Jason,

You can install TMG on a DA server but the assumption is that the DA server is straddling your edge. For specifics, see the following link.

http://blogs.technet.com/isablog/archive/2009/09/23/forefront-tmg-and-windows-7-directaccess.aspx

I don't think, however, that you'll be able to put TMG in front of UAG. Keep in mind that UAG installs a gimped, full version of TMG, and UAG is used for providing a highly available DA edge (as I understand it so far) and centralized management. The following links have information regarding UAG/DA.

http://technet.microsoft.com/en-us/library/dd772157.aspx#BKMK_DA
http://technet.microsoft.com/en-us/library/ee522953.aspx

The following is a thread I started on the IAG/UAG forum regarding this.

http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/b8d0e1fe-9ab6-4b88-a2cc-4ad016c45196

While Ben Ari responded to my post, he never addressed a core, unspoken question I presented (among others): Why separate the functionality of managing remote and protected access into two separate products? I mean, we already have the complete TMG product installed on UAG, right...? (o.O)

I had been hoping the posting would have generated more discussion but it doesn't look as if that's going to happen, which is a shame.

Jerry

On Wed, Dec 23, 2009 at 10:37 AM, Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx> wrote:

> Hey Jim,
>
> The "not so nice":
>
> HTTPS Inspection limitations
>
> Issue: There are a number of limitations you should be aware of when
> enabling the HTTPS Inspection feature on Forefront TMG.
> Cause: The following features are not supported:
>
> * Extended Validation (EV) SSL certificates.
>
> EV certs are getting quite popular now, so I see the exclusion list having
> to grow quite quickly and an unpleasant admin overhead :(
>
> Forefront TMG does not support IPv6 traffic
>
> Issue: IPv6 traffic is not supported by Forefront TMG (except for
> DirectAccess).
> Cause: Filtering of IPv6 traffic is not supported, and all IPv6 traffic is
> blocked by default.
> Solution: It is recommended that you disable IPv6 traffic on the Forefront
> TMG computer or array members. To disable the IPv6 stack on the Forefront
> TMG computer or array member, see Knowledge Base article KB929852
> (http://go.microsoft.com/fwlink/?LinkId=179983).
>
> This is a real shame as a lot of "hardware vendors" now provide this out of
> the box; this could make it hard to introduce TMG as a 'proper firewall' if
> customers are seriously looking at deploying IPv6 :(
>
> Can you expand on the "except for DirectAccess"? E.g. could TMG be a
> dedicated edge firewall in front of UAG running DA? Or is it only when DA is
> installed on the TMG host itself?
>
> A lot of other statements fall into "same as ISA" or "glad to see them
> listed" :)
>
> One that I think should be included (that isn't) is a statement about the
> lack of support for stateful session failover when using NLB/HLB, as I
> believe TMG EE still cannot do this. A lot of people seem to assume it does,
> especially when comparing to 'da competition'.
>
> Cheers
>
> JJ
>
> Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44
> (0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN:
> jason.jones@xxxxxxxxxxxxxxxxx
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: 23 December 2009 15:19
> To: isapros
> Subject: [isapros] Re: TMG Unsupported
>
> As in...?
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jason Jones
> Sent: Wednesday, December 23, 2009 7:15 AM
> To: isapros
> Subject: [isapros] FW: TMG Unsupported
>
> Cool, nice to see some in there and not so nice to see others I hoped would
> be supported...handy doc though :)
>
> Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44
> (0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN:
> jason.jones@xxxxxxxxxxxxxxxxx
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: 23 December 2009 14:30
> To: isapros
> Subject: [isapros] TMG Unsupported
>
> We just published the "unsupported stuff" for TMG on TechNet.
> http://technet.microsoft.com/en-us/library/ee796231.aspx is your link of
> reference.

--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer