Reset Search
 

 

Article

KB44949 - How To Successfully Migrate PCS Configurations from PSA Gateway to ISA Gateway.

« Go Back

Information

 
Last Modified Date1/6/2022 6:53 PM
Synopsis

Prerequisites for Migration

  • Licenses: The ISA Gateway requires new licenses; procure the new licenses and keep it handy.
  • Deployment: Deploy the ISA Gateway before the migration.
  • Upgrade/Install: It is recommended to upgrade your existing 9.x PSA Gateway to 9.1R11.5 or later, export configurations, and then import those to the 21.x Gateway.
  • Software: ISA devices do not support 9.x software version and PSA devices do not support 21.x software version.
  • Configuration backup: It is best practice to back up the system.cfg and user.cfg binary files, along with XML export of the entire configuration immediately prior to migration.
  • Configuration documentation: Local settings that are mostly kept in system.cfg should be documented, as some of these may need to be manually re-entered to the ISA device such as cluster configurations.

With A/A cluster(s), attention should be given to the Network > VPN Tunneling > IP address filter and VPN Tunneling Profile IP pool settings.
Configurable settings such as SNMP, Log settings, and Syslog can be configured in either cluster mode or individual nodes.

  • If converting a cluster, ensure to form with same cluster name and port definitions before importing XML, else, the import will fail. Examples are external port enabling, cluster name and node names.
  • If you are using Active Directory or ACE authentication servers, there may be a need to recreate the AD computer objects and/or for ACE, to regenerate/re-import the SDCONF.REC file to the devices if authentication fails after import.
Problem or Goal

Procedure

The recommended way to transfer the configuration and settings is through the export of "binary configurations" or "XML configurations" from PSA Gateway to ISA Gateway.

 

    Cause

    The following configurations must be performed manually as part of the migration:

    1. Mapping certificates to ports.
    2. Setting up licensing client if using Enterprise Licensing server.
    3. Checking SNMP settings, checking and setting up of VPN profiles.
    4. Ensuring configs are fully transferred.
    5. Manually adding or correcting discrepancies, if any.
      Solution

      Migration from PSA to ISA

      On the existing PSA platform. Log in to the standalone device or the primary node of the cluster (where the cluster was first formed) and export its binary configs (system.cfg and user.cfg), and the XML Network settings configurations.

      • To export the binary configurations from the PSA Gateway:
      1. From the PSA Gateway Admin UI, select Maintenance > Import/Export > Configuration.
      2. Under Export, enter a password if you’d like to password-protect the configuration file.
      3. Click Save Config As to save the file. The default filename is system.cfg.
      4. Select Maintenance > Import/Export > User Accounts.
      5. Under Export, enter a password if you’d like to password-protect the configuration file.
      6. Click Save Config As to save the file. The default filename is users.cfg.
      • To export the XML Network configuration:
      1. Select Maintenance > Import/Export > XML Import/Export.
      2. Under Export, expand System Settings and select Network > All.
      3. Click Export and save the XML file.

      Make notes of all the local settings for both nodes (if not yet done during preparation stage): IP information, clustering, virtual ports, VLANs, hosts, routes, DNS settings, SNMP (if configured), Syslog.

      Importing existing PSA configurations to ISA

      • To import the configurations to ISA Gateway:
      1. From the ISA Gateway Admin UI, select Maintenance > Import/Export > Configuration.
      2. Select Import Everything except network settings, cluster settings, and licenses to import all configurations except network, cluster and license settings.
      3. Browse to the configuration file, system.cfg. Enter the password if specified.
      4. Click Import Config ***When importing the PSA configurations to ISA all the system configurations will be imported. (Configurations related to deprecated features such as SDP, Sensors and Pulse One will be removed).
      5. Select Maintenance > Import/Export > User Accounts and browse to the users.cfg file.
      6. Click Import Config ***When importing the PSA configurations to ISA all the user configurations user configs like realms, sign-in policies, host checker, policies, roles, devices, users will be imported. (Configurations related to deprecated features such as Citrix web interface/JICA, Citrix StoreFront, Microsoft OWA 2000, 2003,2007 will be removed).
      7. For XML import, select Maintenance > Import/Export > XML Import/Export and import the config file. After importing XML, system and user.cfg files, check and/or modify/add remaining local settings and other settings such as:
      • Network > Overview settings (set in cluster or individual nodes)
      • Network > Routes (for internal, external and other ports)
      • Network > Hosts (set in cluster or individual nodes)
      • Network > Internal Port/ External Port>Virtual Ports (if clustered, set this up in cluster “Entire Cluster”)
      • Network > VLANs (if clustered, set this up in cluster “Entire Cluster”)
      • Network > VPN Tunneling (set in cluster or individual nodes)
      • Log/Monitoring > SNMP (set in cluster or individual nodes)
      • Configuration > Certificates > Device Certificates (and its ports bindings)
      • Resource Policies > VPN Tunneling > Connection Profiles (if configured)
      • Configuration > Licensing - License client-server settings (if used as license client in Enterprise Licensing Server environment), proper licenses installed
      8. Check cluster status (if clustered) and test operation by logging in to the cluster VIPs (or the standalone PSA device IP).

      ***Configurations related to the unsupported features will be removed from the imported configuration as part of the migration.
      ***Policies referring to unsupported features will also be deleted after the migration.
      ***The admin can view them under the event logs in the 21.x ICS Gateway.



      For more information, please check the PSA to ISA migration guide 

       

      Related Links
      https://docs.pulsesecure.net/WebHelp/PCS/21.9/migr-guide/landingpage.htm#Introduc
      Attachment 1 
      Created ByDmitriy Melk-Karamov

      Feedback

       

      Was this article helpful?


         

      Feedback

      Please tell us how we can make this article more useful.

      Characters Remaining: 255