Microsoft
Oronro, 2013-09-05 17:54:04

Microsoft Forefront TMG: pros and cons?

Here at work, a persistent proposal has come down from above to replace the current firewall (Cisco + Linux, iptables, Squid) with a "beautiful solution" based on Forefront TMG (Linux is cut out, and the Ciscos work as plain routers). A question for the connoisseurs: what are its advantages (besides the obvious tight integration with the Windows network) and disadvantages?
The network is large: 2000 users, two internet providers, 6 independent chains, each with its own zoo. The networks are heterogeneous: there are extensive AD forests (yes, more than one of them), there are Linux servers, and there is a separate MacOS domain that lives its own life. Lots of VLANs by department, file shares both for the intranet and reachable from outside, VPNs, mail, intranet portals and the other joys of a large company.
Interested in:
- the ability to conveniently manage this whole zoo from the TMG console
- traffic accounting, shaping and quotas per user
- auditing which rules are actually used, in order to drop the ones that are not
- dynamic rules based on network activity (à la fail2ban)
- and in general some automation of working with it. In Linux I can attach logging to the right rule and then hook up a script that hands out bans / rewards via tail -f. Is that possible here?
- is selective logging possible? From the examples, I understand that TMG logs everything. With our traffic that is terabytes per day of logs alone.
- and what is the performance of this whole thing compared to Linux solutions?
All of this is currently managed perfectly well by the Ciscos, Linux and bash / perl scripts, but for management it is not "enterprise". I would be grateful both for personal experience and simply for links, preferably not to marketing success stories but to the harsh truth of life. Thank you.
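The "logging on the right rule, then a script behind tail -f" pattern the question describes, written out as an added example (it is not the question author's script). It assumes an iptables LOG rule with the prefix "SSH_PROBE: " (assumed), the kernel log at /var/log/kern.log (assumed), and a constructed set of sample log lines in the iptables LOG format; the ban commands are emitted as text so they can be reviewed (or piped to sh) rather than executed blindly.

```shell
#!/bin/sh
# Constructed sample kernel-log lines as written by an iptables LOG target
# (e.g. `iptables -A INPUT -p tcp --dport 22 --syn -j LOG --log-prefix "SSH_PROBE: "`).
# 203.0.113.7 hits the rule three times, 203.0.113.9 twice; the "OTHER: " line
# comes from a different LOG rule and must not be counted.
SAMPLE_LOG='Sep  5 17:54:01 fw kernel: SSH_PROBE: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=51 ID=1 DF PROTO=TCP SPT=40000 DPT=22 SYN
Sep  5 17:54:02 fw kernel: SSH_PROBE: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TTL=49 ID=2 DF PROTO=TCP SPT=40001 DPT=22 SYN
Sep  5 17:54:03 fw kernel: SSH_PROBE: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=51 ID=3 DF PROTO=TCP SPT=40002 DPT=22 SYN
Sep  5 17:54:04 fw kernel: OTHER: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TTL=49 ID=4 DF PROTO=TCP SPT=40003 DPT=445 SYN
Sep  5 17:54:05 fw kernel: SSH_PROBE: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TTL=49 ID=5 DF PROTO=TCP SPT=40004 DPT=22 SYN
Sep  5 17:54:06 fw kernel: SSH_PROBE: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=51 ID=6 DF PROTO=TCP SPT=40005 DPT=22 SYN'

# ban_candidates PREFIX THRESHOLD
# Reads log lines on stdin, keeps only those carrying our LOG prefix, counts
# hits per SRC= address and prints every source at or above THRESHOLD.
ban_candidates() {
    awk -v prefix="$1" -v thr="$2" '
        index($0, prefix) == 0 { next }          # not from our LOG rule
        {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "SRC=") { hits[substr($i, 5)]++; break }
        }
        END { for (s in hits) if (hits[s] >= thr) print s }
    ' | sort
}

# ban_commands PREFIX THRESHOLD
# Turns the candidate list into idempotent iptables commands: -C checks whether
# the DROP rule already exists, so re-running the pipeline does not stack
# duplicate rules. Commands are printed, not executed.
ban_commands() {
    ban_candidates "$1" "$2" | while read -r src; do
        printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -I INPUT -s %s -j DROP\n' "$src" "$src"
    done
}

# watch_and_ban PREFIX THRESHOLD
# Live variant (not run here): every 30 seconds re-evaluate the most recent
# kernel-log lines and apply the resulting commands. Log path is assumed.
watch_and_ban() {
    while :; do
        tail -n 1000 /var/log/kern.log | ban_commands "$1" "$2" | sh
        sleep 30
    done
}

# Dry run against the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | ban_commands "SSH_PROBE: " 3
```

Selective logging is what keeps this workable at high traffic rates: only the rules whose hits feed a decision get a LOG target with a distinctive prefix, and the awk filter ignores everything else. For a production setup the DROP entries would normally go into an ipset with a timeout rather than individual INPUT rules, so bans expire on their own.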

5 answers

alprin, 2013-09-05
@Oronro

It hasn't been on sale since January.
Link to the MS blog post about the changes to Forefront: blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx

Vladimir Dubrovin, 2013-09-05
@z3apa3a

Yes, unfortunately TMG is dead, so there is no sense in doing a new installation.
But in fairness, regarding what you want:
1. Traffic accounting is not supported (something can be cobbled together through the reporting system, but you can't call it real traffic accounting), nor are shaping and quotas. But: there are inexpensive third-party products that support everything you need.
2. There are ready-made "dynamic rules", mainly for protection against flooding. But where there are no people ready to create their own, it is problematic.
The rest is there, including selective logging, and is implemented conveniently.
It's hard to compare with Linux solutions, because there is no ready-made Linux solution at this level; what can be piled together from iptables and squid will have very roughly similar functionality with a very convoluted configuration and will depend heavily on it. TMG's performance also depends heavily on the rules used, on VPN usage and on encryption. If, for example, you are not interested in content processing at all and can turn off the web filters, the processor load on a 100-megabit external stream is not high. With web filters and anti-virus checking, you can hit the ceiling at 40-50 megabits of external traffic per server.

ikormachev, 2013-09-05
@ikormachev

In my experience, TMG has one advantage: the ability to separate Internet access by user and application without being tied to IP. I.e. TMG is useful when you need to account for and restrict Internet access (by protocol) for users working on a terminal server, or to block Internet access from a certain type of application.
This is where the benefits of the product end. Of your requirements, TMG does not know how to do the following:
- shaping and quotas per user, and its basic reporting is, to put it mildly, so-so,
- dynamic rules based on network activity (à la fail2ban),
- it only logs everything in a row (and this is a disaster when your channel is over 10 Mbps).
Further, real complaints about TMG based on my experience with it:
1) Where PPTP worked stably on plain RRAS, after installing TMG, PPTP may simply not work after the server boots; you additionally need to restart the TMG service (restarting RRAS does not help).
2) For IPsec there are no means of monitoring its operation / load, not to mention even minimal diagnostic tools. I.e. you simply cannot even see the uptime of your tunnel. With some hardware routers, an IPsec tunnel with TMG simply won't come up.
3) Yes, configuration changes are often applied on the fly, without interrupting current sessions, but if the server is loaded, the rules can take several minutes to apply, with no way to tell when they will actually be applied; during this time you already feel the urge to redo it all "to correct it".
4) The abundance of all sorts of filters, add-ons, etc. enabled by default blows your mind when solving yet another simple network problem. Disabling them often leads to completely unexpected results. The opacity of how this mechanism works as a whole, in seemingly fairly simple tasks, gives rise to a pile of guesses that make you seriously doubt your knowledge of networking.

noonesshadow, 2013-09-05
@noonesshadow

What will happen between TMG and the Internet?

Konstantin, 2014-10-20
@fallen8rwtf

Look towards Kerio.
