• Choosing Between Forefront TMG or Forefront UAG for Publishing Scenarios

    Your first decision when planning a publishing solution using Forefront TMG 2010 (TMG) or Forefront UAG 2010 (UAG) is to determine which of the two products best fits the needs of the deployment.

Both TMG and UAG can securely publish Exchange, SharePoint, Terminal Services and web-based line-of-business applications to the Internet. However, each product offers some features or supports some scenarios that the other does not. So, the first step in choosing which product to use is deciding what features you need or think you may need.

    Some deployments may actually benefit from using both TMG and UAG to satisfy specific requirements. For example, you might use UAG to provide a unified portal experience for your inbound Web-based client access, use TMG to protect Internet access for your internal users, and use Forefront TMG to provide certificate-based authentication to your mobile device-enabled workforce.

    The following table compares both products at a functional level:

Feature or Capability | Description | Forefront Threat Management Gateway 2010 | Forefront Unified Access Gateway 2010
--- | --- | --- | ---
Scale Out Using Arrays | Arrays enable you to apply the same configuration settings to multiple machines participating in the same array | X | X
Network load balancing of the publishing array | Network Load Balancing (NLB) enables high availability and transparent failover for participants in the NLB array | X | X
Load Balancing of Back-End Servers | Integrated Web Farm load balancing enables you to load balance connections to back-end web servers, removing the need for a hardware load balancer behind the web gateway | X | X
Single network interface deployment | The web gateway can be deployed in a single-NIC configuration, so that NICs do not span multiple networks | X |  
Enterprise Management (multiple nodes in one array) | Enterprise Management enables the administrator to manage multiple arrays located throughout the organization from a single management interface; in addition, the configuration for all arrays is stored in a centralized location that is not on any of the array members | X |  
Integrated Windows Authentication | Integrated Windows Authentication enables SPNEGO, Kerberos or NTLM authentication with the web gateway | X |  
Support two-factor authentication for web applications | Two-factor (multi-factor) authentication enables the administrator to require users to present two or more pieces of information to access resources | X | X
Certificate Authentication with ActiveSync | Certificate authentication with ActiveSync increases the overall security of the ActiveSync scenario by requiring the device to present a certificate before allowing access to Exchange Server resources | X |  
Upgrade Path from ISA 2006 | While it’s not possible to do an in-place upgrade from ISA to TMG (because ISA was 32-bit only and TMG is 64-bit only), there is a clear and easy-to-perform upgrade path | X |  
Authorization Using Endpoint Policies | Endpoint detection determines the state of the device connecting to the gateway and enforces access policy based on the results of the endpoint detection |   | X
SharePoint rich client support (MSOFBA) | MSOFBA is a protocol that provides forms-based authentication, instead of basic authentication, when you use Office client applications |   | X
Federation support with ADFS | Use integration support for ADFS to enable federated identity scenarios |   | X
Endpoint Session Cleanup | Endpoint session cleanup provides a mechanism to remove information obtained from the server during the course of the session; removal takes place on log off |   | X
Port Scalability | Port scalability enables you to publish more resources while using fewer ports on the receiving interface of the web gateway |   | X
Password Lockout Protection (at a node level) | Password lockout protection protects the user account from being inadvertently locked out by either a friendly or a malicious user; the user is locked out of the gateway, but not in Active Directory |   | X
Granular access policies | Granular access policies enable the administrator to control access to applications and to components of applications, based on the results of user and device assessments |   | X
Support for DirectAccess | DirectAccess is a new remote access technology that enables users to be always connected to the intranet and enables IT to always have connectivity to the users, all done transparently without user intervention |   | X
Portal functionality to publish multiple line-of-business applications | Portal functionality enables users to connect to a single URL to access a portal page that contains the applications and services available to the user, based on the results of user and device assessment |   | X
Load balancing support for HTTP-based protocol access from the Internet | Load balancing enables an array of web gateways to handle more requests more efficiently by evenly distributing connections among members of the load-balanced array | X | X
Highly Customizable | Customizable according to the support guidelines and the development policies and processes for Microsoft partners |   | X
Built-in Wizards for Exchange | A built-in wizard for publishing Exchange web services makes it simple to publish these resources using a secure default configuration | X | X
Outlook Web Access “Look and Feel” | Both UAG and TMG provide a log on page experience that is similar to the one provided by Exchange Outlook Web Access (OWA) | X | X
Publish Microsoft Office Outlook Web App and the Exchange Control Panel (ECP) using forms-based authentication | Forms-based authentication enables users to enter credentials in an easy-to-use form to authenticate with the web gateway | X | X
Publish Outlook Anywhere using Basic or NTLM authentication |   | X | X
Publish Microsoft Exchange ActiveSync using Basic authentication |   | X | X
Support two-factor authentication for Exchange ActiveSync |   | X |  
Provide certificate-based authentication for Exchange ActiveSync, Outlook Web App, and ECP |   | X |  
Perform mail hygiene for Exchange with installation of the Edge Transport server role and Microsoft Forefront Protection 2010 for Exchange Server | Email inspection can be performed on the web gateway to protect against spam and malware | X |  
Protect and filter Internet access for internal users from malware and other Web-based threats | The web gateway can perform URL filtering to block undesirable web sites and can scan for and block malware delivered from the web | X |  
Provide support for scaled-up Outlook Anywhere deployments by using multiple source IP addresses | UAG has a Port Scalability feature that allows UAG to use multiple source IP addresses on its internal interface to contact the published CAS servers, allowing it to overcome the limit of 60000 ports maximum on a single IP address |   | X
Check a client computer accessing Outlook Web App for presence of approved antivirus software, updates, etc. | Endpoint detection can be performed to ensure that the client attempting to access the OWA Exchange web service meets corporate security standards before allowing access |   | X
Built-in features for SharePoint publishing | The web gateway has wizards and other technologies that make intelligent decisions on how to best publish SharePoint resources | X | X

    Thanks to Fernando Cima and Carsten Kinder for developing this table.

    HTH,

    Tom

    Tom Shinder
    tomsh@microsoft.com
    Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management
    Anywhere Access Group (AAG)
    The “Edge Man” blog :
    http://blogs.technet.com/tomshinder/default.aspx
    Follow me on Twitter:
    http://twitter.com/tshinder
    Facebook:
    http://www.facebook.com/tshinder

  • Serving Up Quality Content on the TechNet Wiki–The TMG Troubleshooting Survival Guide

There’s a continuing debate in the IT Pro community whether or not you can host quality content on a wiki. If you don’t know what a wiki is, it’s a platform where anyone can post content and then, after the content is posted, anyone can edit it.

    Seems like a good idea, since IT Pros can share their collective experience and enhance the content – essentially creating a global “brain trust” that enables the possibility of creating the most comprehensive and most accurate content possible.

Of course, there are other perspectives on the intrinsic value of a wiki that lets everyone edit documents. The following video embodies this sentiment.

    Michael Scott on the authoritative nature of unrestricted wiki content

    Well, regardless of which end of the wiki debate you might find yourself, one thing is clear – there is a ton of great information on the TechNet wiki now, and the amount and the quality of the content continues to grow.

    Proof of this comes from the recent posting of the Forefront Threat Management Gateway (TMG) 2010 Troubleshooting Survival Guide. Yuri Diogenes worked day and night, night and day, for weeks to put together this vital resource that is sure to benefit all TMG firewall administrators. You can find the TMG Troubleshooting Survival Guide over at:

    http://social.technet.microsoft.com/wiki/contents/articles/forefront-threat-management-gateway-tmg-2010-troubleshooting-survival-guide.aspx

And remember – it’s on the wiki! That means you can add information, correct incorrect information, or even insert comments into the document. Share what you’ve learned about troubleshooting the TMG firewall. We want you to participate, because it takes a village to troubleshoot the TMG firewall.

    HTH,

    Tom


  • DirectAccess Gets Positive Comments in The Register

From what I hear, this year is going to be the year where we see the wave of enterprise Windows 7 rollouts take place. While I’m not sure how these assessments are made, it makes sense from where I sit. Windows 7 Service Pack 1 has been released and end users, admins and the media have all been complimentary of Windows 7. Let’s face it – Windows 7 just plain rocks!

    For this reason, I expect that we’re going to see a lot of new DirectAccess deployments being planned and executed. What’s one of the biggest goodies you get with Windows 7? I’d argue that DirectAccess is on the top five list.

    If you’ve already deployed DirectAccess, you’ve seen your users and management love what it’s done for their productivity and overall computing experience. I’ve seen the same here at Microsoft. If someone who has been on DirectAccess for a few weeks somehow can’t get it to work, they show all the physical symptoms of withdrawal. Sweating, anxiety, fear, sadness, depression, and cravings all appear to those deprived of DirectAccess (OK, probably not everyone in the company has those symptoms when DirectAccess isn’t working, but that’s what happens to me).

Of course, it’s always nice to see external commentators say something nice about DirectAccess. And that happened a couple of weeks ago on The Register. The Register’s motto is “Biting the Hand that feeds IT”, which is consistent with their hard-hitting approach to reporting on technology issues. So you know if they say something nice, they mean it.

So when I read this quote at http://www.theregister.co.uk/2011/03/18/windows7_move/ I cried tears of joy:

    “…there are real improvements in Windows 7…Direct Access, which requires Windows 7 and at least one instance of Server 2008 R2, lets users connect to file shares across the internet and without VPN. This is lighter weight and less risky than VPN, which gives all or nothing remote access…”

    Sure, it’s not glowing or gushy but that’s not how The Register rolls.

    What it does say to me is that they think DirectAccess is a good thing and one of the important reasons to strongly consider integrating DirectAccess early in your Windows 7 deployment plans.

    Thanks!

    Tom


  • Heads Up on New Contest for Forefront Security Enthusiasts

Many of you might know my friend Yuri Diogenes from the great work he’s done over the years for ISA Server and the TMG firewall. Yuri has spent the last several years working in the CSS Security Team, and most of his work was focused on Forefront products.

    Last Month, Yuri moved from the support organization to the Information Experience (iX) organization (which includes technical writers and advanced technical communicators).  Yuri has hit the ground running and I expect that he will have a long and successful career in the iX organization – it’s in his blood!

With that as an introduction, I’d like to let you in on a contest that Yuri is starting in the near future. In this contest you’ll need to be able to answer questions about Forefront products, such as TMG, UAG and Forefront Security for Exchange. But instead of just answering questions, you’ll need to subscribe to Yuri’s Twitter feed so that you can *get* the questions! How’s that for sly?

    Head on over to Yuri’s blog for more information on the contest – and good luck!

    http://blogs.technet.com/b/yuridiogenes/

Yuri Diogenes – Friend of those in the trenches

    HTH,

    Tom


  • DirectAccess - More Information on the “No Usable Certificate(s)” 0x103 Error

In the continuing saga of the “No Usable Certificate(s) 0x103” error, which has been discussed in two previous blog posts:

    http://blogs.technet.com/b/tomshinder/archive/2010/03/30/troubleshooting-the-no-usable-certificate-s-ip-https-client-error.aspx

    and

    http://blogs.technet.com/b/tomshinder/archive/2011/02/21/another-cause-of-the-no-usable-certificates-s-0x103-error.aspx#3415408

we’ll expand on the explanation of why the computer certificate isn’t included in the NTAUTH store on the UAG DirectAccess server. In the second link noted above, we discovered that we’ll see the “No Usable Certificate(s) 0x103” error when there is no CA certificate contained in the NTAUTH store of the UAG DirectAccess server.

What we didn’t discuss was “why wasn’t there a CA certificate in the NTAUTH store of the UAG DirectAccess computer?”

If you look in the comments section over at http://blogs.technet.com/b/tomshinder/archive/2011/02/21/another-cause-of-the-no-usable-certificates-s-0x103-error.aspx#3415408 you’ll see that a UAG DirectAccess server admin is having this problem – there is no CA certificate in the NTAUTH store on the UAG DirectAccess server. What he discovered is that while the client machines had this certificate installed, the UAG DirectAccess server didn’t, and he thought the reason for this was that only the client systems were receiving certificates through autoenrollment; the UAG DirectAccess server was not obtaining a computer certificate through autoenrollment.

    I thought this was interesting and did a little research on the subject.

    At http://msmvps.com/blogs/bradley/archive/2009/02.aspx?PageIndex=3 you can find the following information:

“…A Windows client's Enterprise NTAuth store is a local cache of certificates published in the NTAuthCertificates store in Active Directory. These certificates are propagated from Active Directory to Windows clients via Group Policy. Since the workstation is not a member of a domain, the local NTAuth cache is not being updated and so is empty…

Resolution:
---------------------------
The local NTAuth store can be manually populated using certutil.exe.
Certutil -enterprise -addstore NTAuth CaCertificate.cer
The physical location for the NTAuth store is:
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates
When the issuing CA certificate is added to the NTAuth store…”

The distribution of the enterprise CA certificate is separate from the distribution of the computer certificates through autoenrollment. Distribution of the CA certificate is automatic, happens through Group Policy mechanisms, and is done when the machine joins the domain. In contrast, distribution of the computer certificate through autoenrollment is something that you need to configure manually and target at the machines that you want the certificates assigned to; requests are then sent to the CA for certificate distribution to the requesting client.

    Our UAG DirectAccess server admin discovered the answer at support.microsoft.com/.../295663. Check this out:

    “The contents of the NTAuth store are cached in the following registry location:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates

    This registry key should be automatically updated to reflect the certificates that are published to the NTAuth store in the Active Directory configuration container. This behavior occurs when Group Policy settings are updated and when the client-side extension that is responsible for autoenrollment executes. In certain scenarios, such as Active Directory replication latency or when the Do not enroll certificates automatically policy setting is enabled, the registry is not updated. In such scenarios, you can run the following command manually to insert the certificate into the registry location:

    certutil -enterprise -addstore NTAuth CA_CertFilename.cer”
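The two quotes above give the registry location of the NTAuth cache and the certutil command that repopulates it. The following PowerShell script is an added example (it is not from the original post or from Microsoft) that reads that registry key on the UAG DirectAccess server, decodes the cached CA certificates, and reports whether the issuer of each machine certificate is present, so you can confirm the cause of the 0x103 error before running the fix. It assumes the CAPI property-record layout for the registry "Blob" value (PropId 32 holds the DER certificate), and it matches issuers by DN string, which is a simplification; CA_CertFilename.cer in the remediation hint is the same placeholder the quoted KB article uses.

```powershell
# Added example: inspect the local NTAuth cache described in the post.
# Assumption: registry-backed certificate stores serialize each entry as
# records of DWORD PropId, DWORD Reserved, DWORD DataLength, data bytes,
# and the DER-encoded certificate lives in PropId 32 (CERT_CERT_PROP_ID).
$NtAuthRegPath = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'

function ConvertFrom-RegistryCertBlob {
    param([Parameter(Mandatory)][byte[]]$Blob)
    $offset = 0
    while (($offset + 12) -le $Blob.Length) {
        $propId = [BitConverter]::ToUInt32($Blob, $offset)
        $length = [int][BitConverter]::ToUInt32($Blob, $offset + 8)
        $start  = $offset + 12
        if (($start + $length) -gt $Blob.Length) { break }   # malformed record, stop
        if ($propId -eq 32) {
            $der = New-Object byte[] $length
            [Array]::Copy($Blob, $start, $der, 0, $length)
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
        }
        $offset = $start + $length
    }
    return $null
}

function Get-NTAuthCacheCertificate {
    # Returns the CA certificates currently cached under the NTAuth registry key.
    if (-not (Test-Path $NtAuthRegPath)) { return @() }
    Get-ChildItem -Path $NtAuthRegPath | ForEach-Object {
        $blob = (Get-ItemProperty -Path $_.PSPath -Name Blob -ErrorAction SilentlyContinue).Blob
        if ($blob) { ConvertFrom-RegistryCertBlob -Blob $blob }
    } | Where-Object { $null -ne $_ }
}

function Test-NTAuthForMachineCertificates {
    # For each machine certificate, report whether its issuer is in the NTAuth cache.
    # Issuer/Subject DN string comparison is a simplification of a full chain check.
    $cachedSubjects = @(Get-NTAuthCacheCertificate | ForEach-Object { $_.Subject })
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        [pscustomobject]@{
            Subject        = $_.Subject
            Issuer         = $_.Issuer
            IssuerInNTAuth = ($cachedSubjects -contains $_.Issuer)
            NotAfter       = $_.NotAfter
        }
    }
}

$cachedCerts = @(Get-NTAuthCacheCertificate)
if ($cachedCerts.Count -eq 0) {
    Write-Warning "NTAuth cache at $NtAuthRegPath is empty or missing."
    Write-Warning 'Populate it as the KB article quoted above describes (CA_CertFilename.cer is a placeholder):'
    Write-Warning '  certutil -enterprise -addstore NTAuth CA_CertFilename.cer'
} else {
    "NTAuth cache contains $($cachedCerts.Count) certificate(s):"
    $cachedCerts | Format-Table Subject, Thumbprint, NotAfter -AutoSize
}
Test-NTAuthForMachineCertificates | Format-Table -AutoSize
# Cross-check with the built-in tool: certutil -enterprise -store NTAuth
```

Run it in an elevated PowerShell session on the DirectAccess server. A machine certificate whose IssuerInNTAuth column reads False while the client machines show the same issuer as present is exactly the mismatch the admin in the comments ran into; after running the certutil command from the quote (or after Group Policy refreshes the cache), rerun the script to confirm the issuer now appears.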

Our hats are off to you, anonymous UAG DirectAccess admin!

    HTH,

    Tom


    Visit the TechNet forums to discuss all your UAG DirectAccess issues
    http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/threads

    Stay up-to-date with “just in time” UAG DirectAccess information on the TechNet wiki http://social.technet.microsoft.com/wiki/tags/DirectAccess/default.aspx