As most of us in the industry know, Microsoft is no longer going to be supporting TMG 2010... sort of. They will continue to supply security updates and definition updates until 2020 for current subscribers. Unfortunately they will no longer be selling it or supporting/taking on new customers. TMG is a really great UTM and works like a champ! It's rock solid for the most part but falls short in a couple of areas:
1. Reporting - Yes, you can get reports out of it, but they are hard to read and generating anything with specifics is just plain a PITA.
2. Malware / Antivirus Integration - Again, it's there and works... sort of. It's not the best engine for either and requires a subscription that will no longer be available.
3. ISP Fail-over / Load Balancing - If you have a DHCP or PPPoE connection this needs a bunch of scheduled PowerShell scripts to work properly. The problem I have with this is that our local ISPs assign our static IP addresses in an odd manner: you must be configured for DHCP and they take care of the assignment by MAC address on their end. Yup - PITA!
Now the areas where TMG really shines:
1. Firewall - It's a very good SPI firewall with NAT and it's rock solid. The rule ordering takes a minute to figure out, but after that it's cake!
2. Reverse Proxy - The built-in wizards do most of the work and handle web servers and Exchange with no problem at all. You can even do per domain forwarding.
Note: This function is native to Windows Server 2012 IIS now!
3. Per User Rules and Authentication - Single Sign-on and smooth sailing!
4. Proxy Client - The proxy client helps out non-proxy-aware apps and routes them through the TMG gateway with the user's auth information.
I'm not going to list the rest of the great features this product has, but it works like a champ and is still one of the best UTMs out there.
I've been doing a lot of work lately and I've trimmed the list down to (3) options. I had very specific criteria that I had to meet. It's my opinion that these features are 100% necessary these days, but I'm sure that some people don't need all of them.
Criteria:
1. Authenticate with our active directory forest
2. Have per user and per group policies
3. Be able to do content filtering per user / group
4. Be a very good SPI Firewall
5. SPEED!!!!!! (Our current TMG drops about 15 Mbps off our speed)
6. Integrated Anti-Virus and Malware Protection
7. Easy to use, read, & schedule reporting
8. Support multiple "Zones" (DMZ, WiFi, LAN, etc.)
9. Support UPS Shutdown / Startup
The Hardware We Will be Using:
1U Rackable Server
2 x Xeon Quad Core CPUs
8 GB DDR3 ECC RAM
1 x 120 GB O/S Drive
1 x 320 GB Log Drive
Dual Intel Gigabit Server NICs (Onboard)
1 x Intel Quad-port Server NIC (PCI-e x8)
(Yes, I know it's overkill, but you can snag them cheap!)
The TMG Alternatives:
1. pfSense - This UTM is very easy to install and a bear to configure. Plus, the update to 2.2 breaks a whole bunch of functionality. At this point, if you stick to 2.1, read the forums, know Linux, & have the patience of Job, this will work for you. The Squid LDAP authentication doesn't work properly without a lot of messing around, so you have to drop to the command prompt and install Samba & Heimdal for NTLM authentication. There are a lot of great walk-throughs on their forum on how to accomplish this. LDAP does work in SquidGuard and pfSense itself, and the VPN authenticates perfectly with it. Also, HAVP w/ ClamAV works but needs some tweaking. The overall speed is very good and the firewall works perfectly! Next I added Snort & it works out of the box and has a great interface. For content filtering, I tested both SquidGuard & DansGuardian. Both packages worked properly and the customization / group policies worked fine. It's worth mentioning that the ISP fail-over worked like a champ.
Summary: I was able to get pfSense up and running, but it was painful. Only about 50% of the packages work out of the box. The rest (AKA the useful ones) need extensive tweaking / modification. After it was up and running, it worked perfectly and was rock solid. I ended up getting rid of it b/c the updates completely nerf the whole thing and I knew that at some point I would click the update button. That, and I'm not a huge BSD fan. This firewall distro isn't for the faint of heart and it'll test both your skills and patience.
2. DIY Firewall / UTM based on Ubuntu or CentOS - This was the second thing I tried after my pfSense frustration. The benefit to this system was that I could upgrade / update it fairly painlessly and it was in a more familiar environment. This setup fell short of what I was looking for. The speed was excellent, the compatibility was there, & installation was cake. What I didn't like was the lack of a good GUI (and don't webmin me - seriously, just stop), the ISP fail-over requires a script scheduled with cron (just like TMG), & it was a lot more resource heavy than the other options I tried.
Summary: Lots and lots of options, easy to install, great speed, & easy to upgrade. The bad: you have to do everything manually, lots of cron jobs, scripting, & there's no real GUI.
3. Endian Community / Paid - This is my favorite UTM distro and what we're going to be running. First, I'll start with the bad. You MUST INSTALL FROM A CD!!! This is stupid. Most 1U servers don't have an optical drive, and if I was starting from scratch with an Atom build I wouldn't add one. Luckily I had an old USB DVD drive lying around, and after I got that all taken care of (which I should have done in the first place instead of wasting an hour screwing around with thumb drives) installation was cake and very smooth. The GUI config package setup is a cake walk. The ISP redundancy was simple and menu driven, NTLM authentication worked perfectly the first time (I almost fainted!), & the firewall rules are simple. It looks like they used Squid/SquidGuard/ICAP/ClamAV for their proxying. Here's a huge difference in this vs ANY other package: you can have authenticated and transparent proxying on different interfaces!!!!!!! That's awesome. I can keep my LAN safe and logged & have my "Public" zone filtered and AV/Malware protected!
Summary: I love and am currently running this distro. The ease of administration / updating / expanding this system makes it an excellent option IMO.
What I took away from this experience was this: if you are currently running TMG and you're happy with it - leave it alone! There are a number of add-ons etc. for it and it just works. If you are looking at building a very inexpensive / lightweight UTM, then Endian should be your next look.
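To make the "authenticated on one interface, transparent on another" split concrete, here is an added squid.conf fragment (my own illustration, not Endian's shipped configuration) that puts an NTLM-authenticated explicit proxy on the LAN interface and an intercept proxy on a separate public zone, then hands both off to ICAP/ClamAV and SquidGuard as the post describes. The interface addresses, subnets, helper paths and ICAP service URL are assumptions.

```conf
# Constructed example: 10.10.0.1 is the LAN (authenticated) interface,
# 10.20.0.1 is the "Public"/WiFi zone interface. Both addresses are assumed.

# Explicit, authenticated proxy port on the LAN interface only.
http_port 10.10.0.1:3128 name=lanport

# Intercept port on the public zone. The firewall must redirect TCP/80 from
# that zone to this port. Squid cannot challenge for credentials on an
# intercept port, so this zone is filtered and AV-scanned, not per-user.
http_port 10.20.0.1:3129 intercept name=pubport

# NTLM against the domain via Samba's ntlm_auth helper (path assumed).
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10

acl lan_net src 10.10.0.0/24
acl pub_net src 10.20.0.0/24
acl on_lan  myportname lanport
acl on_pub  myportname pubport
acl auth_ok proxy_auth REQUIRED
acl Safe_ports port 80 443

http_access deny !Safe_ports
# LAN clients: explicit port only, and only with a valid domain login.
http_access allow lan_net on_lan auth_ok
# Public zone: intercept port only, no credentials requested.
http_access allow pub_net on_pub
# Anything else (wrong port for the zone, unknown source) is denied and logged.
http_access deny all

# AV scanning through an ICAP service (c-icap + ClamAV style; URL assumed).
icap_enable on
icap_service av_req reqmod_precache icap://127.0.0.1:1344/avscan bypass=off
icap_service av_resp respmod_precache icap://127.0.0.1:1344/avscan bypass=off
adaptation_access av_req allow all
adaptation_access av_resp allow all

# URL/category filtering through SquidGuard (paths assumed).
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 5
```

Because every LAN request must clear `auth_ok` before it is allowed, the LAN access log carries a username on each line, while the public zone's entries carry only the client IP; that is what makes the "LAN logged, public filtered" split auditable.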
Read my Disclaimer:
Disclaimer - If you have any intent other than personal edification; you need to leave now. All visitors are required to read and accept the disclaimer. By continuing to use this blog or anything contained in it you acknowledge that you accept the terms of my disclaimer and pretty much anything else I think up!
Content Usage: I don't mind if you share / copy parts of my content. In fact, I encourage you to do so! However, if you use my content you must give me a link back and credit your source. I don't think that's too much to ask given the awesomeness that you'll find here!