Forefront TMG 2010 Replacement Options
Since Microsoft formally announced the end of life for the venerable Forefront TMG 2010 firewall, the most common question I hear is “What should I replace my Forefront TMG firewall with?” It’s an excellent question, and one that I can’t really answer for you definitively. Since Microsoft has elected to leave this space entirely, you’ll obviously be replacing it with a solution from another vendor. But which one? Well, the answer is “it depends”. There are many excellent firewalls, web proxies, and secure web gateways on the market today. So-called “Next Generation Firewalls” are gaining in popularity as well, and provide some interesting capabilities a security administrator can leverage to provide increased protection for their corporate networks. Which one to choose depends on many factors, and will vary greatly depending on your deployment scenario. My suggestion when evaluating potential replacements for your Forefront TMG 2010 firewall is to take a look at your current configuration, review your corporate security policy to determine network security requirements, then begin researching products that include the features you need. If you take a look at the latest Gartner Magic Quadrant for Secure Web Gateways or Next Generation Firewalls and choose a product in the leaders or challengers quadrants you will probably be satisfied. Regardless which solution you choose, demand a proof-of-concept or insist on an evaluation period with which you can return the product for a full refund if it doesn’t meet your needs or expectations. Be open-minded during the process, as you’re not likely to have the comfort level with the new solution as you do with your existing Forefront TMG 2010 firewall. If you are using your Forefront TMG 2010 firewall as a dedicated remote access solution, I would encourage you to look closely at Windows Server 2012 remote access VPN and especially DirectAccess.
Keep in mind that although Microsoft has announced the end of life for Forefront TMG 2010, it will still be supported for many years to come. You will have full feature functionality until the end of 2015, and the product will be supported in some fashion until early 2020 so there’s no need to rush. Perhaps the best replacement for Forefront TMG 2010 hasn’t even been created yet! If you have questions about Forefront TMG 2010 replacements, or you are in the process of evaluating another solution to replace your existing Forefront TMG firewall today, feel free to ask questions or share your experiences by commenting below. Thanks!
Connect
Richard Hicks' Forefront TMG Blog 
We decided that this summer we will be moving to a Cisco ASA 5515 for VPN, Firewall, and IPS. A Websense appliance for transparent proxy and URL and malware filtering. I would be lying if I didn’t say this would cost us around 100 times more then TMG. However, I know I will be getting some of the best currently out there to replace what we have now.
Nice article, I am using TMG for publication and reverse proxy.
I am looking for something similar for Exchange Publication, Website Publication,..
Any thoughts ?
This setup is a popular alternative to Forefront TMG 2010, that’s for sure. And certainly I’ve replaced quite of few of those with TMG in the past! Looking ahead though it’s a good “best of breed” solution to support secure web access and still provide secure remote VPN access as well.
Forefront UAG 2010 is an excellent solution for publishing and reverse proxy scenarios. And unlike TMG, UAG still has a product roadmap which is always a good thing. 🙂
Those that would like to stick with a Windows platform I would invite to take a look at WinGate. It’s been around since before MS Proxy server was released in 1997, and has come a very long way since then. It has a firewall, http proxy, reverse proxy, SSL features as well as mail features and a proprietary VPN solution for site-site. We are also very responsive when it comes to new customer requirements.
Not sure if WinGate is an enterprise solution, but it might be a good fit for many SMB’s. I’ll definitely give that a look though! 🙂
Hi Richard. WinGate certainly used to target mainly SOHO back in the late 90’s, but now we have quite a few much larger customers (many 1000s of users), and features more tailored to enterprise, such as Active Directory integration, SQL connectors etc. WinGate 7 is quite different to any other proxy we’ve seen, so if you (or any other reader) would like a demo, feel free to contact our support desk at [email protected].
>full feature functionality until the end of 2015
The NIS wasn’t really good supported in the past 😦
ms should publish a gapa-sdk…
NIS was a great feature as long as you clearly understood it’s scope. It definitely had a purpose, but it was focused mainly on preventing vulnerabilities in Microsoft operating systems and applications from being exploited remotely. Essentially, NIS was there to “protect the house” so to speak. The “house” being Microsoft. 🙂 I agree that making GAPA accessible through an API of some sort to allow for the creation of custom signature would have been great. However, NIS and GAPA operate in kernel mode, so if you get things wrong in kernel mode you can crash the system in an instant – not exactly something Microsoft wanted to support! Again, NIS is great, but definitely not a substitute for a full-featured enterprise IDS/IPS like TippingPoint or SourceFire for sure. 🙂
what about GFI webmonitor as a replacement of TMG
I’m not that familiar with the GFI Webmonitor product. It appears to have some web filtering capabilities, but I don’t believe it is a full-featured enterprise-class firewall and web proxy like Forefront TMG 2010 is. It may meet your requirements, however.
Hi Richard. I’d be really interested in what sort of deployment you’d describe as Enterprise-class. E.g. number of client computers, link capacity, and certain required features. Many readers may have requirements for smaller deployments, but may not know whether to consider themselves in this class or not, and suggested alternatives may or may not then suit their needs.
Excellent point, Adrien. Thank you very much for bringing that to my attention. I spend all of my time in the “enterprise” space, typically meaning very large customers (both in terms of size and revenue) and my viewpoints largely reflect that. Many of my readers may in fact fit in to the small or mid-sized category with requirements for much smaller deployments and a very different set of requirements, certainly. In the context of this discussion, “enterprise-class” to me would start with some level of independent certification or attestation, such as Commmon Criteria (Forefront TMG 2010 is CC EAL4+) or ICSA Labs. In addition, an enterprise solution would require things like redundancy and high availability capabilities, centralized management, etc. There’s obviously much more to it than that, but I should be more sensitive when I reply about Forefront TMG alternatives and consider that not everyone fits my definition of “enterprise” and that other solutions may in fact be an adequate option, depending on their environment.
We’re using TMG for reverse proxy SSO into all our intranet web apps tied into AD for authentication. Our internal ‘cloud’ apps are all using integrated authentication internally for all users. With TMG we’ve published all these apps externally to our users using a customized sign on screen that once they sign into one, they can bounce to the others as they are all linked together. We are going to HATE to lose this functionality!!
Well you lost it…. At least from Microsoft. I know UAG might still be a product from them but TMG/ISA is gone. I don’t have a feeling personally on what to replace it with today. One or two products have been mentioned on this blog but a definitive TMG replacement is unknown to me.
UAG is the only Microsoft alternative at this point. In terms of reverse proxy, it will easily handle SSO and includes much more advanced functionality than TMG. There are many non-Microsoft solutions on the market today that provide this functionality, but I don’t have any first hand experience with them so I can’t say how well they work or how they compare to TMG.
anyone already try Kemp Technologies?
Some people said that is a solution for replace TMG. Let me know if one of you already try..
I looked at Kemp for Load Balancers in the past. They seem to be a decent MFG. As far as a TMG replacement I don’t know but I wouldn’t dismiss them by any means. If you do an eval please follow up.
TMG Web filter subscription is not available anymore… So the need to replace this is now!
Not so fast! WPS may not be for sale any longer, but there are some excellent alternatives. Check out the Zscaler cloud security solution. An excellent way to extend the life of your Forefront TMG 2010 firewall and secure web gateway!
Hello , recently in a project that my company is realizing it was decided to implement FF TMG 2010 in a DMZ . The reason for this choice is the requirement to use only Common Criteria certified products in the DMZ . The function of Forefront is the control of HTTP and FTP traffic . What do you think of this choice ? There are alternative products certificates that could be used ? Thank you
Have a look at the solutions from Fortinet. I believe they are Common Criteria certified.
http://www.fortinet.com/press_releases/2015/fortinet-earns-common-criteria-certification.html