I've heard a number of questions this year from people wondering what they should do in the future regarding their edge devices. They have been running ISA firewalls for years and would like to continue to use ISA firewalls, now renamed to the TMG firewall. On the other hand, they're hearing that UAG is the technology of the future and so maybe they should go with that instead.
There is no easy answer here, but I think the safest answer is that if you like what you have with ISA, you should stay with TMG. TMG is the latest version of ISA and provides the same level of support for inbound access as the ISA firewall, but it includes a lot of improvements for outbound access control and network security - so much so that you can even get rid of Websense on your network, use TMG firewall arrays instead, and save a tremendous amount of money in the process.
Some people say that if you want the best option for inbound access, then you should consider UAG. That may or may not be true, depending on your particular scenario. UAG's web publishing methodology can be very difficult to understand, even more difficult to configure, and requires that you have a lot of HTML coding knowledge. You have to spend a lot of time picking at configuration files, all of which is reminiscent of Windows 3.1 or an open source Linux solution. Many folks have said they don't get the feeling that UAG is a finished product when it comes to its web publishing and portal feature set.
However, where UAG does shine is in its enablement of a working and robust DirectAccess solution. The built-in Windows DirectAccess solution isn't something that really works on most of the networks we see out there today. If you actually want a DirectAccess solution that works with the network you have today and the networks you plan for tomorrow, UAG DirectAccess is the only way to go. While it is possible to configure the TMG firewall to host the DirectAccess server role, that is still the Windows DirectAccess solution, with all the limitations that come with it.
So what's the solution? I'll go out on a limb and provide you the following recommendations (keeping in mind that these are my personal opinions and don't represent the views of Microsoft or anyone else):
- If you're happy with the ISA web and server publishing solution you have now, then stay with it and upgrade to TMG.
- If you're not happy with the ISA web and server publishing you have now and see that UAG provides key features that you need, then consider bringing in a UAG server.
- If you want what is probably the best outbound access control device on the market today, then upgrade your ISA to TMG.
- If you want to derive all the benefits that DirectAccess has to offer, then bring a UAG DirectAccess server or UAG DirectAccess array into your network.
Given the above, I think that in most cases this means you'll end up wanting both a TMG and a UAG solution on your network. Now the big question is, where should you put them? I recommend that you put the TMG on the edge of the network: that is what it was designed for, it has been thoroughly penetration tested for this scenario, and it has a decade-long history as one of the most secure firewalls on the market today. On the other hand, the UAG should be behind the TMG firewall, as it does run IIS 7 on the box and doesn't use the time-tested web listeners used by TMG. I don't know whether or how much UAG has been pen-tested as an edge device, as I see a lot of conflicting information out there. That's the reason that, to be safe, I recommend that you put the UAG behind the TMG firewall for the time being.
DEBRA LITTLEJOHN SHINDER
MVP (Enterprise Security)