LLigetfa -> Been gone too long... need help to import (3.Jun.2008 2:20:16 PM)
Hey guys, I've been away too long... life and work getting in the way...
I'm hoping for some help to export a whole bunch of rules and elements from one ISA 2K4SE server to another 2K4SE. Both are production machines but not sure if they are the same SP level. To make a long story short, I got a new boss and the ISA server at his old place put mine to shame. Now he wants me to make mine like his.
All the tutorials I've found are about migrating from one version of ISA to another or about importing lists with scripts. Could someone point me towards some pertinent reading?
Thanks,
Les
Jason Jones -> RE: Been gone too long... need help to import (3.Jun.2008 6:25:00 PM)
Welcome back, one of the old skool chaps [;)]
You should be able to do this with the native import/export utilities in the GUI if they are the same version and edition. Otherwise check out the scripts at www.isatools.org
Cheers
JJ
LLigetfa -> RE: Been gone too long... need help to import (5.Jun.2008 11:31:52 AM)
old skool... ja, that's me. thanks for the welcome
The boss exported all his rule elements to separate xml files and I compared some of his to mine. There are all these CLSID lines that appear to be unique. I read somewhere that if I created an empty rule element of same name, purpose, etc, and then copy paste only the strings section from his to mine, that it would be the safe way to go.
Do I need to go through all that? The thing is that his ISA server is on the other side of the continent in a different subnet and in a different OU so I don't want elements specific to his. Also, his is only a single NIC implementation whereas mine has two NICs configured as a firewall. I'm hesitant to simply import his export unmodified.
I looked around on isascripts.org but didn't find anything specific to migrating rule elements.
Jason Jones -> RE: Been gone too long... need help to import (5.Jun.2008 12:38:24 PM)
If his setup is so different, why are you trying to use it? What is it about his config that you actually need if the setups are different?
When you do the imports, you have an option to include or exclude server specific information, this may be the missing link for you...
LLigetfa -> RE: Been gone too long... need help to import (5.Jun.2008 8:09:33 PM)
quote:
ORIGINAL: Jason Jones
If his setup is so different, why are you trying to use it?
Um... cuz he's my boss and he told me to.
My ISA is a simple setup with no blacklists. His has a dozen rule elements with thousands of blacklisted URLs, domains, IPs, etc.
Jason Jones -> RE: Been gone too long... need help to import (6.Jun.2008 6:05:43 AM)
So....why not just import his firewall rules as opposed to the whole config? All of the necessary objects (blacklists etc) will come across with the rules imports.
Am I missing something here? [&:]
LLigetfa -> RE: Been gone too long... need help to import (6.Jun.2008 9:41:11 AM)
I never said anything about importing his entire config. I wouldn't even consider importing his entire rule base. It's just the rule elements he told me to import. Just don't know if I should do a straight import or copy/paste the strings sections. I can hand-job the rules after I get the elements all sorted. I don't understand how those CLSID sections in the xml files work.
My ISA server is in production and I cannot afford to have it go down. It isn't used as a real firewall on the edge but rather as a dual NIC proxy behind a Cisco router that is ill configured and out of my jurisdiction. If I reboot my ISA server it screws up their BGP tables on the Cisco and they have to reset it dropping all the non-ISA sessions in the process. It's a 24/7/363 operation.
Jason Jones -> RE: Been gone too long... need help to import (6.Jun.2008 10:19:40 AM)
I import rules from one customer to another customer and from one array to other arrays in the same Enterprise quite a lot and rarely (if ever) hit issues. I also often prep rules in my VPC and then import when I have set up the core config when onsite. Maybe you could do the same and test the rules before applying them into production?
I would be pretty confident using the native import feature as this is much less likely to go wrong than messing about with XML files.
Sorry, I wasn't really sure what you were asking and your "I got a new boss and the ISA server at his old place put mine to shame. Now he wants me to make mine like his." statement sounded like you were talking about the entire system.
Hope you get it sorted...
Cheers
JJ
elmajdal -> RE: Been gone too long... need help to import (6.Jun.2008 11:43:23 AM)
Hi LLi,
How's the M0n0Wall Firewall with you, still working on it? [:)]
You can export rules from an ISA server and import them into another one safely, just make sure that you are importing files that are exported from the same version, that is Standard to Standard edition, or Enterprise to Enterprise.
Personally I always prefer to export rules (each by itself) and then send these rule(s) to a friend so that they can import these rule(s) into their ISA Server.
If you want to export from SE to EE, then you will need to read these articles:
LLigetfa -> RE: Been gone too long... need help to import (6.Jun.2008 8:00:45 PM)
Eh Tarek, so you're a mod now. Ja, still using m0n0wall on my wireless hotspot.
Thanks for the assurances that I can do a straight import of the rule elements. I'm not going to import the rules though. Will hand-job those.
I'm not seeing much talk here about Forefront. Is it a dirty word or are you going to spin off a new website for it?
elmajdal -> RE: Been gone too long... need help to import (7.Jun.2008 2:10:21 AM)
Hey LL,
Yah, a mod and an MVP [;)][:D]
You're welcome.
Do you mean Threat Management Gateway? Yesterday was the launch for the forums: http://forums.isaserver.org/forumid_8034/tt.htm and it's still in Beta one, so there are few things to talk about [8D]