The confusing state of Microsoft’s TMG and UAG firewall and proxy software
I have been trying out Microsoft’s Forefront Unified Access Gateway (UAG) recently, partly because it is the only supported way to publish a SharePoint site for Windows Phone. This was my first go with the product, though I am already familiar with the Threat Management Gateway (TMG) and its predecessor Internet Security and Acceleration Server (ISA) – and before that Proxy Server, dubbed “Poxy Server” by admins frustrated with its limitations. All these products are related, and in the case of UAG and TMG, more closely than I realised.
Note that Microsoft has indicated that the current version of TMG, 2010, is the last. What is happening to UAG is less clear.
What I had not realised until now is that TMG installs as part of UAG, though you are not meant to use it other than for a few limited uses. It is mainly there to protect the UAG server. The product positioning seems to be this:
- Use UAG for publishing applications such as SharePoint, Direct Access (access to Windows file shares over the internet) and Exchange. It is essentially a reverse proxy, a proxy for publishing and protecting server applications.
- Use TMG for secure internet access for users on your network.
This means that if you want to use Microsoft’s platform for everything possible, you are expected to run both UAG and TMG. That is OK for enterprises but excessive for smaller organisations. It is odd, in that TMG is also a capable reverse proxy. TMG is also easier to use, though that says more about the intricate user interface of TMG than it does about the usability of TMG. Neither product can be described as user friendly.
The complexity of the product is likely to be one of the reasons TMG is now being discontinued. It is a shame, because it is a decent product. The way TMG and ISA are designed to work is that all users have to authenticate against the proxy before being allowed internet access. This gives administrators a high degree of control and visibility over which users access which sites using which protocol.
Unfortunately this kind of locked-down internet access is inconvenient, particularly when there are a variety of different types of device in use. In many cases admins have to enable SecureNAT, or in other words unauthenticated access, partly defeating the purpose, but there is little choice.
ISA Server used to be supplied as part of Small Business Server (SBS); but when I spoke to Microsoft about why it was dropped in SBS 2008, I was told that few used it. Businesses preferred a hardware solution, whether a cheap router modem from the likes of Netgear or Linksys, or a security appliance from a company like Sonicwall, Cisco or Juniper.
The hardware companies sell the idea that a hardware appliance is more secure, because it is not vulnerable to Windows or Linux malware. There is something in the argument, but note that all security appliances are more software than hardware, and that a Windows box will be patched more regularly. ISA’s security record was rather good.
My hunch is that ease of use was a bigger factor for small businesses. Getting ISA or TMG to do what you want can be even more challenging than working out the user interface of a typical hardware appliance, though perhaps not with the more complex high-end units.
As for UAG, I have abandoned the idea of testing it for the moment. One of the issues is that my test setup has only one external IP. UAG is too elaborate for a small network like mine. I am sticking with TMG.