So you’re looking for a replacement for your existing Forefront TMG 2010 firewall and secure web gateway? Well, you might be surprised to learn that the best replacement available today for TMG is…TMG! That’s right. Sounds crazy? Let me explain.
When Microsoft made its formal Forefront TMG 2010 end-of-life statement back in September of 2012, they simply stated that they would no longer add any new features or functionality to TMG in this release, and that they would not be producing any new releases going forward. They also stated that they would discontinue selling TMG later that year. None of the functionality provided by TMG ceased to function, however. In addition, as a Microsoft OEM partner, Celestix Networks can still sell TMG as part of our optimized hardware appliance solution, the Celestix MSA Series security appliance. If you’re preparing to deploy TMG for the first time, or you’re planning to expand an existing TMG deployment, the Celestix MSA featuring Microsoft Forefront TMG 2010 is still available for purchase today.
What about support, you say? Well, Microsoft has stated that they will continue to provide support for TMG until April of 2020. Celestix dedicated support is available until 2023. You can deploy TMG today on the Celestix platform with full confidence that you won’t be left out in the cold with a solution you can’t support.
So, what makes TMG so compelling, even today? It provides essential network protection, inbound and outbound, in a single, consolidated solution. It also provides features and functionality that are not available in competing offerings. Consider the following deployment scenarios:
Network Firewall – Forefront TMG 2010 is an excellent network firewall capable of providing positive traffic control to and from any protected or untrusted networks. TMG is Common Criteria Certified EAL4+ and can safely be deployed on the network edge, or as a back firewall to complement an existing edge firewall.
Forward Proxy Server – Many organizations still rely on proxy servers to provide a high level of security and isolation for internal clients accessing resources on the public Internet. When deployed as a forward proxy server, TMG can enforce strong user- and group-based authentication using native Active Directory authentication protocols such as NTLM and Kerberos. In addition, TMG includes support for the TMG Firewall Client, a software component installed on Windows client machines that provides transparent proxy capabilities for Winsock applications. This is a feature that is not available with any competing solution on the market today. TMG does include native URL filtering and virus/malicious software scanning; however, these will no longer be supported beginning January 2016. There are numerous third-party solutions, both on-premises and cloud-based, that can address this need. TMG can also provide inspection for HTTPS encrypted communication.
Reverse Proxy Server – TMG can be configured as a reverse proxy server, allowing secure remote access to on-premises web applications such as Exchange OWA, SharePoint, and many more. In this deployment, TMG can perform pre-authentication for published web sites, ensuring that only valid, authenticated and authorized users can access internal resources. TMG provides support for forms-based authentication, which can be customized to match the look and feel of your existing web application. Also, TMG provides strong authentication support with Smartcards or One-Time Password (OTP) solutions such as Celestix HOTPin. TMG can also perform deep application-layer traffic inspection, preventing many types of attacks from affecting published web applications.
Web Content Cache – TMG can be configured to cache web content in both the forward and reverse proxy server roles. By enabling caching, frequently requested web content is stored locally on the appliance and is delivered to the user at LAN speeds, improving page loading performance and user experience significantly. This has the added benefit of also reducing bandwidth utilization on WAN links. TMG can also apply HTTP compression to reduce the amount of data downloaded, further improving performance.
VPN Server – Providing secure remote access to on-premises data and applications is handled by client-based VPN on TMG. TMG supports multiple access protocols, such as PPTP, L2TP/IPsec, and IKEv2. TMG also provides secure branch office and public cloud network connectivity through the use of site-to-site VPN.
With the exception of URL filtering and anti-malware services, all of the features and functionality provided by Forefront TMG 2010 will continue to function effectively well past the published support deadlines. If you are deploying TMG as a secure web gateway, TMG can provide the base platform capabilities which can be effectively extended and enhanced using one of many third-party security integrations.
End of life doesn’t mean end of usefulness. Many competitors are spreading fear, uncertainty, and doubt (FUD) regarding TMG’s functionality and end-of-life, but it certainly isn’t dead yet! In fact, when working with customers who are considering replacing TMG, the best replacement many find is actually TMG itself. It provides unrivaled security, performance, and ease of management that are difficult to find on the market today. The Celestix MSA Series security appliance featuring Forefront TMG 2010 is still an excellent edge security solution and comprehensive secure web gateway, so keep calm and deploy TMG using the Celestix MSA today.