For migration from ISA Server 2006 to TMG 2010 one very useful document is http://technet.microsoft.com/en-us/library/dd440994.aspx
Still we have to make sure we are doing a couple of things right. For example, when we install TMG 2010 and follow the wizards, we might end up creating a web access policy rule, because the wizards let the admin create a web access rule to allow web access through TMG right after the TMG installation.
If we create that rule and then try to do a server-level import of the ISA configuration which we exported earlier from our ISA Server 2006, the import fails.
So if we have planned to migrate from ISA Server 2006 to TMG 2010, we should not create the web access rule just after the installation using the initial configuration wizard. We need to make sure that TMG has no rules and is plain vanilla before importing the ISA Server configuration onto it.
A quick one: whenever you are configuring your cache drive and don't know how to define the cache drive size, please use the following formula
10 MB + 0.5 MB * Number of users = size of cache drive
Let us say the number of users is 500; then the cache drive should be
10 MB + 0.5 MB * 500 = 260 MB
This is on the ISA/TMG product blog (http://blogs.technet.com/b/isablog/archive/2010/05/24/error-502-proxy-error-the-request-is-not-supported-50-while-trying-to-access-websites-from-web-proxy-clients-behind-isa-server-2006.aspx)
TMG capacity planning tool
http://www.microsoft.com/downloads/details.aspx?FamilyID=01b2f7a5-8165-4ead-9693-994504f66449&displaylang=en
Consider a scenario where you have configured a site-to-site VPN tunnel, either between two ISA servers or between an ISA server and a third-party VPN device. After you have configured the tunnel you try to connect to the machines at the remote end and the connection does not go through. If you ping the remote end machines from the ISA server, the ping response is "Negotiating IP Security".
In such a scenario we can take Oakley logs, and in the Oakley logs we see the following
-- Policy mismatch on offer method 1 policy method 1
--Attribute Phase II Diffie-Hellman group descriptor -- Expected: 2 -- Received: 0
-- Expected: 2
-- Received: 0
-- Data Protection Mode (Quick Mode)
-- Source IP Address X.X.X.X Source IP Address Mask X.X.X.X Destination IP Address X.X.X.X Destination IP Address Mask X.X.X.X Protocol 0 Source Port 0 Destination Port 0 IKE Local Addr X.X.X.X IKE Peer Addr X.X.X.X IKE Source Port 500 IKE Destination Port 500 Peer Private Addr
--Phase II Diffie-Hellman group descriptor
-- 2
-- 0
-- constructing ISAKMP Header
-- constructing HASH (null)
-- constructing NOTIFY 14
-- constructing HASH (Notify/Delete)
-- isadb_set_status sa:0014CB70 centry:000DFAC0 status 3606
-- ProcessFailure: sa:0014CB70 centry:000DFAC0 status:3606
-- Notify already constructed. Ignoring. Sa 0014CB70
During the SA (Security Association) negotiation phase the local and remote end points, apart from negotiating other things, also negotiate PFS, which is Perfect Forward Secrecy. If PFS is enabled on an end point, its value is 2 (non-zero); if it is not enabled, the value is 0. In the above scenario PFS was disabled on the remote end, so it sent the value 0, while on ISA it was enabled (the default), so ISA expected the value 2. Since these two values do not match, the SA negotiation fails and the tunnel does not work.
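As an added illustration (not part of the original post), the small Python script below pulls the "Attribute ... Expected/Received" lines out of an Oakley log and turns a Phase II Diffie-Hellman group descriptor mismatch into the PFS diagnosis described above. The log excerpt embedded in it is a constructed sample modelled on the lines quoted in the post; the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample excerpt, modelled on the Oakley log lines quoted in the post.
SAMPLE_OAKLEY_LOG = """\
-- Policy mismatch on offer method 1 policy method 1
--Attribute Phase II Diffie-Hellman group descriptor -- Expected: 2 -- Received: 0
-- Expected: 2
-- Received: 0
-- Data Protection Mode (Quick Mode)
-- constructing ISAKMP Header
-- constructing NOTIFY 14
-- ProcessFailure: sa:0014CB70 centry:000DFAC0 status:3606
"""

# Matches the one-line "Attribute <name> -- Expected: N -- Received: M" form.
ATTR_RE = re.compile(
    r"^--\s*Attribute\s+(?P<attr>.+?)\s*--\s*Expected:\s*(?P<expected>\d+)"
    r"\s*--\s*Received:\s*(?P<received>\d+)\s*$"
)


@dataclass
class AttributeMismatch:
    attribute: str
    expected: int
    received: int


def find_attribute_mismatches(log_text: str) -> List[AttributeMismatch]:
    """Return every attribute line whose Expected and Received values differ."""
    found = []
    for line in log_text.splitlines():
        m = ATTR_RE.match(line.strip())
        if not m:
            continue
        expected, received = int(m["expected"]), int(m["received"])
        if expected != received:
            found.append(AttributeMismatch(m["attr"].strip(), expected, received))
    return found


def explain(mismatch: AttributeMismatch) -> str:
    """Plain-language reading of one mismatch.

    For the Phase II DH group descriptor a non-zero value means PFS is on
    (the number is the IKE DH group; 2 is ISA's default), 0 means PFS is off.
    """
    if "Phase II Diffie-Hellman group descriptor" in mismatch.attribute:
        local_pfs = mismatch.expected != 0
        remote_pfs = mismatch.received != 0
        if local_pfs and not remote_pfs:
            return ("PFS mismatch: this end requires PFS (DH group %d) but the peer "
                    "sent 0 (PFS disabled). Enable PFS on the peer or disable it here."
                    % mismatch.expected)
        if remote_pfs and not local_pfs:
            return ("PFS mismatch: peer proposed PFS (DH group %d) but this end has "
                    "PFS disabled. Enable PFS here or disable it on the peer."
                    % mismatch.received)
        return ("PFS DH group mismatch: this end uses group %d, peer uses group %d; "
                "configure the same group on both ends."
                % (mismatch.expected, mismatch.received))
    return "Attribute '%s' mismatch: expected %d, received %d" % (
        mismatch.attribute, mismatch.expected, mismatch.received)


def diagnose(log_text: str) -> List[str]:
    """Run the parser over a log and return one diagnosis line per mismatch."""
    return [explain(m) for m in find_attribute_mismatches(log_text)]


if __name__ == "__main__":
    for line in diagnose(SAMPLE_OAKLEY_LOG):
        print(line)
```

Point the script at a real Oakley.log (read the file and pass its text to diagnose) and it reports the same Expected 2 / Received 0 mismatch the post walks through; other attribute mismatches are listed generically so they are not overlooked.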
In such scenarios we can either enable PFS at both ends or disable it at both ends. Here we disabled PFS on the ISA server as shown below.
In the properties window shown below, go to the Connections tab and then go to IPsec Settings.
We will get the following window; here we choose the Phase 2 tab and then uncheck the Perfect Forward Secrecy check box to disable it.
After disabling it the negotiation passes, as the value now matches on both ends, the tunnel comes up fine and we get our site-to-site tunnel connection between the two sites.
The ISA Data Packager for ISA can be downloaded from
http://www.microsoft.com/downloads/details.aspx?FamilyID=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en
The TMG Data Packager for TMG can be downloaded from here
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17730
After downloading the ISA/TMG BPA, install it and then follow the instructions below.
Instructions for running the ISA Data Packager (we are using the web proxy and publishing mode as the example)
1. Go to Start -> Programs -> Microsoft ISA Server -> ISA Tools -> ISA Data Packager and launch it.
2. We will get the main page of the ISA Data Packager. Here choose "Collect data using one of the following repro scenarios" and then choose the web proxy and web publishing option as shown below.
3. Click Next and we will get the following page; here click Modify Options as marked below.
4. We will then get the following page. Please check ISAInfo, change the network traces buffer size to 400 as shown below and then click Advanced as shown.
5. We will then get the following page; here change the ISA tracing buffer size to 400 MB and then click Back to return to the previous page.
6. We will get the following page; click Start Data Collection as marked.
7. We will get the following page. The ISA Data Packager takes a couple of minutes to initialise itself, and then we get the message to press the space bar to start capturing data.
8. We hit the space bar, reproduce the issue, and then hit the space bar again to stop capturing data once the issue has been reproduced.
9. The ISA Data Packager then collects and packages the data into an ISApackage.cab file, which by default it puts on the desktop of the ISA server.
10. This repro data is ready to be analysed.
This tool lets the admin collect data while reproducing the issue in order to find out why it is happening. In repro mode there are different templates; please refer to my ISA Data Packager post. We choose a template depending on the scenario or issue we are facing. In the example above the web proxy and web publishing template is used because we had a web publishing issue; however, it can also be used in a forward proxy scenario.
Similarly, the VPN template can be used for VPN issues.
If you refer to my ISA Data Packager post you will notice that you can modify the options, checking and unchecking them depending on what type of data you want to collect and how much buffer size you want to keep, e.g. for Network Monitor and, in the advanced options, the buffer for the ISA tracing logs (the default is 400).