With Forefront TMG long discontinued, is moving to Forefront UAG a feasible option? In this article we compare the two products feature by feature to clear up the confusion and lay out the differences between them in a clear, concise way.
The obvious reason for migrating away from Forefront Threat Management Gateway (TMG) is that Microsoft discontinued the product: the end of sales was announced in September 2012 and took effect in December 2012, mainstream support ended in April 2015 and extended support in April 2020. There will be no new versions, and no official support for newer Microsoft software such as Exchange Server 2013 (although workarounds exist). Note, too, that Forefront UAG was itself discontinued later (sales ended in July 2014, with the same April 2015 and April 2020 support dates), so the comparison below should be read with UAG's own end of life in mind.
There are literally thousands of organizations still using Forefront TMG to secure their corporate networks. In many cases they are not ready to migrate to a different solution, or simply don't know whether their particular needs and requirements can be served by another product.
In this article, we’ll go through the differences and similarities between Forefront TMG and UAG, review the supported and unsupported usage scenarios, product compatibility and platform requirements.
But first let’s look at what the two products are.
Microsoft Forefront Threat Management Gateway 2010 (TMG) replaced ISA Server 2006. Forefront TMG is a fully featured secure gateway and enterprise firewall providing multi-layer protection, from stateful packet filtering up to application-layer inspection.
Forefront TMG can act in any of the following capacities:
The suite includes the following security features:
· Malware inspection and filtering
Forefront TMG can also be tuned to improve network performance, speed up operations and reduce bandwidth requirements, for example through Web caching and HTTP compression.
Standard and Enterprise versions of Forefront TMG are available.
Forefront Unified Access Gateway 2010 (UAG) replaced Microsoft IAG (Intelligent Application Gateway), which was released three years earlier in 2007. Forefront UAG enables secure remote access to corporate networks, and provides multiple remote access technologies including reverse proxy, virtual private network (VPN), DirectAccess and Remote Desktop Services.
Forefront UAG provides a Secure Sockets Layer (SSL) virtual private network (VPN), a Web application firewall, and endpoint security management, enabling authentication, authorization, and content inspection for a wide range of applications.
Forefront UAG can act in the following capacities:
The suite includes the following security features:
It's important to note that Forefront UAG is installed as a gateway, and that the UAG setup also installs Forefront TMG on the same server, where it is configured as a firewall to protect the UAG host itself (on a UAG server, TMG is supported only in that role). Conversely, Forefront UAG enhances the Web publishing abilities of Forefront TMG by adding application awareness. Unlike TMG, Forefront UAG understands the applications it publishes, monitors the health state of the connecting client endpoint, and can make access decisions based on who the authenticated user is.
A word on endpoint access policies. An endpoint access policy lets network administrators define sets of rules that regulate which client devices may access internal resources (for instance, whether a supported antivirus is running or a particular domain membership is present). A client gains access to a protected resource only when every rule in the policy applied to that resource is satisfied.
Normally, I would skip this section, as the hardware requirements of most modern products are fairly similar. However, Forefront UAG (unlike TMG) requires two separate network adapters to operate: one connected to the internal (local area) network and one connected to the external, Internet-facing network. Forefront UAG will not install or work with a single network adapter.
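The following PowerShell script is an added example, not part of the original article and not a Microsoft tool; it performs a pre-installation sanity check for the two-adapter requirement described above. It assumes a Windows Server 2008 R2 host with PowerShell 2.0 (hence WMI rather than the NetAdapter module), that the internal network lives in the hypothetical `10.` address range passed as `$InternalPrefix`, and follows the usual TMG/UAG deployment guidance that only the external adapter carries a default gateway while the internal adapter reaches remote internal subnets through static routes.

```powershell
# Added example (not from the article): pre-install network sanity check for a Forefront UAG host.
# Assumptions: Windows Server 2008 R2 / PowerShell 2.0, internal subnet prefix is a site-specific
# value (10. is a hypothetical default), external adapter is the only one with a default gateway.

function Test-UagNetworkPrereqs {
    param(
        # Hypothetical site value: address prefix of the internal network, used to tell adapters apart.
        [string]$InternalPrefix = '10.'
    )

    $ok = $true

    # Physical adapters that are actually connected (NetConnectionStatus 2 = Connected).
    $nics = @(Get-WmiObject Win32_NetworkAdapter |
        Where-Object { $_.PhysicalAdapter -and $_.NetConnectionStatus -eq 2 })

    if ($nics.Count -lt 2) {
        Write-Warning ("Found {0} connected physical adapter(s); UAG needs two (internal and external)." -f $nics.Count)
        $ok = $false
    }

    # IP configuration of those adapters, matched on the adapter index.
    $nicIndexes = @($nics | ForEach-Object { $_.Index })
    $configs = @(Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and ($nicIndexes -contains $_.Index) })

    $prefixPattern = '^' + [regex]::Escape($InternalPrefix)
    $internal = @($configs | Where-Object { @($_.IPAddress) -match $prefixPattern })
    $external = @($configs | Where-Object { -not (@($_.IPAddress) -match $prefixPattern) })

    if ($internal.Count -ne 1 -or $external.Count -ne 1) {
        Write-Warning ("Expected exactly one internal and one external adapter; found {0} internal, {1} external." -f $internal.Count, $external.Count)
        $ok = $false
    }

    # Only the external adapter should carry a default gateway; the internal adapter should reach
    # remote internal subnets via persistent static routes (route add -p ...).
    foreach ($c in $internal) {
        if ($c.DefaultIPGateway) {
            Write-Warning "Internal adapter '$($c.Description)' has a default gateway; remove it and use static routes."
            $ok = $false
        }
    }
    foreach ($c in $external) {
        if (-not $c.DefaultIPGateway) {
            Write-Warning "External adapter '$($c.Description)' has no default gateway."
            $ok = $false
        }
    }

    # DirectAccess is IPv6-based: refuse a host where IPv6 was switched off globally through the
    # DisabledComponents registry value (0xFF, or 0xFFFFFFFF on some builds, disables all components).
    $tcpip6 = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -ErrorAction SilentlyContinue
    if ($tcpip6 -and $tcpip6.DisabledComponents -ne $null -and (($tcpip6.DisabledComponents -band 0xFF) -eq 0xFF)) {
        Write-Warning "IPv6 is disabled in the registry (DisabledComponents); DirectAccess will not work on this host."
        $ok = $false
    }

    return $ok
}

if (Test-UagNetworkPrereqs) {
    'Network prerequisites look good.'
} else {
    'Fix the warnings above before installing Forefront UAG.'
}
```

Run it from an elevated PowerShell prompt on the intended UAG server before starting setup, and change `$InternalPrefix` to match your own internal addressing; the IPv6 check matters only if you intend to use UAG as a DirectAccess server.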
On paper, Forefront TMG and Forefront UAG may look very similar, providing essentially the same features in many scenarios. However, there are major differences between the two products, which make the choice of one over the other pretty much a given in certain configurations. Other scenarios allow either product to be used; however, various complications may arise if the wrong choice is made.
In this section, I will use plain English to explain the similarities as well as the main differences between the two products, and outline the supported, unsupported and borderline configurations for each tool.
From this standpoint, Forefront TMG is your secure firewall handling incoming and outgoing requests, readily available to protect your internal network from external threats while providing secure access to internal resources from the outside. Forefront TMG has comprehensive publishing rules that let you make internal services such as Outlook Web Access, Exchange ActiveSync and many others available to remote users. However, Forefront TMG quickly reaches its limits when it comes to intelligent, application-aware publishing.
On the other hand, Forefront UAG is used as an intelligent application layer gateway handling incoming requests to your network’s internal resources. The product is able to greatly enhance the publishing rules used in Forefront TMG by adding a level of application-aware intelligence. Forefront UAG supports portals, VPN, and has DirectAccess and Endpoint Access Policies to control client devices.
Finally, you will also get Forefront TMG installed as part of Forefront UAG installation, in which case TMG will be used as a secure firewall to protect the UAG server.
Each product has its own strong points, making it a better choice in certain scenarios. The following table (based on Microsoft's feature comparison chart) lists the feature areas in which the two products differ.
|Feature area|
|---|
|Application Intelligence and Publishing|
|End Point Security|
|Information Leakage Prevention|
|Robust Authentication Support (KCD, ADFS, OTP)|
|Product Certification (Common Criteria)|
|Terminal Services Integration|
|Enhanced Management and Monitoring (MOM Pack)|
|Enhanced Mobile Solutions|
|New and Customizable User Portal|
|Wizard Driven Configuration|
|Globalization (RTL Languages)|
As I wrote earlier, there are supported and unsupported configurations for both TMG and UAG. Forefront TMG does NOT support any of the following configurations:
Forefront UAG Support Boundaries
Just like Forefront TMG, Forefront UAG has some supported and some unsupported configurations.
Like Forefront TMG, Forefront UAG can publish Web servers hosted on your internal computers, either directly or through a Web portal.
In addition, Forefront UAG extends DirectAccess functionality available in Windows Server 2008 R2 by serving as a DirectAccess Server, with the following implications:
Forefront UAG has limited support for IPv6 traffic. Basically, IPv6 support in Forefront UAG is implemented just far enough to support DirectAccess (which is IPv6-based). As such, Forefront UAG supports the following types of IPv6 traffic:
All other types of IPv6 traffic are not supported by Forefront UAG; in particular, you cannot use it as a general-purpose IPv6 firewall or proxy.
Now we come to the part that causes the most confusion: how do the two products work together, and can Forefront UAG outright replace Forefront TMG?
Indeed, the many intelligent features available in Forefront UAG tempt some users to switch from TMG to UAG completely. However, when considering such a switch, Forefront TMG users must keep the following in mind:
While some configuration changes can be made to the TMG instance on a UAG server via the Forefront TMG Management console (MMC), the following configurations are explicitly not supported:
Certain configuration settings, on the other hand, can be made via the Forefront TMG Management console (MMC). These include the following:
As you may already know, Microsoft discontinued Forefront TMG quite some time ago. Therefore, many new and existing users will have to run Forefront UAG without relying on the discontinued Forefront TMG as their perimeter firewall; the TMG instance bundled with UAG only protects the UAG server itself. As such, you may consider the following scenarios for using Forefront UAG in your network:
As to which firewall to choose for your Forefront UAG installation, you have multiple options available on the market. Also note that you will need to configure the correct port mapping settings in that firewall for Forefront UAG to operate correctly: for Web publishing this is typically TCP 443 to the UAG external address, and for DirectAccess the IPv6 transition technologies add their own requirements (UDP 3544 for Teredo, TCP 443 for IP-HTTPS, IP protocol 41 for 6to4 and ICMPv6, with Teredo also needing two consecutive public IPv4 addresses on the external adapter).