Comparing Microsoft Forefront TMG and UAG Feature by Feature


With Forefront TMG being long discontinued, is upgrading to Forefront UAG a feasible move? In this article we compared the two products feature by feature in an attempt to clarify the mystery and lay out the differences between the two products in a clear, concise way.

Why Moving to Forefront UAG May Be a Good Idea

The obvious reason for migrating from Forefront Threat Management Gateway (TMG) is the fact that Microsoft discontinued the product in December 2012. No new versions are coming, and there is no support for newer versions of Microsoft’s own software such as Exchange Server 2013 (although workarounds exist).


There are literally thousands of TMG users who are still using Forefront TMG to secure their corporate networks. In many cases they are not ready to migrate to a different solution, or simply don’t know whether their particular needs and requirements can be served by another product.


In this article, we’ll go through the differences and similarities between Forefront TMG and UAG, review the supported and unsupported usage scenarios, product compatibility and platform requirements.


But first let’s look at what the two products are.

Forefront TMG

Microsoft Forefront Threat Management Gateway 2010 (TMG) replaced ISA Server 2006. Forefront TMG is a fully featured secure gateway and enterprise firewall solution offering multi-layer protection with stateful packet filtering and inspection.

Routing and Remote Access Capabilities

Forefront TMG can act in any of the following capacities:

  • Router
  • Internet gateway
  • VPN server
  • NAT server
  • Proxy server
  • E-mail gateway

Security Features

The suite includes the following security features:

  • Firewall with multi-layer security
  • Network traffic inspection
  • HTTPS inspection
  • Malware inspection and filtering
  • Application layer protection
  • Security vulnerabilities protection
  • Content inspection against predefined security policy
  • Stateful packet inspection
  • URL filtering
  • E-Mail protection
  • Intrusion Prevention (IPS) and Intrusion Detection (IDS) systems

Network Performance Optimization

Forefront TMG can be tuned to improve network performance, speed up operations and reduce bandwidth requirements.


  • Web traffic compression
  • Web caching
  • Forward and reverse proxy
  • Background Intelligent Transfer Service traffic caching including Microsoft Update service caching
  • Network load balancing


Standard and Enterprise versions of Forefront TMG are available.

Forefront UAG

Forefront Unified Access Gateway 2010 (UAG) replaced Microsoft IAG (Intelligent Application Gateway), which was released three years earlier in 2007. Forefront UAG enables secure remote access to corporate networks, and provides multiple remote access technologies including reverse proxy, virtual private network (VPN), DirectAccess and Remote Desktop Services.

Routing and Remote Access Capabilities

Forefront UAG provides secure socket layer (SSL) virtual private network (VPN), a Web application firewall, and endpoint security management, enabling authentication, authorization, and content inspection for a wide range of applications.


Forefront UAG can act in the following capacities:

  • Router
  • DirectAccess gateway
  • Secure remote access gateway
  • Secure Internet gateway
  • Secure VPN server (over SSL)
  • NAT server
  • Proxy and reverse proxy server
  • Secure e-mail gateway

Security Features

The suite includes the following security features:

  • Secure remote gateway
  • Endpoint access policy
  • Secure remote access to OWA, Remote Desktop connections, SSL VPN, Microsoft CRM, SharePoint and many other business applications
  • Supports multiple authentication providers such as Active Directory, Netscape, LDAP, RADIUS, OTP etc.
  • HTTPS inspection
  • Application layer protection
  • Content inspection
  • Stateful packet inspection
  • URL filtering
  • E-Mail protection


It’s important to note that Forefront UAG is installed as a gateway, while Forefront TMG is installed as a firewall afterwards and configured to protect the UAG server. On the other side, Forefront UAG enhances the Web publishing abilities of Forefront TMG by adding a bit of intelligence. Unlike TMG, Forefront UAG recognizes the applications being published, monitors the health state of the client hardware being used, and is able to recognize authorized users.


A word on Endpoint access policy. This policy allows network administrators to define sets of rules regulating which clients can have access to internal resources. The client will only gain access to protected resources when all rules defined in the appropriate policy are satisfied.

Hardware Requirements

Normally, I would skip this section as hardware requirements of most modern products are fairly similar. However, Forefront UAG (unlike TMG) requires two separate network adapters to operate. The two network adapters are used to provide connectivity between the local area network and the Internet. As such, Forefront UAG will not work with a single network adapter.


Forefront TMG and Forefront UAG Feature Comparison

On paper, Forefront TMG and Forefront UAG may look very similar, providing essentially the same features in many scenarios. However, there are major differences between the two products, making the choice of one over the other pretty much a given in certain configurations. Other scenarios allow using either product; however, various implications may arise if the wrong choice is made.


In this section, I will try to use plain English to explain the similarities as well as the main differences between the two products, and to outline the supported, unsupported and borderline configurations for either tool.


In short, Forefront TMG is your secure firewall handling incoming and outgoing requests, readily available to protect your internal network from external threats while providing secure access to internal resources from the outside. Forefront TMG has comprehensive publishing rules allowing you to make internal services such as Outlook Web Access, Exchange ActiveSync and a bunch of others available to remote users. However, Forefront TMG quickly reaches its limits when it comes to intelligent publishing.


On the other hand, Forefront UAG is used as an intelligent application layer gateway handling incoming requests to your network’s internal resources. The product is able to greatly enhance the publishing rules used in Forefront TMG by adding a level of application-aware intelligence. Forefront UAG supports portals, VPN, and has DirectAccess and Endpoint Access Policies to control client devices.


Finally, you will also get Forefront TMG installed as part of Forefront UAG installation, in which case TMG will be used as a secure firewall to protect the UAG server.

Forefront TMG and Forefront UAG Usage Scenarios

Each product has its own strong points, making it a better choice in certain scenarios. The following table (based on Microsoft’s feature comparison chart) outlines the supported and unsupported configurations for each product.

   TMG       UAG   
Application Intelligence and Publishing
End Point Security
SSL Tunneling
Information Leakage Prevention
Robust Authentication Support (KCD, ADFS, OTP)
Product Certification (Common Criteria)
NAP Integration
Terminal Services Integration
Array Management
Enhanced Management and Monitoring (MOM Pack)
Enhanced Mobile Solutions
New and Customizable User Portal
Wizard Driven Configuration
Globalization (RTL Languages)

Forefront TMG Support Boundaries

As I wrote earlier, there are supported and unsupported configurations for both TMG and UAG. Forefront TMG does NOT support any of the following configurations:

  • No support for 32-bit Windows
    Forefront TMG only supports 64-bit versions of Windows such as Windows Server 2008 SP2 or 2008 R2
  • No Windows Server 2003 or Windows 2000 support
  • Windows Server 2008 “Server Core” edition not supported
    Forefront TMG is only supported in Standard, Enterprise and Datacenter editions
  • Enterprise Management Server not supported on computers running Forefront TMG
  • No direct migration path from ISA Server 2004/2006
    ISA Server configuration must be exported and then imported back to a freshly installed TMG Server
  • No in-place upgrade from Windows Server 2008 SP2 to Windows Server 2008 R2
    You cannot upgrade Windows Server 2008 SP2 to Windows 2008 R2 while Forefront TMG is installed
  • In general, Forefront TMG cannot be installed on a domain controller
    Forefront TMG SP1 can be installed on a Read Only Domain Controller (RODC)
  • Firewall Client 2000 is not supported
  • Forefront TMG has a number of limitations when it comes to workgroup deployment
    - LDAP (publishing scenarios) or RADIUS (inbound and outbound access) authentication only for user groups
    - No support for client certificates as primary authentication
    - No support for user mapping (except for PAP and SPAP)
    - No support for group policy deployment of certificates for HTTPS inspection
    - No support for Automatic Web proxy detection using Active Directory Auto Discover
  • Other firewall products cannot be installed on a Forefront TMG Server.

Forefront UAG Support Boundaries

Just like Forefront TMG, Forefront UAG also has some supported and some unsupported configurations.

Forefront UAG and Forefront UAG DirectAccess

Just like Forefront TMG, Forefront UAG can be used to publish Web servers hosted on one of your internal computers, either directly or via a Web portal.

In addition, Forefront UAG extends DirectAccess functionality available in Windows Server 2008 R2 by serving as a DirectAccess Server, with the following implications:

  • You can configure Forefront UAG as both a publishing server and as a DirectAccess server on the same computer.
  • You can configure servers in a Forefront UAG Array to provide remote access to published servers and to act as a DirectAccess server at the same time.
  • If you configure Forefront UAG as a DirectAccess server, the Network Connector application will become unavailable.


Forefront UAG has limited support for IPv6 traffic. Basically, in Forefront UAG, IPv6 support is implemented just enough to support DirectAccess (which is IPv6-based). As such, Forefront UAG supports the following types of IPv6 traffic:

  • Inbound authenticated IPv6 traffic using IPsec.
  • Native IPv6 traffic from and to the Forefront UAG DirectAccess server.
  • Inbound and outbound IPv6 transition technologies (6to4, Teredo, IP-HTTPS and ISATAP).

All other types of IPv6 traffic are not supported by Forefront UAG.

Running Forefront UAG With Forefront TMG

Now we come to the part that causes the most confusion: how do the two products work together, and can Forefront UAG outright replace Forefront TMG?


Indeed, the many intelligent features available in Forefront UAG tempt some users to switch from TMG to UAG completely. However, when considering such a switch, Forefront TMG users must keep the following in mind:


  • Forefront TMG is not available as a separate product. It is always installed as part of the Forefront UAG installation. You cannot install or uninstall Forefront TMG as a separate product.
  • Forefront UAG uses Forefront TMG, but not the other way around.
  • Forefront TMG adds firewall protection to the Forefront UAG server.
  • Configuration changes made in Forefront UAG are automatically propagated to Forefront TMG, but not the other way around.
  • Finally, publishing a server is a lot easier done with Forefront TMG. Therefore, if you’re about to publish a Web server, email service or RDP server, the choice of Forefront TMG will allow simpler deployment and easier maintenance.

Forefront TMG: Unsupported Configurations

While some configuration changes can be done to Forefront TMG via the TMG Management console (MMC), the following configurations are explicitly not supported:


  • You cannot manually install Forefront TMG. It only comes as part of the Forefront UAG package.
  • You cannot manually uninstall Forefront TMG. It will be uninstalled automatically when you remove Forefront UAG.
  • If you already have Forefront TMG installed, you cannot install Forefront UAG on that computer.
  • You cannot configure Forefront TMG as a forward proxy for outbound Internet access.
  • You cannot configure Forefront TMG as a site-to-site VPN server.
  • You cannot configure Forefront TMG as an intrusion protection system (IPS).
  • You cannot publish Forefront TMG via Forefront UAG.

Forefront TMG: Supported Configurations

Certain configuration settings can be made via the Forefront TMG Management console (MMC). This includes the following:

  • You can create VPN remote access rules for users, groups, and networks. Note, however, that any additional access rules must be placed lower than any firewall policies automatically created by Forefront UAG.
  • You can configure monitoring, logging and reporting settings separately for Forefront TMG.
  • You can modify Forefront TMG system policies to allow two-way traffic exchange between Forefront TMG and internal servers.
  • You can publish Exchange email servers via SMTP/SMTPS, IMAP/IMAPS and POP3/POP3S protocols.
  • You can Publish Office Communications Server (OCS)
    However, you can NOT publish OCS Web access. For publishing OCS Web access, use Forefront UAG.

Forefront TMG Discontinued: Using Forefront UAG Without TMG

As you may already know, Microsoft discontinued Forefront TMG quite some time ago. Therefore, many new and existing users will have to use Forefront UAG with no added protection available from the currently discontinued Forefront TMG. As such, you may consider the following scenarios for using Forefront UAG in your network:


  • Set up Forefront UAG in a DMZ scenario behind a front-edge firewall in place.
  • Configure Forefront UAG to run concurrently with an existing firewall.


As to which firewall to choose for your Forefront UAG installation, you may have multiple options available on the market. Also note that you may need to configure the correct port mapping settings in your firewall to enable correct operation of Forefront UAG.

Tags: TMG, UAG