Africa also urged to ‘Mind the TMG Gap’
By George Zervos, EMEA Sales Director at Kemp Technologies
In September last year, Microsoft announced that it was discontinuing its Forefront Threat Management Gateway product as part of a number of major changes to its Forefront product line in an ‘effort to better align security and protection solutions with the workloads and applications they protect’.
While Microsoft has pledged to provide current Forefront TMG customers worldwide, including those in high-growth developing markets, with mainstream support until the end of 2015 and extended support until 2020, the move, which surprised many customers, does present some challenges and raises the question of what will replace it.
Microsoft’s Forefront TMG, formerly known as Microsoft Internet Security and Acceleration Server (ISA Server), has been a key component of the solution for organisations deploying Microsoft Exchange, Lync or SharePoint. One of the key features of TMG is that it offers customers a way to publish and protect workload servers such as Exchange Client Access Servers; especially in internet facing deployments where a clean and secure separation between the back-end critical infrastructure and the public internet is essential.
TMG has proved particularly popular for use with Exchange infrastructures because of its relatively easy-to-deploy, reverse-proxy functionality. This is essential when you have a demilitarized zone (DMZ) to ‘sanitize’ incoming connections from the internet before passing traffic onto servers hidden by an internal network.
Microsoft’s decision to end TMG is part of a bigger picture. The company plans to integrate more security controls into the cloud with its Microsoft Office 365 solution and also replace TMG with its Unified Access Gateway (UAG) product.
However, it is not quite that simple. For a start, UAG can be up to twice as expensive. Depending on what part of the world you are based, the cost of transition could be painful. Secondly, for applications such as Exchange, there are some functionality gaps that UAG currently does not cover, such as two-factor authentication for ActiveSync devices or certificate-based authentication for OWA. And it is not just Exchange; while UAG has more features than TMG it also does not, as yet, fully support some Lync functionality and is overkill if used for only this purpose.
So for companies that do not want to migrate to Office 365 or adopt UAG, what are the options? The same question matters for companies that are taking this route and want to leverage the benefits and advantages that Microsoft Office 365 and UAG offer.
Many companies already deploy hardware load balancing appliances from companies such as KEMP in conjunction with TMG in order to publish Microsoft workload servers for internet facing applications. As well as separating the critical infrastructure from the external internet, load balancers stop traffic ‘at the gate’ and make sure that users are automatically connected to the best performing server. And if one becomes inaccessible, the load balancer will automatically re-route traffic to other functioning servers so that users always experience optimum performance. The load balancer may also offload processor intensive SSL encryption to speed up the throughput.
So, now that ‘End Of Sale’ time has arrived for TMG, KEMP will be extending its load balancing platform with new security features that build on existing core technologies such as the Reverse Proxy function to fill the gap left by TMG. This includes features such as end-point pre-authentication using Active Directory to protect workload servers from unauthorized access.
Clients will have to provide valid authentication information to gain access to a service, or they will be blocked.
Another feature is Single Sign On across multiple virtual services, which means clients only have to enter authentication information once to access all services in a Single Sign On (SSO) group. For example, a client accessing Exchange will also be able to access SharePoint and other workloads if they are configured in the same SSO group. KEMP also supports Persistent Logging and Reporting, key connection types between the load balancer and Active Directory, as well as NTLM and Basic authentication communication from a client to the load balancer.
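The following is an added, constructed model of the pre-authentication and SSO-group behaviour described above; it is not KEMP's code, and the `PreAuthGateway` class, the service names, the credential store standing in for Active Directory and the session lifetime are all assumptions made for the illustration.

```python
import secrets
import time

# Constructed configuration: virtual service -> SSO group (assumption, not a KEMP format).
SSO_GROUPS = {"exchange": "office", "sharepoint": "office", "lync": "office", "intranet": "internal"}
# Stand-in for Active Directory; constructed credentials for the example only.
DIRECTORY = {"alice": "correct horse battery"}
SESSION_TTL = 900  # seconds a pre-auth session stays valid (assumed value)


class PreAuthGateway:
    """Hypothetical load-balancer front end: authenticate once, then allow every
    virtual service in the same SSO group; block everything else."""

    def __init__(self, sso_groups, directory, ttl=SESSION_TTL):
        self.sso_groups = sso_groups
        self.directory = directory
        self.ttl = ttl
        self.sessions = {}  # token -> (user, sso_group, expiry)
        self.log = []       # persistent logging stand-in: (event, service, subject)

    def login(self, service, user, password, now=None):
        """Validate credentials against the directory; return a session token or None."""
        now = time.time() if now is None else now
        expected = self.directory.get(user, "")
        # Constant-time comparison avoids leaking password length/prefix via timing.
        if not secrets.compare_digest(expected.encode(), password.encode()):
            self.log.append(("auth_failed", service, user))
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, self.sso_groups[service], now + self.ttl)
        self.log.append(("auth_ok", service, user))
        return token

    def request(self, service, token, now=None):
        """Return True only if the request may be forwarded to the back-end server."""
        now = time.time() if now is None else now
        sess = self.sessions.get(token)
        if sess is None or sess[2] < now:          # unknown or expired session
            self.sessions.pop(token, None)
            self.log.append(("blocked", service, "no-session"))
            return False
        user, sess_group, _ = sess
        if sess_group != self.sso_groups[service]:  # SSO does not cross group boundaries
            self.log.append(("blocked", service, user))
            return False
        self.log.append(("forwarded", service, user))
        return True
```

Unauthenticated or expired requests never reach the workload server, and a session issued for Exchange is honoured by SharePoint only because both are in the same SSO group.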
Both large and small businesses are deploying large numbers of internet facing applications to support ever expanding business requirements. This rapidly growing number of servers needs to be scalable and highly reliable and above all, access to these servers and services needs to be secure.
“For organisations and businesses facing life without TMG, the addition of security features into their load balancers will continue to deliver protection along with scalability and high reliability. And with companies such as Kemp adding these features at no additional cost, this option becomes increasingly attractive – particularly within high growth markets like Africa and Southern Africa,” says Paul Luff, Sales Manager at Kemp Technologies.