Forefront TMG and UAG Phase out/alternatives – Part 1

Hi there guys,

Many of you are already aware that Microsoft announced the end of life of the “Forefront” security product line. With the announcement of 12/09/2012, the following products were discontinued:

Important Changes to Forefront Product Roadmaps – 12/09/2012:

“We are discontinuing any further releases of the following Forefront-branded solutions:

    • Forefront Protection 2010 for Exchange Server (FPE)
    • Forefront Protection 2010 for SharePoint (FPSP)
    • Forefront Security for Office Communications Server (FSOCS)
    • Forefront Threat Management Gateway 2010 (TMG)
    • Forefront Threat Management Gateway Web Protection Services (TMG WPS)”


Until last month, Forefront had only two products left: Microsoft Forefront Unified Access Gateway (UAG) and Microsoft Forefront Identity Manager (FIM).

There were a lot of concerns about the continuity of one product in particular, Forefront UAG, since its core is based on the discontinued Forefront TMG. On 17/12/2013 we finally got some clarity (many people expected this…): the product group announced that the current version of UAG would be the last.

Important Changes to Forefront Product Roadmaps – 17/12/2013:

“Based on product strategy, customer feedback, and prevailing market dynamics, Microsoft has made the decision not to deliver any further full version releases of Forefront UAG.”

FIM, however, is expected to be taken out of the Forefront brand and become part of a cloud service sometime in 2015. Identity-as-a-Service should be a reality by then, and getting to that simplified model requires a lot of transformation. I have my own idea about what is coming, but that’s just a guess.


Based on the feedback and concerns I have collected from many customers on this topic, I ended up with some common and frequent questions:

  • What are the alternatives for TMG and UAG?
    Answer: It depends.
  • When should I start dephasing TMG and UAG?
    Answer: It depends.

I don’t want to leave you with the typical consultant answer and more uncertainty, so I’ll guide you through the relevant concerns that will help you move forward.


1. Before you start looking for alternatives

1.1 Forefront TMG and UAG features

As you probably know, TMG and UAG are multi-feature products, so you first need to determine which features you are actually using in your infrastructure.

The following table helps you identify which features are present in ISA, TMG and UAG, so that you can easily map what is being used in your own network environment.


| Feature | ISA | TMG | UAG |
|---|---|---|---|
| Route | X | X | |
| Edge Firewall | X | X | |
| – Stateful Packet Filtering | X | X | |
| Application Layer Firewalling | X | X | X |
| – HTTP Filter | X | X | X |
| – HTTPS Inspection | | X | X |
| Intrusion Prevention (IPS) and Intrusion Detection (IDS) System | X | X | |
| Web Proxy and Web Caching Server | X | X | |
| – URL Filtering | | X | |
| – Malware Inspection | | X | |
| Forward Proxy | X | X | |
| Reverse Proxy | X | X | X |
| VPN Server (Client VPN and Site-to-Site VPN) | X | X | |
| E-Mail Protection Gateway | X | X | |
| DirectAccess | | | X |
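As an added example (not part of the original post), the following PowerShell snippet inventories the firewall policy of a TMG (or ISA) array through the FPC COM administration objects, so you can see which of the rule-based features in the table above are actually in use before you shop for a replacement. It assumes an elevated PowerShell session on a TMG server, or on a machine with the TMG management console installed; the numeric rule type and action values follow the TMG SDK enumerations FpcPolicyRuleTypes and FpcPolicyRuleActions.

```powershell
# Added example, not code from the original post or from Microsoft.
# Requires the TMG/ISA management components (FPC.Root COM object) on this machine.

# FpcPolicyRuleTypes values as documented in the TMG SDK
$ruleTypes = @{
    0 = 'Access rule (forward proxy / firewall)'
    1 = 'Web publishing rule (reverse proxy)'
    2 = 'Server publishing rule (non-HTTP publishing)'
}

$root  = New-Object -ComObject FPC.Root
$array = $root.GetContainingArray()       # the array this server belongs to

$inventory = foreach ($rule in $array.ArrayPolicy.PolicyRules) {
    [pscustomobject]@{
        Name    = $rule.Name
        Type    = $ruleTypes[[int]$rule.Type]
        Enabled = [bool]$rule.Enabled
        # FpcPolicyRuleActions: 0 = allow, 1 = deny
        Action  = if ([int]$rule.Action -eq 0) { 'Allow' } else { 'Deny' }
    }
}

# Enabled rules per type: a box with no web publishing rules needs no WAF/ADC
# for that function; one with only access rules is mostly a firewall/web proxy.
$inventory | Where-Object Enabled | Group-Object Type |
    Select-Object Name, Count | Format-Table -AutoSize

# Full list for the migration workbook
$inventory | Sort-Object Type, Name |
    Export-Csv -Path "$env:USERPROFILE\tmg-policy-inventory.csv" -NoTypeInformation
```

Feature areas that do not show up as policy rules (VPN, caching, URL filtering, malware inspection, e-mail protection) still have to be checked in the management console or in the array configuration export; UAG trunks and DirectAccess are managed separately and are not covered by this object model.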


1.2 Industry standards, compliance, regulations and good practices

Before you decide, you must consider whether you need to comply with specific regulations and standards. Depending on the industry segment you are in, there are particular objectives you may need to meet to avoid penalties or harm to your business; this may involve mitigating certain threats, having appropriate auditing and reporting capabilities, and meeting OLAs, SLAs, RTO/RPO targets, etc.

Do bear in mind that technology means nothing if people and processes are not part of the equation.

Just one example: the Payment Card Industry Data Security Standard (PCI DSS 2.0, requirement 6.6, quoted below) requires that public-facing web applications be protected either by regular application vulnerability assessments or by a Web Application Firewall (WAF). It does not state which elements a WAF solution must have, so security best practices and standards should be taken into consideration: the OWASP Web Application Firewall Criteria are a useful guideline for your implementation, and part of them underline the OWASP Top 10 web application security flaws that should be mitigated.

Many security vendors will state that their solutions address the OWASP Top 10 web application security flaws, PCI DSS and many other security standards. These may be good indicators of what you need to achieve; however, securing your environment often involves more than one solution, to mitigate threats at multiple layers, ease technology integration, preserve the user experience and provide the required business functionality. All in all, one size does not fit all, and you will probably have to consider multiple solutions/vendors.


PCI DSS 2.0 compliance (section 6.6):

Requirement 6.6:

“For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:

· Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes

· Installing a web-application firewall in front of public-facing web applications”

Testing procedures 6.6:

“For public-facing web applications, ensure that either one of the following methods are in place as follows:

· Verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods), as follows:

– At least annually

– After any changes

– By an organization that specializes in application security

– That all vulnerabilities are corrected

– That the application is re-evaluated after the corrections

· Verify that a web-application firewall is in place in front of public-facing web applications to detect and prevent web-based attacks.

Note: “An organization that specializes in application security” can be either a third-party company or an internal organization, as long as the reviewers specialize in application security and can demonstrate independence from the development team.”


OWASP 2013 – Top 10 Web application security flaws:

A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards


OWASP – Web Application Firewall Criteria:

  • Protection Against OWASP Top Ten!
  • Very Few False Positives (i.e., should NEVER disallow an authorized request)
  • Strength of Default (Out of the Box) Defenses
  • Power and Ease of Learn Mode
  • Types of Vulnerabilities it can prevent.
  • Detects disclosure and unauthorized content in outbound reply messages, such as credit-card and Social Security numbers.
  • Both Positive and Negative Security model support.
  • Simplified and Intuitive User Interface.
  • Cluster mode support.
  • High Performance (milliseconds latency).
  • Complete Alerting, Forensics, Reporting capabilities.
  • Web Services/XML support.
  • Brute Force protection.
  • Ability to run in active (block and log), passive (log only) and bypass modes for the web traffic.
  • Ability to keep individual users constrained to exactly what they have seen in the current session
  • Ability to be configured to prevent ANY specific problem (i.e., Emergency Patches)
  • Form Factor: Software vs. Hardware (Hardware generally preferred)

1.3 Get familiar with security industry solution types

For each business requirement there are certain solution types provided by the security industry, which you can find in the following table:

| Security Solution | Description |
|---|---|
| WAI | Wired/Wireless Access Infrastructure |
| ENF | Enterprise Network Firewall |
| UTM | Unified Threat Management (Small and Medium Business) |
| SWG | Secure Web Gateway |
| WAF | Web Application Firewall |
| ADC | Application Delivery Controller |
| SEG | Secure Email Gateway |
| SaaS | Software as a Service |
| PaaS | Platform as a Service |
| SRA | Secure Remote Access |

You’ll need this table later on as a glossary: every time you start digging into third-party vendors, their solutions will probably be categorized like this.


This ends the first part of Forefront TMG and UAG Phase out/alternatives. Have a look at Part 2 to complete the series.


R-Tape Loading error,
Luís Rato


~ by Luis Rato on 3 January 2014.
