What does TMG currently do?
Multiple networks - External (Public), Internal (LAN), DMZ
Forward proxy - allow/deny outbound web access. Rules can be created to filter on
- URLs, domains or pre-defined URL categories
- Active Directory users and groups or anonymous access
- Source computer IP address
- File types
Reverse proxy - ability to publish internal resources to the internet, such as Webmail/OWA
Monitoring and logging
L2TP/IPsec VPN connections
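The forward proxy is the part of TMG most organisations have to rebuild rule-by-rule on whatever replaces it, and the thing that bites in migration is rule ordering rather than any single rule. As an added example (not code from the original post, from TMG or from any of the products discussed), the Python below models the rule semantics listed above: ordered rules, first match wins, implicit deny at the bottom, matching on domain, URL category, AD user or group, anonymous access, source IP and file type. The category table, rule names, groups and addresses are all constructed for the illustration; a real proxy resolves categories from a vendor feed.

```python
# Added example: first-match evaluation of a forward-proxy web access policy.
# Models the rule semantics described above; not TMG or Sophos UTM code.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from posixpath import splitext
from typing import List, Optional, Set
from urllib.parse import urlsplit

# Constructed stand-in for a vendor URL-category feed.
CATEGORIES = {"facebook.com": "social", "dropbox.com": "filesharing", "example.com": "business"}


def category_of(host: str) -> Optional[str]:
    """Walk from the full host up through its parent domains until a category is found."""
    labels = host.split(".")
    for i in range(len(labels)):
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


@dataclass
class Rule:
    name: str
    action: str                                        # "allow" or "deny"
    domains: Set[str] = field(default_factory=set)     # exact host or any subdomain
    categories: Set[str] = field(default_factory=set)
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    sources: List = field(default_factory=list)        # ip_network objects
    file_types: Set[str] = field(default_factory=set)  # extensions such as ".exe"
    anonymous: bool = False                            # match only unauthenticated requests
    # A rule with no conditions matches every request (the "All Users" / "All Outbound" idiom).


@dataclass
class Request:
    url: str
    src_ip: str
    user: Optional[str] = None                         # None = no AD authentication
    groups: Set[str] = field(default_factory=set)


def matches(rule: Rule, req: Request) -> bool:
    parts = urlsplit(req.url)
    host = (parts.hostname or "").lower()
    ext = splitext(parts.path)[1].lower()
    if rule.domains and not any(host == d or host.endswith("." + d) for d in rule.domains):
        return False
    if rule.categories and category_of(host) not in rule.categories:
        return False
    if rule.anonymous and req.user is not None:
        return False
    if rule.users and req.user not in rule.users:
        return False
    if rule.groups and not (req.groups & rule.groups):
        return False
    if rule.sources and not any(ip_address(req.src_ip) in net for net in rule.sources):
        return False
    if rule.file_types and ext not in rule.file_types:
        return False
    return True


def evaluate(rules: List[Rule], req: Request):
    """First matching rule wins; anything unmatched falls through to an implicit deny."""
    for rule in rules:
        if matches(rule, req):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed policy, listed in evaluation order. Note the executable block sits above the
# allow rules: moving it below "lan-users-web" would silently let Domain Users fetch .exe files.
RULES = [
    Rule("block-executables", "deny", file_types={".exe", ".msi"}),
    Rule("marketing-facebook", "allow", domains={"facebook.com"}, groups={"Marketing"}),
    Rule("block-social", "deny", categories={"social"}),
    Rule("lan-users-web", "allow", groups={"Domain Users"}, sources=[ip_network("10.0.0.0/8")]),
    Rule("update-server", "allow", anonymous=True, domains={"example.com"},
         sources=[ip_network("10.0.5.20/32")]),
]


def demo():
    alice = {"Domain Users", "Marketing"}
    bob = {"Domain Users"}
    return {
        "alice_facebook": evaluate(RULES, Request("https://www.facebook.com/", "10.0.1.5", "alice", alice)),
        "bob_facebook": evaluate(RULES, Request("https://www.facebook.com/", "10.0.1.6", "bob", bob)),
        "bob_pdf": evaluate(RULES, Request("https://www.example.com/report.pdf", "10.0.1.6", "bob", bob)),
        "alice_exe": evaluate(RULES, Request("http://dl.example.com/tool.exe", "10.0.1.5", "alice", alice)),
        "updates_anon": evaluate(RULES, Request("http://example.com/patch", "10.0.5.20")),
        "other_anon": evaluate(RULES, Request("http://example.com/patch", "10.0.5.21")),
        "dmz_user": evaluate(RULES, Request("https://www.example.com/", "192.168.50.10", "bob", bob)),
    }


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:15s} {action:5s} via {rule}")
```

Running the script shows the same request being allowed for the marketing user and denied for everyone else, an anonymous request being allowed only from the one whitelisted source address, and a user on a network not covered by any rule falling through to the implicit deny. Whatever product replaces TMG, it is worth writing the exported rule set into a small evaluator like this and replaying real proxy log entries through it before cut-over.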
Microsoft ending support for TMG 2010 is a popular discussion topic within the IT industry, with many organisations finding themselves in the same position and looking at alternative solutions. I have been actively involved in discussions on LinkedIn, speaking with peers and suppliers and conducting my own research.
The solutions reviewed were as follows:
Sophos UTM – recommended by one of our suppliers, in LinkedIn groups and also on ISAServer.org, a popular website dedicated to TMG and its predecessor, ISA Server.
Microsoft UAG – Microsoft’s Unified Access Gateway
Barracuda – suggested in LinkedIn groups
Palo Alto – suggested by our ISP, Virgin Media; their product of choice in their own implementations
Websense Web Filter – industry renowned web filtering
Sophos UTM - everything runs on a single hardware appliance, or as software on a virtual machine, and the functionality is subscription based.
Barracuda - in all honesty, I found it difficult to get answers from Barracuda via their website, online chats and conversations with their official Twitter account. I was also promised a call from sales which I never received... however, what I was able to gather is that we would possibly require three different appliances (Barracuda Web Filter, Firewall and Application Firewall) to get all the functionality of TMG. This may not be the case, but I gave up trying to find out.
Based on the simplicity of one vendor being able to offer TMG's functionality in a single appliance, I decided to investigate Sophos UTM further.
Sophos provide a number of different-sized hardware appliances (and also software to run on a virtual server) suited to organisations of all sizes.
You purchase the appliance outright, as well as licence subscriptions and 24/7/365 premium support for the desired term.
You can subscribe for the Firewall, Network, Web, Webserver, Email and Wireless protection modules. All are available under the Full Guard subscription package, which may work out cheaper than picking and choosing individual subscriptions. Sophos also provide Endpoint protection, but this is licensed separately.
When I questioned Sophos about what would happen in the event of a hardware failure, I was told it could take up to 72 hours to get a replacement. There's no additional service to improve on this, so our only option was to look at getting a second Sophos UTM box configured for high availability (active/passive). Luckily there was a promotion with the reseller to buy one box, get another free :)
Sophos actually came and spent a day with me to give a demo and to find out a bit more about what we were trying to achieve... this was really useful. I came out of it feeling very impressed at what I had seen and confident that Sophos UTM will provide all the functionality of TMG... and more. Some of the additional benefits include:
Simple management interface - via web browser, meaning it can be accessed and managed from many different devices. Similar feel to TMG for creating networks, rules etc.
High availability - a second Sophos UTM on standby should the primary UTM fail
Backup internet connections should the primary connection go down
Prioritise bandwidth with Quality of Service (QoS)
Automatic daily local backup of configuration with the option to also email out the backup file elsewhere
Automatic firmware downloads and scheduled install. No additional charge for updates
Web access policies can be created based on source MAC address (note that the UTM only sees a client's MAC address when the client is on a directly attached network segment, and MAC addresses are trivially spoofed, so treat this as a convenience for unmanaged devices rather than an authentication control)
Granular application control policies (e.g. allow Facebook, but block Facebook chat)
Granular reporting which is much, much better than TMG! Report on users, groups, blocked sites and much more. You can even report on what users have typed into search engines! There is also the ability to configure email subscriptions to reports
Increased security for web server publishing: URL hardening, form hardening, cookie signing, SQL injection protection etc.
SSL Client VPN
Clientless HTML 5 web portal for publishing work resources via a web browser (seems similar to RD Web Apps) - customisable per user.
Protection against man-in-the-middle attacks, port scanning and DNS flood attacks.
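Of the web server publishing protections listed above, "cookie signing" is the one whose mechanism is least obvious from the name. The Python below is an added illustration of what the technique does in general on a reverse proxy or web application firewall; it is not Sophos UTM's implementation and not code from the original post. The proxy holds a secret the published web server never sees, appends an HMAC tag to every cookie value the server sets, and strips any cookie that comes back from the client without a valid tag, so a client cannot edit a server-issued session or role cookie and have the server trust it. The secret and cookie values are constructed.

```python
# Added example: cookie signing as performed by a reverse proxy / WAF in front of a
# published web server. Generic illustration, not a specific product's implementation.
import hashlib
import hmac

PROXY_SECRET = b"constructed-proxy-secret-rotate-me"   # constructed; lives only on the proxy


def _tag(name: str, value: str) -> str:
    # Bind the tag to the cookie name as well as its value so a valid tag cannot be
    # moved from one cookie to another.
    msg = f"{name}={value}".encode()
    return hmac.new(PROXY_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def sign_outbound(cookies: dict) -> dict:
    """Server -> client: rewrite each Set-Cookie value to value.tag."""
    return {n: f"{v}.{_tag(n, v)}" for n, v in cookies.items()}


def verify_inbound(cookies: dict) -> tuple:
    """Client -> server: keep only cookies whose tag verifies; report the ones dropped."""
    accepted, rejected = {}, []
    for n, signed in cookies.items():
        value, sep, tag = signed.rpartition(".")   # tag is hex, so the last '.' delimits it
        if sep and hmac.compare_digest(tag, _tag(n, value)):
            accepted[n] = value
        else:
            rejected.append(n)
    return accepted, rejected


def demo():
    issued = sign_outbound({"session": "abc123", "role": "user"})
    # An honest client returns the cookies exactly as issued.
    honest, _ = verify_inbound(issued)
    # A tampering client edits the role but cannot recompute the tag without the secret.
    tampered = dict(issued)
    tampered["role"] = "admin." + issued["role"].rpartition(".")[2]
    accepted, rejected = verify_inbound(tampered)
    return honest, accepted, rejected


if __name__ == "__main__":
    honest, accepted, rejected = demo()
    print("honest client  ->", honest)
    print("tampered client->", accepted, "dropped:", rejected)
```

One caveat when turning this on for a real published application: cookies written on the client side by JavaScript never pass through the proxy on the way out, so they carry no tag and would be dropped on the way in; products that offer cookie signing therefore need an exclusion list for such cookies, and it is worth checking how the replacement product handles them before publishing something like OWA behind it.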
Coming soon in version 9.2
Two factor authentication
Create a warning message/prompt for users to accept before accessing a certain site, rather than blocking the site completely (useful for Dropbox and similar)
I was also really impressed with the simplicity of setting up wireless access points. Wireless keys can be issued in a number of ways, including one option where a different key is generated automatically every day and emailed to reception staff!
Sophos have a RED (Remote Ethernet Device) box which securely connects branch offices without local setup (i.e. no leased line or ethernet extension required between sites). The RED box creates an encrypted tunnel between sites at up to 360 Mbps. This could also be considered as an option for home workers.
I hope this post helps in your own search for a replacement to TMG. Good luck