TMG Retired by Microsoft - What product to use going forward?

[n30_mkii]

Hi all, we currently have an ISA 2006 setup which is configured with an internal / perimeter / external setup.

We have web servers and external services in the DMZ leg and have a split DNS to access the content. We publish sites using TMG utilising listeners and the radius client abilities.

Now the question at the minute is around moving to a new product. A couple of my colleagues have just attended TMG 2010 training and would like to move to that, however I have reservations as mainstream support will stop in 2015 and will only then be extended paid for support if we have any issues.

UAG is still going to be supported but is more expensive and has features we won't leverage, we only really need the firewall / DMZ setup and web publishing. I'm thinking it would be a good time to look at a hardware or software replacement so thought I would get peoples opinions on what you use and what you would do in our situation?

I will feel a little dirty implementing a TMG 2010 setup knowing that it's life is going to be limited

 

[kefkef]

Usual MS lifespan would apply to them both surely (UAG currently shows EoM in 2015 and EoE 2020)? Roughly 5yrs from release they go end of mainstream, 10yrs they go end of extended. They'll still have security patches going and plenty of companies will support them through that lifecycle for config/setup purposes.

We're currently running our DMZ through Cisco ASA's and are binning the ISA2004 platform we use for internet proxy and replacing with Sophos web appliances.

 

[Burnsy2023]

I will feel a little dirty implementing a TMG 2010 setup knowing that it's life is going to be limited

I am currently planning a huge new IT system and TMG was a core part of my design as a back firewall and publishing service. UAG might fit most of my requirements but I'll have to re-evaluate my whole design. I suppose I should have picked up on the product roadmap earlier.

I don't think I could bring myself to implement a product that has such limited support when this system will be in place probably for the best part of a decade. I also need web publishing for services like Lync 2013 and Exchange 2013 which obviously TMG won't get.

This really has put a spanner in the works.

 

[paradigm]

It's a really weird decision that there is no replacement product (well, there is, but not for at least 6 months).

I'm now going to have to move towards outing our current TMG environment.

 

[prj1865]

We are just about to implement TMG2010. I knew this was coming but i'll worry about replacing it in 4 years time.

 

[Burnsy2023]

It's a really weird decision that there is no replacement product (well, there is, but not for at least 6 months).

I'm now going to have to move towards outing our current TMG environment.

Whats the replacement product?

 

[n30_mkii]

Whats the replacement product?

Indeed I believed they were no longer interested in replacing the firewall type aspect of ISA/TMG, but have seen mentions of a cloud based product which will be no use for us.

 

[paradigm]

It will be the "cloud" based services that replace TMG. Not sure how you determine that it's not for you though. It should be based on the next iteration of System Center (ie the one due after 2012 SP1), and will be utterly seamless.

I can't wait until we can have our entire infrastructure as a service (obviously with a presence on site in a hybrid-cloud style environment).

 

[kefkef]

Not sure why people are so against implementing TMG2010 due to the mainstream support end date, are you saying that you have all upgraded every 2003 server as the mainstream support has ended, aren't bothering with Server 2008R2 or SQL2008 any more as mainstream ends in 2014/15?? It's supported until 2020 so is still a viable product to implement, you just don't get the free support (in 15yrs I've never used that!) and design/feature changes.

 

[Burnsy2023]

Not sure why people are so against implementing TMG2010 due to the mainstream support end date, are you saying that you have all upgraded every 2003 server as the mainstream support has ended, aren't bothering with Server 2008R2 or SQL2008 any more as mainstream ends in 2014/15?? It's supported until 2020 so is still a viable product to implement, you just don't get the free support (in 15yrs I've never used that!) and design/feature changes.

One of my main concerns is making sure that the web publishing side will be continually developed for new products, which TMG obviously won't.

 

[paradigm]

Not sure why people are so against implementing TMG2010 due to the mainstream support end date, are you saying that you have all upgraded every 2003 server as the mainstream support has ended, aren't bothering with Server 2008R2 or SQL2008 any more as mainstream ends in 2014/15?? It's supported until 2020 so is still a viable product to implement, you just don't get the free support (in 15yrs I've never used that!) and design/feature changes.

Actually, all our SQL boxes are 2008R2, or even SQL 2012.

 

[Burnsy2023]

Actually, all our SQL boxes are 2008R2, or even SQL 2012.

Is SQL 2012 completely backward compatible for products that support 2008?

 

[knowlesy]

would it be a sin to suggest Watchguard (used to be known as firebox) ? they have a variety of features and are pretty robust on a side note their SSL gear / UAG's competitor even works with IE10 from what I remember which UAG still currently doesn't support sigh

 

[n30_mkii]

The other main issue for me is that we will be unable to purchase it after December 1st so will be a no starter.

 

[MacRS4]

TMG features are also available in UAG.

Also, don't forget there's reverse proxy services built in to Windows IIS too - that'll work for a lot of services like Lync, SharePoint & Exchange. It's called Windows IIS Application Request Routing, or ARR.

 

[nickcardwell]

We are currently about to replace our old checkpoint firewall which also has a tmg beside it for certain things. All to be replaced with a fortigate firewall

 

[MacRS4]

Anyone interested in the ARR component - you can see how to set it up here.