Forefront TMG 2010 End of Life Statement
Note: This post updated on 4/22/2015 to reflect current information about the status of the Microsoft Reputation Service (MRS) after December 1, 2015.
Today, Microsoft announced the Forefront TMG 2010 product will be discontinued. Microsoft will continue to provide mainstream support for TMG until April 14, 2015, and extended support until April 14, 2020. The Forefront TMG 2010 Web Protection Services (WPS) will be discontinued on December 31, 2015. Beginning on January 1, 2016, Web Protection Service (URL filtering) will cease to function and the Microsoft Reputation Service (MRS) will be shutdown permanently. Virus and malicious software scanning and the Network Inspection System (NIS) will continue to operate but will no longer receive updates.
The end of life for Forefront TMG 2010 comes as part of sweeping changes made to the entire Forefront protection suite of products. In addition to ending development of Forefront TMG 2010, Microsoft also announced that Forefront Protection for Exchange (FPE), Forefront Protection for SharePoint (FPSP), Forefront Security for OCS (FSOCS), and Forefront Protection Server Management Console (FPSMC) are all being discontinued. Forefront Online Protection for Exchange (FOPE), which has been a part of Office 365, is being renamed Exchange Online Protection.
Looking ahead, Forefront Unified Access Gateway (UAG) 2010 and Forefront Identify Manager (FIM) 2010 R2 both have current roadmaps and will continue to be developed, although it is likely that they will not continue under the Forefront brand name.
Connect
Richard Hicks' Forefront TMG Blog 
This is extremely disappointing news…I guess these suites of products just weren’t making enough money for Microsoft to justify continued development. I suppose at this point we will hope for a 3rd party company to come along and help our ISA/TMG installations migrate to a new solution moving forward…
Hi Richard
With this news is confirmed what Deb Shinder public a year ago (http://blogs.isaserver.org/shinder/2011/05/27/death-of-tmg/) about the death of TMG.
Which product do you think should replace TMG … From my point of view the output of this product leaves a big gap.
regards,
Like no one saw this comming. Great product, bad marketing of it.
No question, this leaves a significant security gap for organizations protecting access to the Internet. There are a number of excellent solutions out there though, but none were as good as Forefront TMG 2010, IMO.
Agreed. The writing was on the wall for quite some time. I tired to remain optimistic until the end though! Outstanding product, definitely not marketed to its full potential. Really could have been something special had it continued.
Could anymore make some recommendations for similar products? Would Websense cut it?
Any recommendations as far as replacing TMG?
what can we use as an alternative, that works the same?…(AD integration, has proxy services, reporting, and FW all in one). I’m really bummed….
What someone should do is scoop up TMG from MS. Someone like GFI who focuses on the SMB could really take it forward in my opinion. While it would suffer not being promoted by an “enterprise focused” company, it might flourish even more with the SMB market and GFI’s partners pushing it forward. Better yet, why doesn’t Celestix take up the baton and move it forward by getting the code from MS? I would definitely invest in more Celestix products if that happened.
There are many products on the market that would probably suffice in the place of Forefront TMG 2010. I’d suggest looking at solutions included in the most recent Gartner Magic Quadrant for Secure Web Gateways: http://www.gartner.com/id=2025616
See my earlier reply regarding recommendations for replacing Forefront TMG 2010. Garter reference is probably worth looking at.
Finding a replacement for Forefront TMG 2010 will be challenging, but see my previous reply regarding the use of Gartner as a reference to guide your search.
Interesting thought, for sure! Not sure if Microsoft would sell the source code to Forefront TMG 2010, but who knows. Not sure if Celestix is interested in continuing in this market as they are moving in to the identity management space. Would be nice if someone could continue it though, just not sure how probable that is at this point.
The other thought I had was to migrate to UAG. There wasn’t anything about MS killing it off and it sounded as though, and I’m reading a little into it, that UAG will stick around and become a new name. Since it offers SSL VPN, Direct Access and secure application access for Exchange, SharePoint and Remote Desktop Services it might be an alternative to look into. UAG does use TMG under the covers so…
Hello Richard
I did a search and found this comment on the TechNet support forums: http://bit.ly/TPU8aW here makes an interesting observation:
It’s moments like this where Microsoft’s actions are so confusing and don’t add up.
From the announcement:
We are discontinuing any further releases of the following Forefront-branded solutions:
•Forefront Protection 2010 for Exchange Server (FPE)
•Forefront Protection 2010 for SharePoint (FPSP)
•Forefront Security for Office Communications Server (FSOCS)
•Forefront Threat Management Gateway 2010 (TMG)
•Forefront Threat Management Gateway Web Protection Services (TMG WPS)
and…
“It is important to note that there are no significant changes to the Forefront Identity Manager or Forefront Unified Access Gateway roadmaps. These solutions continue to be actively developed. Forefront UAG 2010 SP2 was released in August 2012 and Forefront Identity Manager 2010 R2 was release in June 2012. ”
In summary they are dropping TMG and keeping UAG, but…. UAG uses TMG…
“By default, Forefront Threat Management Gateway (TMG) is installing during Forefront Unified Access Gateway (UAG) Setup. Forefront TMG is installed as a complete product, and is not modified to run on a Forefront UAG server.” -http://technet.microsoft.com/en-us/library/ee522953.aspx
Using this logic TMG continues under the UAG roadmap… or the Forefront Product Teams don’t have a grasp on their own products.
How you feel about it !?
Migrating to Forefront UAG 2010 is an excellent idea if you are only using Forefront TMG 2010 for application publishing and limited VPN. UAG does not provide any outbound access, nor does it include site-to-site VPN capabilities either. If you’ve deployed Forefront TMG as a secure web gateway you’ll be forced to look at another solution.
Forefront UAG 2010 does, in fact, include Forefront TMG 2010 to provide protection for UAG and to provide array support. While UAG does have a roadmap and will continue in some form, the next release will not include TMG. I expect that the next release of UAG will look very different than it does today.
Had a bit of a funny/unfortunate story regarding TMG and UAG capabilities recently that seemed apropos of this thread that I came across today in my Googling, so I thought I’d share:
Our requirement was to replace legacy Novell iChain “soft appliances,” which were publishing various web sites and services to the internet. Long story short, we had a requirement of several dozen sites of needing to “publish” both http://www.ourwebsite.com AND ourwebsite.com to the internet. (The sans-www URL could have either redirected to the full www url or just replied with same website content as the www.) After a long time of scratching our heads and wondering how we could publish an .ourdomain.com UAG app under an ourdomain.ourdomain.com portal trunk, (the http://www.ourdomain.com app took 2 minutes,) we decided to call MS support and see what we were missing.
Once we got an MS engineer on the line, he literally scratched his head, said, “well I don’t think it can do that,” and then asked me to hold. After about 10 minutes of “verifying with his seniors and a contact on the product development team” he asked me if I had any TMG (or ISA for that matter) servers in the environment, b/c “they are able to very simply do what you are trying to do.” So we ended up not paying for the service request, and were recommended to just deploy TMG rather than UAG. He then asked us to write up in our own words a description of our issue that he was unable to help us solve, so that he could forward it on to the UAG product development team.
What’s unfortunate is that once the next UAG version comes out, with a brand new “under the hood” TMG replacement firewall product that I assume will handle both IPv4 & IPv6, (and hopefully now supports the issue I just described,) I will have yet another migration to go through. 😦
Most interesting! UAG is a fascinating product for sure, and it can do some pretty incredible things. However, there are times when it falls completely flat on doing the basics! Also interesting that they concede that TMG is the best solution and recommend it directly in spite of the fact that it has been discontinued! As for the next release of UAG, I expect the “replacement” for the TMG firewall will simply be the Windows firewall. This would follow the same model as Windows Server 2012 DirectAccess. Microsoft touts it as being “edge ready and edge capable” but I’m not buying that and neither are most security-minded network engineers. With that, UAG would be relegated to perimeter or DMZ deployments, deployed exclusively behind an existing edge security solution.
Yes, I would have to agree re: “edge ready.” Perhaps it is just the age-old “_NEVER_ directly expose an ‘unprotected’ Windows Server to the internet” rule that makes it very hard to truly believe that without some beefier-seeming, “dedicated firewall product” being involved, that it is ready to live at the edge.
If the next incarnation of the Windows Firewall is released one day and we suddenly find it marketed as “brand new and based on Microsoft TMG technology,” or something to that effect, I wouldn’t be surprised. It would just mean that the “single SKU” Windows Server product just got a seriously upgraded version of one of it’s core components, a’ la DA in Server 2012.
The silver lining of all of this could be a focus on “baking in” significantly better components in the Windows OS, such as the security of TMG firewall, and the easy to use remote access found in DA, to make an overall more competitive product in the “server os” space.
At the end of the day, there is still a full-blown UAG product to sell, to do all the web forward-caching, pre-authenticating, portal trunking, etc., but at least now the plain old OS will also be that much more secure and robust to begin with.
Or maybe I’m being waaaay to optimistic. 😉
There have long been rumors that perhaps the Forefront TMG 2010 firewall technology would be included in the base operating system. I think it would be a great idea, but I’m not holding my breath either. 😉
In which operating system is goint to be included?
It is not likely that TMG functionality will be included in any release of the Windows operating system. I was just speculating, that’s all. 🙂
https://www.facebook.com/#!/pages/We-Want-Microsoft-TMG-Server-To-Be-Continued-Again/419672131437449
Please like this page
If Microsoft isn’t swayed by the millions of licensing dollars they give up by discontinuing Forefront TMG 2010, I doubt a Facebook page will bring it back. I went ahead and liked the page though, just to show my support. 🙂
Hello Evryone,
Seeking help, i am trying to migrate TMG 2010 from one server to another server(win 2008)
as my present server has completed its life cycle, i tried to import same policies which were there in my old server but it is not working. external trafiic is not talking to new TMG niether inernal traffic..am i missing out any prerequisite thats need to be done before i migrate TMG. I am using same hardware and OS in which my present TMG 2010 which is working.
Please Help.
Have you verified IP addresses, subnet masks, and static routes? Also, if your Forefront TMG 2010 firewall is behind another router/firewall, make sure that is configured properly as well.
Thnx 🙂
Thanks Richard for your time and reply..yes i have verified IP address, static routes.. yeah we are using a ISA fire wall but we have added the new IP address..does HOST name of new firewall got to be same as old? does it play a role here ?
No, not in a reverse proxy scenario it shouldn’t.
Hi Richard,
Good information thanks, but I’m trying to confirm if Celestix offer the Web Protection Service as part of their base products as you can no longer buy this license from Microsoft? I’m trying to keep TMG going with our customers, via devices, but need to know if WPS is included…
Thanks,
James.
It is interesting that Microsoft discontinued TMG (although it ihas long been speculated) while Lync 2013 continues to require a reverse proxy. No formal documentation has been issued on what their recommendations are for a replacement/workaround and UAG does not officially support anything that is not using a web browser. It will likely be September before they even make a statement about Lync 2013, more or less support it in some broken fashion like they currently do with Lync 2010 today.
Needless to say this is very disappointing, although it is a movement toward the “why do you really need a reverse proxy” philosophy that seems to eminate from Microsoft in the past year or so.
Yes, Forefront UAG is only a partial solution for Lync, as it only supports publishing of the web components. I hoping that UAG v.Next will address some of these shortcomings. 🙂
Hi James,
None of the OEM appliance manufacturers could sell the Web Protection Service subscription even when it was available from Microsoft, so I don’t expect anything has changed there. I’ll confirm with Microsoft on this and get back to you if I find out anything interesting.
Thanks!
Hi Richard,
Thanks for getting back to me and this is what I suspected….. I will wait to hear if you find anything different but I will take the stance that it isn’t an option for the time being!!
Thanks again and congratulations on your new role!! 🙂
Thanks,
James.
Thanks James!
We purchased two TMG appliances from a tird-party last year but are just implementing them now. We knew TMG was recently discontinued but much to our surprise the Anti-v/Filtering subscription is no longer for sale!
What can we do with these boat anchors and is there any tird-party solution that can run on top of TMG to provide the same functionality?
Thank you so much.
Contact me directly for a workaround. Also, there are third-party AV integrations available for TMG. ESET has one that I know of for sure – http://www.eset.com/us/beta/gateway-forefront-tmg/. There are others too, I’m sure.
Richard – we are in the same situation (we deployed just after the cutoff date, and with our Enterprise Agreement not being renewed until next year, we aren’t “automatically eligible” for subscription.) May I also contact you directly, as you told King Buzzo above, in regards to the workaround? The 120 day trial just expired, and we’re seeing all sorts of scans and scams in the logs/in our web server logs.
Certainly. 🙂
Sophos UTM is a very good replacement. We have tested several solutions and Sophos comes close to TMG
In my opinion, Fortigate UTM Firewall is the best replacement for TMG. Always use hardware appliance when it comes to security. I find Fortigate is far more cheaper than Cisco ASA though. Fortigate is al-in-one (AV, Anti-Spam, IDS/IPS, Anti-malware, URL Fitering and more)
I agree. For many years I thought that Fortinet was mostly a SOHO UTM vendor and not really an Enterprise play. Recently they’ve really caught my attention and it appears I was quite wrong. They have some impressive gear, that’s for sure. Definitely a worthy replacement for Forefront TMG 2010!
Now if only they would have a client that works for Windows XP and Windows 7 that is analogous to the TMG Forefront Client!
I’m with you there! The lack of a Winsock Layered Service Provider (LSP) like the Forefront TMG client is really the biggest shortcoming for any solution being considered to replace TMG. Hopefully someone is working on one. They could win a TON of customers if they are!
I am not too familiar with the TMG specific software, but we have been using Pearl Software for our web filtering needs to manage our networks, and we could not be happier.
Great! Does it integrate with Forefront TMG 2010 directly? Or indirectly?
This is a very very very mistake for microsoft!!!👎😕
Hello,
Good day!
Dear Sir,
i have installed TMG 2010 and created url filtering rule for facebook.com but that problem is ever after five minutes i can see that the users can access facebook. and then i check in TMG MMC so i can see that the Category Query says me that facebook.com is unknown….but just after five minutes i can see facebook has been automatically blocked and i can also see in Category Query it says me facebook is in blog/wiki category…
so why it is changing automatically every after 5 or 10 minutes 😦 ?
where is the problem ???
i need your help please !!
i’ll glade for your kind help.
I can only assume that MRS was unreachable for a period of time after you installed TMG. You should be able find more information about the status of MRS in the “alerts” section in the TMG management console.
Hi all,
Is there any one going to put TMG into production? If no, what is the REAL & COMPLETE solution to replace TMG (RP & LB) features?? Windows 2012 R2 WAP is really stuck!!!
I don’t think you’ll find a lot of new TMG deployments today, but I can tell you from experience that TMG will be around long after support is discontinued. I still know of some production ISA 2004 deployments in the world! The best replacement for TMG really depends on your individual requirements. The Sophos UTM is a good alternative for SMB, and the Fortinet solution is an excellent choice for the enterprise.