Sometimes Microsoft branding and renaming of products really confuses people. For example, ISA vs TMG? The whole ISA/TMG/IAG/UAG re-branding debacle really threw me for a loop. At first the renaming seemed pretty simple, but Microsoft is also re-positioning the products and I don’t think MS has done a good job of clarifying the products. So today at TechED I stopped by the security booth and tried to wrap my brain around the changes. Here’s what I learned from the MS ForeFront guys.
The ForeFront Threat Management Gateway (TMG, formerly ISA) is now being positioned as an outbound internet proxy for internal corporate users. It will include advanced anti-virus, anti-malware, and intrusion detection features. Some of these services will need subscriptions, since they need constant signature updates. One cool new feature is the ability to inspect HTTPS traffic. But you say, ISA could do that when it was put into SSL bridging mode. True, but now TMG can inspect SSL traffic generated by external web sites. TMG will impersonate the external site’s SSL certificate, act as a man in the middle, and perform application level inspection of the traffic. So no longer will downloads from the internet via HTTPS bypass malware scanning. Pretty cool!
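Because the proxy re-signs the external site’s certificate, the easiest way for an admin (or a suspicious user) to tell whether outbound HTTPS inspection is active is to look at who issued the certificate the client actually receives. The following is an added example, not TMG code or anything from Microsoft: it classifies the peer certificate as returned by Python’s `ssl` module, using a constructed sample dict and an assumed inspection CA name (“Contoso TMG Inspection CA”).

```python
import ssl
import socket

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
# A re-signed (inspected) cert keeps the site's names but carries the proxy CA as issuer.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Contoso"),),
               (("commonName", "Contoso TMG Inspection CA"),)),  # assumed CA name
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}

def _name_field(rdns, field):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested RDN tuples."""
    for rdn in rdns:
        for key, value in rdn:
            if key == field:
                return value
    return None

def _covers(names, hostname):
    """True if the cert's DNS names cover hostname (exact or one-label wildcard)."""
    if hostname in names:
        return True
    parent = hostname.split(".", 1)[1] if "." in hostname else ""
    return bool(parent) and ("*." + parent) in names

def classify_peer_cert(cert, inspection_ca_cn, hostname):
    """'inspected': leaf re-signed by the corporate inspection CA (proxy is bridging TLS).
    'direct': some other issuer, i.e. the site's own certificate reached the client.
    'suspect': the certificate does not even name the host we connected to."""
    names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    names.add(_name_field(cert.get("subject", ()), "commonName"))
    if not _covers(names, hostname):
        return "suspect"
    issuer_cn = _name_field(cert.get("issuer", ()), "commonName")
    return "inspected" if issuer_cn == inspection_ca_cn else "direct"

def fetch_peer_cert(hostname, port=443, timeout=5):
    """Live lookup; the OS trust store must contain the inspection CA or the handshake fails."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    print(classify_peer_cert(SAMPLE_CERT, "Contoso TMG Inspection CA", "www.example.com"))
```

Run against a live host by replacing `SAMPLE_CERT` with `fetch_peer_cert("www.example.com")`; a result of "inspected" on every external site means all outbound HTTPS is being bridged by the proxy.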
While you can still use TMG as a reverse proxy for publishing internal web sites to the internet, that is not the recommended use. This is a big change from ISA, which is very commonly used as a reverse proxy.
The ForeFront Unified Access Gateway (UAG, formerly IAG), according to Microsoft, is now the preferred solution for inbound access to internal corporate resources. This includes acting as a reverse proxy for applications such as OWA and MOSS, and it robustly supports DirectAccess. Like IAG, which included ISA under the hood, UAG will also include the TMG engine. As with IAG, in UAG you will not directly configure TMG. TMG is merely there to protect the UAG, not to provide TMG functionality for other applications.
To boil it all down, you will ONLY use TMG if you want a corporate internet proxy to protect users from web based malware. If you want a reverse proxy, such as for publishing OWA and MOSS to the internet, you will now use UAG. If you want both scenarios, then you will have both TMG and UAG servers. Yes, TMG can technically do both just as ISA can, but this is no longer a Microsoft recommended configuration.
Another noteworthy tidbit I learned is that MS is really pushing for virtualizing TMG and UAG. Among many benefits, this would allow you to scale out very quickly should you have high demand and need to increase the number of servers.