Ok, thanks for the background...

Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN: jason.jones@xxxxxxxxxxxxxxxxx

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: 23 December 2009 17:52
To: isapros
Subject: [isapros] Re: TMG Unsupported

The EV certificates are actually the same as the CNG certificates - not enough design/coding/testing cycles. It's truly sukky, but you can't do everything with finite resources.

The IPv6 effort is the same; what we thought we could accomplish turned out to be a much larger beast. Again; with UAG/DA on the horizon and that being the grand goal for MS, we had to make choices. You can see where IPv6 was already a team goal in the WPAD script, logging, default protocols, etc. - we just didn't get to do the remaining work necessary to make it work right.

Stateful session failover isn't as simple as many folks make it sound and sadly, while NLB doesn't support it, we can't. TMG doesn't do anything with NLB that the NLB product doesn't allow.

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [isapros-bounce@xxxxxxxxxxxxx] on behalf of Jason Jones [Jason.Jones@xxxxxxxxxxxxxxxxx]
Sent: Wednesday, December 23, 2009 7:37 AM
To: isapros
Subject: [isapros] FW: TMG Unsupported

Hey Jim,

The "not so nice":

HTTPS Inspection limitations
Issue: There are a number of limitations you should be aware of when enabling the HTTPS Inspection feature on Forefront TMG.
Cause: The following features are not supported:
* Extended Validation (EV) SSL certificates.

EV certs are getting quite popular now, so I see the exclusion list having to grow quite quickly and an unpleasant admin overhead :(

Forefront TMG does not support IPv6 traffic
Issue: IPv6 traffic is not supported by Forefront TMG (except for DirectAccess).
Cause: Filtering of IPv6 traffic is not supported, and all IPv6 traffic is blocked by default.
Solution: It is recommended that you disable IPv6 traffic on the Forefront TMG computer or array members. To disable the IPv6 stack on the Forefront TMG computer or array member, see Knowledge Base article KB929852 (http://go.microsoft.com/fwlink/?LinkId=179983).

This is a real shame as a lot of "hardware vendors" now provide this out of the box; this could make it hard to introduce TMG as a 'proper firewall' if customers are seriously looking at deploying IPv6 :(

Can you expand on the "except for DirectAccess"? E.g. could TMG be a dedicated edge firewall in front of UAG running DA? Or is it only when DA is installed on the TMG host itself?

A lot of other statements fall into "same as ISA" or "glad to see them listed" :)

One that I think should be included (that isn't) is a statement about the lack of support for stateful session failover when using NLB/HLB, as I believe TMG EE still cannot do this. A lot of people seem to assume it does, especially when comparing to 'da competition'.

Cheers
JJ

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: 23 December 2009 15:19
To: isapros
Subject: [isapros] Re: TMG Unsupported

As in...?

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Wednesday, December 23, 2009 7:15 AM
To: isapros
Subject: [isapros] FW: TMG Unsupported

Cool, nice to see some in there and not so nice to see others I hoped would be supported...handy doc though :)

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: 23 December 2009 14:30
To: isapros
Subject: [isapros] TMG Unsupported

We just published the "unsupported stuff" for TMG on TechNet. http://technet.microsoft.com/en-us/library/ee796231.aspx is your link of reference.