Reasons to Migrate from ISA Server 2006 to Forefront TMG 2010

Reasons to Migrate from ISA Server 2006 to Forefront TMG 2010

  • Comments 9
  • Likes

We know there are many customers who are extremely happy with ISA Server 2006 and have been putting off migration to Forefront TMG 2010. As 2010 is coming to an end, we think you should include migration to TMG 2010 as one of your new year resolutions.

This post will focus on showing you why and help you learn more about Forefront TMG 2010.

 

Value Proposition: Microsoft Secure Web Gateway with Forefront TMG 2010

Forefront Threat Management Gateway allows employees to safely and productively use the Internet without worrying about malware and other threats. It provides multiple layers of continuously updated protections against the latest Web-based threats, including URL filtering, antimalware inspection, and intrusion prevention.

 

Microsoft Forefront TMG Core Capabilities

Microsoft Forefront TMG 2010 is positioned as a Secure Web Gateway. The core new features of this product are:

  • URL filtering: improves blocking of malicious or inappropriate sites using aggregated data from multiple URL filtering vendors and the anti-phishing and malware technologies that also protect Internet Explorer 8 users.
  • HTTPS Inspection: inspect outbound HTTPS traffic in order to protect your organization from security risks inherent to Secure Sockets Layer (SSL) tunnels, such as viruses and other malicious content that could infiltrate the organization undetected.
  • Intrusion Prevention (NIS): Protects against browser-based and other Microsoft vulnerabilities.
  • Web anti-malware: Provides highly accurate malware detection with the same world-class engine that is used by Microsoft Security Essentials and Microsoft Forefront products.
  • Support for Windows Server 2008 R2 (x64): first Microsoft Edge protection product that leverages the scalability and increased memory space improvements of the Windows 64 bit platform.

 

ISA Server 200X Capabilities

ISA Server 200x doesn’t offer the same Secure Web Gateway capabilities that Forefront TMG offers. ISA Server 200x is commonly used in a Proxy (forward and reverse) type of scenario. Forefront TMG inherits all the ISA Server 2006 capabilities and adds new features to provide more comprehensive protection, while providing a seamless migration path.

Side by Side Comparison

Use the table below to compare ISA 2006 to TMG 2010 feature wise:

image

What you can do on TMG that you cannot do on ISA

Back in May 2010 I wrote a post on my personal blog where I covered some common scenarios where customers commonly ask if they can use ISA. I selected the top 5 scenarios where there is a real need in the environment, however such a need cannot be answered by ISA Server. The good news is that it can be definitely be answered with TMG. Check the full article at http://blogs.technet.com/b/yuridiogenes/archive/2010/05/28/can-i-do-this-on-isa-server-no-but-you-can-with-tmg.aspx

Learn more about Forefront TMG 2010

Below are some resources that are available for learning about and trying Forefront TMG 2010:

Author

Yuri Diogenes

Sr Security Support Escalation Engineer

Microsoft CSS Forefront Security Edge Team

 

Reviewer

Ori Yosefi

Senior Program Manager

Microsoft Forefront Threat Management Gateway Team

Comments
  • I´ve been running TMG2010 since the release and I´m very happy with TMG2010. the migration from ISA2006 didn´t produce any problems.

  • So many good reason to use TMG. But why is there no certification exam available for it?

  • I'm just wondering if you can run the TMG Firewall Service under a Domain Account context...?

  • Hello,

    @Rob - thanks for your comments and we are glad it's working good for you.

    @Peter - we are still working on this, unfortunetly we have no ETA.

    @Kris - As of now you can't, but we are considering this for future updates. More info will be available as soon as we have it.

    Thanks,

  • @yuridio

    Please I would be very interested in this! Maybe you have an alternative way of accomplishing what we are trying to do?

    The reason we need the ISA to run under a domain user context (service account) is so that we can create an SPN for it. This way we can load balance (using third party load balancer) multiple virtual TMG servers using and authenticating using Kerberos on the web listener. after the web listener have authenticated the users the backend authentication towards a load balanced sharepoint farm is using a different SPN with kerberos constrained delegation. However, without the possibility to run the TMG as a service account we are unable to register an SPN for it and then Kerberos Auth fails on the listeneer level (we have it working with 1 TMG and the SPN registred directly to the MACHINENAME (Network Service).... We can't even get NTLM to work on the listener level as it would have been a great backup plan.... Can i get in contact with you via MS Support?

  • Hello Knrj,

    This is exactly what we are working on behind the scenes to have it soon (the possibility to have TMG services running in a domain account), however as of now this is not supported (changing the service account), so don't even try to do it or open a case for it.

    As soon as we have more news about this change we will post it here.

    Thanks.

  • Reason not to migrate:

    - Site-2-Site VPN Connections no longer working with Drayteks Vigor-Routers (see the support incident 110051441982509).

    - IPv6 unsupported as before.

    What are MS' plans on securing the IPv6 Web anyway?

  • I have to agree with HUI.  Lack of IPv6 support is UNFORGIVEABLE in TMG 2010.

    What the hell were you guys thinking?

    JamesNT

  • To keep your network Secure from unawanted  hacker  i preffer to TMG instead of ISA 2006 we are going to upgrade it from ISA 2006 To TMG

    Dilawar khan

    ITSE KSA

    dilawar.khan82@gmail.com

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment