[isapros] Re: FW: TMG Unsupported

• From: Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx>
• To: isapros <isapros@xxxxxxxxxxxxx>
• Date: Thu, 24 Dec 2009 00:37:33 +0000

You mean your home network isn't native IPv6?? Shame on you! :)

Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44 
(0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN: 
jason.jones@xxxxxxxxxxxxxxxxx<mailto:jason.jones@xxxxxxxxxxxxxxxxx>

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: 23 December 2009 20:42
To: isapros
Subject: [isapros] Re: FW: TMG Unsupported

One very very important thing to consider is that unless you have a native IPv6 
network and network applications, you're going to need DNS64 and NAT64. You can 
buy 3rd party products at extra cost, or take advantage of UAG's built in 
translation technologies. Then after your network and all network applications 
are native IPv6, you don't have to worry about it (that should be in about 20 
years) :)

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Richard Hicks
Sent: Wednesday, December 23, 2009 12:03 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: FW: TMG Unsupported

"Why separate the functionality of managing remote and protected access into 
two separate products?  I mean, we already have the complete TMG product 
installed on UAG, right...? (o.O)"

The thing to remember here is that UAG is being positioned as the "premium" 
remote access solution.  Obviously TMG still includes remote access 
capabilities, but it lacks the enhanced features that UAG provides, such as SSL 
VPN, portal publication, etc.


[cid:image001.jpg@01CA8431.47B13460]

Richard Hicks - Forefront MVP
MCSE, MCITP:EA, WCE-WS
Senior Sales Engineer
Product Specialist - Edge Security Solutions
Celestix Networks, Inc.
440 Mission Court, Suite 231
Fremont, CA  94539
510.668.0700 x6734 [Office]
949.330.3919 [Cel]
rhicks@xxxxxxxxxxxx<mailto:rhicks@xxxxxxxxxxxx>
www.celestix.com<http://www.celestix.com/>
tmgblog.richardhicks.com<http://tmgblog.richardhicks.com/>
mvp.richardhicks.com<http://mvp.richardhicks.com/> - NEW!

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Wednesday, December 23, 2009 9:42 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: FW: TMG Unsupported

Jason,

You can install TMG on a DA server but the assumption is that the DA server is 
straddling your edge.  For specifics, see the following link.

http://blogs.technet.com/isablog/archive/2009/09/23/forefront-tmg-and-windows-7-directaccess.aspx

I don't think, however, that you'll be able to put TMG in front of UAG.  Keep 
in mind that UAG installs a gimped, full version of TMG, and UAG is used for 
providing a highly available DA edge (as I understand it so far) and 
centralized management.
The following links have information regarding UAG/DA.

http://technet.microsoft.com/en-us/library/dd772157.aspx#BKMK_DA
http://technet.microsoft.com/en-us/library/ee522953.aspx

The following is a thread I started on the IAG/UAG forum regarding this.

http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/b8d0e1fe-9ab6-4b88-a2cc-4ad016c45196

While Ben Ari responded to my post, he never addressed a core, unspoken 
question I presented (among others): Why separate the functionality of managing 
remote and protected access into two separate products?  I mean, we already 
have the complete TMG product installed on UAG, right...? (o.O)

I had been hoping the posting would have generated more discussion but it 
doesn't look as if that's going to happen, which is a shame.

Jerry
On Wed, Dec 23, 2009 at 10:37 AM, Jason Jones 
<Jason.Jones@xxxxxxxxxxxxxxxxx<mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>> wrote:
Hey Jim,

The "not so nice":

HTTPS Inspection limitations

Issue: There are a number of limitations you should be aware of when enabling 
the HTTPS Inspection feature on Forefront TMG.
Cause: The following features are not supported:

 *   Extended Validation (EV) SSL certificates.
EV certs are getting quite popular now, so I see the exclusion list having to 
grow quite quickly and an unpleasant admin overhead :(


Forefront TMG does not support IPv6 traffic
Issue: IPv6 traffic is not supported by Forefront TMG (except for DirectAccess).
Cause: Filtering of IPv6 traffic is not supported, and all IPv6 traffic is 
blocked by default.
Solution: It is recommended that you disable IPv6 traffic on the Forefront TMG 
computer or array members. To disable the IPv6 stack on the Forefront TMG 
computer or array member, see Knowledge Base article 
KB929852<http://go.microsoft.com/fwlink/?LinkId=179983> 
(http://go.microsoft.com/fwlink/?LinkId=179983).
This is a real shame as a lot of "hardware vendors" now provide this out of the 
box; this could make it hard to introduce TMG as a 'proper firewall' if 
customers are seriously looking at deploying IPv6 :(

Can you expand on the "except for DirectAccess"? E.g. could TMG be a dedicated 
edge firewall in front of UAG running DA? Or is it only when DA is installed on 
the TMG host itself?

A lot of other statements fall into "same as ISA" or "glad to see them listed" 
:)

One that I think should be included (that isn't) is a statement about the lack 
of support for stateful session failover when using NLB/HLB, as I believe TMG 
EE still cannot do this. A lot of people seem to assume it does, especially 
when comparing to 'da competition'.

Cheers

JJ


Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44 
(0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN: 
jason.jones@xxxxxxxxxxxxxxxxx<mailto:jason.jones@xxxxxxxxxxxxxxxxx><mailto:jason.jones@xxxxxxxxxxxxxxxxx<mailto:jason.jones@xxxxxxxxxxxxxxxxx>>

From: isapros-bounce@xxxxxxxxxxxxx<mailto:isapros-bounce@xxxxxxxxxxxxx> 
[mailto:isapros-bounce@xxxxxxxxxxxxx<mailto:isapros-bounce@xxxxxxxxxxxxx>] On 
Behalf Of Jim Harrison
Sent: 23 December 2009 15:19
To: isapros
Subject: [isapros] Re: TMG Unsupported

As in...?

From: isapros-bounce@xxxxxxxxxxxxx<mailto:isapros-bounce@xxxxxxxxxxxxx> 
[mailto:isapros-bounce@xxxxxxxxxxxxx<mailto:isapros-bounce@xxxxxxxxxxxxx>] On 
Behalf Of Jason Jones
Sent: Wednesday, December 23, 2009 7:15 AM
To: isapros
Subject: [isapros] FW: TMG Unsupported

Cool, nice to see some in there and not so nice to see others I hoped would be 
supported...handy doc though :)

Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44 
(0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN: 
jason.jones@xxxxxxxxxxxxxxxxx<mailto:jason.jones@xxxxxxxxxxxxxxxxx><mailto:jason.jones@xxxxxxxxxxxxxxxxx<mailto:jason.jones@xxxxxxxxxxxxxxxxx>>

From: isapros-bounce@xxxxxxxxxxxxx<mailto:isapros-bounce@xxxxxxxxxxxxx> 
[mailto:isapros-bounce@xxxxxxxxxxxxx<mailto:isapros-bounce@xxxxxxxxxxxxx>] On 
Behalf Of Jim Harrison
Sent: 23 December 2009 14:30
To: isapros
Subject: [isapros] TMG Unsupported

We just published the "unsupported stuff" for TMG on TechNet.
http://technet.microsoft.com/en-us/library/ee796231.aspx is your link of 
reference.



--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer

• Follow-Ups:
  • [isapros] Re: FW: TMG Unsupported
    • From: Richard Hicks

• References:
  • [isapros] FW: TMG Unsupported
    • From: Jason Jones
  • [isapros] Re: FW: TMG Unsupported
    • From: Jerry Young
  • [isapros] Re: FW: TMG Unsupported
    • From: Richard Hicks
  • [isapros] Re: FW: TMG Unsupported
    • From: Thomas W Shinder

Other related posts:

• » [isapros] FW: TMG Unsupported- Jason Jones
• » [isapros] FW: TMG Unsupported- Jason Jones
• » [isapros] Re: FW: TMG Unsupported- Jerry Young
• » [isapros] Re: FW: TMG Unsupported- Richard Hicks
• » [isapros] Re: FW: TMG Unsupported- Thomas W Shinder
• » [isapros] Re: FW: TMG Unsupported- Jason Jones
• » [isapros] Re: FW: TMG Unsupported - Jason Jones
• » [isapros] Re: FW: TMG Unsupported- Thomas W Shinder
• » [isapros] Re: FW: TMG Unsupported- Richard Hicks
• » [isapros] Re: FW: TMG Unsupported- Jerry G. Young II

1. Home
2. isapros
3. Archive
4. 12-2009

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---