Forefront TMG and UAG Phase out/alternatives – Part 2

Hi again folks,

Following Part 1 of Forefront TMG and UAG Phase out/alternatives, I will complete the series with a description of the available solutions for each ISA/TMG/UAG feature.

2. Finding the alternatives for each TMG/UAG feature

Finding alternatives is far from an easy exercise. There are many things to consider; I’ve already covered a few in my previous post, but some additional fundamentals may influence your decision, such as:

– Your team’s know-how on a given technology/vendor, which may reduce the learning curve, training costs and the risk caused by faulty operations/implementation;

– Good vendor relationship and supportability, which are key elements for a less bumpy transition;

– Ease of use and (centralized) management, to make your team productive and quick to respond to increasing business demand;

– The solution can’t restrict a heterogeneous and interoperable ICT;

– A convergence of features on fewer solutions/vendors, which may simplify the management/operations burden and reduce Capex/Opex;

– Capable of responding to the new world order of Cloud, Big Data, Mobility and Social;

– Ultimately, respond to the business needs. Everything I’ve mentioned previously means nothing if you do not commit to the business goals. If you fail to do so, as a CIO/CSO you may turn yourself into a shooting target: CEOs, CFOs and CMOs are getting less tolerant of ICT misalignment, roadblocks and unresponsiveness.


I’ll leave the decision to you, so to make your life easier I’ve created a table mapping the available solutions that replace each feature of ISA, TMG and UAG.

In the following table you have:

– A mapping of the security features available on ISA, TMG and UAG;

– The “Transition path” column, which lists the available solutions that can replace each feature of ISA, TMG and UAG; you may opt for Microsoft technology if available (highlighted with a link for detailed information) or a 3rd-party vendor;

– The “Security solution type” column, which gives the acronyms of the standard names of security solutions available on the market. Where this column lists more than one type, it is because different types of solutions can respond to that particular feature; select one.

| Features | ISA | TMG | UAG | Transition path | Security solution type ( * ) |
|---|---|---|---|---|---|
| Route | X | X | | Windows Server 2012 RRAS; 3rd party vendor | WAI, ENF or UTM for SMB’s |
| NAT | X | X | | Windows Server 2012 RRAS; 3rd party vendor | WAI, ENF or UTM for SMB’s |
| Edge Firewall | X | X | | 3rd party vendor | ENF or UTM for SMB’s |
| – Stateful Packet filtering | X | X | | 3rd party vendor | ENF or UTM for SMB’s |
| Application Layer Firewalling | X | X | X | 3rd party vendor | WAF, ENF or UTM for SMB’s |
| – HTTP Filter | X | X | X | 3rd party vendor | WAF, ENF or UTM for SMB’s |
| – HTTPS Inspection | | X | X | 3rd party vendor | WAF, ENF or UTM for SMB’s |
| Intrusion Prevention and Intrusion Detection system | X | X | | 3rd party vendor | WAI, ENF or UTM for SMB’s |
| Web proxy and Web caching Server | X | X | | Web proxy: 3rd party vendor. Web Caching Server: Windows Azure Caching Services for Cloud solutions integration; IIS Application Request Router; 3rd party product | SWG, PaaS or UTM for SMB’s |
| – URL Filtering | | X | | 3rd party vendor | SWG or UTM for SMB’s |
| – Malware Inspection | | X | | 3rd party vendor | SWG or UTM for SMB’s |
| Forward Proxy | X | X | | 3rd party vendor | WAF, ADC or UTM for SMB’s |
| Reverse Proxy | X | X | X | WS 2012 R2 Web Application Proxy (basic); 3rd Party product | WAF, ADC or UTM for SMB’s |
| VPN Server (Client VPN and Site to Site VPN) | X | X | | Windows Server 2012 RRAS; 3rd party vendor | WAI, ENF or UTM for SMB’s |
| E-Mail Protection Gateway | X | X | | Exchange Online Protection; 3rd party vendor | SEG, SWG, SaaS or UTM for SMB’s |
| SSL VPN | | | X | 3rd party vendor | SRA |
| Direct Access | | | X | Windows Server 2012 Direct Access; 3rd party vendor | |

( * ) – Glossary: see section ‘1.3 Get familiar with security industry solution types’ in Part 1


3.  3rd Party Vendors

In this section you have a table with the available solutions of 3rd Party vendors for each type of Security solution.

If you have already identified from the section above which type of solution you need to replace each feature of ISA, TMG and UAG, after going through the whole feature set you have probably ended up with a few solutions that you may need to implement.

Some types of solutions may cover more than one feature. It may be wise to converge as many features as you can into one type of solution, as long as it can respond to the business requirements.

Some 3rd-party vendors can easily integrate different solution types from their portfolio; sometimes it is just a matter of licensing a particular module or service, without even needing to provision dedicated hardware.

Here are the tables of each Security solution type and their designated 3rd Party solutions:

WAI – Wired and Wireless Access Infrastructure
Vendor/Solution Reference
Cisco Switches
Cisco Routers
Cisco Prime Infrastructure
Cisco Mobility Services Engine
HP FlexCampus Network Solutions
Aruba Networks Unified Networks
Aruba Networks Mobility Access Switches
Aruba Networks Wireless Lan
Aruba Networks ClearPass
Others Alcatel-Lucent Enterprise, Motorola Solutions, D-Link, Dell, Huawei, Adtran, Juniper Networks, Xirrus, Netgear, Fortinet, Enterasys Networks

ENF – Enterprise Network Firewall
Vendor/Solution Reference
Check Point Next Generation Firewall
Check Point Software Blade
Check Point Security Appliance
Palo Alto Networks Firewall Platforms
Palo Alto Network Virtualized Firewalls
Fortinet Next Generation Firewalls
Fortinet High Performance Firewall / VPN
Cisco Firewalls ASA
Juniper Networks SRX Series Services Gateways
Juniper Networks SSG Series Secure Services Gateways
Juniper Networks ISG Series Integrated Security Gateways
Others Dell SonicWall, StoneSoft, McAfee, WatchGuard, Sophos, Huawei, Barracuda Networks, Netasq, HP

UTM – Unified Threat Management
Vendor/Solution Reference
Fortinet Unified Threat Management
Check Point GAiA
Dell SonicWall TZ Series Unified Threat Management Firewall (Small)
Dell SonicWall NSA Network Security Appliance Series (Mid-range)
Dell SonicWall SuperMassive Series (Enterprise)
WatchGuard XTM Next-Generation Network Security
Sophos Unified Threat Management
Others Cisco, Juniper Networks, Cyberoam, Netasq, Huawei, gateprotect, Clavister, Kerio

SWG – Secure Web Gateway
Vendor/Solution Reference
Cisco Web Security Appliance
Cisco Cloud Web Security
Blue Coat ProxySG
Blue Coat ProxyAV (ProxySG AV Add-on)
Blue Coat Web Filter (ProxySG Web Filter Add-on)
Blue Coat Secure Web Gateway Virtual Appliance
Blue Coat Web Security Service (Cloud Service)
Websense Websecurity Gateway (Appliance)
Websense Websecurity Gateway Anywhere (Hybrid)
Websense Cloud Websecurity Gateway
Zscaler Cloud Web Security
Barracuda Web Filter (Appliance)
Barracuda Web Filter Vx (Virtual)
Barracuda Web Security Service (Cloud)
McAfee Web Gateway (Appliance)
McAfee SaaS Web Protection (Cloud)
Symantec Web Gateway
Symantec Web Security.Cloud
Others Trend Micro, Trustwave-M86 Security, Sophos, ContentKeeper Technologies, Sangfor, Phantom Technologies, EdgeWave, Optenet

WAF – Web Application Firewall
Vendor/Solution Reference
F5 – Big IP (WAF module – license)
Imperva SecureSphere Web Application Firewall
Barracuda Web Application Firewall:
Barracuda Web Application Firewall for Applications hosted on Windows Azure (NEW)
Radware Web Application Firewall
Citrix NetScaler AppFirewall
Others Breach Security, Deny all, Cisco, ModSecurity, Protegrity

ADC – Application Delivery Content
Vendor/Solution Reference
F5 – Big IP
Citrix NetScaler 10
Radware Alteon
Barracuda Load Balancer ADC
Others Riverbed, A10 Networks, Brocade, Array Networks, Coyote Point, Cisco, Sangfor

SRA – Secure Remote Access
Vendor/Solution Reference
Dell SonicWall SSL VPN Secure Remote Access
Barracuda SSL VPN
F5 – Big IP Edge Gateway
Juniper Networks SA Series SSL VPN
Others Array Networks, Check Point, Citrix, Cisco, Cryptzone, Nexus, Palo Alto Networks, Sangfor Technologies


Please note that the mentioned 3rd party solutions and links may be subject to change.


4.  Should I stay or should I go

One of the major concerns is the right time to start phasing out ISA, TMG and UAG.

Per the Microsoft Support Lifecycle of these products, ISA Server still has extended support, while TMG and UAG have Mainstream support until 2015 and extended support until 2020.

| Products Released | Lifecycle Start Date | Mainstream Support End Date | Extended Support End Date |
|---|---|---|---|
| Internet Security and Acceleration Server 2006 Enterprise Edition | 10/17/2006 | 01/10/2012 | 01/10/2017 |
| Internet Security and Acceleration Server 2006 Standard Edition | 10/17/2006 | | |
| Forefront Threat Management Gateway 2010 Enterprise | 12/1/2009 | 4/14/2015 | 4/14/2020 |
| Forefront Threat Management Gateway 2010 Standard | 12/1/2009 | | |
| Forefront Unified Access Gateway 2010 | 1/26/2010 | 4/14/2015 | 4/14/2020 |


So, should you rush into the phase-out process or hold your horses for a while?

Some time ago you had to respond to business needs: you defined your ICT priority areas and had to accommodate the investment in ISA, TMG or UAG in your budget, so you obviously have a ROI to achieve.

Despite the fact that there is a ROI to be achieved, ISA Server is out of development and you can’t expect much to be developed during the Mainstream support of TMG and UAG.

Being secure means evolving with the dynamics of changing threats, regulations, compliance and business needs, which basically means that you need to evaluate whether your Forefront solutions can respond to these challenges. If they can’t, then whether or not your ROI has been achieved, it is prudent to move forward to a new solution.

All said, for the majority of organizations the time for a transition process is NOW. Again, one size does not fit all; you need to evaluate your particular situation.



This completes the series of Forefront TMG and UAG Phase out/alternatives.


R-Tape Loading error,
Luís Rato


~ by Luis Rato on 4 January 2014.
