The threat landscape has changed substantially since Microsoft first released ISA Server 2006 nearly six years ago. ISA is an excellent edge firewall, proxy and VPN server, but it lacks the advanced web protection capabilities necessary to defend our users from attack on today’s Internet. With the release of Forefront Threat Management Gateway (TMG) 2010, Microsoft provides us with an integrated edge security solution that can provide the level of protection our security engineers require from a modern secure web gateway. With the end of mainstream support fast approaching for ISA Server 2006 SP1, many organizations are now finally starting to consider upgrading their existing ISA infrastructure. Better late than never, I say! In this article I’ll provide a review of the new features included in TMG and make a compelling argument to start planning your migration to TMG soon.
TMG is Native 64-Bit
TMG is now a native 64-bit application that runs on the latest 64-bit operating system from Microsoft – Windows Server 2008 R2. Installation on Windows Server 2008 SP2 is also supported. With 64-bit support, TMG can now address much more memory than ISA Server is capable of. Removing the 4GB memory limit imposed by 32-bit operating systems means that TMG can be scaled up more effectively, and can handle much more traffic than its predecessors.
TMG Runs on Windows Server 2008 SP2 and R2
In addition to having access to more memory, Windows Server 2008/R2 include a new networking stack that can increase stability and provide significant performance improvements in some environments. The Windows Next Generation networking stack includes features such as Receive Window Auto Tuning, Receive-Side Scaling (RSS), Compound TCP, and Explicit Congestion Notification (ECN). Veteran ISA server administrators know that some of these features, included in the Scalable Networking Pack (SNP) and later included in Service Pack 1 (SP1) for Windows Server 2003, conflicted with ISA and had to be disabled. No longer is this an issue with TMG and Windows Server 2008/R2! In addition there are enhancements to dead gateway detection and improvements in black hole router detection. The most important change in the new networking stack is the Windows Filtering Platform (WFP), which allows TMG to integrate with the networking stack much more closely than in previous versions. Also, the new NDIS specification now allows the TMG firewall driver to filter traffic at layer two and provides support for tagged VLANs and NIC teaming! You can read more about the myriad changes and improvements made to the Windows 2008/R2 networking stack here. Windows Server 2008/R2 are more highly instrumented as well, making performance monitoring and troubleshooting much easier.
Advanced Web Protection
Like its predecessors, TMG is a multi-layered perimeter defense system that also provides secure remote access. The majority of new features in TMG are centered on the forward (outbound) proxy scenario, however. To improve the level of protection provided for clients accessing resources on the Internet, TMG now includes the following advanced web protection capabilities:
- URL filtering – With integrated URL filtering, TMG can prevent access to web sites that are known to be malicious or are not allowed by corporate acceptable use policies.
- Web antimalware – With integrated virus and malicious software scanning, TMG can provide protection from file-based attacks. Users are now protected when downloading files.
- Network Inspection System (NIS) – NIS is a compelling new intrusion detection and prevention feature that provides protection from protocol-based attacks. With signatures developed by the Microsoft Malware Protection Center (MMPC) and released concurrently with security updates on the second Tuesday of each month (patch Tuesday), NIS is designed to prevent vulnerabilities in Microsoft software from being exploited remotely.
- HTTPS Inspection – HTTPS has long been referred to as the “universal firewall bypass protocol”. HTTPS provides end-to-end encryption which renders even the most advanced application layer firewalls nearly useless. TMG has the ability to terminate and decrypt SSL communication, allowing for full application layer traffic inspection to take place.
Advanced E-Mail Protection
To provide advanced e-mail protection, TMG can integrate intimately with your existing Exchange 2007/2010 environment. TMG supports the installation of the Exchange edge transport role directly on the TMG firewall, as well as Forefront Protection for Exchange to provide anti-spam, anti-phishing, and anti-malware protection. The advantages of this deployment scenario are consolidation of edge systems and simplified e-mail policy management using the native TMG management console. Using a clustered array of TMG firewalls also provides load balancing and fault tolerance for the secure mail relay.
TMG now includes support for Secure Socket Tunneling Protocol (SSTP). SSTP uses SSL to provide secure, encrypted communication between clients running Windows Vista SP1 or Windows 7 and the TMG firewall. SSTP is very firewall friendly, using the ubiquitous TCP port 443, which greatly simplifies the remote access VPN experience and provides much broader access to corporate resources. Additionally, TMG also includes support for Network Access Protection (NAP) integration. This allows TMG administrators to leverage their existing NAP infrastructure to enforce endpoint configuration policies for remote access clients.
Logging and Reporting Enhancements
The logging infrastructure in TMG is greatly improved over previous versions of ISA Server. TMG now installs SQL Server 2008 Express by default, which is significantly better than the MSDE provided with ISA. For added resiliency, TMG now has the ability to queue logged data to disk. With log queuing, TMG can continue logging and servicing requests even when the database is offline for any reason. Experienced ISA administrators managing very busy environments are painfully aware of what happens when ISA can’t log to the database – the firewall service would shut down and all traffic would be blocked. Those days are over! Reporting has been improved as well, with TMG now using SQL Server Reporting Services (SSRS) to generate reports. The overall look and feel of the reports is much better too.
New Deployment Options
TMG is now much easier to implement thanks to support for a new deployment scenario – the standalone array. You can now configure an array of Enterprise edition TMG firewalls without having to install and configure an Enterprise Management Server (EMS – formerly called the Configuration Storage Server, or CSS). Additionally, both Standard and Enterprise editions of TMG now use Active Directory Lightweight Directory Services (AD LDS) for local configuration storage. By contrast, ISA server used Active Directory Application Mode (ADAM) for Enterprise edition and the Windows registry for Standard edition. This change makes it possible for a TMG firewall to be joined to an array after TMG is installed. It is also now possible to disjoin an array without having to uninstall TMG.
Additional Networking Improvements
In addition to the enhancements to the underlying operating system’s networking stack outlined earlier, TMG now includes support for two different ISPs in a load balanced or failover scenario. Changes to NAT in TMG now allow the administrator to configure more granular NAT policies, including establishing one-to-one NAT rules. Most recently, TMG Service Pack 2 (SP2) provides the ability to leverage Kerberos authentication for web proxy clients configured to use the Network Load Balancing (NLB) virtual IP address (VIP).
But Wait, There’s More!
As with any major product upgrade, there are many smaller improvements that might go unnoticed. TMG is no exception. Many of these new features and capabilities will make the ISA firewall administrator’s life much easier. They include:
- SIP filter – Protecting Voice over IP (VoIP) traffic is much easier with the addition of the Session Initiation Protocol (SIP) filter in TMG.
- TFTP filter – A new TFTP filter greatly simplifies the process of providing secure access to TFTP servers.
- Improved error pages – With the latest service pack, the look and feel of the error pages is much improved. They are more easily customizable as well.
- SCOM integration – TMG includes support for integration with System Center Operations Manager (SCOM) 2007 and later.
Migrating from ISA to TMG
Migrating from ISA Server to TMG is not trivial, and requires careful planning and preparation. There are supported upgrade paths from ISA Server 2004 SP3 and ISA Server 2006 SP1. A complete discussion about migration is outside the scope of this article. However, you can read more about ISA to TMG migration here.
So, what are you waiting for? As you can see, Forefront Threat Management Gateway (TMG) 2010 has a lot to offer. It provides significantly more protection than its predecessors, and with 64-bit support and improvements to the underlying operating system the stability, performance, and scalability of TMG far surpass those of any previous version of ISA Server. TMG includes many advanced web protection capabilities not found in ISA Server, including URL filtering, virus and malicious software scanning, advanced intrusion detection and prevention, and HTTPS inspection. Although the improvements made in TMG are primarily focused on outbound protection, TMG includes support for integrating with Exchange to provide advanced e-mail protection. Additionally, TMG still provides secure remote access with support for publishing Exchange 2010 and SharePoint 2010. Remote access and site-to-site VPN are still supported, and with the addition of support for SSTP, client-based VPN access is as robust as ever. There have been improvements in logging and reporting and new deployment options. Enhancements to NAT and support for multiple ISPs are both welcome improvements that will address important needs for many current ISA administrators. Migrating configurations from ISA to TMG is fully supported, so you won’t have to reinvent the wheel when it comes time to upgrade. Forefront TMG has been out for more than two years, has two full service packs, and is Common Criteria EAL4+ certified. With mainstream support for ISA Server 2006 SP1 ending in early January 2012, there’s no need to wait any longer. Begin planning your upgrade to TMG today!