TMG 2010
ISA vs TMG vs IAG vs UAG
Sometimes Microsoft branding and renaming of products really confuses people. The whole ISA/TMG/IAG/UAG re-branding debacle really threw me for a loop. At first the renaming seemed pretty simple, but Microsoft is also re-positioning the products and I don’t think MS has done a good job of clarifying the products. So today at TechED I stopped by the security booth and tried to wrap my brain around the changes. Here’s what I learned from the MS ForeFront guys.
The ForeFront Threat Management Gateway (TMG, formerly ISA) is now being positioned as an outbound internet proxy for internal corporate users. It will include advanced anti-virus, anti-malware, and intrusion detection features. Some of these services will need subscriptions, since they need constant signature updates. One cool new feature is the ability to inspect HTTPS traffic. But you say, ISA could do that when it was put into SSL bridiging mode. True, but now TMG can inspect SSL traffic generated by external web sites. TMG will impersonate the external site’s SSL certificate, act as a man in the middle, and perform application level inspection of the traffic. So no longer will downloads from the internet via HTTPS bypass malware scanning. Pretty cool!
While you can still use TMG as a reverse proxy for publishing internal web sites to the internet, that is not the recommended use. This is a big change from ISA, which is very commonly used as a reverse proxy.
The ForeFront Unified Access Gateway (UAG, formerly IAG) according to Microsoft is now the preferred solution for inbound access to internal corporate resources. This includes acting as a reverse proxy for applications such as OWA, MOSS, and robustly supports DirectAccess. Like IAG which included ISA under the hood, UAG will also include the TMG engine. Like IAG, in UAG you will not directly configure TMG. TMG is merely there to protect the UAG, not to provide TMG functionality for other applications.
To boil it all down, you will ONLY use TMG if you want a corporate internet proxy to protect users from web based malware. If you want a reverse proxy, such as publishing OWA and MOSS to the internet, you will now use UAG. If you want both scenarios, then you will have both TMG and UAG servers. Yes TMG can technically do both just as ISA can, but this is no longer a Microsoft recommended configuration.
Another noteworthy tidbit I learned is that MS is really pushing for virtualizing TMG and UAG. Among many benefits, this would allow you to scale out very quickly should you have high demand and need to increase the number of servers.
For additional informatin on UAG, see this link. For more information on TMG, see this link.
No comments yet.
About me
This blog is my online toolbox. I will blog things I need to remember and find useful. Instead of making a private link repository I will do it on this public blog and maybe someone will find it helpful. I will also post solutions to problems I solve myself and if it helped, please let me know in a comment.
About me
I am a Senior Solution Architect working at a consulting firm in Norway. My expert area is Microsoft network and platform infrastructure. Beside that I have 12 years experiance as a Senior Technical Specialist on the following areas: Exchange Server, SQL Server, Lync and Microsoft infrastructure (Active Directory, DHCP, DNS, ADFS, Certificates). Some experience in TMG/UAG and other security solutions.
-
Archives
- June 2013 (2)
- December 2012 (4)
- November 2012 (1)
- August 2012 (8)
- July 2012 (1)
- June 2012 (3)
- May 2012 (14)
- April 2012 (8)
- March 2012 (7)
- February 2012 (4)
- January 2012 (9)
- December 2011 (6)
-
Categories
-
RSS
Entries RSS
Comments RSS
GAPTHEGURU 
Leave a comment