Beyond Forefront TMG and UAG: Where Do We Go Now?

With the demise of Microsoft’s venerable Forefront Threat Management Gateway (TMG) 2010 and the powerful Forefront Unified Access Gateway (UAG) 2010 platforms, many organizations are looking for viable upgrade alternatives for providing edge security and remote access for their organizations. For those seeking to move forward using Microsoft-based solutions on the Celestix appliance platform, there are a few different upgrade paths available depending on the unique requirements of each deployment. In some cases, workloads can be migrated to new services in Windows Server 2012 R2 running on the Celestix E and VE Series platforms. For others, third-party alternatives will need to be investigated.

Beyond Forefront TMG and UAG: Where Do We Go Now?The particular upgrade path for each scenario depends largely on the deployment model and services required for each solution. For example, TMG is a comprehensive edge security gateway providing firewall services, forward and reverse proxy, and VPN (client-based and site-to-site). UAG is a premium remote access gateway providing SSL VPN, advanced web application publishing, and secure Remote Desktop Gateway services. A subset of features from each of these platforms is available on the Celestix E and VE series platforms. Others are not.
Let’s take a look at some common deployment scenarios for both TMG and UAG and their corresponding upgrade paths.

TMG Firewall – At its core, Forefront TMG is a mature and robust enterprise network firewall. With a long, proven track record for security and stability, along with Common Criteria EAL 4+ certification, the TMG firewall provides formidable protection for organizations large and small. Unfortunately the Celestix E and VE series do not include this functionality. Organizations wishing to replace their existing Forefront TMG firewalls will have to investigate third-party solutions.

TMG Forward Web Proxy – Forefront TMG and its advanced web protection services (URL filtering, integrated antimalware, intrusion detection/prevention, and SSL termination/inspection) serves as an excellent secure web gateway. Here again, these features have not been carried forward on the Microsoft platform. Organizations seeking to replace the TMG firewall and secure web gateway will have to look at various solutions available from third-parties.

TMG Reverse Web Proxy – For many years the Forefront TMG firewall (and its predecessor ISA Server) were commonly deployed as a reverse proxy to protect popular on-premises Microsoft web applications such as Outlook Web App (OWA), SharePoint, and more. Here the Celestix E and VE series platform can be leveraged to provide the same level of security and protection for these workloads. The E and VE series include the Web Application Proxy (WAP) feature of the underlying Windows Server 2012 R2 operating system that can be used to publish on-premises web-based applications and optionally provide claims-based or Active Directory user pre-authentication.

TMG Virtual Private Networking – Forefront TMG includes support for both client-based and site-to-site virtual private networking (VPN). Client-based VPN is provided using a variety of protocols including PPTP, L2TP/IPsec, and SSTP. Site-to-site VPN leverages industry standard IPsec. The Celestix E and VE series platform also provide support for both client-based remote access and site-to-site VPN, with the additional benefit of supporting IKEv2 for client-based VPN. The Celestix E and VE series also include support for DirectAccess, which is a significant improvement over traditional VPN. DirectAccess provides seamless and transparent, always-on, bi-directional remote corporate network connectivity for managed Windows clients.

UAG SSL VPN – Forefront UAG is a powerful and flexible SSL VPN platform that can be used to provide secure remote access to individual applications hosted on premises. UAG provides advanced capabilities compared to TMG, and can provide more granular access control and supports a wide array of authentication repositories. For organizations seeking to replace their existing UAG platform, the Celestix E and VE solutions do provide some level of support for web application publishing. However, the feature set does not provide one-to-one parity for features included in UAG. For example, customers who need to provide granular access based on device type and configuration or who require an application portal (multiple applications published with a single URL) will have to investigate third-party alternatives.

UAG DirectAccess – For organizations who have deployed DirectAccess on Forefront UAG, the Celestix E and VE series is now the platform of choice for DirectAccess. The E and VE series includes many more features as part of the DirectAccess workload including flexible network placement (support for perimeter/DMZ placement with private IPv4 addresses and single NIC configuration), enhanced high availability with support for external load balancers and geographic redundancy, and improvements in scalability and performance.

UAG Remote Desktop Gateway – Virtual Desktop Infrastructure (VDI) is a popular solution for many companies who need to provide secure remote access to the widest variety of client platforms and devices. While the Remote Desktop Protocol (RDP) makes a solution like this possible, the protocol itself is not exactly firewall friendly. UAG includes support for the Remote Desktop Gateway role and provides features like integrated pre-authentication and ubiquitous access over SSL and TLS. The Remote Desktop Gateway functionality is also available on the Celestix E and VE series platform.

As you can see, the migration path from TMG and UAG to current Celestix platform offerings hinges on which solution is currently deployed and how it is being leveraged. Customers using TMG for application publishing and VPN remote access can safely transition to the E and VE platforms. Those that are using TMG for an edge firewall or outbound proxy will have to look at other alternatives. Customers using UAG may find the E and VE platforms suitable for their needs if they aren’t using any of the advanced UAG web application publishing features. UAG Remote Desktop Gateway deployments can migrate easily to the E and VE series.

If you’re interested in learning more about your TMG and UAG migration/upgrade path, visit here or drop a note to [email protected].

Watch our Webinar videos:

Beyond Forefront TMG: Evaluating Viable Upgrade Options

3 Reasons To Upgrade From Forefront UAG


more blogs