While there are myriad contenders, one that is often overlooked is TMG! Say what?!? While TMG has been officially deprecated, it is still supported until April of and can still serve as an excellent network security solution, with a few caveats. Although there will not be another new version of TMG in the future, and there will be no more feature enhancements made to TMG (only security updates and bug fixes), there are a number of deployment scenarios for which Forefront TMG is still a viable option.
In fact, TMG has some important features and functionality that have yet to be duplicated by another vendor. So, when considering a replacement for your Forefront TMG firewall, think again. You may just be surprised to find out that TMG is still the best alternative for your deployment scenario. Although Forefront TMG will be supported for many years to come, and the majority of features will continue to work in perpetuity, there are a few areas in which some TMG functionality will be degraded prior to the end of support date.
Network Firewall
At its core, Forefront TMG is a bit routing network firewall that provides stateful packet filtering and layer traffic inspection. It provides the ability to define routing or NAT relationships between networks, and does so in a secure manner using a default deny firewall policy. The network firewall features of Forefront TMG will continue to work without issue indefinitely.
In the forward web proxy server role, TMG proxies requests from internal network clients to the public Internet and serves as a single, trusted host to access the Internet.
Implementing a forward proxy server has many benefits. It provides an aggregation point for all outbound access, which allows for centralized policy enforcement and consolidated logging and reporting, as well as providing a platform for additional content inspection such as Data Leakage Prevention (DLP) solutions. In addition, the TMG firewall can provide content caching, which not only speeds up common Internet requests but also reduces the bandwidth used on Internet links.
This is a powerful and compelling feature of the basic forward proxy server role that allows TMG to proxy both web-based and non-web-based applications. Another important feature that TMG provides in the basic forward proxy server scenario is authentication. While there are a number of proxy server alternatives on the market today, and most can perform some type of client authentication, TMG is unique in that it can do so transparently, using native domain authentication methods by virtue of the host being joined to the domain.
This allows TMG administrators to leverage Kerberos authentication, when configured correctly, for outbound web proxy requests. This enables much more accurate and secure authentication, in addition to providing significantly improved scalability. To my knowledge, there are no proxy solutions on the market today that can leverage Kerberos for authenticating web proxy requests.
I also know of no other vendor that provides a transparent Winsock proxy client. Whether used as a basic authenticating web proxy server and content cache, or together with the Forefront TMG firewall client to provide transparent proxy services for non-web-based protocol traffic, the TMG firewall is still an excellent solution in this deployment scenario.
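One practical way to verify which proxy authentication schemes a forward proxy actually offers is to inspect its 407 challenge: a domain-integrated proxy that supports Kerberos advertises "Negotiate" (SPNEGO) in its Proxy-Authenticate header, whereas a proxy that only offers NTLM or Basic cannot use Kerberos tickets at all. The following script is an added example and is not code from the original post or from Forefront TMG; the sample 407 response is constructed for illustration, not captured from a real TMG server, and the function and variable names are my own.

```python
"""Classify the authentication schemes offered in an HTTP 407 response.

Assumption: the proxy answers an unauthenticated request with a 407 status
and one or more Proxy-Authenticate headers as described in RFC 7235.
"""

# Constructed sample response (not captured from a real proxy): this is the
# shape of challenge a domain-joined proxy with integrated authentication
# enabled would typically return, offering Negotiate, NTLM and Basic.
SAMPLE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="corp.example"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# What each scheme means for the security of outbound proxy authentication.
SCHEME_NOTES = {
    "negotiate": "SPNEGO: Kerberos when the client can obtain a ticket, NTLM fallback otherwise",
    "ntlm": "domain credentials via challenge/response; no Kerberos, no mutual authentication",
    "basic": "username and password sent base64-encoded; only acceptable inside TLS",
    "digest": "password hash challenge/response; not tied to domain authentication",
}


def parse_response(raw):
    """Split a raw HTTP response into (status_code, [(header_name, value), ...])."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def split_challenges(value):
    """Split one Proxy-Authenticate value into individual challenges.

    A comma starts a new challenge only when it is outside a quoted string
    and the text after it begins with a bare scheme token rather than a
    'name=value' parameter belonging to the previous challenge.
    """
    pieces, buf, in_quote = [], "", False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            pieces.append(buf.strip())
            buf = ""
        else:
            buf += ch
    pieces.append(buf.strip())

    challenges = []
    for piece in pieces:
        if not piece:
            continue
        first = piece.split(None, 1)[0]
        if "=" in first and challenges:
            challenges[-1] += ", " + piece  # continuation of previous challenge's params
        else:
            challenges.append(piece)
    return challenges


def assess_proxy_challenge(raw):
    """Return the offered schemes, whether Kerberos is possible, and weak schemes."""
    status, headers = parse_response(raw)
    schemes = []
    if status == 407:
        for name, value in headers:
            if name == "proxy-authenticate":
                for challenge in split_challenges(value):
                    schemes.append(challenge.split(None, 1)[0].lower())
    return {
        "status": status,
        "schemes": schemes,
        "kerberos_possible": "negotiate" in schemes,
        "weak_schemes": [s for s in schemes if s == "basic"],
        "notes": {s: SCHEME_NOTES.get(s, "unrecognised scheme") for s in schemes},
    }


if __name__ == "__main__":
    report = assess_proxy_challenge(SAMPLE_407)
    for scheme in report["schemes"]:
        print(f"{scheme:10s} {report['notes'][scheme]}")
    print("Kerberos possible:", report["kerberos_possible"])
```

Run against a live proxy by sending an unauthenticated CONNECT or GET through it and feeding the raw response to assess_proxy_challenge; a result with "negotiate" present means Kerberos can be used when clients hold a ticket for the proxy's service principal, while a "basic" entry is a reminder to confirm that the client-to-proxy leg is protected by TLS.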
Reverse Web Proxy Server
A reverse web proxy server, used for providing secure remote access to internal web-based applications, is another role that the Forefront TMG firewall can continue to provide well into the future.
For example, when publishing web applications such as Exchange and SharePoint, TMG can use strong authentication with client certificates and perform protocol transition to obtain Kerberos tickets on behalf of users.
To my knowledge, this is a capability that is still unique to Forefront TMG.
Additional features of the reverse web proxy role, including content caching, HTTP compression, application layer traffic inspection, strong user and group-based authentication, and application farm load balancing, are not affected by the deprecation of the product and will continue to operate effectively for quite some time.
TMG also includes support for modern remote access protocols such as SSTP, which provides easy-to-deploy and ubiquitously available remote network access for field-based clients. The reality is, however, that although there are some deployment scenarios in which the TMG firewall will perform capably for many years to come, there are some drawbacks to doing so.
The most pressing issue is the fact that Forefront TMG cannot be installed on the latest release of the Windows Server operating system. Although Windows Server R2 is still supported, and will be for many years, it is not as secure as Windows Server R2.
When properly prepared using industry standard and product specific best practices (such as service hardening and attack surface reduction, SSL hardening, and following administrative best practices), it is as secure as any solution available today. There have been a number of security enhancements in later releases of Windows that TMG will not benefit from, however. In addition, the lack of support for IPv6 in TMG will be a serious limiting factor in the not-so-distant future.
Another potential area of concern is the lack of native support for publishing future versions of Microsoft applications like Exchange and SharePoint. New releases such as Exchange and SharePoint can be published, of course, but doing so requires some manual configuration and may also present supportability issues in the future. Also, Microsoft will no longer produce anti-malware and Network Inspection System (NIS) signature updates past this date, although these features will continue to function, albeit with outdated signature files.
For this deployment scenario, however, there are a number of excellent on-premises and cloud-based third-party solutions that can be leveraged to address this shortcoming.
What about Licensing?
Summary
It was a sad day when Microsoft announced that they were abandoning the future development of the Forefront TMG firewall.
It is widely deployed, and in my opinion was one of the best solutions for protecting Microsoft networks and workloads. It provided unique features and capabilities that, even today, are not provided by competing solutions.
All is not lost, however! Depending on your deployment scenario and specific requirements, Forefront TMG can still be a valuable solution.
For advanced web protection features, third-party solutions are available to bridge some of those gaps. Keep calm, and deploy TMG!