Microsoft Forefront Threat Management Gateway Replacement – Powered by F5 Networks

The problem

The recent discontinuation of Microsoft Forefront Threat Management Gateway (TMG) requires enterprises to find a new solution to secure employee access to the web. Combining comprehensive features and functionality with superior scalability and performance, F5 Secure Web Gateway Services are uniquely positioned to provide the best alternative for TMG replacement.

The TMG solution acts as a reverse proxy for publishing applications (mainly Exchange, Lync, SharePoint, etc.) to remote users. TMG has two components: One, a very basic traffic manager to balance HTTP and HTTPS and two, an authentication client to consult with different user directories (LDAP, Radius, Kerberos, etc.)

For businesses, having a product in a production environment without a guarantee of continuity and support is a critical problem, so it is necessary to consider its replacement.

Alternatives

Continuing to use the Microsoft TMG solution is not a viable alternative. Using computers without direct support from the manufacturer poses a serious security risk to applications published through the Forefront TMG platform and ultimately to the client’s network
infrastructure.

The solution “Secure Web Gateway”

Powered by F5 Networks

F5’s Secure Web Gateway (SWG) is a great alternative to gateway security devices like TMG. The solution combines granular access control, robust compliance reporting, and a comprehensive categorization database to provide the single point of control enterprises need to ensure safe and appropriate web access.

• Forward Web Proxy
F5 SWG provides full, forward web proxy functionality, including the ability to evaluate and proxy encrypted, SSL-based traffic. The solution can be configured to secure web access for a variety of clients, both internal and remote.

• URL and Content Filtering
The threat intelligence behind SWG analyzes more than 5 billion web requests every day to produce a comprehensive categorization database of 40 million website URLs. SWG uses BIG-IP Access Policy Manager (APM) to give administrators the flexibility to evaluate and assign policy at an extremely granular level. For example, an administrator might apply a specific set of URL filters to a particular user within a certain Active Directory group for a specific period of time.

• Compliance
Ensuring acceptable and secure web access is more than just good business; more often than not, it’s corporate policy— with the potential for very real consequences if not appropriately managed. Secure Web Gateway Services provide IT administrators and HR professionals with the tools they need to ensure acceptable use policies are both effective and appropriate. The solution includes several dynamically generated and exportable reports that provide a clear picture of the enterprise’s web activity. Additionally, the F5 solution can be integrated with many remote central logging systems.

• Feature comparison
The following is a list of Microsoft TMG features comparable to those available in the F5 modules used in this guide:

Configuration example

In its traditional role, the BIG-IP system is a reverse proxy. The system is placed in the network between the clients and the servers. Incoming requests are handled by the system, which interacts on behalf of the client with the desired server or service on the server. This allows the BIG-IP system to provide scalability, availability, server offload, and much more, all completely transparent to the client.

The system can also be deployed as a forward proxy. In this guide, we configure the F5 Secure Web Gateway as an explicit forward proxy, which adds access control, based on URL categorization, to forward proxy. For more information on Secure Web Gateway, see https://f5.com/solutions/architectures/secure-web-gateway

REFERENCE ARCHITECTURE | MICROSOFT FOREFRONT TMG REPLACEMENT SOLUTION