[isapros] Re: FW: TMG Unsupported
- From: "Jerry G. Young II" <jerrygyoungii@xxxxxxxxx>
- To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
- Date: Wed, 23 Dec 2009 23:11:41 -0500
Ummm... Doesn't this then assume you're only using DA or another
remote access technology since you are limited in what you can publish
through UAG?
If you have an SSL site (or anything else you can publish) for
external (non-corporate) users, wouldn't you need a different TMG
infrastructure to provide that protected access?
I mean, you wouldn't be able to use UAG to provide access to internal
resources for non-corporate, anonymous users, yeah?
What about OWA access if you're not on a corporate computer?
What about CWA if you're not on a corporate computer?
What about that corporate expense system if you're not on a corporate
computer?
As I understand what's been written so far, UAG can only provide
remote access to devices that are part of the corporate network...?
Sent from iPhone
On Dec 23, 2009, at 9:46 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
wrote:
There is no need for an “edge firewall” with UAG since TMG is
already on board – and since you *must* have two public IP addresses
on the UAG’s external interface for DA, it would lead to useless
wastage of public addresses.
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Wednesday, December 23, 2009 6:36 PM
To: isapros
Subject: RE: [isapros] Re: FW: TMG Unsupported
Hey Jerry,
Yeah, I’ve seen the blog; that’s why I asked if it was only
localhost support for IPv6 and DA. From what I have seen in the IAG
docs, they talk about UAG being in a perimeter network, so I was
curious about what would be providing the edge firewall role if TMG
doesn’t support IPv6???
I am running UAG DA in production since RC0, but thanks for the
links ;)
Someone asked the question of “why two products…” at TechEd
Berlin; the answer from David Cross was “there just wasn’t time
to amalgamate the products into a single version for this release
…”
Cheers
JJ
Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44 (0)1202 360489
| Mobile: +44 (0)7971 500312 | Email/MSN: jason.jones@xxxxxxxxxxxxxxxxx
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
Sent: 23 December 2009 17:42
To: isapros
Subject: [isapros] Re: FW: TMG Unsupported
Jason,
You can install TMG on a DA server but the assumption is that the DA
server is straddling your edge. For specifics, see the following
link.
http://blogs.technet.com/isablog/archive/2009/09/23/forefront-tmg-and-windows-7-directaccess.aspx
I don't think, however, that you'll be able to put TMG in front of
UAG. Keep in mind that UAG installs a gimped, full version of TMG,
and UAG is used for providing a highly available DA edge (as I
understand it so far) and centralized management.
The following links have information regarding UAG/DA.
http://technet.microsoft.com/en-us/library/dd772157.aspx#BKMK_DA
http://technet.microsoft.com/en-us/library/ee522953.aspx
The following is a thread I started on the IAG/UAG forum regarding
this.
http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/b8d0e1fe-9ab6-4b88-a2cc-4ad016c45196
While Ben Ari responded to my post, he never addressed a core,
unspoken question I presented (among others): Why separate the
functionality of managing remote and protected access into two
separate products? I mean, we already have the complete TMG product
installed on UAG, right...? (o.O)
I had been hoping the posting would have generated more discussion
but it doesn't look as if that's going to happen, which is a shame.
Jerry
On Wed, Dec 23, 2009 at 10:37 AM, Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx> wrote:
Hey Jim,
The "not so nice":
HTTPS Inspection limitations
Issue: There are a number of limitations you should be aware of when
enabling the HTTPS Inspection feature on Forefront TMG.
Cause: The following features are not supported:
* Extended Validation (EV) SSL certificates.
EV certs are getting quite popular now, so I see the exclusion list
having to grow quite quickly and an unpleasant admin overhead :(
Forefront TMG does not support IPv6 traffic
Issue: IPv6 traffic is not supported by Forefront TMG (except for
DirectAccess).
Cause: Filtering of IPv6 traffic is not supported, and all IPv6
traffic is blocked by default.
Solution: It is recommended that you disable IPv6 traffic on the
Forefront TMG computer or array members. To disable the IPv6 stack
on the Forefront TMG computer or array member, see Knowledge Base
article KB929852 (http://go.microsoft.com/fwlink/?LinkId=179983).
This is a real shame as a lot of "hardware vendors" now provide this
out of the box; this could make it hard to introduce TMG as a
'proper firewall' if customers are seriously looking at deploying
IPv6 :(
Can you expand on the "except for DirectAccess"? E.g. could TMG be a
dedicated edge firewall in front of UAG running DA? Or is it only
when DA is installed on the TMG host itself?
A lot of other statements fall into "same as ISA" or "glad to see
them listed" :)
One that I think should be included (that isn't) is a statement
about the lack of support for stateful session failover when using
NLB/HLB, as I believe TMG EE still cannot do this. A lot of people
seem to assume it does, especially when comparing to 'da competition'.
Cheers
JJ
Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44 (0)1202 360489
| Mobile: +44 (0)7971 500312 | Email/MSN: jason.jones@xxxxxxxxxxxxxxxxx
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: 23 December 2009 15:19
To: isapros
Subject: [isapros] Re: TMG Unsupported
As in...?
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Wednesday, December 23, 2009 7:15 AM
To: isapros
Subject: [isapros] FW: TMG Unsupported
Cool, nice to see some in there and not so nice to see others I
hoped would be supported...handy doc though :)
Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44 (0)1202 360489
| Mobile: +44 (0)7971 500312 | Email/MSN: jason.jones@xxxxxxxxxxxxxxxxx
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: 23 December 2009 14:30
To: isapros
Subject: [isapros] TMG Unsupported
We just published the "unsupported stuff" for TMG on TechNet.
http://technet.microsoft.com/en-us/library/ee796231.aspx is your
link of reference.
--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer