Prerequisites for Migration
•Licenses: ISA Gateway requires new licenses. Procure the new licenses and keep it handy.
•ISA hardware would not require any additional core/CPU licenses.
•Deployment: Deploy the ISA Gateway before the migration.
•Upgrade/Install: It is recommended to upgrade your existing 9.x PSA Gateway to 9.1R11.5 or later and export configurations and then import those to ISA Gateway.
•Software: ISA devices do not support 9.x software version and PSA devices do not support 21.x/22.x software version.
•Configuration backup: It is preferred to back up the system.cfg and user.cfg binary files, along with XML export of entire configuration immediately prior to migration.
•Configuration documentation: Local settings that are mostly kept in system.cfg should be documented, as some of these may need to be manually re-entered to the ISA device such as cluster configurations.
Connect Secure only: In A/A cluster, attention should be given to the Network > VPN Tunneling > IP address filter and VPN Tunneling Profile IP pool settings. Also, some of the configurable settings such as SNMP, Log settings, and Syslog can be configured in either cluster mode or individual nodes.
- If converting a cluster, ensure to form with same cluster name and port definitions before importing XML, else, import will fail. Examples are external port enabling, cluster name and node names.
- If you are using Active Directory or ACE authentication servers, there may be a need to recreate the AD computer objects and/or for ACE, to regenerate/re-import the SDCONF.REC file to the devices if authentication fails after import.
Configuration Migration Path
The following table describes the tested migration paths.
|
Migrate to |
Migrate From (Supported Versions) |
Qualified |
|---|---|---|
|
Connect Secure |
|
|
|
22.5R1 |
Connect Secure 9.1R18.1, 9.1R18, 9.1R14.3 and nSA supported 9.1R17 |
Q |
|
22.5R2 |
Connect Secure 9.1R18.1, 9.1R18, 9.1R14.3 and nSA supported 9.1R17 |
Q |
|
22.4R2.1 |
Connect Secure 9.1R17 and nSA supported 9.1R18 |
Q |
|
22.4R2 |
Connect Secure 9.1R18, 9.1R17.1, 9.1R17, 9.1R16.2, 9.1R14.3 and nSA supported 9.1R17 |
Q |
|
22.4R1 |
Connect Secure 9.1R18, 9.1R17.1, 9.1R17, 9.1R16.2, 9.1R14.3 and nSA supported 9.1R17 |
Q |
|
22.3R1 |
Connect Secure 9.1R17, 9.1R16, 9.1R16.2, 9.1R15, 9.1R14, and nSA supported 9.1R15 |
Q |
|
22.2R1/22.2R3 |
Connect Secure 9.1 R15, 9.1 R14.1, 9.1 R13.2, and nSA supported 9.1 R14. |
Q |
|
22.1R6 |
Connect Secure 9.1R14 or prior releases. |
Q |
|
22.1R1 |
Connect Secure 9.1 R13.2 or prior releases. |
Q |
|
21.12R1 |
Connect Secure 9.1 R13.2 or prior releases. |
Q |
|
21.9R1 |
Connect Secure 9.1 R12 or prior releases. |
Q |
|
Policy Secure |
|
|
|
22.5R1 |
Policy Secure 9.1R18, 9.1R17, 9.1R16.2 |
Q |
|
22.3R1 |
Policy Secure 9.1 R15, 9.1 R14.1, 9.1 R13.2 |
Q |
|
22.2R1 |
Policy Secure 9.1 R15, 9.1 R14.1, 9.1 R13.2 |
Q |
|
22.1R6 |
Policy Secure 9.1R14 or prior releases. |
Q |
|
22.1R1 |
Policy Secure 9.1 R13.2 or prior releases. |
Q |
Upgrade the servers to the nearest matching version per the table to proceed with Migration if the exact versions are not listed.
Procedure
The following configurations must be performed manually as part of the migration:
1.Mapping certificates to ports.
2.Setting up licensing client if using Enterprise Licensing server.
3.Checking SNMP settings, checking and setting up of VPN profiles (ICS only).
4.Ensuring configs are fully transferred.
5.Manually adding or correcting discrepancies, if any.