If you download, make sure you get the right bits: http://blogs.technet.com/edgeaccessblog/default.aspx

I downloaded 3 days ago from the UAG site and it's an old version, and RDP (User Defined) is not available - very frustrating as any "current versions" should be updated... Anyway, give it a shot. Very kewl. However, be warned: Don't take the TMG install you get as what "TMG" is. They (Whale) use a good bit of KY on it.

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Tuesday, December 29, 2009 11:52 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

Question: I don't have big knowledge about UAG, but is it not basically what Terminal Services on W2008 R2 is, or at least where TS is pointing with the web access and the gateway and all that stuff? I mean, probably UAG has some other features, but I love the new TS and it is already part of Windows.

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Tuesday, December 29, 2009 2:41 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

UAG topics are definitely cool! Sooner or later ISAserver.org is going to change to forefrontedge or something like that :)

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Tuesday, December 29, 2009 12:56 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

I'm *keenly* interested, so I shall go back and see if I missed your post. There was a lot of chatter going on (elsewhere) so I may have missed it. If so, I apologize. I'm right in the middle of all of this and both Steve and I are doing what we consider "interesting" things with UAG and what it can and can't do (or is unsupported in doing). From what I've seen, I totally agree with you in the "why separate." That's why I'm not.
I've already got SMTP filtered publishing working fine, and built my new DMZ to point to my Edge Server, which I honestly HATE doing, since I think the Forefront for Exchange Edge is crap, but since I'm writing a book about MSFT security, I have to include it. But rest assured, I'll say that. A simple greylist solution seems to be fine for the majority of people out there, but I digress. Steve got all the RDP stuff working last night, and I thought I did, (and do) but so far our particular method of publishing RDP requires Win7, so I have to upgrade my laptop to find out. Tunnelling RDP3389 through SSL works fine for me though. But anyway, I'll go back and reply. I'm assuming everyone is OK with us moving topics to UAG on this list? Dr? It's YOUR list, so you are cool with that?

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
Sent: Tuesday, December 29, 2009 5:54 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

Jim,

Not to throw gas on the fire but (okay, well, maybe just a bit of lighter fluid)... Here's a quote from a recent post by Oleg Ananiev to my question I posed on the UAG/TMG forum.

"Looking forward, we see UAG continues to evolve in enhancing and extending Remote Access solutions - ability to access corporate resources from outside. TMG, in turn, is primarily focusing on protecting employees from internet threats when accessing internet from the office."

Orly? I posted this same question in response to that statement on the forums but does that mean Microsoft is considering making the TMG line a web proxy server only?

On Tue, Dec 29, 2009 at 8:34 AM, Jerry Young <jerrygyoungii@xxxxxxxxx> wrote:

I'm hurt. Incredibly hurt. :( I feel like Rodney Dangerfield - no respect. :( I could have sworn I posted a link that talked about what you could and could not do with UAG at the beginning of this thread.
;) There was even discussion around the topic of why bother separating the products when UAG installs a complete version of TMG, albeit gimped (since it only protects itself). I even provided a link to a newsgroup posting I made raising questions around the supported publishing scenarios (POP3, IMAP, OCS), specifically with regards to SMTP missing (POP3, IMAP clients can't send if there is no SMTP server).

Referenced Link: http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/b8d0e1fe-9ab6-4b88-a2cc-4ad016c45196

Side note: Oleg Ananiev finally responded saying that SMTP not being specifically given as a supported scenario was a "bug", to be addressed by updated docs for UAG 2010 RTM.

I'll stop here lest I get started on the whole "why separate the products" topic again which people don't seem interested in. :P *grumble, consolidated published server rules, mumble, separate infrastructure for remote access, grunt, and, snort, protected access, cough*

That being said, if you did figure out how to tweak UAG to allow for the first two unsupported scenarios, please share how? :)

On Mon, Dec 28, 2009 at 5:42 PM, Thor (Hammer of God) <thor@xxxxxxxxxxxxxxx> wrote:

LOL. I shoulda known - the first two things I did were the first two unsupported configurations ;) Makes sense tho- this UAG/TMG thing is a bit "strange" to say the least. Steve had a good word for it, which I won't say here. But, I have to say, it is QUITE cool once you wrap your head around it... Thanks Jim.
t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Monday, December 28, 2009 2:36 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

The closest to what you want they have at the moment is http://technet.microsoft.com/en-us/library/ee522953.aspx

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] on behalf of Thor (Hammer of God) [thor@xxxxxxxxxxxxxxx]
Sent: Monday, December 28, 2009 2:01 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

Let me be more specific: Is there a document of unsupported configurations for UAG as there is for TMG that you know of (to Jim).

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Monday, December 28, 2009 1:35 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

Is there an unsupported doc for UAG? Steve and I are doing "interesting" things with the TMG config under UAG, and having to think "differently" in order to get it to work, but it would be nice to know what the "true" intent of UAG is insofar as TMG's "back end" is concerned.

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Monday, December 28, 2009 12:25 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

That's part of it, but by no means all. http://edge.technet.com/Media/ISA-to-TMG-Migration-Guidance/ might give you some idea...
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] on behalf of Steven Comeau [scomeau@xxxxxxxxxxxxxxxxxx]
Sent: Monday, December 28, 2009 11:16 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

So, can't we just export the 2006 Configuration (x32) into TMG (x64) - or won't that work? I mean, I ain't got nothin' fancy 'cept some self-signed certs...

Steve Comeau
Associate Director of IT
Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Sunday, December 27, 2009 10:36 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

Could you elaborate on what you mean by "the tone"? While we realize we're likely to upset some folks, that's clearly not on the list of goals for this doc..

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of John Wilson
Sent: Sunday, December 27, 2009 7:02 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

Originally, my point was I didn't like the tone of the unsupported configs doc. I can now see the point of publishing this so people can know what they are getting into ahead of time.

2nd point: As with all things, I know when migrating 32 bit to 64 bit is necessary. When we "tore down the network", it wasn't because we didn't know what we were doing, it was an intentional redesign with days / weeks of planning.
I'm usually the first one to suggest the 64-bit deal if it's an option. I just said it sucks - as in, it's not convenient. EVEN IF a direct path were offered for 32-bit to 64-bit migration were technically feasible, I would STILL go with a clean install for the 64-bit for obvious reasons. As I said before, TMG as a product is fine.

J

Sent from my iPhone

On Dec 26, 2009, at 10:39 PM, "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx> wrote:

You misunderstood what I said: I wasn't saying to tear down the entire network to get it to X64 - I was saying to John, "remember when we tore down the network," (and did not go into those reasons, as he knows). We had very good reason to have to do so - and DID so in a corporate environment. If anyone was going to do the stoning it was us. The point is that sometimes you have to do things you don't want to do in order to get to the "right place." You just have to define what "the right place" is. Migrating 14 servers is no big deal. Migrating 1400 just requires a proper plan of action... No one said this would be easy. If anyone could do this, they wouldn't need us- they'd hire college kids... KNOWING the difference between TMG and ISA, I can see why they did what they did... If others don't want to upgrade (for reasons that I personally would call "lazy") then that's fine. They don't have to. If dude wants to can TMG/ISA because he doesn't feel like doing the work, then goody for him... That's what my point was.

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
Sent: Saturday, December 26, 2009 12:52 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

That's really great, but I'm not about to 'tear down my entire' network to get it to x64. In a corporate environment you'd be stoned to death for even mentioning such.
I kind of agree with everyone a little bit, I personally am planning a swing migration as it's the best way I find I can reduce the downtime window to my end users. It was always the same with Exchange 2007 and MOSS and others: deal with it if you want it; if it doesn't add value to you then you are not bound to upgrade, the choice is yours. Jim is right where there have been many hidden unsupported configs for MS products and I've only found out after I've installed the product when problems occur. Personally I'd rather know beforehand. Hope you all had a good Christmas.

Greg

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Thursday, 24 December 2009 5:59 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

First off, I very much respect your opinion... But we had x86 to x64 conversations YEARS ago... Remember when we tore down the entire network and rebuilt it from scratch? It was necessary.. Sometimes you have to do that. We have to progress, and sometimes doing so is not easy.

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of John Wilson
Sent: Wednesday, December 23, 2009 10:42 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

I read the list of unsupported scenarios. While I agree there is a certain extent of necessity of unsupported configs due to the changes in underlying code/technologies, to me, this reads off on a wrong note. It's almost like Microsoft has taken a "You have to a given configuration, or else the product is not supported." attitude. In the past, I think they have been more of a "technology empowers business" attitude. The shift in mentality, for this piece of product documentation at least, bothers me.
Hey, this may be just me reading it the wrong way, but if I was using ISA 2006 in an organization, I could see where the decision makers would look at the list of unsupported configurations and say, "ISA and TMG costs a lot in licensing, and seems like it isn't as flexible as the older product. Let's look at other options." That may or may not be a fair statement. But if I showed the documentation to certain people, I'm sure the project to upgrade wouldn't get approved.

As far as 32-bit 2003 to 64-bit 2008 with no direct upgrade path, that sucks. But it's the same issue users faced migrating from Exchange 2003 to Exchange 2007. So it's not a new thing. It's to be expected for certain products if you want to take advantage of the 64-bit architecture.

John Wilson

________________________________
From: Jim Harrison <Jim@xxxxxxxxxxxx>
To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
Sent: Wed, December 23, 2009 1:05:35 PM
Subject: [isalist] Re: TMG Unsupported

Since you're interested in maintaining service during the change from ISA to TMG, you can't use an in-place upgrade anyway. At some point in any in-place upgrade process, that server is off-line. No getting around it. Have you ever considered a rolling upgrade? At most, it costs you 1 or 2 extra servers (that can be included or repurposed afterwards) and allows you to "silently" move your users from one deployment to another. If you do this on virtual deployments, it's even easier. Chapter 6 in the TMG book (also to be a sample chapter) is dedicated to this thought process and offers an example of "rolling" from ISA 2006 SE to TMG EE. ..it's only as hard as you choose to make it.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] on behalf of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR [DPietruszka@xxxxxx]
Sent: Wednesday, December 23, 2009 9:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

For the OS don't use excuses, Microsoft always did the same with ISA and lately with a lot of other products just to force you to migrate to 64 bits or 2008. And the instances, I have 14 (well there are 2 others not really in use) ISA servers in total, believe me I would find a way to continue protecting the network or providing proxy service while migrating other boxes. It is just a pain in .... to always do the same thing, that is why I promised last time not to migrate to the next ISA version; the pain of moving from 2004 to 2006 was not worth the advantages of the new version. Believe me I'm closer to looking for other products rather than upgrading, that is why I would like to read about the advantages.

Regards
Diego R. Pietruszka
MIS - Shift Manager
MSC (USA) - Interlink Transport Technologies
Direct Phone: (908)605-4147

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Wednesday, December 23, 2009 12:45 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

When you figure out how to do an "in place upgrade" from WS03 x86 to WS08 x64, you let us know? ..oh; and while you're at it, be sure to describe how the ISA 2006 instance is to continue operating (necessary for an in-place upgrade) on WS08 x64? Seriously; some in-place changes just aren't possible.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] on behalf of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR [DPietruszka@xxxxxx]
Sent: Wednesday, December 23, 2009 9:41 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

Is there any link with a description of the advantages or new features of TMG over ISA2006? I want to see if playing the crappy Microsoft game of never offering an in-place upgrade is worth the effort or not. Thanks

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Wednesday, December 23, 2009 12:33 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: TMG Unsupported

Shouldn't one say "TMG is not supported on 'certain' editions" rather than "on all editions"? It makes it sound like every edition of 2008 is not supported.

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Wednesday, December 23, 2009 6:29 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] TMG Unsupported

We just published the "unsupported stuff" for TMG on TechNet. http://technet.microsoft.com/en-us/library/ee796231.aspx is your link of reference.
-- Cordially yours, Jerry G. Young II Microsoft Certified Systems Engineer