[isalist] Re: TMG Unsupported

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 29 Dec 2009 12:22:08 -0800

If you download, make sure you get the right bits:

http://blogs.technet.com/edgeaccessblog/default.aspx

I downloaded 3 days ago from the UAG site and it's an old version, and RDP 
(User Defined) is not available - very frustrating as any "current versions" 
should be updated...

Anyway, give it a shot.  Very kewl.  However, be warned:  Don't take the TMG 
install you get as what "TMG" is.  They (Whale) use a good bit of KY on it.

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Tuesday, December 29, 2009 11:52 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

Question:
I don't have much knowledge about UAG, but isn't it basically what Terminal 
Services on W2008 R2 is, or at least where TS is pointing with the web access 
and the gateway and all that stuff? I mean, UAG probably has some other 
features, but I love the new TS and it is already part of Windows.

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Tuesday, December 29, 2009 2:41 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

UAG topics are definitely cool! Sooner or later ISAserver.org is going to 
change to forefrontedge or something like that :)

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Tuesday, December 29, 2009 12:56 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

I'm *keenly* interested, so I shall go back and see if I missed your post.  
There was a lot of chatter going on (elsewhere) so I may have missed it.  If 
so, I apologize.  I'm right in the middle of all of this and both Steve and I 
are doing what we consider "interesting" things with UAG and what it can and 
can't do (or is unsupported in doing).  From what I've seen, I totally agree 
with you in the "why separate."  That's why I'm not.  I've already got SMTP 
filtered publishing working fine, and built my new DMZ to point to my Edge 
Server, which I honestly HATE doing, since I think the Forefront for Exchange 
Edge is crap, but since I'm writing a book about MSFT security, I have to 
include it.  But rest assured, I'll say that.  A simple greylist solution seems 
to be fine for the majority of people out there, but I digress.  Steve got all the 
RDP stuff working last night, and I thought I did, (and do) but so far our 
particular method of publishing RDP requires Win7, so I have to upgrade my 
laptop to find out.  Tunnelling RDP3389 through SSL works fine for me though.

But anyway, I'll go back and reply.

I'm assuming everyone is OK with us moving topics to UAG on this list?  Dr?  
It's YOUR list, so you are cool with that?

t


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Tuesday, December 29, 2009 5:54 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

Jim,

Not to throw gas on the fire but (okay, well, maybe just a bit of lighter 
fluid)...

Here's a quote from a recent post by Oleg Ananiev to my question I posed on the 
UAG/TMG forum.

"Looking forward, we see UAG continues to evolve in enhancing and extending 
Remote Access solutions - ability to access corporate resources from outside. 
TMG, in turn, is primarily focusing on protecting employees from internet 
threats when accessing internet from the office."
Orly?

I posted this same question in response to that statement on the forums but 
does that mean Microsoft is considering making the TMG line a web proxy server 
only?


On Tue, Dec 29, 2009 at 8:34 AM, Jerry Young <jerrygyoungii@xxxxxxxxx> wrote:
I'm hurt.  Incredibly hurt. :(

I feel like Rodney Dangerfield - no respect. :(

I could have sworn I posted a link that talked about what you could and could 
not do with UAG at the beginning of this thread. ;)  There was even discussion 
around the topic of why bother separating the products when UAG installs a 
complete version of TMG, albeit gimped (since it only protects itself).

I even provided a link to a newsgroup posting I made raising questions around 
the supported publishing scenarios (POP3, IMAP, OCS), specifically with regards 
to SMTP missing (POP3, IMAP clients can't send if there is no SMTP server).
Referenced Link: 
http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/b8d0e1fe-9ab6-4b88-a2cc-4ad016c45196

Side note: Oleg Ananiev finally responded saying that SMTP not being 
specifically given as a supported scenario was a "bug", to be addressed by 
updated docs for UAG 2010 RTM.

I'll stop here lest I get started on the whole "why separate the products" 
topic again which people don't seem interested in. :P

*grumble, consolidated published server rules, mumble, separate infrastructure 
for remote access, grunt, and, snort, protected access, cough*

That being said, if you did figure out how to tweak UAG to allow for the first 
two unsupported scenarios, please share how? :)

On Mon, Dec 28, 2009 at 5:42 PM, Thor (Hammer of God) <thor@xxxxxxxxxxxxxxx> wrote:
LOL.  I shoulda known - the first two things I did were the first two 
unsupported configurations ;)  Makes sense tho- this UAG/TMG thing is a bit 
"strange" to say the least.  Steve had a good word for it, which I won't say 
here.

But, I have to say, it is QUITE cool once you wrap your head around it...

Thanks Jim.

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Monday, December 28, 2009 2:36 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

The closest to what you want they have at the moment is 
http://technet.microsoft.com/en-us/library/ee522953.aspx

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] on behalf 
of Thor (Hammer of God) [thor@xxxxxxxxxxxxxxx]
Sent: Monday, December 28, 2009 2:01 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

Let me be more specific:  Is there a document of unsupported configurations for 
UAG as there is for TMG that you know of (to Jim).

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Monday, December 28, 2009 1:35 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

Is there an unsupported doc for UAG?  Steve and I are doing "interesting" 
things with the TMG config under UAG, and having to think "differently" in 
order to get it to work, but it would be nice to know what the "true" intent of 
UAG is insofar as TMG's "back end" is concerned.

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Monday, December 28, 2009 12:25 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

That's part of it, but by no means all.
http://edge.technet.com/Media/ISA-to-TMG-Migration-Guidance/ might give you 
some idea...

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] on behalf 
of Steven Comeau [scomeau@xxxxxxxxxxxxxxxxxx]
Sent: Monday, December 28, 2009 11:16 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

So, can't we just export the 2006 Configuration (x32) into TMG( x64) - or won't 
that work?  I mean, I ain't got nothin' fancy 'cept some self-signed certs...

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com






From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Sunday, December 27, 2009 10:36 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

Could you elaborate on what you mean by "the tone"?
While we realize we're likely to upset some folks, that's clearly not on the 
list of goals for this doc..

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of John Wilson
Sent: Sunday, December 27, 2009 7:02 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

Originally, my point was I didn't like the tone of the unsupported configs doc.

I can now see the point of publishing this so people can know what they are 
getting into ahead of time.

2nd point: As with all things, I know when migrating 32 bit to 64 bit is 
necessary. When we "tore down the network", it wasn't because we didn't know 
what we were doing, it was an intentional redesign with days / weeks of 
planning. I'm usually the first one to suggest the 64-bit deal if it's an 
option. I just said it sucks - as in, it's not convenient. EVEN IF a direct 
path were offered for 32-bit to 64-bit migration were technically feasible, I 
would STILL go with a clean install for the 64-bit for obvious reasons.

As I said before, TMG as a product is fine.

J

Sent from my iPhone

On Dec 26, 2009, at 10:39 PM, "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx> wrote:
You misunderstood what I said:  I wasn't saying to tear down the entire network 
to get it to X64 - I was saying to John, "remember when we tore down the 
network," (and did not go into those reasons, as he knows).  We had very good 
reason to have to do so - and DID so in a corporate environment.  If anyone was 
going to do the stoning it was us.  The point is that sometimes you have to do 
things you don't want to do in order to get to the "right place."  You just 
have to define what "the right place" is.   Migrating 14 servers is no big 
deal.  Migrating 1400 just requires a proper plan of action...

No one said this would be easy.  If anyone could do this, they wouldn't need 
us- they'd hire college kids...  KNOWING the difference between TMG and ISA, I 
can see why they did what they did...  If others don't want to upgrade (for reasons 
that I personally would call "lazy") then that's fine.  They don't have to.   
If dude wants to can TMG/ISA because he doesn't feel like doing the work, then 
goody for him... That's what my point was.

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Greg Mulholland
Sent: Saturday, December 26, 2009 12:52 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

That's really great, but I'm not about to 'tear down my entire' network to get 
it to x64. In a corporate environment you'd be stoned to death for even 
mentioning such. I kind of agree with everyone a little bit; I personally am 
planning a swing migration as it's the best way I find I can reduce the downtime 
window to my end users. It was always the same with Exchange 2007 and MOSS and 
others: deal with it if you want it; if it doesn't add value to you then you are 
not bound to upgrade, the choice is yours.

Jim is right where there have been many hidden unsupported configs for MS 
products and I've only found out after I've installed the product when problems 
occur. Personally I'd rather know beforehand.

Hope you all had a good Christmas.

Greg

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Thursday, 24 December 2009 5:59 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

First off, I very much respect your opinion...  But we had x86 to x64 
conversations YEARS ago... Remember when we tore down the entire network and 
rebuilt it from scratch?  It was necessary..  Sometimes you have to do that.  
We have to progress, and sometimes doing so is not easy.

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of John Wilson
Sent: Wednesday, December 23, 2009 10:42 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

I read the list of unsupported scenarios. While I agree there is a certain 
extent of necessity of unsupported configs due to the changes in underlying 
code /technologies, to me, this reads off on a wrong note.

It's almost like Microsoft has taken a "You have to a given configuration, or 
else the product is not supported." attitude. In the past, I think they have 
been more of a "technology empowers business" attitude. The shift in mentality, 
for this piece of product documentation at least, bothers me.

Hey, this may be just me reading it the wrong way, but if I was using ISA 2006 
in organization, I could see where the decision makers would look at the list 
of unsupported configurations and say, "ISA and TMG costs a lot in licensing, 
and seems like it isn't as flexible as the older product. Let's look at other 
options."

That may or may not be a fair statement. But if I showed the documentation to 
certain people, I'm sure the project to upgrade wouldn't get approved.

As far as 32-bit 2003 to 64-bit 2008 with no direct upgrade path, that sucks. 
But it's the same issue users faced migrating from Exchange 2003 to Exchange 
2007. So it's not a new thing. It's to be expected for certain products if you 
want to take advantage of the 64-bit architecture.

John Wilson

________________________________
From: Jim Harrison <Jim@xxxxxxxxxxxx>
To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
Sent: Wed, December 23, 2009 1:05:35 PM
Subject: [isalist] Re: TMG Unsupported

Since you're interested in maintaining service during the change from ISA to 
TMG, you can't use an in-place upgrade anyway. At some point in any in-place 
upgrade process, that server is off-line. No getting around it.

Have you ever considered a rolling upgrade?
At most, it costs you 1 or 2 extra servers (that can be included or repurposed 
afterwards) and allows you to "silently" move your users from one deployment to 
another.
If you do this on virtual deployments, it's even easier.
Chapter 6 in the TMG book (also to be a sample chapter) is dedicated to this 
thought process and offers an example of "rolling" from ISA 2006 SE to TMG EE.

..it's only as hard as you choose to make it.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] on behalf 
of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR [DPietruszka@xxxxxx]
Sent: Wednesday, December 23, 2009 9:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

For the OS don't use excuses, Microsoft always did the same with ISA and lately 
with a lot of other products just to force you to migrate to 64 bits or 2008.
As for the instances, I have 14 ISA servers in total (well, there are 2 others 
not really in use); believe me, I would find a way to continue protecting the 
network or providing proxy service while migrating other boxes.

It is just a pain in .... to always do the same thing; that is why I promised 
last time not to migrate to the next ISA version. The pain of moving from 
2004 to 2006 was not worth the advantages of the new version.

Believe me, I'm closer to looking for other products than upgrading; that is 
why I would like to read about the advantages.

Regards
Diego R. Pietruszka
MIS - Shift Manager
MSC (USA) - Interlink Transport Technologies
Direct Phone: (908)605-4147

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Wednesday, December 23, 2009 12:45 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

When you figure out how to do an "in place upgrade" from WS03 x86 to WS08 x64, 
you let us know?
..oh; and while you're at it, be sure to describe how the ISA 2006 instance is 
to continue operating (necessary for an in-place upgrade) on WS08 x64?

Seriously; some in-place changes just aren't possible.

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] on behalf 
of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR [DPietruszka@xxxxxx]
Sent: Wednesday, December 23, 2009 9:41 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

Is there any link with a description of the advantages or new features of TMG 
over ISA2006? I want to see if playing the crappy Microsoft game of never 
offering an in-place upgrade is worth the effort or not.

Thanks

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Wednesday, December 23, 2009 12:33 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

Shouldn't one say "TMG is not supported on 'certain' editions" rather than "on 
all editions"?  It makes it sound like every edition of 2008 is not supported.
t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Wednesday, December 23, 2009 6:29 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] TMG Unsupported

We just published the "unsupported stuff" for TMG on TechNet.
http://technet.microsoft.com/en-us/library/ee796231.aspx is your link of 
reference.





--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer


