[isapros] Re: FW: TMG Unsupported

  • From: Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx>
  • To: isapros <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 24 Dec 2009 00:36:20 +0000

Hey Jerry,

Yeah, I've seen the blog; that's why I asked if it was only localhost support 
for IPv6 and DA. From what I have seen in the IAG docs, they talk about UAG 
being in a perimeter network, so I was curious about what would be providing 
the edge firewall role if TMG doesn't support IPv6???

I am running UAG DA in production since RC0, but thanks for the links ;)

Someone asked the question of "why two products..." at TechEd Berlin; the 
answer from David Cross was "there just wasn't time to amalgamate the products 
into a single version for this release..."

Cheers

JJ

Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44 
(0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN: 
jason.jones@xxxxxxxxxxxxxxxxx

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: 23 December 2009 17:42
To: isapros
Subject: [isapros] Re: FW: TMG Unsupported

Jason,

You can install TMG on a DA server but the assumption is that the DA server is 
straddling your edge.  For specifics, see the following link.

http://blogs.technet.com/isablog/archive/2009/09/23/forefront-tmg-and-windows-7-directaccess.aspx

I don't think, however, that you'll be able to put TMG in front of UAG.  Keep 
in mind that UAG installs a gimped, full version of TMG, and UAG is used for 
providing a highly available DA edge (as I understand it so far) and 
centralized management.
The following links have information regarding UAG/DA.

http://technet.microsoft.com/en-us/library/dd772157.aspx#BKMK_DA
http://technet.microsoft.com/en-us/library/ee522953.aspx

The following is a thread I started on the IAG/UAG forum regarding this.

http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/b8d0e1fe-9ab6-4b88-a2cc-4ad016c45196

While Ben Ari responded to my post, he never addressed a core, unspoken 
question I presented (among others): Why separate the functionality of managing 
remote and protected access into two separate products?  I mean, we already 
have the complete TMG product installed on UAG, right...? (o.O)

I had been hoping the posting would have generated more discussion but it 
doesn't look as if that's going to happen, which is a shame.

Jerry
On Wed, Dec 23, 2009 at 10:37 AM, Jason Jones 
<Jason.Jones@xxxxxxxxxxxxxxxxx> wrote:
Hey Jim,

The "not so nice":

HTTPS Inspection limitations

Issue: There are a number of limitations you should be aware of when enabling 
the HTTPS Inspection feature on Forefront TMG.
Cause: The following features are not supported:

 *   Extended Validation (EV) SSL certificates.

EV certs are getting quite popular now, so I see the exclusion list having to 
grow quite quickly and an unpleasant admin overhead :(


Forefront TMG does not support IPv6 traffic
Issue: IPv6 traffic is not supported by Forefront TMG (except for DirectAccess).
Cause: Filtering of IPv6 traffic is not supported, and all IPv6 traffic is 
blocked by default.
Solution: It is recommended that you disable IPv6 traffic on the Forefront TMG 
computer or array members. To disable the IPv6 stack on the Forefront TMG 
computer or array member, see Knowledge Base article KB929852 
(http://go.microsoft.com/fwlink/?LinkId=179983).
This is a real shame as a lot of "hardware vendors" now provide this out of the 
box; this could make it hard to introduce TMG as a 'proper firewall' if 
customers are seriously looking at deploying IPv6 :(

Can you expand on the "except for DirectAccess"? E.g. could TMG be a dedicated 
edge firewall in front of UAG running DA? Or is it only when DA is installed on 
the TMG host itself?

A lot of other statements fall into "same as ISA" or "glad to see them listed" 
:)

One that I think should be included (that isn't) is a statement about the lack 
of support for stateful session failover when using NLB/HLB, as I believe TMG 
EE still cannot do this. A lot of people seem to assume it does, especially 
when comparing to 'da competition'.

Cheers

JJ


Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44 
(0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN: 
jason.jones@xxxxxxxxxxxxxxxxx
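The "disable the IPv6 stack" recommendation quoted above is a one-line registry change, but on a firewall it is worth seeing what IPv6 the box is actually exposing before you apply it. The following PowerShell is an added example, not from the thread, from the TechNet page or from KB929852 itself; it assumes the KB929852 registry location (Tcpip6\Parameters\DisabledComponents, value 0xFF = every IPv6 component off except the loopback interface), must run elevated on the TMG host, and the change only takes effect after a reboot. The function names are my own.

```powershell
# Added example, not from the thread or from KB929852 itself. Assumes the
# KB929852 registry location and value below; run elevated on the TMG host,
# and reboot afterwards for the DisabledComponents change to take effect.

$Tcpip6Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$DisableAllExceptLoopback = 0xFF   # KB929852: all IPv6 components off except loopback

function Get-Ipv6Exposure {
    # Routable IPv6 addresses (global or unique-local) bound on any adapter,
    # including Teredo/ISATAP tunnel adapters. Link-local and loopback are
    # skipped: they are always present and are not what carries traffic
    # that TMG would drop unfiltered.
    $v6 = [System.Net.Sockets.AddressFamily]::InterNetworkV6
    foreach ($nic in [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()) {
        foreach ($ua in $nic.GetIPProperties().UnicastAddresses) {
            $addr = $ua.Address
            if ($addr.AddressFamily -eq $v6 -and
                -not $addr.IsIPv6LinkLocal -and
                -not [System.Net.IPAddress]::IsLoopback($addr)) {
                New-Object PSObject -Property @{
                    Interface = $nic.Name
                    Address   = $addr.IPAddressToString
                }
            }
        }
    }
}

function Get-Ipv6DisabledComponents {
    # Current KB929852 bitmask; a missing value means IPv6 is fully enabled (0).
    # The registry returns a signed DWORD, so mask before casting to uint32.
    $item = Get-ItemProperty -Path $Tcpip6Params -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($item -ne $null) { [uint32]($item.DisabledComponents -band 0xFFFFFFFF) } else { [uint32]0 }
}

function Disable-Ipv6Stack {
    # Applies DisabledComponents = 0xFF unless it is already set.
    # Do NOT run this on a TMG host that is also a DirectAccess server:
    # DirectAccess is the one IPv6 case TMG supports, and it needs the stack.
    $current = Get-Ipv6DisabledComponents
    if ($current -eq $DisableAllExceptLoopback) {
        Write-Host ("DisabledComponents is already 0x{0:X}; nothing to change." -f $current)
        return
    }
    # New-ItemProperty -Force creates the value or overwrites an existing one.
    New-ItemProperty -Path $Tcpip6Params -Name DisabledComponents `
        -Value $DisableAllExceptLoopback -PropertyType DWord -Force | Out-Null
    Write-Host ("DisabledComponents set from 0x{0:X} to 0x{1:X}; reboot to apply." -f $current, $DisableAllExceptLoopback)
}

# Usage: inventory first so you know which adapters still hold routable IPv6
# addresses (e.g. an ISP-assigned prefix or a Teredo address), then apply.
Get-Ipv6Exposure | Format-Table -AutoSize
Disable-Ipv6Stack
```

Running the inventory before the registry write is the useful part: if the external adapter already holds a global IPv6 address, that is traffic TMG is silently dropping today rather than filtering, and it is the reason the vendor's own guidance is to take the stack down rather than leave it half-configured.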

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: 23 December 2009 15:19
To: isapros
Subject: [isapros] Re: TMG Unsupported

As in...?

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jason Jones
Sent: Wednesday, December 23, 2009 7:15 AM
To: isapros
Subject: [isapros] FW: TMG Unsupported

Cool, nice to see some in there and not so nice to see others I hoped would be 
supported...handy doc though :)

Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44 
(0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN: 
jason.jones@xxxxxxxxxxxxxxxxx

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: 23 December 2009 14:30
To: isapros
Subject: [isapros] TMG Unsupported

We just published the "unsupported stuff" for TMG on TechNet.
http://technet.microsoft.com/en-us/library/ee796231.aspx is your link of 
reference.



--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
