Whether ’tis nobler in the mind to suffer the slings and arrows of outrageous hackers, or to take arms against a sea of troubles, and by opposing end them? TMG, UAG, which do I want? With their new branding strategy, Microsoft has once again muddied the waters of their security line to such a point that if you are going by the name of the product, you have no idea whether you want it or some other one. I’d call upon Ray Ozzie and Steve Ballmer to demand that marketing pick a product naming convention and stick with it, on pain of death, but I’ve met some of those marketing guys…they’re kind of scary. With the workstation line going from 2000 to XP, to Vista, to 7, to (I’ll bet you lunch) whatever the next one is called, which will NOT be 8, we could at least know that we were dealing with a workstation. Now we are going from ISA 2006 and IAG 2007 to TMG 2010 and UAG 2010. Seems kind of straightforward at first, until you look at your ISA deployments, which I bet are doing reverse proxy, and then you read that Microsoft does not recommend TMG for that…you should use UAG. This post is intended to help clear some things up on that.
TMG 2010
What it is: the successor to ISA 2006, offering the best combination of forward proxy, internal client protection through malware inspection, anti-x and content blocking by category (additional subscriptions required), client VPN, and LAN-to-LAN VPN. It has IPS/IDS capabilities and application filters, and while I would never recommend it for the role, it can do packet-filtering firewall duties too. TMG 2010 is scalable: you can install multiple servers as an array with network load balancing, and you can work with redundant ISP connections too. It is also capable of doing SSL inspection to protect your clients from malware in HTTPS streams, by dynamically generating certificates and transparently proxying the connections. TMG can also do Network Inspection for VPN clients, protecting your internal network from remote users who are out of compliance with network policy.
What it is not: an application portal, like Citrix or Whale/IAG, or what a lot of people mean when they talk about SSL VPNs: presenting internal applications over an HTTPS connection.
TMG 2010 is going to be your go-to product nine times out of ten if you are coming from an ISA background. Forget the market glitz for a minute…it’s there to sell UAG and TMG. Don’t get me wrong, UAG is awesome… but that awesomeness is for a task more focused on your employees, not your customers. If you want a multipurpose platform, capable of excelling at protecting you from threats, you want TMG. If you are going to publish your corporate website, OWA, and SharePoint, TMG is for you.
TMG 2010 MBE
What it is: TMG 2010 lite. For the small to medium size business who will not be installing arrays, using redundant ISP circuits, or worrying about network load balancing their TMGs, this will work out just fine. You also lose HTTPS inspection, Network Inspection, and email security features, but for most SMBs, that is not so big a deal.
What it is not: TMG 2010 standard edition.
UAG 2010
What it is: the successor to the Whale Application Gateway/IAG 2007. UAG is the go-to solution when you have a workforce that is remote, and you want to make their experience as close as possible to being on the LAN, but you don’t want to have them first connect to a VPN. Sure, UAG does some of the more traditional things TMG does…it had better; it is built on top of TMG. Where UAG is really going to shine is when you want to publish internal applications using port forwarding, file shares, and web-based apps through a secure portal. It will also rock your socks once you are ready to support DirectAccess: the new seamless VPN technology that enables clients to connect over the Internet securely, without the end user even realizing what they are doing. UAG is the sort of product you will use in place of secure application portals, or even Citrix Application Gateways.
What it is not: a cost effective way to publish your public facing, anonymous access web servers, or your internal servers that you have published in the past through ISA 2006, like SharePoint and Exchange. It will certainly do them quite well, but if that is all you have planned, you’re in maximum overkill territory. Stick with TMG.
Comparing UAG, TMG, and TMG MBE (columns: Feature, UAG, MBE, TMG)
Firewall: √ √
Site-to-site VPN: √ √
Remote access VPN: √ √ √
Web proxy: √ √
Caching: √ √
Arrays for load balancing and failover: √ √
Non-domain-joined gateway: √
Windows Server 2008 64-bit support: √ √ √
Web anti-malware: √ √
HTTPS inspection: √
E-mail security: √
Network Inspection System: √
ISP redundancy: √
Central management: √
Application publishing: √ √ √
- Granular application filtering: √
- Endpoint health detection: √
- Out-of-the-box support for publishing many third-party applications: √
Remote Desktop and RemoteApp integration: √
DirectAccess: √ √
Hopefully you are now a bit clearer on the differences, and on when you would choose one over the other. If you are trying to protect your internal users with a scalable solution that can also protect common MS apps and world-accessible websites offered to users outside the corporate LAN, use TMG. If you are looking for a smaller-scale solution that does most of the same things, use TMG MBE. If you want to extend client/server LAN applications to your remote workforce without the need for a traditional VPN solution, use UAG.
So, are you a current ISA2006 user? Are you here because you’re looking at your upgrade options? Leave a comment and let us know where things stand with you.
Thank you so much for the break down. It is the best I have found. Microsoft has done a very poor job explaining what these products do and don’t do.
-Thanks for the nice comment. Glad you found it helpful. Ed
This was very helpful, thank you!
-You’re welcome! Ed
Thanks for this. MS should link people to this explanation; I’ve burnt a morning figuring out which direction to go in when replacing ISA.
Cheers,
Jim
You’re welcome…while this might not map out to MSFT’s marketing plan, it is what makes sense, and works, for me. I’m glad you found it helpful.
Thanks for commenting!
Ed