Roles TMG Plays
How many times have you talked to someone about the TMG firewall and had them tell you that “TMG is a web proxy” or “TMG is a web security gateway” or “TMG is some kind of software firewall” or “TMG is like Websense” or something similar to this? While it’s interesting to hear these things from people who have never worked with nor seen TMG, what’s most amazing is that there are the people who claim they’re highly experienced with ISA and TMG and still make these sorts of statements.
In fact, I often get mail from readers who have been using ISA/TMG for years, but have only been using it in one limited role and have no real understanding of its full capabilities. Just as, according to scientists, most of us use only a fraction of our brains’ functionality, many TMG admins are using only a fraction of TMG’s functionality.
This isn’t new to TMG. Many people believe that one of the problems that affected ISA’s reputation and sales was the fact that it did too many things. Some potential users were confused or overwhelmed, and went with products that had more clearly defined and more limited purposes. Another problem that plagued the ISA firewall and subsequently the TMG firewall was their ancestry, which includes Proxy Server 2.0. It’s probably this, more than anything else, that has led to the misperception that ISA and TMG are “just” glorified proxy servers.
If you ask yourself the question, “What is the TMG firewall?” you would probably say it’s obvious by the fact that “firewall” is included in the name that it’s a firewall. But that’s far from the whole story. What else does the TMG firewall do? What roles can the TMG firewall perform on your network? That’s what we’re going to look at in this article.
I like to think of the TMG firewall as the Swiss army knife of networking devices. The many roles that the TMG firewall can play on your network include:
- Network firewall
- Forward web proxy
- Reverse web proxy
- Web caching server
- Web security gateway
- Winsock proxy
- Remote access VPN server
- Site to site VPN gateway
Let’s take a short look at each of these roles and the value that your Threat Management Gateway can provide when performing them.
First and foremost, the TMG firewall is a firewall. It was designed to be a firewall from the ground up, and it has been battle tested for over a decade and has proven itself to be one of the most secure firewalls on the market today. In its role as network firewall, its primary job is to control all traffic moving to and through the firewall. It does this by applying traffic control policies set by firewall rules that are configured in the TMG firewall console.
In addition to performing policy based traffic control, the TMG firewall also acts as a stateful packet inspection filter, Intrusion Detection System/Intrusion Prevention System, provider of Denial of Service protection, and logger and reporter of all the traffic moving to and through the firewall.
The TMG firewall brought us some significant improvements over the ISA firewall, due to the introduction of the Network Inspection System or NIS. The Network Inspection System is an IDS/IPS system that is targeted primarily to protect against exploits written for Microsoft products. The goal of the Network Inspection System is to block exploits while you’re testing security updates on the clients and servers on your network. Since the release of the TMG firewall, the Network Inspection System has shown itself to be extremely effective in blocking these types of exploits.
Forward web proxy
ISA and TMG have their roots in Microsoft Proxy Server and they still retain the ability to act as a web proxy server. There are a couple of different types of web proxies. A forward web proxy server is a machine that accepts HTTP, HTTPS and FTP connections from a web proxy client and forwards them to the destination web server. The client machines must have their browsers configured to be clients of the web proxy server. In some cases, such as that of the TMG firewall, you don’t need to configure the browsers to use the TMG firewall as the web proxy server because there is a web proxy “redirector” of sorts in the TMG firewall that will pass web traffic up to the web proxy component, even if the client browser isn’t configured to be a web proxy client.
The web proxy server receives the request from the web proxy client and then recreates the request and forwards it to the destination web server. Because the web proxy server has complete knowledge of the request, it can do a number of things to modify the request. In addition, since the destination web server sees the web proxy server as the client, it can also modify the responses receive from the destination web server before forwarding that response to the client.
You will see examples of this in a later section, when I talk about the TMG firewall’s role as web security gateway.
Reverse web proxy
We said a forward web proxy server accepts web requests from client systems on the corporate network and forwards them to web servers on the Internet. In contrast, the reverse web proxy server accepts web requests from clients located anywhere on the Internet and forwards those requests to a web server on the intranet.
Similarly to the forward web proxy server, the reverse web proxy server can modify the requests and responses from and to the Internet based client before sending them. This allows the TMG firewall to do a number of things to better secure the connections to the web servers that you’re hosting on your intranet:
- You can require authentication before forwarding the connection
- You can require authorization before forwarding the connection
- You can control which commands the Internet clients can send to the internal web server
- You can prevent DoS attacks against your web servers on the intranet
In addition, the reverse web proxy server (like the forward web proxy server) can cache responses.
Web caching server
A web caching server is almost always a web proxy server, too. A web caching server can store the web pages that the web proxy clients, whether they be internal or external, request. When a different client subsequently asks for the same page, the page is returned from the web proxy cache instead of from the web server out on the Internet.
This has different advantages based on whether the caching is taking place for forward or reverse web proxy. In a forward proxy scenario, the web caching can significantly speed up the web browsing experience for your users. When the first user requests a particular web page, that page is retrieved from the destination web server and placed in the web proxy cache. When a second user asks for the same page, the TMG firewall will either immediately return the page from its web proxy cache, or check the destination web server to see if the paged is changed, and if the page has not changed, return the page from the web proxy cache. The TMG firewall maintains pages in both an in-memory cache and in a disk cache. Returning a page from the TMG firewall on your local network, across (typically) a gigabit network connection, will be much faster than bringing it in from a distant web server over a (typically) one to 50 megabit per second Internet connection.
The situation is a bit different with reverse proxy. In a reverse web proxy caching scenario, the goal is not to speed up the experience. Instead, the goal is to reduce the load on your web servers on the intranet. When an external user requests a page from one of your internal web servers, that page is cached on the TMG firewall and then returned to the web browser of the user out there somewhere on the Internet. When another user on the Internet makes a request for that same page, that page is returned from the web proxy cache instead of being returned from your intranet web server. This reduces the load on the web servers and potentially can improve performance for intranet users of the same web server.
Web security gateway
One of the major improvements that was introduced in the TMG firewall was the “web protection” features. Web protection is accomplished through two main mechanisms: web anti-malware and URL filtering.
The web anti-malware feature of TMG inspects the responses received from web servers on the Internet, looking for malware. The TMG firewall uses the Microsoft antivirus engine to inspect the responses and the malware signatures are updated several times a day. You can trickle responses to your users so that they see something is happening when they are downloading files from the Internet, or they can be presented with a page that shows a progress bar. If there is malware in the response, the TMG firewall will block the file from being downloaded.
The URL filtering feature allows you to control which sites your users can access. This is a flexible feature that allows you to block sites based on pre-defined categories, or you can create your own categories. In addition, if you think a site doesn’t belong in a particular category, you can remove the site from the category. Likewise, if you think a site belongs in a specific category, you can place it in the category to which you think it belongs. URLs can be either whitelisted with “allow” rules or blocked using “deny” rules, so you have a lot of flexibility for controlling users’ web browsing behavior.
A Winsock proxy is similar to a SOCKS proxy. The Winsock proxy feature of the TMG firewall allows any network application on the client to forward its requests to the TMG firewall and allows the TMG firewall to proxy the request to the destination server. The primary difference between a Winsock proxy and a SOCKS proxy is that with a SOCKS proxy, you have to configure the application with information about the name or address of the SOCKS proxy server. In contrast, the TMG firewall takes advantage of the Firewall client (TMG client) so that applications transparently forward their connections to the TMG firewall. This means that you don’t have to configure the applications to use the TMG firewall as their proxy server.
Remote access VPN server
A remote access VPN server is a server that can accept VPN connections from VPN clients. The connection is like a virtual Ethernet connection between a VPN client and the VPN server, and provides a secure way for remote clients to connect to the network. The TMG firewall can apply all security and protection features on the VPN client connections, so that stateful packet and application layer inspection is applied to all traffic moving between the VPN client and the servers on your intranet. You can create very fined grained policies to control what VPN clients can do while connected to your network, so that you can limit them to specific protocols, servers and applications while connected.
Site to site VPN gateway
In contrast to the remote access VPN server functionality, the site to site VPN gateway feature allows you to connect entire networks to each other (rather than just connecting individual remote clients to your network). In the role of site to site VPN gateway, the TMG firewall acts as a type of network router, routing connections from one network to another network through a VPN connection over the Internet. Similar to the remote access VPN server role, the site to site VPN connections can be filtered using all the same features that protect any other kind of connection moving to or through the TMG firewall.
As you can see, the TMG firewall is much more than just a firewall or just a web proxy server. It’s the Swiss army knife of network devices and it performs all of these roles in an exceptionally secure and performant fashion. The next time someone asks you what the TMG firewall does, you can say “well, it does a lot of things!” and then you can tell them about its capabilities as a forward and reverse web proxy server, network firewall, web caching server, web protection server, Winsock proxy server, remote access VPN server and site to site VPN gateway.