope of array 'ARRAY'.
' then find the current config tree in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Storage
' (e.g. ActiveEffective - \EffecTree2), go to
' HKEY_LOCAL_MACHINE\IsaStg_Eff2\Arrays\{array guid}\Reports\ReportingServicesProperties\Server
' and zero msFPCName there.
' tmgexp_from_reg.vbs:
Sub ExportFromRegistry()
    ' Use this password (the same password is needed when importing)
    pass = "mypassword"
    ' Declare the objects needed
    Dim root     ' The FPCLib.FPC root object
    Dim isaArray ' An FPCArray object
    localDate = FormatDateTime(Date(), 1)
    ' Create the root object.
    Set root = CreateObject("FPC.Root")
    ' VendorMode = True is optional, needed only if saving to local storage is required
    root.VendorMode = True
    ' Connect root to local storage (the registry copy of the configuration)
    root.ConnectToLocalStorage
    ' Get a reference to the array object.
    Set isaArray = root.GetContainingArray()
    WScript.Echo "Exporting the configuration of the " & _
        isaArray.Name & " array object to " & _
        WScript.Arguments(0) & " " & localDate & ".xml" & " ..."
    ' Optional data flags: 15 = 1 + 2 + 4 + 8
    ' fpcExportImportPasswords (0x00000001)
    '   The optional data includes encrypted secret data, such as passwords or shared secrets
    '   that are used to create digital signatures for authenticating to RADIUS servers.
    ' fpcExportImportUserPermissions (0x00000002)
    '   The optional data includes the security roles assigned to delegated administrators.
    '   The delegated administrators are identified by the security identifiers (SIDs) of their
    '   user accounts, which are included in this optional data. These SIDs, which are relevant
    '   to the workgroup or domain of the exporting computer, are not necessarily relevant to
    '   that of the importing computer.
    ' fpcExportImportServerSpecific (0x00000004)
    '   The optional data includes server-specific information, which consists of cache drive
    '   settings and SSL certificates.
    ' fpcExportImportEnterpriseSpecific (0x00000008)
    '   The optional data includes information that is specific to ISA Server Enterprise Edition
    '   (available only in ISA Server Enterprise Edition).
    isaArray.ExportToFile WScript.Arguments(0) & " " & localDate & ".xml", 15, pass
    WScript.Echo "Exporting was completed successfully."
    WScript.Quit
End Sub
ExportFromRegistry
The following changes are required for a registry-exported XML file to import successfully (each item lists what the registry-exported XML file contains and how to fix it so that it imports):

1. No Enterprise element.
   Fix: export the XML configuration of any valid enterprise array and copy the Enterprise element from it.

2. Enterprise networks are in Root/Arrays/Array/NetConfig/EnterpriseNetworks.
   Fix: EnterpriseNetworks must be moved to Root/Enterprise/NetConfig, or else the import will fail.

3. No enterprise policy assigned to the array.
   Fix: add Root/Arrays/Array/PolicyAssignment (before the ConfigurationStorageServerConnection element), or else the import will fail. The UUID in <fpc4:Name ...> must match the one in Enterprise/Policies. The UUID of the default Enterprise policy is {aa53ce81-985c-4362-81cd-51a3e517742c}.

   <fpc4:PolicyAssignment StorageName="PolicyAssignment" StorageType="1">
     <fpc4:Ref StorageName="EnterprisePolicyUsed" StorageType="1">
       <fpc4:Name dt:dt="string">{Your enterprise policy UUID here}</fpc4:Name>
       <fpc4:RefClass dt:dt="string">msFPCPolicy</fpc4:RefClass>
       <fpc4:Scope dt:dt="int">1</fpc4:Scope>
     </fpc4:Ref>
   </fpc4:PolicyAssignment>

4. Security roles at Arrays/Array/AdminSecurity/DelegatedAdmins differ from those in LDS.
   Fix: replace the AdminSecurity element with the default one:

   <fpc4:AdminSecurity StorageName="AdminSecurity" StorageType="1">
     <fpc4:SecurityRoles StorageName="SecurityRoles" StorageType="1">
       <fpc4:SecurityRole StorageName="{e55f4cc7-84c9-48de-809d-8b0e4b34e4dd}" StorageType="1">
         <fpc4:Description dt:dt="string">Has full control over the array-level configuration for this array, including permissions to assign array roles. Has read-only access to the enterprise policy applied to this array.</fpc4:Description>
         <fpc4:Name dt:dt="string">Forefront TMG Array Administrator</fpc4:Name>
         <fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
       </fpc4:SecurityRole>
       <fpc4:SecurityRole StorageName="{b59a032e-1018-4e3a-aaac-9c8a128cd0df}" StorageType="1">
         <fpc4:Description dt:dt="string">Has full access to array monitoring and read-only access to the array configuration. Has read-only access to the enterprise policy applied to this array.</fpc4:Description>
         <fpc4:Name dt:dt="string">Forefront TMG Array Auditor</fpc4:Name>
         <fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
       </fpc4:SecurityRole>
       <fpc4:SecurityRole StorageName="{9c0bfea2-f463-438f-85d2-fcd9e81a9c94}" StorageType="1">
         <fpc4:Description dt:dt="string">Has restricted access to array monitoring features. Can view sessions, view and reset alerts, query service status, and verify connectivity.</fpc4:Description>
         <fpc4:Name dt:dt="string">Forefront TMG Array Monitoring Auditor</fpc4:Name>
         <fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
       </fpc4:SecurityRole>
     </fpc4:SecurityRoles>
     <fpc4:DelegatedAdmins StorageName="DelegatedAdmins" StorageType="1"/>
   </fpc4:AdminSecurity>

5. Full Arrays/Array/RuleElements/UrlCategorySets and UrlCategories.
   Fix (optional): replace the full UrlCategorySets element with <fpc4:UrlCategorySets StorageName="UrlCategorySets" StorageType="1"/> and delete the UrlCategories element.
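As an added example that is not part of the original note, the following Python script applies fixes 2 and 3 from the list above to a registry-exported XML file with ElementTree (fix 1, the Enterprise element, must already be in place). The fpc4 and dt namespace URIs and the minimal sample file are assumptions, not taken from a real TMG export.

```python
import xml.etree.ElementTree as ET

# Namespace URIs as used in ISA/TMG export files (assumed here; verify against your own export).
FPC4 = "http://schemas.microsoft.com/isa/config-4"
DT = "urn:schemas-microsoft-com:datatypes"
ET.register_namespace("fpc4", FPC4)
ET.register_namespace("dt", DT)
DEFAULT_ENTERPRISE_POLICY = "{aa53ce81-985c-4362-81cd-51a3e517742c}"  # UUID given in item 3 above

def q(tag):  # Clark-notation name for an fpc4 element
    return "{%s}%s" % (FPC4, tag)

def fix_export(xml_text, policy_uuid=DEFAULT_ENTERPRISE_POLICY):
    """Apply fixes 2 and 3; raises if fix 1 (Enterprise element) has not been done yet."""
    root = ET.fromstring(xml_text)
    enterprise = root.find(q("Enterprise"))
    if enterprise is None:
        raise ValueError("no Enterprise element: copy one from a valid export first (fix 1)")
    array = root.find(q("Arrays") + "/" + q("Array"))
    # Fix 2: EnterpriseNetworks belongs under Root/Enterprise/NetConfig, not under the array.
    array_net = array.find(q("NetConfig"))
    ent_nets = array_net.find(q("EnterpriseNetworks")) if array_net is not None else None
    if ent_nets is not None:
        array_net.remove(ent_nets)
        ent_net = enterprise.find(q("NetConfig"))
        if ent_net is None:
            ent_net = ET.SubElement(enterprise, q("NetConfig"), {"StorageName": "NetConfig", "StorageType": "1"})
        ent_net.append(ent_nets)
    # Fix 3: assign an enterprise policy, inserted before ConfigurationStorageServerConnection.
    if array.find(q("PolicyAssignment")) is None:
        pa = ET.Element(q("PolicyAssignment"), {"StorageName": "PolicyAssignment", "StorageType": "1"})
        ref = ET.SubElement(pa, q("Ref"), {"StorageName": "EnterprisePolicyUsed", "StorageType": "1"})
        for tag, dtype, val in (("Name", "string", policy_uuid), ("RefClass", "string", "msFPCPolicy"), ("Scope", "int", "1")):
            ET.SubElement(ref, q(tag), {"{%s}dt" % DT: dtype}).text = val
        kids = list(array)
        pos = next((i for i, c in enumerate(kids) if c.tag == q("ConfigurationStorageServerConnection")), len(kids))
        array.insert(pos, pa)
    return ET.tostring(root, encoding="unicode")

# Constructed minimal registry-style export (not a real TMG file) so the script runs stand-alone.
SAMPLE = """<fpc4:Root xmlns:fpc4="http://schemas.microsoft.com/isa/config-4" xmlns:dt="urn:schemas-microsoft-com:datatypes">
<fpc4:Enterprise StorageName="Enterprise" StorageType="0"/>
<fpc4:Arrays StorageName="Arrays" StorageType="0"><fpc4:Array StorageName="ARRAY" StorageType="0">
<fpc4:NetConfig StorageName="NetConfig" StorageType="1"><fpc4:EnterpriseNetworks StorageName="EnterpriseNetworks" StorageType="1"/></fpc4:NetConfig>
<fpc4:ConfigurationStorageServerConnection StorageName="ConfigurationStorageServerConnection" StorageType="1"/>
</fpc4:Array></fpc4:Arrays></fpc4:Root>"""

if __name__ == "__main__":
    print(fix_export(SAMPLE))
```

Run it against a real file only after fix 1 has been applied, and compare the result with a known-good export of a valid enterprise array before importing.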
If the new EMS has a different name and IP address, first:
' tmgimp.vbs - Parameters
' 1 - xml file to import
' 2 - array name to import to
Sub ImportExport()
    ' Define a constant to indicate optional
    ' data to be exported or imported.
    Const OptionalData = 15
    ' Declare the objects needed
    Dim root     ' The FPCLib.FPC root object
    Dim isaArray ' An FPCArray object
    ' Create the root object.
    Set root = CreateObject("FPC.Root")
    ' Get a reference to the array object.
    Set isaArray = root.Arrays.Item(WScript.Arguments(1))
    WScript.Echo "Importing the configuration from " & _
        WScript.Arguments(0) & " to the " & _
        isaArray.Name & " array object ..."
    ' declare and define the optional data for the import method
    Dim iOptionalData: iOptionalData = OptionalData
    ' declare and define the TMG export data password (must match the one used for the export)
    Dim szPassword: szPassword = "mypassword"
    ' declare and define the TMG import policy overwrite flag
    Dim bOverwrite: bOverwrite = True
    ' declare and define the TMG import services reset flag
    Dim bReset: bReset = False
    ' declare and define the TMG import policy reload flag
    Dim bReload: bReload = True
    ' declare and define the TMG import file path
    Dim szInFilePath: szInFilePath = WScript.Arguments(0)
    ' enable script error handling
    On Error Resume Next
    ' try to import the configuration from the file
    ' parameters - FILEPATH, optdata, password, overwrite, services reset, policy reload
    isaArray.ImportFromFile szInFilePath, iOptionalData, szPassword, bOverwrite, bReset, bReload
    If 0 <> Err.Number Then
        WScript.Echo "Failed to import the current array configuration from " & _
            szInFilePath & "; " & Err.Number & "; " & Err.Description
        WScript.Quit 1
    End If
End Sub
ImportExport
If imported enterprise rules reference non-existent enterprise objects, the console will error out when you click on them, and configuration backup will also fail.
General steps to fix this (a detailed description is at http://blogs.technet.com/b/yuridiogenes/archive/2009/09/18/error-0xc0040357-while-trying-to-backup-isa-server-configuration.aspx):
Before recreating enterprise rules, a new enterprise policy must be created and assigned to the array, since the Default Policy does not allow creating custom rules.
How to recreate enterprise rules:
· Move the needed rule elements from array level to enterprise level using the array rule copy wizard (right-click the array and select “Copy Array Rule Elements…”);
· Create the enterprise rule (find it by name in the XML file and see which components it uses).
You may also try moving an existing array rule to enterprise level:
Although the configuration file was imported, the array servers will not use the EMS configuration. This is because the new array UUID differs from the one stored in the array nodes' registry: when the XML file was imported, the array UUID was not overwritten.
If you change the array UUID in LDS to match the UUID in the node's registry, the node will recognize the new array.
Be very careful doing this in production, since the configuration from EMS will overwrite the current registry configuration on the array nodes.
After some time the array configuration from EMS will sync to the array nodes.
ATTENTION! Before changing the array UUID, make sure that the EMS configuration has all mission-critical rules, that these rules are valid and do not reference non-existent objects, and that the configuration backs up successfully!