Since the formal announcement from Microsoft of the end-of-life for Forefront Threat Management Gateway (TMG) 2010, many have been looking for a suitable replacement for TMG. While there are myriad contenders, one that is often overlooked is TMG! Say what?!? Yes, that’s right. TMG. While TMG has been officially deprecated, it is still supported until April 2020 and can still serve as an excellent network security solution, with a few caveats. Although there will not be another new version of TMG, and there will be no more feature enhancements (only security updates and bug fixes), there are a number of deployment scenarios for which Forefront TMG 2010 is still a viable option. In fact, TMG has some important features and functionality that have yet to be duplicated by another vendor. So, when considering a replacement for your Forefront TMG 2010 firewall, think again. You may just be surprised to find that TMG is still the best alternative for your deployment scenario. Although Forefront TMG will be supported for several years to come, and the majority of its features will continue to work in perpetuity, there are a few areas in which some TMG functionality will be degraded prior to the end of support date. Let’s explore those deployment scenarios and discuss which roles and functions TMG will capably serve and which features might require an alternative solution.
Network Firewall
At its core, Forefront TMG 2010 is a 64-bit routing network firewall that provides stateful packet filtering and layer 3-7 traffic inspection. It provides the ability to define routing or NAT relationships between networks, and does so in a secure manner using a default deny firewall policy. In addition, the Forefront TMG firewall’s core engine operates in kernel mode and is highly resilient, enforcing granular per-IP connection limits that keep the firewall itself from being taken down either by a direct denial-of-service attack or by the indirect flooding caused by a worm or virus outbreak on a protected network. The network firewall features of Forefront TMG will continue to work without issue indefinitely. If you’re using Forefront TMG 2010 as a basic firewall today, you can safely continue to do so for quite some time to come.
Basic Forward Proxy Server
In addition to serving as an excellent routing firewall, one of Forefront TMG’s most commonly deployed features is the forward proxy server. In this role, TMG proxies requests from internal network clients to the public Internet and serves as a single, trusted host to access the Internet.
Implementing a forward proxy server has many benefits. It provides an aggregation point for all outbound access, which allows for centralized policy enforcement, consolidated logging and reporting, and a platform for additional content inspection such as Data Leakage Prevention (DLP) solutions. In addition, the TMG firewall can provide content caching, which not only speeds up common Internet requests but also reduces the bandwidth used on Internet links. Also, TMG supports the Forefront TMG Firewall Client, a software component installed on Windows workstations that serves as a transparent proxy for Winsock applications. This is a powerful and compelling feature of the basic forward proxy server role that allows TMG to proxy both web-based and non-web-based applications.
Another important feature that TMG provides in the basic forward proxy server scenario is authentication. With TMG you can enforce strong user and group-based authentication for web proxy and firewall clients, and you can do so using NTLM and/or Kerberos Active Directory authentication. While there are a number of proxy server alternatives on the market today, and most can perform some type of client authentication, TMG is unique in that it can do so transparently and with native domain authentication methods, by virtue of the host being joined to the domain. This allows TMG administrators to use Kerberos authentication for outbound web proxy requests when it is configured correctly, that is, when clients address the proxy by a name for which an HTTP/ service principal name (SPN) is registered; otherwise Negotiate silently falls back to NTLM. Kerberos enables much more accurate and secure authentication, in addition to providing significantly improved scalability. To my knowledge, there are no proxy solutions on the market today that can leverage Kerberos for authenticating web proxy requests. I also know of no other vendor that provides a transparent Winsock proxy client. Using the Forefront TMG firewall as a basic authenticating web proxy server and content cache, along with the Forefront TMG Firewall Client to provide transparent proxy services for non-web-based protocol traffic, TMG remains an excellent solution in this deployment scenario.
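Because an authenticated user name in the proxy log looks the same whether the client used Kerberos or NTLM, the only reliable way to confirm that Kerberos is actually being used is to look at the Negotiate token the client sends in its Proxy-Authorization header. The following script is an added example, not part of the original article and not TMG code: it decodes a Negotiate token, walks the SPNEGO NegTokenInit structure (RFC 4178) to read the mechTypes list, and reports whether the client offered Kerberos first or fell back to NTLM (either as raw NTLMSSP or as an NTLM-only SPNEGO token). The sample tokens at the bottom are constructed by the script itself for illustration, not captured traffic; the mechToken payloads are dummy bytes.

```python
"""Classify the Proxy-Authorization token a client sent to an authenticating
web proxy: did Negotiate actually carry Kerberos, or did it fall back to NTLM?
Added example (not from the original article); tokens below are constructed."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KERBEROS_OIDS = {"1.2.840.113554.1.2.2",   # RFC 1964 Kerberos V5
                 "1.2.840.48018.1.2.2"}    # Microsoft Kerberos (MS KRB5)
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, otherwise long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after this TLV) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_spnego_init(mech_oids, mech_token: bytes = b"") -> bytes:
    """Build a GSS-API InitialContextToken wrapping a SPNEGO NegTokenInit."""
    fields = _tlv(0xA0, _tlv(0x30, b"".join(encode_oid(o) for o in mech_oids)))
    if mech_token:
        fields += _tlv(0xA2, _tlv(0x04, mech_token))   # [2] mechToken OCTET STRING
    return _tlv(0x60, encode_oid(SPNEGO_OID) + _tlv(0xA0, _tlv(0x30, fields)))


def spnego_mech_types(token: bytes):
    """Return the mechTypes OIDs from a SPNEGO NegTokenInit, in client order."""
    tag, body, _ = _read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid_body, pos = _read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid_body) != SPNEGO_OID:
        raise ValueError("thisMech is not SPNEGO")
    tag, neg_init, _ = _read_tlv(body, pos)            # [0] negTokenInit
    if tag != 0xA0:
        raise ValueError("not a NegTokenInit")
    _, seq, _ = _read_tlv(neg_init, 0)                 # SEQUENCE
    tag, mech_types, _ = _read_tlv(seq, 0)             # [0] mechTypes
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    _, oid_seq, _ = _read_tlv(mech_types, 0)           # SEQUENCE OF OID
    oids, pos = [], 0
    while pos < len(oid_seq):
        _, oid_body, pos = _read_tlv(oid_seq, pos)
        oids.append(decode_oid(oid_body))
    return oids


def classify_proxy_authorization(header_value: str) -> str:
    """'kerberos', 'ntlm-fallback', 'ntlm', 'basic' or 'unknown' for one header."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme in ("basic", "ntlm"):
        return scheme
    if scheme != "negotiate":
        return "unknown"
    token = base64.b64decode(blob)
    if token.startswith(b"NTLMSSP\x00"):   # raw NTLM under the Negotiate scheme
        return "ntlm-fallback"
    mechs = spnego_mech_types(token)       # SPNEGO uses the first listed mechanism
    return "kerberos" if mechs and mechs[0] in KERBEROS_OIDS else "ntlm-fallback"


# Constructed samples (not captured traffic); 200 dummy bytes force long-form lengths.
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(build_spnego_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", NTLMSSP_OID], b"\x00" * 200)).decode()
SAMPLE_NTLM_IN_SPNEGO = "Negotiate " + base64.b64encode(
    build_spnego_init([NTLMSSP_OID], b"NTLMSSP\x00\x01")).decode()
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    for name, hdr in [("kerberos-first", SAMPLE_KERBEROS), ("ntlm-only spnego", SAMPLE_NTLM_IN_SPNEGO),
                      ("raw ntlmssp", SAMPLE_RAW_NTLM), ("basic", "Basic dXNlcjpwYXNz")]:
        print(f"{name:18} -> {classify_proxy_authorization(hdr)}")
```

Feed it the Proxy-Authorization value from a client-side capture (or a proxy-side trace) taken while a domain-joined client browses through TMG. A result of ntlm-fallback on a client that should be using Kerberos usually means the client is pointed at the proxy by IP address or a short name with no matching HTTP/ SPN, which is exactly the "configured correctly" condition above. The SPNEGO walker only reads mechTypes; it does not validate the Kerberos ticket inside mechToken.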
Reverse Web Proxy Server
A reverse web proxy server, used for providing secure remote access to internal web-based applications, is another role that the Forefront TMG firewall can continue to provide well into the future. Again, many alternatives are available, but as with the forward web proxy server role, TMG continues to offer features that other solutions don’t. For example, when publishing web applications such as Exchange and SharePoint, TMG can require strong authentication with client certificates at the edge and then use Kerberos constrained delegation with protocol transition to obtain Kerberos tickets on behalf of users for the published server. To my knowledge, this is a capability that is still unique to Forefront TMG 2010. Additional features of the reverse web proxy role, including content caching, HTTP compression, application layer traffic inspection, strong user and group-based authentication, and application farm load balancing, are not affected by the deprecation of the product and will continue to operate effectively for quite some time.
Virtual Private Networking (VPN)
For many customers, the Forefront TMG 2010 firewall is deployed to provide secure remote network-layer access to the corporate network, most often for network and systems administrators but increasingly for end user access to data and applications that don’t lend themselves well to application publishing via other means like a reverse web proxy. Built on the venerable Routing and Remote Access Service (RRAS) of the Windows operating system, TMG enhances client-based remote access by subjecting VPN clients to firewall policy rather than granting them unrestricted network access. TMG also supports modern remote access protocols such as SSTP, which tunnels PPP over HTTPS and so works for field-based clients from almost any network. TMG can also serve as an excellent site-to-site VPN endpoint to connect remote branch offices, and can even provide cross-premises connectivity to hosted public-cloud Infrastructure-as-a-Service (IaaS) providers such as Windows Azure and Amazon Web Services. Once again, all of TMG’s VPN capabilities, both client-based and site-to-site, will continue to function effectively for quite some time.
Are There Drawbacks for the Continued Use of Forefront TMG?
I realize until now I’ve painted a pretty rosy picture of the Forefront TMG 2010 firewall post-EOL announcement. The reality is, however, that although there are some deployment scenarios in which the TMG firewall will perform capably for many years to come, there are some drawbacks to doing so. The most pressing issue is the fact that Forefront TMG 2010 cannot be installed on the latest release of the Windows Server operating system, Windows Server 2012 R2. Although Windows Server 2008 R2 is still supported, and will be for many years, it is not as secure as Windows Server 2012 R2. Also, Forefront TMG cannot be installed on Server Core, which in my opinion is a serious drawback. That’s not to say that TMG on Windows Server 2008 R2 is not secure, because it most certainly is! When properly prepared using industry standard and product-specific best practices such as service hardening and attack surface reduction, SSL/TLS hardening (disabling SSL 2.0 and 3.0 and weak cipher suites in Schannel), and following administrative best practices, it is as secure as any solution available today. There have been a number of security enhancements in later releases of Windows that TMG will not benefit from, however. In addition, the lack of IPv6 support in TMG will be a serious limiting factor in the not-so-distant future. Another potential area of concern is the lack of native support for publishing future versions of Microsoft applications like Exchange and SharePoint. Today, TMG has built-in deployment wizards that only support publishing Exchange and SharePoint 2010. Newer releases such as Exchange 2013 and SharePoint 2013 can be published, of course, but doing so requires some manual configuration and may also present supportability issues in the future.
Extending Forefront TMG Functionality with Third-Party Integrations
Although Forefront TMG 2010 will be supported until the year 2020, some features will suffer degraded functionality beginning in 2016. Microsoft has announced that it will cease to operate the Microsoft Reputation Service (MRS) that TMG relies on for web site categorization (URL filtering) on December 31, 2015. Microsoft will also no longer produce anti-malware and Network Inspection System (NIS) signature updates past that date; the anti-malware and NIS engines will continue to function, but with outdated signature files, which offers steadily less protection. If you have deployed the TMG server as a basic forward web proxy, reverse proxy, or VPN, this will have no effect on the functionality of TMG. However, if you’ve deployed TMG as an advanced forward web proxy and are relying on these services to provide intelligent threat management, these services will be degraded well before support for the product expires. For this deployment scenario, there are a number of excellent on-premises and cloud-based third-party solutions that can be leveraged to address this shortcoming.
What about Licensing?
The official “end-of-life” announcement from Microsoft is actually a bit misleading. It should be “end-of-sale”, and at that, it really should be “end-of-sale by Microsoft”. If you’re deploying Forefront TMG 2010 today using Microsoft-sold licenses, you must already have obtained the required processor licenses for TMG prior to December 1, 2012. Although no longer for sale by Microsoft, new Forefront TMG 2010 licenses can still be obtained from a Microsoft OEM partner in the form of a virtual or hardware appliance version of TMG. However, the Web Protection Service (WPS) subscription license is no longer available via any channel. If you’re planning to use the TMG firewall to provide advanced web protection, a third-party solution will be required unless you already own WPS or have the Enterprise CAL (eCAL) option.
It was a sad day when Microsoft announced that they were abandoning future development of the Forefront TMG 2010 firewall. It is widely deployed, and in my opinion was one of the best solutions for protecting Microsoft networks and workloads. It provided unique features and capabilities that, even today, are not provided by competing solutions. All is not lost, however! TMG is most certainly in its waning days, but as the sunset approaches for this fine product there are still a few more good years left, I’m sure! Depending on your deployment scenario and specific requirements, Forefront TMG can still be a valuable solution. If you’re in need of a network firewall, a basic forward or reverse proxy server, or a client-based or site-to-site VPN, then TMG can still be deployed successfully. For advanced web protection features, third-party solutions are available to bridge some of those gaps. My advice to you is to look closely at your requirements and don’t discount the Forefront TMG 2010 firewall. Keep calm, and deploy TMG!