If you haven’t read the news about Microsoft’s new direction for its on-premises security products, you might not be aware that offerings such as Forefront Protection for Exchange (FPE) and Threat Management Gateway (TMG) will not be carried forward into the future. FPE is being replaced by its cloud-based anti-malware companion, Forefront Online Protection for Exchange (FOPE – now renamed as Exchange Online Protection), supplemented with a single-engine anti-malware feature incorporated into Exchange 2013. At least you can buy third-party anti-malware products for Exchange if you don’t like the direction that Microsoft is taking. Or run another product alongside Exchange’s anti-malware feature to achieve a level of redundancy or multi-layered protection.
But what of TMG? I didn’t care very much for ISA Server, TMG’s predecessor. ISA was handicapped by its 32-bit nature and subsequent poor performance under load, a factor that was bitterly exposed in some of the higher-end engagements that I worked on. Great hopes were invested in TMG without ever being totally fulfilled, but it is a product that is very useful within an Exchange infrastructure because of its relatively easy-to-deploy reverse-proxy functionality, something that’s essential when you have a DMZ to sanitize incoming connections from the Internet before passing connections onto servers hidden by an internal network. Outlook Web App (OWA), Outlook Anywhere and ActiveSync, all generate heavy loads for TMG en route to a Client Access Server endpoint, so it’s a popular choice for Exchange administrators.
TMG has its limitations, with poor NAT support being one of the most obvious. But it did its job and is a Microsoft product, which means that documentation is acceptable and support available. Combining TMG with Exchange provides a single throat to choke when things go wrong, which is always a nice thing to have.
It might be natural to suppose that Microsoft’s Unified Access Gateway (UAG) might replace TMG, but that’s not really the case. First, UAG is more expensive than TMG. Depending on Microsoft pricing in the country where you reside, UAG might be twice as expensive as TMG, so the sheer cost of a transition will be painful. Second, TMG works with some Microsoft products to cover common scenarios very well. Exchange is one of these applications, and there are some functionality gaps that UAG will have to cover before it can be considered to be an adequate replacement. For example, two-factor authentication for ActiveSync devices or certificate-based authentication for OWA.
So Microsoft’s move to delete TMG from their product catalog from December 1, 2012 is curious. Mainstream support for TMG lasts until April 14, 2015 and the lights won’t fully go out until April 14, 2020, so time is available to find a long-term replacement, probably from a third-party software vendor, who might just follow the line taken by some companies of building specialized appliances in the form of virtual machines. We’ll see.
The move to go “all-in-the-cloud” with FOPE is more understandable from an engineering and economic perspective. It’s much easier and cheaper for Microsoft to concentrate on a single platform. They have to protect Office 365 anyway and more companies are moving to embrace utility cloud services that are commonly protected by FPE (Exchange, SharePoint, and Lync) so it’s good for Microsoft to focus their anti-malware efforts on Office 365. Removing the need to ship FPE releases additional engineering resources (people) and budget that can be invested in other areas, most likely those deemed to be emerging technologies rather than the somewhat ho-hum (but vitally important) domain that anti-virus and anti-spam has become. It also makes support easier as fewer variants have to be considered – and because all the problems are now going to occur within Microsoft’s own very tightly controlled Office 365 infrastructure. Overall, I imagine that dropping FPE will save Microsoft a ton of money.
Savings will come at the expense of customer discomfort. Microsoft will point to the cloud alternative, their commitment to include an anti-malware engine in Exchange 2013 (no news yet about SharePoint and Lync), and the preservation of customer choice insofar as you can disable Exchange’s anti-malware feature and replace it with whatever layers of anti-malware defences you choose to erect. Companies who use or plan to use Office 365 won’t be bothered by the shift in strategy, but those who plan to stay on-premises have a few decisions to make over the few months.
We don’t have all of the necessary information to make informed decisions yet. Like all switches in strategy, it takes time to digest the initial announcement before asking questions that are pertinent and relevant to your own infrastructure and circumstances. I think quite a few Microsoft account managers will have the opportunity to debate Microsoft’s new security product strategy before 2012 comes to a close. It should be an interesting few months.
Follow Tony @12Knocksinna