Microsoft Forefront TMG and UAG – A feature comparison

by [Published on 1 Nov. 2011 / Last Updated on 20 May 2013]

In this article the author goes through the differences between Forefront TMG and Forefront UAG, the supported and unsupported configurations of TMG and UAG, and the operational areas of each product.

Let’s begin

First of all let’s have a brief description about Forefront TMG and Forefront UAG.

Forefront TMG

Forefront Threat Management Gateway 2010 (TMG) is the successor of ISA Server 2006. For a detailed comparison between ISA Server 2006 and Forefront TMG read the following article. Forefront TMG is a Multilayer Enterprise Firewall with several features:

  • Stateful Packet filtering
  • Application Layer Firewalling
  • HTTP Filter
  • HTTPS Inspection
  • URL Filtering
  • Malware Inspection
  • VPN Server (Client VPN and Site to Site VPN)
  • Web proxy and Web caching Server
  • Forward- and reverse Proxy
  • E-Mail Protection Gateway
  • Intrusion Prevention (IPS) and Intrusion Detection (IDS) system

Forefront TMG is available in two versions: Standard and Enterprise. For an overview about the Forefront TMG editions read the following article.


Get your copy of the German language "Microsoft ISA Server 2006 - Das Handbuch"

System requirements for Forefront TMG:

Component

Minimum requirements

CPU

64-bit, 1.86 GHz, 2 core (1 CPU x dual core) processor

Memory

2 GB, 1 GHz RAM

Hard Disk

2.5 GB available space. This is exclusive of the hard disk space required for caching or for temporarily storing files during malware inspection. One local hard disk partition that is formatted with the NTFS file system

Network adapters

One network adapter that is compatible with the computer's operating system, for communication with the Internal network

Operating system

Windows Server 2008Version: SP2 or R2
Edition: Standard, Enterprise or Datacenter

Windows Roles and Features

These Roles and Features are installed by the Forefront TMG Preparation Tool:
Network Policy Server

Routing and Remote Access Services

Active Directory Lightweight Directory Services Tools

Network Load Balancing Tools

Windows PowerShell

Other software

Microsoft .NET Framework 3.5 SP1

Windows Web Services API

Windows Update

Microsoft Windows Installer 4.5

Table 1

Forefront UAG

Forefront Unified Access Gateway 2010 (UAG) is the successor of Microsoft IAG (Intelligent Application Gateway) and is designed to control inbound access to corporate resources from several client types such as, Windows, Linux, and Macintosh clients, including mobile devices. One of the major strengths of Forefront UAG is the so called Endpoint access policy which can be used to give clients access to internal resources only when a predefined set of rules, defined by UAG administrators are satisfied. You can think about Forefront UAG Endpoint access Policies as an enhanced version of NAP (Network Access Protection). Forefront UAG enhances the basic Webserver publishing options found in Forefront TMG by integrating a deep understanding of the applications published, the state of health of devices being used to gain access, and the user's identity.

Forefront UAG provides portal support for gaining access to internal resources. A portal is a website where users can gain access to different published applications like OWA, Remote Desktop connections, SSL VPN, Microsoft CRM, SharePoint and many others.

Forefront UAG supports several authentication providers like Active Directory, Netscape, LDAP, RADIUS, OTP and many more. Another primary development goal of Forefront UAG is remote access via SSL VPN and a technique called DirectAccess.

System requirements for Forefront UAG:

Component

Minimum requirements

CPU

2.66 gigahertz (GHz) or faster processor. Dual core CPU

Memory

4 GB

Hard Disk

2.5 gigabyte (GB) (in addition to Windows requirements)

Network adapters

Two network adapters that are compatible with the computer operating system. These network adapters are used for communication with the internal corporate network, and the external network (Internet). Note that deploying Forefront UAG with a single network adapter is not supported

Operating system

Forefront UAG can be installed on computers running the Windows Server 2008 R2 Standard or Windows Server 2008 R2 Enterprise 64-bit operating systems. Forefront UAG must be a domain member

Windows Roles and Features

Network Policy Server

Routing and Remote Access Services

Active Directory Lightweight Directory Services Tools

Message Queuing Services

Web Server (IIS) Tools

Network Load Balancing Tools

Windows PowerShell

Other software

Microsoft .NET Framework 3.5 SP1

Windows Web Services API

Windows Update

Microsoft Windows Installer 4.5

SQL Server Express 2005

Forefront TMG is installed as a firewall during Forefront UAG setup. Following setup, Forefront TMG is configured to protect the Forefront UAG server.

The Windows Server 2008 R2 DirectAccess component is automatically installed

Table 2

Comparing Forefront TMG and Forefront UAG

During my work as a Consultant and Trainer for Forefront products, I noticed that many customers were not completely aware of the main differences between Forefront TMG and UAG and were uncertain which product best fits a given scenario.

I will try to give a short description of each product that helps you take the right decision:

Forefront TMG is the Enterprise Edge Firewall that protects the internal network from the Internet and that provides protected access from internal resources to the Internet. Forefront TMG has powerful publishing features to publish internal services to the Internet such as, Outlook Web Access, Exchange Active Sync and a whole slew of other services, but it is limited in intelligent publishing. It only allows limited control on client devices which should access the internal published resources. In fact, Forefront TMG acts as a Firewall for incoming and outgoing requests.

Forefront UAG is used to extend and enhance the basic publishing features of Forefront UAG, and comes with extended features like portals, SSL VPN (note: Forefront TMG supports SSL VPN in form of SSTP), DirectAccess and powerful Endpoint Access Policies to control the client devices, accessing the Forefront UAG server. During a Forefront UAG installation, Forefront TMG will also be installed but only to protect the Forefront UAG Server. In fact, Forefront UAG acts as an Application Layer Gateway and is the solution for incoming access to internal resources from the Internet.

The following screenshot gives a clear explanation about Forefront TMG and Forefront UAG usage scenarios:


Figure 1: Forefront TMG and Forefront UAG comparison (Source: Microsoft)

Forefront TMG unsupported configurations

As with every solution there are supported and unsupported configurations. The unsupported configurations with Forefront TMG are:

  • Forefront TMG is not supported on a 32-bit operating system
    - Forefront TMG can only be installed on a 64 Bit Operating system (2008 SP2 and 2008 R2)
  • Forefront TMG is not supported on Windows Server 2003
  • Forefront TMG is not supported on all editions of Windows Server 2008
    - Installation of Forefront TMG is only supported in Standard, Enterprise and Datacenter Edition and is not supported on Windows Server Core!
  • Installing EMS on a Forefront TMG computer is not supported
    - EMS is the Enterprise Management Server (formerly known as CSS)
  • In-place upgrade from ISA Server 2004/2006 to Forefront TMG is not supported
    - You have to export the ISA Server configuration and to import this configuration on a fresh TMG installation
  • In-place upgrade from Windows Server 2008 SP2 to Windows Server 2008 R2 is not supported
    - Forefront TMG does not support upgrading to Windows 2008 R2 while Forefront TMG is installed.
  • Forefront TMG installed on a domain controller is not supported, except with Forefront TMG SP1 where the installation of TMG is allowed on a Read Only Domain Controller (RODC)
  • Forefront TMG Client is not supported on Windows 2000
  • Forefront TMG does not support Firewall Client 2000
  • Workgroup deployment limitations
    - user group authentication only with the use of LDAP (for publishing scenarios) or RADIUS (for in and outgoing access)
    - Client certificates cannot be used as primary authentication
    - User mapping is not supported (except for PAP and SPAP)
    - Group policy deployment of certificates for HTTPS inspection is not available
    - Automatic Web proxy detection using Active Directory Auto Discover is not possible.
  • Multiple firewalls products
    - Installing other firewall products (such as a personal firewall) on a Forefront TMG Server is not supported

Forefront UAG support boundaries

Forefront UAG has some supported and unsupported configurations. The support boundaries are:

Forefront UAG and Forefront UAG DirectAccess

Forefront UAG can be used to publish internal servers via Web portal or directly (similar to Forefront TMG).

Forefront UAG can be used as a DirectAccess Server to extend the DirectAccess functionality which comes with Windows Server 2008 R2. Please, note the following:

  • Forefront UAG can be configured as a publishing Server and as a DirectAccess Server on the same machine.
  • Servers in a Forefront UAG Array can be configured to provide remote access to published servers and as a DirectAcccess server at the same time.
  • It is not possible to use the Network Connector application (a form of VPN) when Forefront UAG is configured as a DirectAccess server.

IPv6 support

In order to support DirectAccess which is IPv6-based, Forefront UAG allows the following IPv6 traffic:

  • Inbound authenticated IPv6 traffic (using IPsec).
  • Native IPv6 traffic from and to the Forefront UAG DirectAccess server.
  • Inbound and outbound IPv6 transition technologies (6to4, Teredo, IP-HTTPS and ISATAP).

No other IPv6 traffic is supported by Forefront UAG.

Forefront TMG running on Forefront UAG

A frequent misunderstanding is the role of Forefront TMG with Forefront UAG. I have spoken with many customers in the past, who wanted to replace their Forefront TMG servers with Forefront UAG to benefit from the Forefront UAG features. But Microsoft has clear statements about supported and unsupported configurations, which are:

  • Forefront TMG is installed during a Forefront UAG installation.
  • Forefront TMG is installed as a complete product, and is not modified to run on a Forefront UAG server.
  • Forefront UAG uses Forefront TMG, as follows:
  • Forefront TMG acts as a firewall, protecting only the Forefront UAG server.
  • Forefront UAG uses Forefront TMG infrastructure and functionality in some deployment and monitoring scenarios.
  • Changes made through the Forefront UAG console are pushed to the Forefront TMG configuration and only in this way!

It is possible to configure some parts of Forefront TMG through the Forefront TMG Management console (MMC), but the following is not supported:

  • Forefront TMG will be automatically installed during a Forefront UAG installation, a manual Forefront TMG installation is not supported.
  • Forefront UAG must be installed on a clean Windows Server 2008 SP2/R2 machine without Forefront TMG installed.
  • Forefront TMG will be removed if you remove Forefront UAG.
  • A manual uninstallation of Forefront TMG is not supported.
  • Forefront TMG as a forward proxy for outbound Internet access.
  • Forefront TMG as a site-to-site VPN server.
  • Forefront TMG as an intrusion protection system.
  • Publishing Forefront TMG via Forefront UAG.

Supported Forefront TMG configurations

You can use the Forefront TMG Management console (MMC) for the following configurations:

  • Creating access rules to limit access for users, groups, and networks for VPN remote access. These access rules must be placed under the automatically created Firewall policies from Forefront UAG.
  • Monitoring, logging and reporting.
  • Modifying Forefront TMG system policies to enable access from Forefront TMG to internal Servers and to give access from internal Servers to Forefront TMG.
  • Publish Exchange SMTP/SMTPS.
  • Publish Exchange IMAP/IMAPS.
  • Publish Exchange POP3/POP3S.
  • Publish Office Communications Server (OCS) (with the exception of the OCS web access which should be published with Forefront UAG).

Forefront UAG placement

Because of the several limitations you must plan where to implement the Forefront UAG in your network environment. Possible placements are:

  • Forefront UAG in a DMZ (Perimeter) scenario with a Front- and Back firewall in place.
  • Forefront UAG as a parallel placement with your existing Firewall.

You might need to open several Firewall ports for correct communications with Forefront UAG. You will find more information about these deployments here.

Conclusion

In this article, I went through a detailed comparison between Forefront TMG and Forefront UAG features, and discussed the support boundaries of Forefront UAG and unsupported configurations of Forefront TMG. I hope that this article helps you to decide which version is the right one for your deployment.

Related links:

The Author — Marc Grote

Marc Grote avatar

Marc Grote is an MCSA/MCSE Messaging & Security, MCSE Private Cloud and Server Virtualization, an MCTS/MCITP and a Microsoft Certified Trainer and MCLC. He is a freelance Consultant and IT Trainer in the north of Germany near Hanover. He specializes in System Center, TMG/UAG Server, Exchange, Security for Windows Server 2012 R2 and Windows Server 2012 R2 designs, migrations and implementations. His efforts have earned him recognition as a Microsoft MVP for ISA Server since 2004 until 2014. Starting in 2014 he has been awarded as an MVP for Hyper-V.

Latest Contributions

Advertisement

Featured Links