What Is Forefront TMG?
Forefront Threat Management Gateway (TMG) 2010 is an integrated edge security gateway from Microsoft. It is a Common Criteria certified (EAL4+) enterprise-class application-layer firewall that includes support for proxy services (forward and reverse proxy), content caching, and VPN (both site-to-site and remote access). Forefront TMG is licensed per processor; no client access licenses are required. It can be deployed in all of these roles, or any subset of them.
Secure Web Gateway
Forefront TMG 2010 is commonly deployed as a secure web gateway. With advanced web protection capabilities including URL filtering, gateway-integrated virus and malicious software scanning, intrusion detection and prevention, and outbound SSL inspection, Forefront TMG provides a high level of protection for internal clients when they are accessing resources on the public Internet. URL filtering and virus/malware scanning does require an additional license – the Web Protection Service subscription license.
Secure Remote Access
For secure remote access to Exchange and SharePoint, Forefront TMG 2010 excels. With tight AcitveDirectory integration, Forefront TMG can pre-authenticate users with native Forms-Based Authentication (FBA), ensuring that all access to Exchange CAS or SharePoint front-end servers is authenticated and authorized. Forefront TMG also supports multi-factor authentication using certificates or smart cards. Forefront TMG can even provide load balancing services for Exchange CAS and SharePoint front-end servers, eliminating the need for internal load balancing.
Secure Mail Relay
Forefront TMG 2010 can also be deployed as a secure mail relay. The Exchange Edge Transport role (Exchange 2007 SP2 and later) and Forefront Protection for Exchange (FPE) be installed directly on the Forefront TMG firewall. This allows for perimeter host consolidation and streamlined management, as e-mail policy and spam filtering are configured with a single interface – the TMG management console.
Virtual Private Networking
Virtual Private Networking (VPN) for both remote access and site-to-site are both included with Forefront TMG 2010. Fore remote access VPN, Forefront TMG supports three protocols – PPTP, L2TP, and SSTP. SSTP is a compelling new VPN protocol supported in Windows Vista SP1 and later clients. It uses SSL and is very firewall friendly. For site-to-site VPN, TMG supports PPTP, L2TP, and IPsec tunnel. IPsec tunnel is commonly used to terminate tunnel endpoints between TMG and third-party VPN products such as Juniper, Checkpoint, and Cisco.
The Forefront TMG networking model is very flexible, allowing it to be deployed as an edge firewall, back firewall, or internal firewall. Multiple perimeter (DMZ) networks can be configured, allowing for traffic segmentation and granular access control. Forefront TMG can also be configured as a dedicated unihomed proxy (transparent or explicit) in an existing perimeter network.
Forefront Threat Management Gateway (TMG) 2010 is a multi-layered perimeter defense system. An enterprise-class firewall with advanced web protection features such as URL filtering, gateway-integrated virus and malicious software scanning, network intrusion detection and prevention, and outbound HTTPS inspection, Forefront TMG provides exceptional protection from advanced, persistent threats. It also provides secure remote access to internal networks and applications and can serve as a consolidated secure mail relay.