Hey Jerry, Yeah, I've seen the blog; that's why I asked if it was only localhost support for IPv6 and DA. From what I have seen in the IAG docs, they talk about UAG being in a perimeter network, so I was curious about what would be providing the edge firewall role if TMG doesn't support IPv6??? I am running UAG DA in production since RC0, but thanks for the links ;) Someone asked the question of "why two products..." at TechEd Berlin; the answer from David Cross was "there just wasn't time to amalgamate the products into a single version for this release..." Cheers JJ Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN: jason.jones@xxxxxxxxxxxxxxxxx<mailto:jason.jones@xxxxxxxxxxxxxxxxx> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young Sent: 23 December 2009 17:42 To: isapros Subject: [isapros] Re: FW: TMG Unsupported Jason, You can install TMG on a DA server but the assumption is that the DA server is straddling your edge. For specifics, see the following link. http://blogs.technet.com/isablog/archive/2009/09/23/forefront-tmg-and-windows-7-directaccess.aspx I don't think, however, that you'll be able to put TMG in front of UAG. Keep in mind that UAG installs a gimped, full version of TMG, and UAG is used for providing a highly available DA edge (as I understand it so far) and centralized management. The following links have information regarding UAG/DA. http://technet.microsoft.com/en-us/library/dd772157.aspx#BKMK_DA http://technet.microsoft.com/en-us/library/ee522953.aspx The following is a thread I started on the IAG/UAG forum regarding this. http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/b8d0e1fe-9ab6-4b88-a2cc-4ad016c45196 While Ben Ari responded to my post, he never addressed a core, unspoken question I presented (among others): Why separate the functionality of managing remote and protected access into two separate products? I mean, we already have the complete TMG product installed on UAG, right...? (o.O) I had been hoping the posting would have generated more discussion but it doesn't look as if that's going to happen, which is a shame. Jerry On Wed, Dec 23, 2009 at 10:37 AM, Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx<mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>> wrote: Hey Jim, The "not so nice": HTTPS Inspection limitations Issue: There are a number of limitations you should be aware of when enabling the HTTPS Inspection feature on Forefront TMG. Cause: The following features are not supported: * Extended Validation (EV) SSL certificates. EV certs are getting quite popular now, so I see the exclusion list having to grow quite quickly and an unpleasant admin overhead :( Forefront TMG does not support IPv6 traffic Issue: IPv6 traffic is not supported by Forefront TMG (except for DirectAccess). Cause: Filtering of IPv6 traffic is not supported, and all IPv6 traffic is blocked by default. Solution: It is recommended that you disable IPv6 traffic on the Forefront TMG computer or array members. To disable the IPv6 stack on the Forefront TMG computer or array member, see Knowledge Base article KB929852<http://go.microsoft.com/fwlink/?LinkId=179983> (http://go.microsoft.com/fwlink/?LinkId=179983). This is a real shame as a lot of "hardware vendors" now provide this out of the box; this could make it hard to introduce TMG as a 'proper firewall' if customers are seriously looking at deploying IPv6 :( Can you expand on the "except for DirectAccess"? E.g. could TMG be a dedicated edge firewall in front of UAG running DA? Or is it only when DA is installed on the TMG host itself? A lot of other statements fall into "same as ISA" or "glad to see them listed" :) One that I think should be included (that isn't) is a statement about the lack of support for stateful session failover when using NLB/HLB, as I believe TMG EE still cannot do this. A lot of people seem to assume it does, especially when comparing to 'da competition'. Cheers JJ Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN: jason.jones@xxxxxxxxxxxxxxxxx<mailto:jason.jones@xxxxxxxxxxxxxxxxx><mailto:jason.jones@xxxxxxxxxxxxxxxxx<mailto:jason.jones@xxxxxxxxxxxxxxxxx>> From: isapros-bounce@xxxxxxxxxxxxx<mailto:isapros-bounce@xxxxxxxxxxxxx> [mailto:isapros-bounce@xxxxxxxxxxxxx<mailto:isapros-bounce@xxxxxxxxxxxxx>] On Behalf Of Jim Harrison Sent: 23 December 2009 15:19 To: isapros Subject: [isapros] Re: TMG Unsupported As in...? From: isapros-bounce@xxxxxxxxxxxxx<mailto:isapros-bounce@xxxxxxxxxxxxx> [mailto:isapros-bounce@xxxxxxxxxxxxx<mailto:isapros-bounce@xxxxxxxxxxxxx>] On Behalf Of Jason Jones Sent: Wednesday, December 23, 2009 7:15 AM To: isapros Subject: [isapros] FW: TMG Unsupported Cool, nice to see some in there and not so nice to see others I hoped would be supported...handy doc though :) Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN: jason.jones@xxxxxxxxxxxxxxxxx<mailto:jason.jones@xxxxxxxxxxxxxxxxx><mailto:jason.jones@xxxxxxxxxxxxxxxxx<mailto:jason.jones@xxxxxxxxxxxxxxxxx>> From: isapros-bounce@xxxxxxxxxxxxx<mailto:isapros-bounce@xxxxxxxxxxxxx> [mailto:isapros-bounce@xxxxxxxxxxxxx<mailto:isapros-bounce@xxxxxxxxxxxxx>] On Behalf Of Jim Harrison Sent: 23 December 2009 14:30 To: isapros Subject: [isapros] TMG Unsupported We just published the "unsupported stuff" for TMG on TechNet. http://technet.microsoft.com/en-us/library/ee796231.aspx is your link of reference. -- Cordially yours, Jerry G. Young II Microsoft Certified Systems Engineer