It is good practice to keep regular backups of your Forefront TMG Configuration files. Even if you have a Forefront TMG Array with the configuration in multiple locations, this simply gives you fault tolerance, and should not be regarded as a backup.
Backups can be performed manually or automated with a script. This article explains both TMG configuration backup methods.
There are two types of Forefront TMG Arrays: Standalone arrays and Enterprise arrays.
A Standalone Forefront TMG Array consists of two or more TMG Servers. Technically, a standalone array a can have up to 50 members but since most TMG arrays are deployed with Windows Network Load Balancer (WNLB), the deployment most likely caps out at the WNLB limit of 32 nodes.
In a Standalone Array configuration, one of the members in the array is selected as the Array Manager. This server's configuration is the master config and it is replicated to the other members. Each server in turns keeps a local cache of the configuration.
When you have more than one Standalone Array, it makes sense to start using an Enterprise Array managed by an Enterprise Management Server (EMS). An Enterprise Array can contain up to 200 TMG Arrays. This scenario is typically for multi-site deployments.
In an Enterprise deployment, a dedicated server, the Enterprise Management Server (EMS) keeps the master configuration. The EMS keeps both the Enterprise wide and Array level configuration for all of the Arrays. The EMS then replicates the Enterprise and the appropriate Array configurations down to the Arrays and members who in turn all keep a local cache of the configuration.
Arrays and Enterprise Arrays have multiple copies of the configuration making TMG deployments fault tolerant with respect to losing the Array Master or even the EMS server. So why bother backing up?
A backup is there to protect you not only from a failure, but also to cover you in case a faulty configuration is applied. You can manually work your way backwards by checking the Change Tracking log if it is enabled, but this has its own drawbacks.
For legal or audit reasons you may also be required to prove what your firewall configuration was at a specific point in time. For these reasons, there is no alternative other than keeping regular TMG configuration backup copies.
You can manually export the configuration for backup purposes from within the TMG Management Console.
The following steps need to be performed for each Array individually.
The following steps are performed only once for the Enterprise. Standalone Arrays do not have this option.
This should give you a file for the Enterprise Configuration. Normally this is relatively small - a few hundred KB. You should also have a file for each Array. These are normally a few MB.
You can automate these steps with the following scripts.
If you have a single Array deployment use AutoExportArray.vbs. If you have an Enterprise deployment use AutoExportEnterprise.vbs
Simply customize the script with your preferred comments, export password and backup location. Save the script and run these on the appropriate server. The scripts contains any additional instructions.
The AutoExportEnterprise.vbs leaves you with a single XML file for the Enterprise and a separate XML file for each array in the enterprise. These files contain all the configuration and can be used to restore the TMG Array or Enterprise by importing and overwriting the existing configuration.
Simply set the above script(s) to run on a schedule using Windows Task Scheduler and relax in the knowledge that your Forefront TMG Array configuration will be automatically backed up on a regular basis.
Download our FREE 30-day trial, or schedule a demo and we'll show you how it works.
How to Enable Dark Mode in Fortinet FortiGate (FortiOS 7.0)
Sophos XG - How to Block Searches and URLs with Specific Keywords