ANON86364 Posted March 29, 2013

Hi guys, I've always used ISA and now TMG as a firewall in more complex scenarios with multiple servers hosting sites/services. This allows me to examine specific web requests all on port 80 and 443 and direct them to the appropriate server such as the Exchange server for OWA, or to a web server for other sites.

With TMG now possibly being phased out or its future up in the air, what other firewall products do you guys suggest with similar capabilities? Perhaps another way to answer my concern is, is there a better way to publish Exchange OWA so that I don't have sites using the same ports on different servers?

sc302 Veteran Posted March 29, 2013

I have always done one outside IP for a specific service. I have never done a single outside to host multiple services utilizing the same port(s). OWA, VPN, and web on different external IPs using one to one NAT.

ANON86364 Author Posted March 29, 2013

> I have always done one outside IP for a specific service. I have never done a single outside to host multiple services utilizing the same port(s). OWA, VPN, and web on different external IPs using one to one NAT.

So for your Exchange server you have all the roles on the one box and you're using what for your firewall? Windows firewall?

HSoft Posted March 29, 2013

We use TMG (and ISA in the past) and have very close ties with Microsoft and haven't heard that Microsoft are phasing out their firewall solutions. I know they are pushing UAG as a solution but I'm sure they'll have a product similar to ISA/TMG when they phase that particular product out.

ANON86364 Author Posted March 29, 2013

> We use TMG (and ISA in the past) and have very close ties with Microsoft and haven't heard that Microsoft are phasing out their firewall solutions. I know they are pushing UAG as a solution but I'm sure they'll have a product similar to ISA/TMG when they phase that particular product out.

Just do a Google search for "future of TMG" and it's clear that there is serious noise around what's to become of TMG. It could be just a consolidation of the Forefront line. I'm just curious what people are doing without TMG/ISA. It seems to me that there is really no other product that comes close. What gets me right now is that TMG does not work at all on Server 2012 and there aren't plans to make it work.

http://www.techrepublic.com/blog/window-on-windows/the-demise-of-threat-management-gateway-is-microsoft-backing-away-from-the-edge/4387

sc302 Veteran Posted March 29, 2013

> So for your Exchange server you have all the roles on the one box and you're using what for your firewall? Windows firewall?

That depends on the site. 80 and 443 would go to the CAS and 25 would go to the spam filter. The db can be separate. Web services can be separated as well.

HSoft Posted March 29, 2013

> Just do a Google search for "future of TMG" and it's clear that there is serious noise around what's to become of TMG. It could be just a consolidation of the Forefront line. I'm just curious what people are doing without TMG/ISA. It seems to me that there is really no other product that comes close. What gets me right now is that TMG does not work at all on Server 2012 and there aren't plans to make it work.
>
> http://www.techrepub...m-the-edge/4387

Ah yes, for 2012 Msft is currently pushing UAG (which is more expensive and may be too much for what you are looking for). We're just starting our migration to 2012 servers so haven't come across the TMG/2012 problem yet.

briangw Posted March 29, 2013

We use F5 for the routing portion but I can't say much else as I just manage Exchange and OWA from within.

sc302 Veteran Posted March 29, 2013

Sorry, I didn't realize you were asking about the firewall. No, no Windows firewall other than for internal traffic. I consider it a security breach to use Windows firewall as your routing firewall; this is due to the simple fact that they are on the forefront of being compromised all of the time, more than any other company. How was it put, Windows is like having a house in the bad neighborhood in town that has barred up windows and a heavy steel door. I choose to live in a better part of town where people aren't always trying to break in. The Windows house has been robbed too many times.

Cisco, SonicWall, Fortinet, Juniper, or even pfSense, m0n0wall, or SmoothWall distros.

cluberti Posted April 1, 2013

As someone who's used ISA and TMG since ISA2000, and also uses and deals with Cisco, Checkpoint, and Juniper solutions as well, nothing really comes close to ISA and TMG, and no, running on Windows hasn't been the (usually overblown) security risk people think it is. Sadly, Microsoft has no roadmap for TMG, but considering it and 2008R2 underneath it should be supported for many years, you have time either to wait and see what the Forefront line becomes over the next 5-6 years, or to move to something else that will do parts of each job.

As to publishing, you have to go back to opening ports and services on other equipment. As sc302 mentions, it's simply opening external ports on external IPs on the external interface, and routing them to the appropriate ports on the internal IP address(es) of the internal servers.