Mind the TMG gap
In September last year, Microsoft announced that it was discontinuing its Forefront Threat Management Gateway (TMG) as part of a number of major changes to its Forefront product line.
This was in an "effort to better align security and protection solutions with the workloads and applications they protect". While Microsoft has pledged to provide current Forefront TMG customers with mainstream support up until the end of 2015 and extended support until 2020, the move, which surprised many customers, does present some challenges and raises the question of what will replace it.
Microsoft's Forefront TMG, formerly known as Microsoft Internet Security and Acceleration Server (ISA Server), has been a key component of the solution for organisations deploying Microsoft Exchange, Lync or SharePoint.
One of the key features of TMG is that it offers customers a way to publish and protect workload servers such as Exchange Client Access Servers, especially in internet-facing deployments where a clean and secure separation between the critical backend infrastructure and the public internet is essential.
TMG has proved particularly popular for use with Exchange infrastructures because of its relatively easy-to-deploy reverse-proxy functionality. This is essential when you have a demilitarised zone (DMZ) to ‘sanitise’ incoming connections from the internet before passing traffic on to servers hidden by an internal network.
Microsoft's decision to end TMG is part of a bigger picture. The company plans to integrate more security controls into the cloud with its Microsoft Office 365 solution and also replace TMG with its Unified Access Gateway (UAG).
However, it's not quite that simple. For a start, UAG can be up to twice as expensive and, depending on which part of the world you are based in, the cost of transition could be painful.
Secondly, for applications such as Exchange, there are some functionality gaps that UAG currently does not cover, such as two-factor authentication for ActiveSync devices or certificate-based authentication for OWA. Also, it is not just Exchange: while UAG has more features than TMG, it also does not, as yet, fully support some Lync functionality and is overkill if used for only this purpose.
So for companies that do not want to migrate to Office 365 or adopt UAG, what are the options?
Many companies already deploy hardware load balancing appliances from companies such as Kemp in conjunction with TMG in order to publish Microsoft workload servers for internet-facing applications. As well as separating the critical infrastructure from the external internet, load balancers stop traffic ‘at the gate’ and make sure that users are automatically connected to the best performing server.
If a server becomes inaccessible, the load balancer will automatically re-route traffic to other functioning servers so that users always experience optimum performance. The load balancer may also offload processor-intensive SSL encryption to speed up the throughput.
So, now that ‘end of life’ time has arrived for TMG, other companies such as Kemp will be looking to build on existing core technologies such as the reverse proxy function to fill the gap left by TMG.
For organisations and businesses facing life without TMG, the addition of security features into their load balancers will continue to deliver protection along with scalability and high reliability.