Life after TMG: Considering Sophos UTM as a TMG Replacement (Part 1)

If you would like to be notified of when Deb Shinder releases the next part in this article series please sign up to our Real Time Article newsletter.

We all know that our love affair with TMG will one day come to an end. Since Microsoft announced its plans to stop development and eventually stop support for many of its Forefront products, including our beloved Threat Management Gateway, many of us have started thinking ahead to the day when we’ll have to implement a replacement. A while back, I wrote a five-part series about some of the factors you should consider when you start evaluating possible replacement solutions. You can find the first article in that series here.

One replacement candidate that I kept hearing great things about, from others who either were still in the testing stage or who had gone ahead and made a replacement decision, was Sophos’s Unified Threat Management (UTM) solution. In fact, Sophos is heavily marketing this product as the ideal TMG replacement, and UTM-based appliances are being sold on that promise. The best part is that you don’t have to buy a new appliance; you can run UTM on the server on which you run TMG, or in a virtual machine running on Hyper-V or VMware. You can also deploy it in Amazon’s Virtual Private Cloud. So you have plenty of options regardless of the design model you prefer.

You can also set up cluster nodes to distribute traffic for redundancy and load balancing, or use the high availability failover feature to create a “hot standby” system that will take over if the primary system fails.

Sophos has been in the security business for a long time and you might be familiar with their antivirus software. Their UTM solution is based on Astaro technology, which they acquired around four years ago. Gartner’s Magic Quadrant now places Sophos in the Leaders quadrant of the unified threat management sector. Sophos UTM can, of course, be integrated with Active Directory for authentication, or it can use other LDAP, RADIUS, TACACS+ and Novell eDirectory authentication servers.

In the first of this series of articles, we’ll discuss some of the benefits of using Sophos UTM as a replacement for TMG and take a look at UTM’s firewall and NAT features and functionalities as well as its Intrusion Prevention System (IPS) feature. Then in subsequent installments, we’ll delve more deeply into additional features.

Sophos UTM Firewall

Threat management encompasses more than just firewall functionality, but the firewall is a vital component of any solution that aspires to take the place of TMG. Many consider TMG to be one of the best and easiest-to-use network firewalls available, and that’s why there were so many moans and groans when Microsoft announced that it was being discontinued. We’re naturally going to look hard at firewall functionality when considering any replacement.

One of the criteria is the inclusion of standard stateful firewall functionality (a.k.a. dynamic packet filtering), so that the firewall tracks the state of each connection, stores that information in state tables, and identifies and blocks packets that do not match an active connection.

Sophos bills the firewall component of UTM as a “next generation firewall” (NGFW). That is generally taken to mean a firewall that goes beyond traditional blocking of specific ports, and like most modern firewalls, Sophos adds many additional features never dreamed of in the old simple stateless firewall days. Like TMG, the Sophos NGFW includes the capability to do deep packet inspection to examine the content of the data packets to detect viruses, indicators of an attack or other traffic that’s not compliant with your policies.

One of the things that people really like about TMG is its application layer filtering, which allows you to control specific applications. Sophos UTM provides excellent visibility into the applications that are being used on your network and allows you to control access to them. You monitor Internet connections that are going through the firewall and you can see what’s happening as it happens, and set policies based on what you observe. You can also perform bandwidth shaping to give priority to certain business-critical applications.

The intrusion prevention system (IPS) capability of Sophos UTM makes it easy for you to see what is going on with web connections and detect web based attacks that are attempting to pass themselves off as legitimate web traffic.

Everybody hates dealing with the learning curve of getting to know a new product. The good news here is that the layout of the Sophos UTM firewall interface is sufficiently similar to that of TMG so that you won’t feel as if you’ve gone through the looking glass into a whole new world. Sophos is managed through a web interface called WebAdmin that opens to a dashboard from which you can get to the various functionalities (Network protection, web protection, endpoint protection, web filtering and web server protection, VPN, logging and so forth). The interfaces are nicely consistent from page to page. The dashboard also gives you an overview of the current threat status, resource usage and system configuration.

Creating firewall rules is easy; on the firewall overview page, you select the source(s), protocols and destinations and then specify the action (allow or deny), during a specified time period (or always). You can create sets of preconfigured objects to make things easier. You can group rules together and they are processed in order of position, as with TMG.

Figure 1

It’s also easy to block all communications from specific countries, which could be useful. This is done via a simple tab on the firewall page. Countries are identified using GeoIP databases, and this feature is supported only on IPv4 networks. There is also a tab labeled ICMP for controlling ICMP traffic and one called Advanced that is a catch-all for additional firewall and NAT settings such as connection tracking helpers, protocol handling and logging options.

NAT capabilities

The Sophos UTM also functions as a NAT gateway to translate between public IP addresses and private ones on the internal network. You can easily create masquerading rules by selecting the internal network you want to masquerade, selecting the external network interface, and defining the external IP address to use (if the interface has more than one).

You can create the following types of NAT rules:

  • Source Network Address Translation (SNAT) can be used to masquerade the LAN’s private address space to its public address, mapping multiple source addresses to multiple destination addresses.
  • Destination Network Address Translation (DNAT) can be used to make internal services that use internal IP addresses accessible from outside the network.
  • Full NAT combines both source and destination mapping.
  • 1:1 NAT rules are used to map the IP addresses of a whole network to another network.
  • No NAT is a type of rule you can use to exempt specific hosts from NAT.

There is an option to automatically generate firewall rules to correspond to your NAT rule.
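To make the five rule types concrete, here is a small added model (my own illustration, not Sophos code) that applies an ordered list of NAT rules to constructed packets, first match wins, and sketches the “automatically generate a firewall rule” option for DNAT. All addresses, networks and the rule representation are assumptions for the example.

```python
"""Toy model of SNAT, DNAT, Full NAT, 1:1 NAT and No NAT (illustration only)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    dport: int = 0

@dataclass
class NatRule:
    kind: str                          # "snat", "dnat", "full", "1to1", "nonat"
    match_src: str = "0.0.0.0/0"       # CIDR the packet source must fall in
    match_dst: str = "0.0.0.0/0"       # CIDR the packet destination must fall in
    new_src: Optional[str] = None      # SNAT / Full NAT: replacement source
    new_dst: Optional[str] = None      # DNAT / Full NAT: replacement destination
    map_to: Optional[str] = None       # 1:1 NAT: target network of equal size

def matches(rule: NatRule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.match_src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.match_dst))

def apply_nat(rules: list, pkt: Packet) -> Packet:
    """Rules are evaluated in order of position; the first matching rule wins."""
    for r in rules:
        if not matches(r, pkt):
            continue
        if r.kind == "nonat":            # exempted host: packet leaves untouched
            return pkt
        if r.kind == "snat":             # masquerade the private source address
            return replace(pkt, src=r.new_src)
        if r.kind == "dnat":             # publish an internal service
            return replace(pkt, dst=r.new_dst)
        if r.kind == "full":             # rewrite both ends
            return replace(pkt, src=r.new_src, dst=r.new_dst)
        if r.kind == "1to1":             # keep the host part, swap the network part
            src_net = ipaddress.ip_network(r.match_src)
            dst_net = ipaddress.ip_network(r.map_to)
            offset = int(ipaddress.ip_address(pkt.src)) - int(src_net.network_address)
            return replace(pkt, src=str(dst_net.network_address + offset))
    return pkt                           # no rule matched: no translation

def auto_firewall_rule(rule: NatRule) -> Optional[dict]:
    """Companion allow rule for a DNAT / Full NAT rule, mirroring the UTM option
    to generate a firewall rule alongside the NAT rule (hypothetical shape)."""
    if rule.kind not in ("dnat", "full"):
        return None
    return {"action": "allow", "source": rule.match_src, "destination": rule.new_dst}
```

Note that a No NAT rule only exempts a host if it is positioned before the SNAT rule that would otherwise masquerade it, which is why rule order matters here just as it does for firewall rules.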

IPS capabilities

Intrusion prevention is similar in purpose to, but separate from, firewall functionality. TMG’s IPS feature has been one of its biggest selling points. Sophos UTM’s Network Protection node includes the ability to create and manage IPS rules that use pattern signatures to recognize common attacks and block them. You can select which local networks are to be protected by the IPS and specify whether, when an IPS attack signature is detected, the system should just drop the data packet or send a packet to terminate the connection. The live log feature lets you view IPS activity in real time.

There are five types of IPS rule groups defined:

  • Operating system specific attacks
  • Attacks against servers
  • Attacks against client software
  • Protocol anomalies
  • Malware

You can select or deselect specific attacks within each group and you can choose, for each group, to drop the packets or to allow the packets through while generating an alert message in the IPS log to bring it to your attention. You can also choose to notify the administrator via email or SNMP trap.

Intrusion prevention also includes options for defending against Denial of Service and Distributed Denial of Service (DoS/DDoS) attacks, including TCP, UDP and ICMP flooding attacks. You can also configure port scan detection options, and you can create manual modifications to IPS rules.

Sophos UTM is a comprehensive threat management solution that provides most of the same functionalities as TMG. In this first installment of our series, we took a look at its firewall, NAT and IPS functionalities. One item on the “must have” list for many of the folks I’ve talked to who are looking for a TMG replacement is forward and reverse proxy functionality to match that of TMG. Sophos UTM delivers that capability. Another feature that’s important to many, if not most, of those who are currently using TMG is its virtual private networking functionality, both for point-to-site VPN connections and for setting up and managing site-to-site VPNs. In subsequent articles, we’ll delve more deeply into those features, and wrap it up with an overview of the best of the rest as well as cost factors, installation and deployment considerations.
