Introduction
Microsoft Forefront Threat Management Gateway (TMG) 2010 is an integrated edge security solution that can serve as a firewall, forward and reverse proxy server, web content cache, and Virtual Private Network (VPN) gateway for both client-based remote access and site-to-site connections. It can be deployed in all of these roles, or in any subset of them, to provide essential protection for both inbound and outbound network communication from a variety of clients. TMG’s roots extend all the way back to Microsoft Proxy Server 1.0, first released in 1997. Although initially a dedicated web proxy, the release of Microsoft Internet Security and Acceleration (ISA) Server in 2000 was the first version to include firewall and VPN services. Over the years there has been a lot of innovation in the product, with features being introduced that even today have yet to be replicated by any competitor.
Integrated Services
One of the hallmarks of the TMG solution is its tight integration with Microsoft-based network infrastructures and workloads. Historically, TMG and its predecessors were the solution of choice for providing critical network protection, aggregated Internet connectivity, and secure remote access to networks and applications such as Exchange Outlook Web App (OWA), SharePoint, and many others. Even today, no solution provides the high level of protection and ease of configuration that TMG does. The TMG firewall is still the only Windows-based edge security and remote access solution available. By virtue of being a domain member, the TMG firewall participates natively in domain communication, providing the ability to enforce strong user- and group-based authentication and to authenticate users in a seamless and transparent manner using secure protocols such as NTLM and Kerberos. In reverse proxy deployment scenarios, TMG can perform protocol transition using Kerberos Constrained Delegation (KCD): it accepts authentication credentials using authentication forms (username and password/OTP), client certificates, or smart cards, and then obtains a Kerberos ticket on behalf of the remote user for authentication delegation to published internal applications. In forward proxy scenarios, Kerberos authentication can also be leveraged to provide the most secure and robust authentication for internal users accessing the public Internet.
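The KCD protocol transition described above depends on how the TMG computer account is configured in Active Directory, and that account becomes a high-value object because it can obtain tickets for any user. The following PowerShell audit is an added example written for this article, not code from Celestix, Microsoft or the TMG product; it assumes the ActiveDirectory module, a hypothetical TMG computer account named TMG01, and a hypothetical published SPN http/owa.contoso.com.

```powershell
# Added example (not part of the original article): audit the AD delegation
# settings that TMG relies on for KCD protocol transition.
# Assumptions: ActiveDirectory module installed; TMG01 and http/owa.contoso.com
# are hypothetical names, replace them with your own.
Import-Module ActiveDirectory

$TmgAccount   = 'TMG01'                     # hypothetical TMG computer account
$ExpectedSpns = @('http/owa.contoso.com')   # hypothetical SPN(s) TMG may delegate to

function Get-DelegationState {
    param([string]$Name)
    $props = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
    $c = Get-ADComputer -Identity $Name -Properties $props
    [pscustomobject]@{
        Name               = $c.Name
        # Unconstrained delegation: any service, any user. Should be off for TMG.
        Unconstrained      = [bool]$c.TrustedForDelegation
        # "Use any authentication protocol": required so a forms/certificate
        # logon at TMG can be transitioned into a Kerberos ticket.
        ProtocolTransition = [bool]$c.TrustedToAuthForDelegation
        # Services TMG is allowed to delegate to (should be only the published apps).
        AllowedTo          = @($c.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    }
}

$state = Get-DelegationState -Name $TmgAccount

if ($state.Unconstrained) {
    Write-Warning "$($state.Name) is trusted for UNCONSTRAINED delegation; restrict it to specific SPNs."
}
if (-not $state.ProtocolTransition) {
    Write-Warning "$($state.Name) cannot use protocol transition; forms/certificate logons will not delegate."
}
$unexpected = $state.AllowedTo | Where-Object { $ExpectedSpns -notcontains $_ }
if ($unexpected) {
    Write-Warning "Delegation targets beyond the published apps: $($unexpected -join ', ')"
}
$state

# Domain-wide view: every account allowed to perform protocol transition
# (userAccountControl bit TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000 = 16777216).
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' `
    -Properties msDS-AllowedToDelegateTo |
    Select-Object Name, ObjectClass,
        @{ n = 'AllowedTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
```

Run it periodically: any account in the final listing that is not an intended KCD front end (such as TMG) deserves a look, and TMG’s own allowed SPN list should never grow beyond the applications it publishes.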
Transparent Winsock Proxy
Another important and powerful feature supported by the TMG firewall is the TMG Firewall Client. The Firewall Client is an optional software component that can be installed on Windows computers to provide transparent proxy services for both web and non-web applications that use WinSock. The Firewall Client is a Layered Service Provider (LSP) that hooks into the client’s network stack at a low level to listen for WinSock calls that are destined for remote networks. When such a call occurs, the TMG Firewall Client transparently routes the request to the TMG firewall, which then proxies it to the public Internet. For example, if a user needs to access a Citrix server located outside of the corporate network, the user can initiate the request as they normally would, and the TMG Firewall Client will intercept the request and direct it to the TMG firewall for remote delivery. Policies on the TMG firewall determine whether or not to allow the request. All traffic handled by the TMG Firewall Client is authenticated, so administrators can also enforce strong user- and group-based permissions for this traffic. The TMG Firewall Client can handle all TCP- and UDP-based requests from applications that use the WinSock API.
Conclusion
These features make TMG unique among competing solutions. Although Microsoft recently announced the end of life for TMG, the solution will still be supported for many years to come, and these features will continue to function in perpetuity. While TMG’s development cycle has ended, current firewall administrators are reluctant to replace their existing Forefront TMG 2010 infrastructure and risk losing these important capabilities. Their organizations can continue to look forward to excellent network protection for many years to come.
For new customers wishing to leverage these and many other powerful features of TMG, you can still purchase Forefront TMG 2010 from Celestix on our advanced hardware appliance platform, which will be supported until 2023. Hopefully someone will have replicated all of TMG’s advanced features by then!