Friday, May 15, 2009

ISA vs TMG vs IAG vs UAG - Are you confused?

Sometimes Microsoft's branding and renaming of products really confuses people. The whole ISA/TMG/IAG/UAG re-branding debacle really threw me for a loop. At first the renaming seemed pretty simple, but Microsoft is also re-positioning the products, and I don't think MS has done a good job of clarifying what each one is now for. So today at TechEd I stopped by the security booth and tried to wrap my brain around the changes. Here's what I learned from the MS ForeFront guys.

The ForeFront Threat Management Gateway (TMG, formerly ISA) is now being positioned as an outbound internet proxy for internal corporate users. It will include advanced anti-virus, anti-malware, and intrusion detection features. Some of these services will need subscriptions, since they depend on constant signature updates. One cool new feature is the ability to inspect HTTPS traffic. You might say that ISA could already do that in SSL bridging mode. True, but that only covered traffic to sites you published; TMG can now inspect SSL traffic to external web sites. TMG generates its own certificate impersonating the external site (signed by a CA your clients have been configured to trust), acts as a man in the middle, and performs application-level inspection of the decrypted traffic. So downloads from the internet via HTTPS will no longer bypass malware scanning. Pretty cool!
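As an added illustration (not from the original post or from Microsoft), here is a small Python check an admin can run from a client to confirm whether a given HTTPS destination is actually being bridged by the gateway: when inspection is on, the certificate the client sees is issued by the gateway's own inspection CA rather than by the site's public CA. The CA name and host names are constructed placeholders.

```python
"""Tell whether an outbound HTTPS session is being bridged (inspected) by a
gateway such as TMG, by looking at who issued the certificate the client sees."""
import socket
import ssl


def issuer_cn(peercert):
    """Return the issuer commonName from an ssl.getpeercert()-style dict.
    The issuer is a tuple of RDNs, each RDN a tuple of (attribute, value)."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify_session(peercert, inspection_ca_cns):
    """Label a session from the leaf certificate presented to the client.

    'bridged' - leaf issued by one of our gateway's inspection CAs: the gateway
                terminated TLS and is scanning the content.
    'direct'  - issued by some other (public) CA: end-to-end to the origin,
                e.g. a destination on the inspection exclusion list.
    """
    cn = issuer_cn(peercert)
    if cn is None:
        return "unknown"
    return "bridged" if cn in inspection_ca_cns else "direct"


def fetch_peercert(host, port=443, timeout=5.0):
    """Open a real TLS connection and return the peer certificate dict.
    Uses the system trust store, so a bridged session only validates when the
    gateway's CA has been deployed to this client (which TMG inspection needs)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the shape ssl.getpeercert() returns (not real certs).
INSPECTION_CAS = {"Example Corp TMG HTTPS Inspection CA"}  # placeholder CA name
SAMPLE_BRIDGED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp TMG HTTPS Inspection CA"),)),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Public Root CA"),),),
}
```

Run `classify_session(fetch_peercert("www.example.com"), INSPECTION_CAS)` from inside the network to verify that inspection, and any exclusions for sensitive sites, behave as intended.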

While you can still use TMG as a reverse proxy for publishing internal web sites to the internet, that is not the recommended use. This is a big change from ISA, which is very commonly used as a reverse proxy.

The ForeFront Unified Access Gateway (UAG, formerly IAG), according to Microsoft, is now the preferred solution for inbound access to internal corporate resources. This includes acting as a reverse proxy for applications such as OWA and MOSS, and it also provides robust support for DirectAccess. Just as IAG included ISA under the hood, UAG will include the TMG engine. And as with IAG, in UAG you will not configure TMG directly. TMG is merely there to protect the UAG server itself, not to provide TMG functionality for other applications.

To boil it all down: you will ONLY use TMG if you want a corporate internet proxy to protect users from web-based malware. If you want a reverse proxy, such as for publishing OWA and MOSS to the internet, you will now use UAG. If you want both scenarios, you will have both TMG and UAG servers. Yes, TMG can technically do both, just as ISA can, but this is no longer a Microsoft-recommended configuration.

Another noteworthy tidbit I learned is that MS is really pushing for virtualizing TMG and UAG. Among many benefits, this would allow you to scale out very quickly should you have high demand and need to increase the number of servers.

For additional information on UAG, see this link. For more information on TMG, see this link.

8 comments:

  1. I was confused! This helps, thanks for the clarification.
  2. Thank you very much for that clarification... I've been tinkering with TMG (my first look at anything in the ISA family).

    Also, if they're pushing for virtualization, wonder if UAG and TMG could live on the same virtual host...
  3. good job - thanks for clarification
  4. So the only reason to use UAG as a reverse proxy is so they can charge for a CAL. The external connector (EC) license is technically for external customers and not employees. So, I think we will be keeping ISA or TMG for reverse proxy only.
  5. Seems ridiculous.

    Microsoft extorting people once again.

    BUILD it into the same product as it always has been !!!!

    So now we need another OS license and server. Good On Yas
  6. Thanks for explaining these terms, I got really confused with the terms and new functionalities
  7. Thank you for the succinct explanation.
    And Naz, it's not extortion (lol) rather providing better products and creating a delineation of the two.
  8. Here is a really good breakdown from MS (video presentation).
    http://channel9.msdn.com/Events/TechEd/Europe/2012/SIA208