[isapros] Re: FW: TMG Unsupported

  • From: Jerry Young <jerrygyoungii@xxxxxxxxx>
  • To: isapros@xxxxxxxxxxxxx
  • Date: Wed, 23 Dec 2009 12:41:31 -0500

Jason,

You can install TMG on a DA server but the assumption is that the DA server
is straddling your edge.  For specifics, see the following link.

http://blogs.technet.com/isablog/archive/2009/09/23/forefront-tmg-and-windows-7-directaccess.aspx

I don't think, however, that you'll be able to put TMG in front of UAG.
Keep in mind that UAG installs a gimped, full version of TMG, and UAG is
used for providing a highly available DA edge (as I understand it so far)
and centralized management.
The following links have information regarding UAG/DA.

http://technet.microsoft.com/en-us/library/dd772157.aspx#BKMK_DA
http://technet.microsoft.com/en-us/library/ee522953.aspx

The following is a thread I started on the IAG/UAG forum regarding this.

http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/b8d0e1fe-9ab6-4b88-a2cc-4ad016c45196

While Ben Ari responded to my post, he never addressed a core,
unspoken question I presented (among others): Why separate the functionality
of managing remote and protected access into two separate products?  I mean,
we already have the complete TMG product installed on UAG, right...? (o.O)

I had been hoping the posting would have generated more discussion but it
doesn't look as if that's going to happen, which is a shame.

Jerry

On Wed, Dec 23, 2009 at 10:37 AM, Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx> wrote:

> Hey Jim,
>
> The "not so nice":
>
> HTTPS Inspection limitations
>
> Issue: There are a number of limitations you should be aware of when
> enabling the HTTPS Inspection feature on Forefront TMG.
> Cause: The following features are not supported:
>
>  *   Extended Validation (EV) SSL certificates.
> EV certs are getting quite popular now, so I see the exclusion list having
> to grow quite quickly and an unpleasant admin overhead :(
>
>
> Forefront TMG does not support IPv6 traffic
> Issue: IPv6 traffic is not supported by Forefront TMG (except for
> DirectAccess).
> Cause: Filtering of IPv6 traffic is not supported, and all IPv6 traffic is
> blocked by default.
> Solution: It is recommended that you disable IPv6 traffic on the Forefront
> TMG computer or array members. To disable the IPv6 stack on the Forefront
> TMG computer or array member, see Knowledge Base article KB929852
> (http://go.microsoft.com/fwlink/?LinkId=179983).
> This is a real shame as a lot of "hardware vendors" now provide this out of
> the box; this could make it hard to introduce TMG as a 'proper firewall' if
> customers are seriously looking at deploying IPv6 :(
>
> Can you expand on the "except for DirectAccess"? E.g. could TMG be a
> dedicated edge firewall in front of UAG running DA? Or is it only when DA is
> installed on the TMG host itself?
>
> A lot of other statements fall into "same as ISA" or "glad to see them
> listed" :)
>
> One that I think should be included (that isn't) is a statement about the
> lack of support for stateful session failover when using NLB/HLB, as I
> believe TMG EE still cannot do this. A lot of people seem to assume it does,
> especially when comparing to 'da competition'.
>
> Cheers
>
> JJ
>
>
> Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44
> (0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN:
> jason.jones@xxxxxxxxxxxxxxxxx
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: 23 December 2009 15:19
> To: isapros
> Subject: [isapros] Re: TMG Unsupported
>
> As in...?
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jason Jones
> Sent: Wednesday, December 23, 2009 7:15 AM
> To: isapros
> Subject: [isapros] FW: TMG Unsupported
>
> Cool, nice to see some in there and not so nice to see others I hoped would
> be supported...handy doc though :)
>
> Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44
> (0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN:
> jason.jones@xxxxxxxxxxxxxxxxx
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: 23 December 2009 14:30
> To: isapros
> Subject: [isapros] TMG Unsupported
>
> We just published the "unsupported stuff" for TMG on TechNet.
> http://technet.microsoft.com/en-us/library/ee796231.aspx is your link of
> reference.
>



-- 
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
