by
Etienne Liebetrau
It is good practice to keep regular backups of your Forefront TMG Configuration files. Even if you have a Forefront TMG Array with the configuration in multiple locations, this simply gives you fault tolerance, and should not be regarded as a backup.
Backups can be performed manually or automated with a script. This article explains both TMG configuration backup methods.
There are two types of Forefront TMG Arrays: Standalone arrays and Enterprise arrays.
A Standalone Forefront TMG Array consists of two or more TMG Servers. Technically, a standalone array can have up to 50 members, but since most TMG arrays are deployed with Windows Network Load Balancing (WNLB), the deployment most likely caps out at the WNLB limit of 32 nodes.
In a Standalone Array configuration, one of the members of the array is selected as the Array Manager. This server's configuration is the master config and it is replicated to the other members. Each server in turn keeps a local cache of the configuration.
When you have more than one Standalone Array, it makes sense to start using Enterprise Arrays managed by an Enterprise Management Server (EMS). A single Enterprise can contain up to 200 TMG Arrays. This scenario is typically for multi-site deployments.
In an Enterprise deployment, a dedicated server, the Enterprise Management Server (EMS), keeps the master configuration. The EMS keeps both the Enterprise-wide and the Array-level configuration for all of the Arrays. The EMS then replicates the Enterprise and the appropriate Array configurations down to the Arrays and their members, which in turn all keep a local cache of the configuration.
Arrays and Enterprise Arrays have multiple copies of the configuration making TMG deployments fault tolerant with respect to losing the Array Master or even the EMS server. So why bother backing up?
A backup is there to protect you not only from a failure, but also to cover you in case a faulty configuration is applied. You can manually work your way backwards by checking the Change Tracking log if it is enabled, but this has its own drawbacks.
For legal or audit reasons you may also be required to prove what your firewall configuration was at a specific point in time. For these reasons, there is no alternative other than keeping regular TMG configuration backup copies.
You can manually export the configuration for backup purposes from within the TMG Management Console.
The following steps need to be performed for each Array individually.
The following steps are performed only once for the Enterprise. Standalone Arrays do not have this option.
This should give you a file for the Enterprise Configuration. Normally this is relatively small - a few hundred KB. You should also have a file for each Array. These are normally a few MB.
You can automate these steps with the following scripts.
If you have a single Array deployment use AutoExportArray.vbs. If you have an Enterprise deployment use AutoExportEnterprise.vbs
Simply customize the script with your preferred comments, export password and backup location. Save the script and run it on the appropriate server (the Array Manager for a standalone array, the EMS for an Enterprise). The scripts contain any additional instructions.
The AutoExportEnterprise.vbs leaves you with a single XML file for the Enterprise and a separate XML file for each array in the enterprise. These files contain all the configuration and can be used to restore the TMG Array or Enterprise by importing and overwriting the existing configuration.
Simply set the above script(s) to run on a schedule using Windows Task Scheduler and relax in the knowledge that your Forefront TMG Array configuration will be automatically backed up on a regular basis.
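The following PowerShell script is an added example and is not the AutoExportArray.vbs or AutoExportEnterprise.vbs script referred to above. It drives the same TMG administration COM interface (FPC.Root) that the VBScript approach uses, and it assumes the ExportToFile method of the FPCArray and FPCEnterprise objects takes (FileName, OptionalData, EncryptionPassword, Comment) with the fpcExportImportPasswords = 1 and fpcExportImportUserPermissions = 2 flag values from the FpcExportImportOptionalData enumeration of the TMG SDK. The backup path, password file location, comment and retention period are assumptions to adjust for your environment. Beyond the basic export it adds three things a practitioner would want: the export password is read from an ACL-restricted file instead of the task's command line, each export is recorded with a SHA-256 digest for the audit use case described above, and old exports are pruned.

```powershell
<#
  Export-TmgConfig.ps1  (added example; not the article's AutoExport*.vbs scripts)

  Run on the EMS with -Enterprise, or on the Array Manager of a standalone
  array without it. Requires the Forefront TMG administration COM objects,
  which are installed with the TMG Management Console.
#>
param(
    [string]$BackupRoot    = "D:\TMGBackups",                       # assumed path
    [string]$Comment       = "Scheduled configuration backup",      # assumed comment
    [switch]$Enterprise,
    [int]$RetentionDays    = 90,                                    # assumed retention
    # Read the export password from an ACL-restricted file rather than passing
    # it on the command line, where it would be visible in the scheduled task
    # definition and in process-creation audit events.
    [string]$PasswordFile  = "C:\ProgramData\TMGBackup\export.pw"   # assumed path
)

$ErrorActionPreference = "Stop"

# FpcExportImportOptionalData flags (TMG SDK). Passwords must be included for a
# backup that can be restored without re-entering every shared secret, and the
# console only allows exporting confidential information with an encryption
# password, so this script always supplies one.
$fpcExportImportPasswords       = 1
$fpcExportImportUserPermissions = 2
$flags = $fpcExportImportPasswords -bor $fpcExportImportUserPermissions

$exportPassword = ([string](Get-Content -Path $PasswordFile | Select-Object -First 1)).Trim()
if (-not $exportPassword) { throw "Export password file $PasswordFile is empty" }

$null     = New-Item -ItemType Directory -Path $BackupRoot -Force
$stamp    = Get-Date -Format "yyyyMMdd-HHmmss"
$sumsFile = Join-Path $BackupRoot "SHA256SUMS.txt"

function Get-Sha256Hex([string]$Path) {
    # SHA-256 via .NET so this also works on the PowerShell 2.0 that ships with
    # Windows Server 2008 R2 (Get-FileHash requires PowerShell 4.0).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace("-", "") }
    finally { $fs.Close() }
}

function Export-TmgObject($Object, [string]$Name) {
    # Array names may contain characters that are illegal in file names.
    $safeName = $Name -replace '[\\/:*?"<>|]', '_'
    $file = Join-Path $BackupRoot ("{0}-{1}.xml" -f $safeName, $stamp)
    # FPCArray.ExportToFile / FPCEnterprise.ExportToFile:
    #   (FileName, OptionalData, EncryptionPassword, Comment)
    $Object.ExportToFile($file, $flags, $exportPassword, $Comment)
    if (-not (Test-Path $file)) { throw "Export of $Name produced no file" }
    # Record a digest so a later audit can show which file was taken on this
    # date and that it has not been altered since.
    $hash = Get-Sha256Hex $file
    Add-Content -Path $sumsFile -Value ("{0}  {1}" -f $hash, (Split-Path $file -Leaf))
    Write-Host ("Exported {0} -> {1} (SHA-256 {2})" -f $Name, $file, $hash)
}

$root = New-Object -ComObject "FPC.Root"

if ($Enterprise) {
    # One file for the enterprise-level configuration, then one per array.
    Export-TmgObject $root.Enterprise "Enterprise"
    foreach ($array in $root.Arrays) {
        Export-TmgObject $array ("Array-" + $array.Name)
    }
} else {
    $array = $root.GetContainingArray()
    Export-TmgObject $array ("Array-" + $array.Name)
}

# Prune exports older than the retention window; SHA256SUMS.txt is kept as the record.
Get-ChildItem -Path $BackupRoot -Filter *.xml |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$RetentionDays) } |
    Remove-Item -Force
```

Schedule it with Task Scheduler as a service account or SYSTEM, for example `schtasks /Create /SC DAILY /ST 02:00 /RU SYSTEM /TN "TMG Config Backup" /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Export-TmgConfig.ps1 -Enterprise"` (drop `-Enterprise` on a standalone Array Manager). Restrict both the backup folder and the password file to administrators, e.g. `icacls D:\TMGBackups /inheritance:r /grant "SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F"`, and copy the exports off the TMG host: the XML holds the complete firewall policy, and its secrets are only as safe as the export password, so keep that password somewhere other than next to the backups.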