I’ve seen a few emails, blog posts and forum questions regarding how IT should plan for the next wave of Microsoft edge security solutions. As you probably already know, the ISA brand is going away and is being replaced with the Forefront Threat Management Gateway or TMG. The IAG brand is also going away (although this brand is not nearly as entrenched as the ISA brand) and it’s being replaced by the Unified Access Gateway or UAG.
What is TMG? It’s the next version of ISA. Like ISA, TMG is an inbound and outbound access gateway, VPN server, site to site VPN gateway and forward and reverse Web proxy (and outbound Winsock proxy). At its core, it’s a network network level firewall that performs stateful packet and application layer inspection on all communications moving to and through the firewall.
In contrast, the UAG is an inbound access device only. You do not use the UAG for any outbound access tasks. So, if you need both inbound and outbound access control handled by a single device, the UAG is definitely not for you.
The problem is that most organizations that use the ISA firewall separate their firewall deployments between inbound and outbound arrays. In that case, what should you do? The answer is easy: replace your inbound array with UAG and upgrade your outbound array with TMG.
Of course, UAG is quite a bit more expensive than TMG. So if cost is an issue, you might want to consider upgrading the inbound and outbound ISA arrays to TMG. On the other hand, UAG provides a significantly higher level of security for inbound Web connections than TMG. Also, UAG will represent a unified and integrated DirectAccess solution. Therefore, if you are not significantly cost constrained, and you plan on deploying DirectAccess, then UAG is the clear choice for inbound access.
If we reframe the issue a little bit, the answer becomes even easier. Most enterprises I’ve worked with use ISA only for inbound access control, and more precisely, reverse Web proxy. These companies deploy large reverse proxy arrays and deploy them in multiple locations. For these organizations, UAG is the clear solution, since they require the highest level of security and flexibility. While TMG would represent a “good enough” solution for inbound access control, they would be definitely “behind the curve” if they chose to go with TMG instead of UAG.
This presents an interesting problem for enterprise organizations who have standardized on ISA reverse proxy solutions. Most of them that I’m aware of have been using a Microsoft reverse proxy solution since Proxy 2.0. Even though UAG is built on top of TMG, the installation, configuration, management and maintenance experience with UAG is going to be significantly different than the ISA/TMG management experience.
This might mean a significant increase in administrative overhead and IT training costs due to changing over to the new reverse Web proxy platform. A natural question to ask is: in these challenging economic times, will enterprise IT departments with large ISA reverse proxy deployments be willing to eat the costs incurred with retooling their organizations to support a UAG solution?
For smaller orgs and mid market companies, they’ll most likely go with TMG, since they’ll want to take advantage of inbound and outbound access control and also keep their costs down. How far they’ll be able to keep their costs down is unsure at this time as the pricing model for TMG seems to be changing. While the price of the core platform isn’t known yet, we do know that there will be additional costs due to licensing of the anti-malware signatures. That said, even when you bake in the costs of the anti-malware signatures, the cost of TMG is likely to be much less than UAG.
TMG or UAG? On the surface, the answer is simple. However, when you consider the economic, social, political, and technological issues in their entirety, coming to the right answer might not be as easy as it seems. One thing is for sure, this isn’t going to be my last blog post on this issue 🙂
HTH,
Tom
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING | Microsoft Forefront Security Specialist
Email: [email protected]
MVP — Forefront Edge Security (ISA/TMG/IAG)