Question : ISA 2004 and ForeFront TMG

Hi all,

I was wondering if someone can point me in the direction of some pros and cons in regard to upgrading from ISA 2004 to ForeFront TMG.

We currently have ISA 2004 installed on a single server as an internet management box. We are looking at what more FF TMG will give us and how hard it would be to upgrade.

Thanks

Answer : ISA 2004 and ForeFront TMG

There is no direct upgrade. ISA Server is a 32-bit application and needs an equivalent operating system - 32-bit.

FTMG is 64-bit only and can run on 2008 SP2 or 2008 R2.
Whilst you can export/import the ISA config, personally I find it better to start from scratch. Not only does this give the ability to clean up the rules that traditionally have got messed up over time, it means you go through all the options and consider them again.

FTMG does a lot that ISA 2004/2006 could not do.
FTMG uses the Microsoft MRS service so now caters (based on a per-user subscription) for categorised URL allow/deny scenarios out of the box. It also provides (free) NIS protection out of the box which is a big step forward.
FTMG's support for hosting a copy of the Exchange edge connection is another plus for the system, giving good mail protection as well.
HTTPS inspection has been added, which is slightly contentious. Enabling HTTPS inspection allows FTMG to break the connection, thereby allowing inspection of traffic that the user assumes is encrypted and protected - including things like home banking etc. Sounds great but has significant legal ramifications as well. In addition, many sites will fail to operate if they are subject to the HTTPS inspection. Microsoft's own sites such as the Windows Update site will not operate when HTTPS inspection is enabled. To get round this, most MS sites are already added to the 'exemption' group.

Reporting is still light on FTMG and remains an area that needs to be addressed.
FTMG is streets ahead of ISA but is still not the cheapest on the market.
FTMG, like ISA, is not a 'just run the setup.exe from the CD'. It assumes you have read the manuals or been trained accordingly.

Keith
MS Forefront MVP