If you haven’t read the news about Microsoft’s new direction for its on-premises security products, you might not be aware that offerings such as Forefront Protection for Exchange (FPE) and Threat Management Gateway (TMG) will not be carried forward into the future. FPE is being replaced by its cloud-based anti-malware companion, Forefront Online Protection for Exchange (FOPE, now renamed Exchange Online Protection), supplemented by a single-engine anti-malware feature built into Exchange 2013. At least you can buy third-party anti-malware products for Exchange if you don’t like the direction that Microsoft is taking, or run another product alongside Exchange’s anti-malware feature to achieve a level of redundancy or multi-layered protection.
But what of TMG? I didn’t care very much for ISA Server, TMG’s predecessor. ISA was handicapped by its 32-bit nature and the consequent poor performance under load, a weakness that was bitterly exposed in some of the higher-end engagements that I worked on. Great hopes were invested in TMG without ever being totally fulfilled, but it is a product that is very useful within an Exchange infrastructure because of its relatively easy-to-deploy reverse-proxy functionality, something that’s essential when you have a DMZ to sanitize incoming connections from the Internet before passing them on to servers hidden on an internal network. Outlook Web App (OWA), Outlook Anywhere and ActiveSync all generate heavy loads for TMG en route to a Client Access Server endpoint, so it’s a popular choice for Exchange administrators.
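To make the reverse-proxy point concrete, here is an added example (not code from the post, and not TMG’s own rule engine) of the decision a publishing rule in the DMZ has to make before a request is forwarded to a Client Access Server: deny by default, accept only the published host name, and match the request path against the Exchange virtual directories for the three services named above. The public host name and the unpublished `/ecp` path used in the comments are assumptions; the virtual directory names are the standard Exchange ones.

```python
"""
Added example: a minimal model of an Exchange publishing rule as a DMZ
reverse proxy would evaluate it. Not the post's code and not TMG's API.
Assumptions: the public listener name, and that only OWA, ActiveSync and
Outlook Anywhere are published. Everything else is refused at the edge.
"""
import posixpath
from urllib.parse import unquote

# Published endpoints keyed by the Exchange virtual directory (lower-case,
# because IIS paths are case-insensitive and the rule must be too).
PUBLISHED_PATHS = {
    "/owa": "Outlook Web App",
    "/microsoft-server-activesync": "ActiveSync",
    "/rpc": "Outlook Anywhere (RPC over HTTP)",
}

PUBLISHED_HOST = "mail.example.com"  # assumed public name on the listener

# RPC_IN_DATA / RPC_OUT_DATA are the verbs Outlook Anywhere uses.
ALLOWED_METHODS = {"GET", "POST", "HEAD", "OPTIONS", "RPC_IN_DATA", "RPC_OUT_DATA"}


def canonical_path(raw_path):
    """Normalise the request path before matching it against the allow-list.

    Decodes twice (so double-encoded dot segments do not survive), folds
    backslashes, collapses '..' and '.', and lower-cases the result. Matching
    the raw path instead would let '/OWA/%2e%2e/ecp' pass a '/owa' rule.
    """
    path = raw_path.split("?", 1)[0]          # query string is irrelevant here
    path = unquote(unquote(path))
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path).lower()


def publishing_decision(method, host, raw_path):
    """Return (allowed, reason). Deny by default: host, method, then path."""
    if host.lower() != PUBLISHED_HOST:
        return False, "host not published"
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    path = canonical_path(raw_path)
    for prefix, service in PUBLISHED_PATHS.items():
        # Exact directory or something beneath it; '/owaX' must not match '/owa'.
        if path == prefix or path.startswith(prefix + "/"):
            return True, service
    return False, "path not published"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("GET", "mail.example.com", "/owa/auth/logon.aspx"),
        ("POST", "mail.example.com", "/Microsoft-Server-ActiveSync?Cmd=Sync"),
        ("RPC_IN_DATA", "mail.example.com", "/rpc/rpcproxy.dll"),
        ("GET", "mail.example.com", "/OWA/%2e%2e/ecp/"),      # canonicalises to /ecp
        ("GET", "mail.example.com", "/owa%252f..%252fecp"),   # double-encoded
        ("GET", "intranet.example.com", "/owa/"),
    ]
    for sample in samples:
        print(sample, "->", publishing_decision(*sample))
```

The allow-list itself is the easy part; the canonicalisation step is what a home-grown replacement for TMG most often gets wrong, so any candidate appliance should be tested with encoded and double-encoded dot segments against the published paths.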
TMG has its limitations, with poor NAT support being one of the most obvious. But it did its job and is a Microsoft product, which means that documentation is acceptable and support available. Combining TMG with Exchange provides a single throat to choke when things go wrong, which is always a nice thing to have.
It might be natural to suppose that Microsoft’s Unified Access Gateway (UAG) will replace TMG, but that’s not really the case. First, UAG is more expensive than TMG. Depending on Microsoft pricing in the country where you reside, UAG might be twice as expensive as TMG, so the sheer cost of a transition will be painful. Second, TMG works with some Microsoft products to cover common scenarios very well. Exchange is one of these applications, and there are functionality gaps that UAG will have to cover before it can be considered an adequate replacement, for example two-factor authentication for ActiveSync devices or certificate-based authentication for OWA.
So Microsoft’s move to remove TMG from its product catalog as of December 1, 2012 is curious. Mainstream support for TMG lasts until April 14, 2015 and the lights won’t fully go out until April 14, 2020, so time is available to find a long-term replacement, probably from a third-party software vendor, some of whom have already taken the route of packaging specialized appliances as virtual machines. We’ll see.
The move to go “all-in-the-cloud” with FOPE is more understandable from an engineering and economic perspective. It’s much easier and cheaper for Microsoft to concentrate on a single platform. They have to protect Office 365 anyway, and more companies are moving to embrace utility cloud services for the workloads that the on-premises Forefront Protection family covers (Exchange, SharePoint, and Lync), so it’s good for Microsoft to focus their anti-malware efforts on Office 365. Removing the need to ship FPE frees up engineering resources (people) and budget that can be invested in other areas, most likely those deemed to be emerging technologies rather than the somewhat ho-hum (but vitally important) domain that anti-virus and anti-spam has become. It also makes support easier, as fewer variants have to be considered and all the problems are now going to occur within Microsoft’s own very tightly controlled Office 365 infrastructure. Overall, I imagine that dropping FPE will save Microsoft a ton of money.
Savings will come at the expense of customer discomfort. Microsoft will point to the cloud alternative, their commitment to include an anti-malware engine in Exchange 2013 (no news yet about SharePoint and Lync), and the preservation of customer choice insofar as you can disable Exchange’s anti-malware feature and replace it with whatever layers of anti-malware defences you choose to erect. Companies who use or plan to use Office 365 won’t be bothered by the shift in strategy, but those who plan to stay on-premises have a few decisions to make over the next few months.
We don’t have all of the necessary information to make informed decisions yet. Like all switches in strategy, it takes time to digest the initial announcement before asking questions that are pertinent and relevant to your own infrastructure and circumstances. I think quite a few Microsoft account managers will have the opportunity to debate Microsoft’s new security product strategy before 2012 comes to a close. It should be an interesting few months.
Follow Tony @12Knocksinna
You forgot to mention that current UAG runs on top of TMG!
And what about companies that don’t want to make the move to Office 365? At the moment I’m not aware of any product that makes publishing of OWA/ActiveSync/Outlook Anywhere as easy as TMG.
I think the decision opens up room for companies such as Kemp Technology to develop appliance-type devices specifically for Exchange publication. They are close enough already. Now it should just be a matter of some extra packaging and automation and you’ve got the complete solution.
Keep in mind that Kemp does not provide a true application-level load balancing solution as F5, Citrix and Cisco do. This shouldn’t be a problem with Exchange 2013 anymore because all the CAS traffic is stateless.
Absolutely correct. However, I anticipate that companies like Kemp and F5 are monitoring the situation with Exchange 2013 very carefully indeed and will come out with some new offerings after Exchange 2013 reaches RTM.
I have read and heard lots about the loss of reverse proxy capabilities but what about the basic forward proxy scenarios that these are just as likely to have been implemented for (given the progression from Proxy Server back in the day)?
Presumably everyone is expecting more appliance type solutions too, or edge firewalls with this feature included.
I think you’re right. Everyone is waiting to see what the appliance vendors do now. Next week (at MEC) should generate some interesting conversations.
Since you’re at MEC, I’d be interested to hear how any of those offline conversations went with regard to upcoming TMG alternatives. The fact is you cannot recommend a solution which has the death sentence on it. A ‘wait and see’ policy for those of us recommending solutions does not work either. Did you stop past the KEMP booth? What’s the consensus of other SAs there at MEC?
The consensus (to date) is: a) don’t throw TMG out with the bath water yet as it’s still got some useful lifetime left, b) give the third party vendors some time to respond in an intelligent way to last week’s announcements. Personally, I expect to see the other vendors respond after MEC – probably as the deadline for new TMG sales approaches in December – when they have had a chance to come up with a compelling value proposition for disappointed TMG customers.
What do you propose for those of us planning installs for next year? We are already in the design phases for projects due to be implemented next summer, and TMG forms a big component of these due to the publishing options for SharePoint and Exchange services. We’ve been able to factor Server 2012 and Exchange 2013 into these builds, but without TMG (and no obvious alternatives) we’re left hanging.
TMG will be supported by Microsoft until April 2015 so you have quite a time until support ceases. I’d use TMG until then and search for a solution in the intervening period.
Will TMG support Exchange ActiveSync/OWA publishing for Exchange 2013 when it is released? From my understanding there will be no support for 2012/2013 products.
Given the number of companies that use TMG, I bet you’ll see some movement on this point…
I still find it bizarre. TMG did a good job for what it was. Where to now… Cannot purchase it anymore. Funnily enough, you can still buy licenses through SPLA.
I’ve just got Information that TMG is canceled in SPLA. What a disaster!
Not all of the companies we look after have even moved to Windows 7 or Server 2003 yet. Some non-profits you have to take kicking and screaming into the past. Some have just moved to TMG. 2015 is only a heartbeat away for the slow movers. Until Internet uptime exceeds 72% in North America and legislation can provide peace of mind for intellectual property, small to medium sized business owners are not as excited about cloud as the IT culture.
I cannot see how Microsoft’s CRM 2011 will use IFD without TMG. TMG does a very good job of publishing it securely.
TMG does a VERY good job of a lot of things; (imho) that’s why they’re getting rid of it!
Back in the day, discontinue meant “use it if you really want to, but we can’t help you”, but now where Service Providers are concerned it means “you and your customers must stop using it or be in breach of your contract”, effectively forcing them to another product. This time they’re not just stopping support/development, they’re actually taking away freedom of choice somewhat.
Interesting they should do this with a product that’s had a decade to mature too… (Proxy 2>ISA 2000, 2004, 2006, TMG 2010) … a great product that enables publishing public facing and secure cloud services … at this particular point in (o365) time.
We are going to move from Exchange 2007 (with Forefront Security for Exchange Server 2007) to Exchange 2013. What is an alternative antivirus for Exchange Server 2013? Any suggestion, please?
I’d consider Exchange Online Protection. Have you looked into that? It makes a lot of sense to offload message hygiene to a cloud service.
Thanks for your kind reply. As Forefront Security for Exchange will be discontinued for Exchange Server 2013, if possible we are searching for a third-party antivirus solution. We are not going to use a cloud service. Moreover, I am working in the banking sector and security is very tight.
Then go and talk to your friendly Symantec or TrendMicro sales reps…