Archive for the ForeFront TMG 2010 Category

Restore TMG 2010 Exported config from one server to another

Posted in ForeFront TMG 2010, Microsoft on 2011/03/04 by CRCerr0r

Imagine this situation:

  • You have a TMG 2010 box (I have tested this with the Enterprise Edition with SP1, Rollup 1 for SP1 and Rollup 2 for SP1)
  • The TMG box is dead or for whatever other reason you have to bring up a brand new TMG server to replace the old one
  • You don’t want to recreate all objects and rules.

This is what you can do:

You need to do a rule export (or if your box is dead, hopefully you did one before) that includes all sensitive information and user permissions. To do this:

  1. Right-click on ‘Forefront TMG (SERVER_NAME)’ and choose Export (Backup)
  2. Click Next
  3. Check BOTH boxes to Export confidential information and user permission settings, put a password in
  4. Give it a path to save to and complete the wizard


After you have the config file (it will be pretty large) copy it to the new server. The new server needs to be identical to the old one, down to the naming of the NICs. If you are putting the new server side-by-side with the old one, and both will be online for a bit, the new server must have different IPs, for obvious reasons. On mine, the old one’s IPs ended with .1 on every subnet (except the External one) so I made the new one end with .2 on every subnet.

The next thing you need to do is install TMG. Make sure it is isntalled the same way, including paths (if you installed the old one on D:\Program Files\… the new one must be the same) and patched with the same patches (TMG ones, not so much OS).

Open the XML export file from the old server in Notepad. Do a ‘find and replace’ for every OLD_SERVER_NAME and OLD_SERVER_IP values and replace them with their NEW_SERVER_NAME, NEW_SERVER_IP counterparts.

Import the config file into the new server choosing the ‘Overwrite’ option in the wizard. Restart the ‘Microsoft Forefront TMG Storage’ service (that will restart all TMG services)

If you had Site-to-Site VPN you may have to re-create it on the new server. If you get an error in the event log “The user SYSTEM dialed a connection named xxxxx which has failed. The error code returned on failure is 789.” check the IPs on each endpoint of the Site-ti-Site VPN. If you get an error “The user SYSTEM dialed a connection named xxxxx which has failed. The error code returned on failure is 812.” check the Dial-In properties of the account used for the Site-ti-Site VPN and make sure it is set to Allow.