
Citrix NetScaler Forefront TMG 2010 Replacement White Paper

May 31, 2013

With the formal end-of-life announcement for Forefront TMG 2010 last year, many firewall and secure web gateway vendors have been touting themselves as replacements for TMG. The folks at Citrix recently made available a white paper [PDF] making their case as a comprehensive replacement for Forefront TMG. While I don’t have any personal experience with the NetScaler solution, it does appear to have many of the features that TMG administrators have come to rely upon, such as URL filtering, virus and malicious software inspection, SSL termination (HTTPS inspection), content caching, low-level intrusion detection and prevention, and VPN capabilities. In addition, the NetScaler supports flexible network placement, with edge, back firewall, and unihomed (single-legged or one-arm) deployment options. The solution is available both as a hardware appliance and as a virtual appliance.

Citrix makes an attempt to position their solution as the ideal and comprehensive replacement for Forefront TMG, and while it does have many of the features that TMG provides, there is one glaring omission: an alternative to the Forefront TMG Firewall Client. ISA and TMG administrators have long used the Firewall Client to provide seamless and transparent proxy services for Winsock applications. The Firewall Client enables fully authenticated proxy support for non-web protocols, and it appears that the NetScaler does not include such capabilities.

As with most white papers comparing solutions like this, it is helpful to understand that they are essentially marketing material designed to downplay the features of the competing solution while often embellishing their own. There are also some inaccuracies with regard to Forefront TMG capabilities, which is not uncommon in documents such as these. For example, the document states that Forefront TMG 2010 failover requires three nodes, which is incorrect. You can easily create a standalone array with two nodes using Forefront TMG 2010 Enterprise Edition.

Overall the Citrix NetScaler looks like a pretty good solution. If you are in the market today for an alternative to Forefront TMG 2010 (…and should you be? That’s a topic for a future post, so stay tuned!) then download their white paper and take a closer look.

  1. May 31, 2013 at 1:49 pm

    Several questions/comments/concerns…

    1) Where do they get their URL categorization from? Do they do it themselves or subscribe to a service from someone else?
    2) Do they offer HTTPSi inclusion and exclusion capabilities?
    3) Does their Malware Inspection offer scanning of attachments over 4 GB?
    4) What does their VPN client look like? What OS support do they offer?

    Just throwing these out to the community to see what anyone else’s experience has been with the NetScaler in these deployment scenarios…

  2. Anthony
    June 3, 2013 at 4:14 pm

    I still like my ASA and Websense setup that I’m currently implementing this summer. The Websense appliance allows for port mirroring monitoring for protocols other than HTTP and HTTPS. But it’s a little on the expensive side. But when it comes to network security it should be worth it.

  3. June 3, 2013 at 5:33 pm

    Websense can be pretty heavy on the infrastructure requirements, but it is a popular configuration that works pretty well.

  4. June 4, 2013 at 3:04 pm

    Does anyone know where to find info on implementing Netscaler as forward proxies?

  5. Raymond
    June 11, 2013 at 3:52 am

    Doesn’t seem to run on Windows Server 2012 though. The only alternative I’ve found is GFI, but its web-based UI is a pain compared to the TMG MMC snap-in.

    Looks like we will be using ESET’s gateway security to replace the NIPS and malware scanning without losing the excellent remote GUI management through Server Manager / MMC.

  6. August 19, 2013 at 6:08 pm

    I’ve never had anything but headaches with TMG as a reverse proxy for things like OWA and EAS. With NetScaler it was a total breeze; I could even do it with the Standard license. NetScaler as a forward proxy needs a higher license than Standard for the feature. Here’s a quick guide on it for quick setup: http://blogs.citrix.com/2010/02/25/netscaler-feature-of-the-day-deploy-as-a-forward-proxy/

  7. August 20, 2013 at 8:47 am

    I think you’re in the minority there, Michael. 🙂 TMG is a breeze to configure for OWA and EAS compared to many other solutions. Regardless, thanks for posting the information about NetScaler. I think that few people realize it can be a viable alternative to Forefront TMG 2010 going forward.
