How to Use the EE Single Server Conversion Tool for Forefront TMG

The EE Single Server Conversion Tool (EESingleServerConversion.exe) is an official utility provided by Microsoft within the Forefront TMG 2010 Tools and SDK. It resolves a core technical mismatch when migrating an enterprise-level firewall configuration down to a single standalone firewall gateway.

The Core Purpose of the Tool

When migrating from legacy ISA Server ⁄2006 Enterprise Edition to Forefront Threat Management Gateway (TMG) 2010, you cannot directly import an Enterprise-level configuration XML file into a standalone TMG installation.

If you try, TMG throws an explicit error stating that upgrading an ISA Server EE configuration is only supported on a full TMG Enterprise array managed by an Enterprise Management Server (EMS). The conversion tool strips out the enterprise-level policies and nested array tags, converting the XML file into a format compatible with TMG Standard Edition or a TMG Enterprise standalone server.

Step-by-Step Migration Process

To use the tool to get past the blocked import, follow this sequence:

Export from ISA: In your source ISA Enterprise console, right-click the root node, choose Export, select “Export confidential information” with a strong password, and save the .xml file.

Install the SDK: Download and install the Forefront TMG 2010 Tools & SDK on your new TMG machine or a management workstation.

Run the Conversion: Open an elevated Command Prompt, navigate to the utility folder, and execute the conversion:

    cd "C:\Program Files (x86)\Microsoft Forefront TMG Tools\EESingleServerConversion"
    EESingleServerConversion.exe /s "C:\path\to\sourceISA.xml" /t "C:\path\to\convertedTMG.xml"

Import to TMG: In your new TMG management console, select the root server node, click Import (Restore) configuration, and provide the converted XML file.

Common Migration Issues & Fixes

Even after successfully converting the file layout, several underlying network and dependency mismatches can break the configuration during or immediately after the import.

1. “Invalid XML Tag” or Schema Errors

The Cause: The tool only cleanly bridges configurations that are coming from an environment that used a single array with a single array member. If your source XML contains multiple complex enterprise arrays, the automated conversion will fail or skip policies.
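A pre-flight check for the single-array, single-member precondition described above, written as an added example (not part of the original article or of Microsoft's tooling). The element local names `Array` and `Server` and both sample documents are assumptions constructed for illustration; confirm the names against your own export before relying on the result.

```python
import sys
import xml.etree.ElementTree as ET

# Assumed local names of the array and array-member elements in the export.
# The article does not give them; confirm against your own file.
ARRAY_TAG = "Array"
MEMBER_TAG = "Server"

# Constructed sample inputs (not real ISA exports).
SINGLE = """<x:Root xmlns:x="urn:example:constructed"><x:Arrays>
  <x:Array Name="A1"><x:Servers><x:Server Name="S1"/></x:Servers></x:Array>
</x:Arrays></x:Root>"""
MULTI = """<x:Root xmlns:x="urn:example:constructed"><x:Arrays>
  <x:Array Name="A1"><x:Servers>
    <x:Server Name="S1"/><x:Server Name="S2"/>
  </x:Servers></x:Array>
  <x:Array Name="A2"><x:Servers><x:Server Name="S3"/></x:Servers></x:Array>
</x:Arrays></x:Root>"""


def local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def array_layout(root, array_tag=ARRAY_TAG, member_tag=MEMBER_TAG):
    """Return the member count of every array element found under root."""
    return [
        sum(1 for d in arr.iter() if local(d.tag) == member_tag)
        for arr in root.iter()
        if local(arr.tag) == array_tag
    ]


def convertible(root, **names):
    """True only for the one-array, one-member layout the tool bridges cleanly."""
    return array_layout(root, **names) == [1]


if __name__ == "__main__":
    # With a path argument, check that file; otherwise run the constructed samples.
    if len(sys.argv) > 1:
        root = ET.parse(sys.argv[1]).getroot()
        print(array_layout(root))
        sys.exit(0 if convertible(root) else 1)
    for name, text in (("SINGLE", SINGLE), ("MULTI", MULTI)):
        root = ET.fromstring(text)
        print(name, array_layout(root), convertible(root))
```

Run it against the exported file before invoking the conversion tool; a non-zero exit code means the export has more than one array or more than one member and needs manual cleanup first.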

The Fix: You must manually edit the source .xml file or use customized script parsing to strip out the custom tags and array-wide structural references before feeding it to the tool.

2. Network Adapter Mismatches

The Cause: The XML file preserves the exact network adapter GUIDs and names from the old physical hardware. The new TMG server will fail to route traffic because it maps to non-existent hardware interfaces.

The Fix: Do not run the Initial Configuration wizard on TMG before importing. After the import finishes, go immediately to Networking -> Networks -> Internal/External -> Addresses, click Add Adapter, and map your actual local hardware interfaces to the respective TMG logical networks.

3. Broken Third-Party Plug-ins and Web Filters

The Cause: ISA Server plug-ins are 32-bit (x86) binaries, whereas Forefront TMG 2010 runs exclusively on a 64-bit architecture (Windows Server 2008 R2). Migrating old configuration data that contains references to third-party ISAPI filters will cause TMG’s firewall service to crash on startup.

The Fix: Cleanly remove or uncheck all custom web filters from the policy list prior to exporting, or manually update to 64-bit equivalent plug-ins (such as updating Forcepoint URL Filtering configurations) directly inside the TMG environment post-import.

4. Reports and Scheduled Tasks Dropped

The Cause: Historical reports, definitions, and custom scheduling engines are fundamentally different between ISA and TMG. The tool does not port report definitions.

The Fix: Document your custom reports prior to the migration and manually rebuild your scheduling logs inside TMG using its native SQL Server Express backend.

Looking Forward: Modern Replacements

Please keep in mind that Microsoft deprecated and ended all support for Forefront TMG. It lacks the security definitions required to handle modern internet threats.