[isapros] Re: FW: TMG Unsupported

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 23 Dec 2009 14:41:46 -0600

One very very important thing to consider is that unless you have a
native IPv6 network and network applications, you're going to need DNS64
and NAT64. You can buy 3rd party products at extra cost, or take
advantage of UAG's built in translation technologies. Then after your
network and all network applications are native IPv6, you don't have to
worry about it (that should be in about 20 years) :)

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Richard Hicks
Sent: Wednesday, December 23, 2009 12:03 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: FW: TMG Unsupported

"Why separate the functionality of managing remote and protected access
into two separate products?  I mean, we already have the complete TMG
product installed on UAG, right...? (o.O)"

The thing to remember here is that UAG is being positioned as the
"premium" remote access solution.  Obviously TMG still includes remote
access capabilities, but it lacks the enhanced features that UAG
provides, such as SSL VPN, portal publication, etc.

Richard Hicks - Forefront MVP

MCSE, MCITP:EA, WCE-WS

Senior Sales Engineer

Product Specialist - Edge Security Solutions

Celestix Networks, Inc.

440 Mission Court, Suite 231

Fremont, CA  94539

510.668.0700 x6734 [Office]

949.330.3919 [Cel]

rhicks@xxxxxxxxxxxx

http://www.celestix.com/

http://tmgblog.richardhicks.com/

http://mvp.richardhicks.com/ - NEW!

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jerry Young
Sent: Wednesday, December 23, 2009 9:42 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: FW: TMG Unsupported

Jason,

You can install TMG on a DA server but the assumption is that the DA
server is straddling your edge.  For specifics, see the following link.

http://blogs.technet.com/isablog/archive/2009/09/23/forefront-tmg-and-windows-7-directaccess.aspx

I don't think, however, that you'll be able to put TMG in front of UAG.
Keep in mind that UAG installs a gimped, full version of TMG, and UAG is
used for providing a highly available DA edge (as I understand it so
far) and centralized management.

The following links have information regarding UAG/DA.

http://technet.microsoft.com/en-us/library/dd772157.aspx#BKMK_DA

http://technet.microsoft.com/en-us/library/ee522953.aspx

The following is a thread I started on the IAG/UAG forum regarding this.

http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/b8d0e1fe-9ab6-4b88-a2cc-4ad016c45196

While Ben Ari responded to my post, he never addressed a core, unspoken
question I presented (among others): Why separate the functionality of
managing remote and protected access into two separate products?  I
mean, we already have the complete TMG product installed on UAG,
right...? (o.O)

I had been hoping the posting would have generated more discussion but
it doesn't look as if that's going to happen, which is a shame.

Jerry

On Wed, Dec 23, 2009 at 10:37 AM, Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx> wrote:

Hey Jim,

The "not so nice":

HTTPS Inspection limitations

Issue: There are a number of limitations you should be aware of when
enabling the HTTPS Inspection feature on Forefront TMG.
Cause: The following features are not supported:

 *   Extended Validation (EV) SSL certificates.
EV certs are getting quite popular now, so I see the exclusion list
having to grow quite quickly and an unpleasant admin overhead :(


Forefront TMG does not support IPv6 traffic
Issue: IPv6 traffic is not supported by Forefront TMG (except for
DirectAccess).
Cause: Filtering of IPv6 traffic is not supported, and all IPv6 traffic
is blocked by default.
Solution: It is recommended that you disable IPv6 traffic on the
Forefront TMG computer or array members. To disable the IPv6 stack on
the Forefront TMG computer or array member, see Knowledge Base article
KB929852 (http://go.microsoft.com/fwlink/?LinkId=179983).
This is a real shame as a lot of "hardware vendors" now provide this out
of the box; this could make it hard to introduce TMG as a 'proper
firewall' if customers are seriously looking at deploying IPv6 :(

Can you expand on the "except for DirectAccess"? E.g. could TMG be a
dedicated edge firewall in front of UAG running DA? Or is it only when
DA is installed on the TMG host itself?

A lot of other statements fall into "same as ISA" or "glad to see them
listed" :)

One that I think should be included (that isn't) is a statement about
the lack of support for stateful session failover when using NLB/HLB, as
I believe TMG EE still cannot do this. A lot of people seem to assume it
does, especially when comparing to 'da competition'.

Cheers

JJ


Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44
(0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN:
jason.jones@xxxxxxxxxxxxxxxxx

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: 23 December 2009 15:19
To: isapros
Subject: [isapros] Re: TMG Unsupported

As in...?

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Jones
Sent: Wednesday, December 23, 2009 7:15 AM
To: isapros
Subject: [isapros] FW: TMG Unsupported

Cool, nice to see some in there and not so nice to see others I hoped
would be supported...handy doc though :)

Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44
(0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN:
jason.jones@xxxxxxxxxxxxxxxxx

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: 23 December 2009 14:30
To: isapros
Subject: [isapros] TMG Unsupported

We just published the "unsupported stuff" for TMG on TechNet.
http://technet.microsoft.com/en-us/library/ee796231.aspx is your link of
reference.

-- 
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer