I read the following articles about Microsoft Forefront TMG 2010. I was shocked by the news. TMG 2010 is one of the beautiful product Wintel Engineers and Security Administer can be proud off. I believe I am one of the biggest admirer of Forefront Product lines.
Death of TMG? by Deb Shinder
What will happen with TMG?
The demise of Threat Management Gateway: Is Microsoft backing away from the edge?
I would like to voice my own opinion on this matter. I am sure I will find lots of similar minded techie out there who would love to share same opinion as me. I would like to send an open request to Microsoft Corp and MVPs to pursue for an advanced version of TMG that incorporate cloud security and address modern day security challenges.
I decided to write on a different perspective of TMG 2010 what I would like to see next service pack of Forefront Threat Management Gateway or in a future version if there is one. This is not an official account of Microsoft Corp. This is just my wish list. I hope and cross my finger that Microsoft will listen to those who are on the field working for a better and even bigger Microsoft community.
FF TMG 2010: Here is details of evolution of today’s TMG
TMG 2010 can be more advanced in terms Firewall Policy, Publishing Rules and Cloud Security. TMG 2010 may be available in Downloadable virtual Appliance build on Windows Server “Code name 8” and physical appliance through the Microsoft partners program. Microsoft declared TMG 2010 is in sustainable mode and will not invest on TMG for further development so my dream to administer TMG administration console via internet explorer and Silverlight will be just a dream. I would like to see TMG service pack as separate installed and TMG 2010+SP3 integrated together in a installer for those who wants to refresh TMG and adopt as a new customer.
Topology and Installation Changes: I would like to see a Hyper-V network incorporated into TMG. As you all know when installing TMG, TMG installer prompt you for subnets of Local area network. The new version will prompt you to add your cloud networks in an installation window. The installer will secure the local area network and private cloud network using default configuration which you will be able to modify and align later on with your desired topology and network layout.
Incorporating Cloud Security:
clients and partners have serious concern over the years about Service provides who sells cloud solutions. For example, service provider selling Exchange cloud, SharePoint cloud, Anti-Spam and Security Cloud Solution. There are questions to be asked when you buying public cloud solutions. This is not just having a hypervisor and virtual center. what about application security, identity and governance. How would to address your client’s concern of internal threat and external threat. How client will trust a provider when they place their data in somewhere service provider’s cloud.
Microsoft can/should/must address these issues by providing Security as a service. Forefront TMG can play a key role if Microsoft is willing take a step ahead to the bottom line.
- Application security
- Legal issues
- Identity management
- Business Continuity and data recovery
- Data Security
Firewall Rules: New Publishing Tools in Tasks pan should include
- Publish FTP Servers
- Publish Lync Server
- Publish Streaming Media Server
- Secure Cloud Network
Configure IM and Social media policy: Web Access Policy Tasks Pan should include
- Configure IM Access (Allow/Deny Skype/Lync/MSN/Yahoo Messenger)
- Configure Social Media Access (Allow/Deny Social Media such as Twitter/FaceBook/Google+/Youtube)
Networks: Network rules incorporate a build-in cloud network and network rules establishing communication from LAN to Cloud network and External to Cloud network. During installation of TMG; allow rules to be configured automatically when selecting Hyper-V Server in DMZ.
Multicast NLB Configuration: NLB Properties should be added another check box to create firewall rule for Multicast NLB in a virtualized environment. That means Multicast NLB mac address can communicate within array members in a virtualized environment if there is strict security policy deployed through out the infrastructure.
List of New Protocol available: New Protocols includes following protocols and many more:
- Cloud Protocols
- Lync Protocol
- Hyper-v Protocols
Generate offline Certificate request: There should be an option to generate offline certificate request in Systems>Tasks pan.
Integrating Bing Search with TMG 2014 Cache: Search result cached in TMG from Bing Search Engine and presented to client.
Bandwidth Management: TMG should be able to manage bandwidth by single user, multiple users, AD Security groups, IP address, Computer Name, Department, Site, Branch.
Configure Branch or Site TMG Server: Option can be selected during installation of TMG 2010+SP3 (integrated installer) whether TMG is a primary site or branch site. Selecting Branch Site will auto configure site server with site to site VPN (if selected) and even replicate with primary sites firewall rules and policies (depending on topology). when installing a branch TMG branch TMG will automatically create branch cache depending on selection of topology .
Reporting: Following are the examples of the reports will be available in TMG 2010 SP3. there will be many more.
- User based report
- AD Security Group Based report
- Web Site Visited
- IP Address visited
- Web/Content Uses report
- Download reports by users/Group/Department
- Bandwidth Uses report
- Caching report
- Search Engine Visitor by Search Engine report
- Real Time/Custom Traffic report
- Traffic Trending report
- Top 20 Net users
- Top 20 Site Visited
- Default Monthly report
- Default Yearly report
- TMG Health report
Audit and Change Management: TMG will include complete change manage and recording of Tasks/Events generated by role based user and systems itself.
Role based TMG management: TMG Workgroup Deployment and Domain Member deployment should include RBAC management.
- Organization Administrator (member of this group manages cluster of Arrays )
- Backup operator (Commvault/Symantec Client/SCDPM client integrated)
- Auditor/User (view permission)
- Firewall Rules and Web Access Policy Operator
- Single or Multiple array administrator
Tool Box: Pre-installed BPA, Troubleshooting, Monitoring & Capturing Real Time Traffic.
Learn more about TMG here .