The Cloud Security Man

Choosing Between Forefront TMG or Forefront UAG for Publishing Scenarios


Your first decision when planning a publishing solution using Forefront TMG 2010 (TMG) or Forefront UAG 2010 (UAG) is to determine which of the two products best fits the needs of the deployment.

Both TMG and UAG can securely publish Exchange, SharePoint, Terminal Services and web-based line-of-business applications to the Internet. However, each product offers some features, or supports some scenarios, that the other does not. So the first step in choosing which product to use is deciding which features you need, or think you may need.

Some deployments may actually benefit from using both TMG and UAG to satisfy specific requirements. For example, you might use UAG to provide a unified portal experience for your inbound web-based client access, use TMG to protect Internet access for your internal users, and also use TMG to provide certificate-based authentication to your mobile-device-enabled workforce.

The following table compares both products at a functional level:

| Feature or Capability | Description | Forefront Threat Management Gateway 2010 | Forefront Unified Access Gateway 2010 |
|---|---|---|---|
| Scale Out Using Arrays | Arrays enable you to apply the same configuration settings to multiple machines participating in the same array. | X | X |
| Network load balancing of the publishing array | Network Load Balancing (NLB) enables high availability and transparent failover for participants in the NLB array. | X | X |
| Load Balancing of Back-End Servers | Integrated web farm load balancing enables you to load balance connections to back-end web servers, removing the need for a hardware load balancer behind the web gateway. | X | X |
| Single network interface deployment | The web gateway can be deployed in a single-NIC configuration, so that NICs do not span multiple networks. | X | |
| Enterprise Management (multiple nodes in one array) | Enterprise Management enables the administrator to manage multiple arrays located throughout the organization from a single management interface; in addition, the configuration for all arrays is stored in a centralized location that sits off the array members. | X | |
| Integrated Windows Authentication | Integrated Windows Authentication enables SPNEGO, Kerberos or NTLM authentication with the web gateway. | X | |
| Support two-factor authentication for web applications | Two-factor (multi-factor) authentication enables the administrator to require users to present two or more pieces of information to access resources. | X | X |
| Certificate Authentication with ActiveSync | Certificate authentication with ActiveSync increases overall ActiveSync security by requiring the device to present a certificate before access to Exchange Server resources is allowed. | X | |
| Upgrade Path from ISA 2006 | While it is not possible to do an in-place upgrade from ISA to TMG (because ISA was 32-bit only and TMG is 64-bit only), there is a clear and easy-to-perform upgrade path. | X | |
| Authorization Using Endpoint Policies | Endpoint detection determines the state of the device connecting to the gateway and enforces access policy based on the results of the endpoint detection. | | X |
| SharePoint rich client support (MSOFBA) | MSOFBA is a protocol that provides forms-based authentication, instead of basic authentication, when you use Office client applications. | | X |
| Federation support with ADFS | Use the integration support for ADFS to enable federated identity scenarios. | | X |
| Endpoint Session Cleanup | Endpoint session cleanup provides a mechanism to remove information obtained from the server during the course of the session; removal takes place on log off. | | X |
| Port Scalability | Port scalability enables you to publish more resources while using fewer ports on the receiving interface of the web gateway. | | X |
| Password Lockout Protection (at a node level) | Password lockout protection protects the user account from being inadvertently locked out by either a friendly or a malicious user; the user is locked out of the gateway, but not in Active Directory. | | X |
| Granular access policies | Granular access policies enable the administrator to control access to applications and to components of applications, based on the results of user and device assessments. | | X |
| Support for DirectAccess | DirectAccess is a new remote access technology that enables users to be always connected to the intranet and enables IT to always have connectivity to the users, all done transparently without user intervention. | | X |
| Portal functionality to publish multiple line-of-business applications | Portal functionality enables users to connect to a single URL to access a portal page that contains the applications and services available to the user, based on the results of user and device assessment. | | X |
| Load balancing support for HTTP-based protocol access from the Internet | Load balancing enables an array of web gateways to handle more requests more efficiently by evenly distributing connections among members of the load-balanced array. | X | X |
| Highly Customizable | Customizable according to the support guidelines and the development policies and processes for Microsoft partners. | | X |
| Built-in Wizards for Exchange | The built-in wizard for publishing Exchange web services makes it simple to publish these resources using a secure default configuration. | X | X |
| Outlook Web Access "Look and Feel" | Both UAG and TMG provide a log on page experience that is similar to the one provided by Exchange Outlook Web Access (OWA). | X | X |
| Publish Microsoft Office Outlook Web App and the Exchange Control Panel (ECP) using forms-based authentication | Forms-based authentication enables users to enter credentials in an easy-to-use form to authenticate with the web gateway. | X | X |
| Publish Outlook Anywhere using Basic or NTLM authentication | | X | X |
| Publish Microsoft Exchange ActiveSync using Basic authentication | | X | X |
| Support two-factor authentication for Exchange ActiveSync | | X | |
| Provide certificate-based authentication for Exchange ActiveSync, Outlook Web App, and ECP | | X | |
| Perform mail hygiene for Exchange with installation of the Edge Transport server role and Microsoft Forefront Protection 2010 for Exchange Server | Email inspection can be performed on the web gateway to protect against spam and malware. | X | |
| Protect and filter Internet access for internal users from malware and other Web-based threats | The web gateway can perform URL filtering to block undesirable web sites and can scan for and block malware delivered from the web. | X | |
| Provide support for scaled-up Outlook Anywhere deployments by using multiple source IP addresses | UAG has a Port Scalability feature that allows UAG to use multiple source IP addresses on its internal interface to contact the published CAS servers, allowing it to overcome the limit of 60000 ports maximum for a single IP address. | | X |
| Check a client computer accessing Outlook Web App for presence of approved antivirus software, updates, etc. | Endpoint detection can be performed to ensure that the client attempting to access the OWA Exchange web service meets corporate security standards before access is allowed. | | X |
| Built-in features for SharePoint publishing | The web gateway has wizards and other technologies that make intelligent decisions on how best to publish SharePoint resources. | X | X |

Thanks to Fernando Cima and Carsten Kinder for developing this table.

HTH,

Tom

Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management
Anywhere Access Group (AAG)
The “Edge Man” blog:
http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter:
http://twitter.com/tshinder
Facebook:
http://www.facebook.com/tshinder

Comments
  • Hi

    Nice post. I was looking for information on TMG two-factor authentication. I'd like to know if it is possible to provide two-factor authentication to some users in AD using the TMG. Also, how does the TMG provide 2FA? Is it via delegation to a RADIUS server to do the second-factor authentication?

    thanks

  • So with the announcement of TMG support ending will UAG change fundamentally or add components missing here? Plus SP2 would add pieces missing here yes?

  • Agreed about UAG SP2. This table needs to be revised accordingly.

  • Hi,

    I have arrived to this blog post because I'm trying to implement a solution, and deploy it with Azure VM, based on UAG SSO to access a SharePoint,

    This solution is built with three VMs, one containing a Domain Controller, one containing the SharePoint itself and the third one containing UAG. I have to say that this implementation works perfectly on my laptop as Hyper-V VMs.

    The question is if I can deploy these three VMs to Azure, and make them work as well as they work on my laptop. Obviously the two VMs containing the DC and the SharePoint implementation work well in Azure. But, about the VM containing UAG, is it possible to experience some issue with the networking treatment that UAG does with web requests?

    Any help would be appreciated because I'm stuck with this part of my solution.

    Thanks in advance

  • UAG requires two NICs and Azure supports only one NIC in VMs placed on an Azure Virtual Network.
