Why the Forefront TMG is a Cornerstone of Essential Business Server (EBS) Network Security
If you have not had a chance to check out the Microsoft Essential Business Server (EBS) product, you should carve out some time from your busy schedule to take a look at it. Take a look at the public preview software for EBS.
EBS is a three-server solution designed for small or mid-sized businesses with up to 300 PCs. The three servers can run as physical or virtual machines. The Management Server is a domain controller and file server that also runs System Center Essentials. The Messaging Server is also a domain controller and runs Exchange 2007. Finally, the Security Server runs the Threat Management Gateway (TMG) Medium Business Edition; TMG is the next version of the ISA firewall. In addition to running TMG, the Security Server also runs the Exchange Edge Server role for anti-spam protection.
From what I have heard, there are a number of people who want the EBS solution, but would like to deploy it without the Security Server. The reason most of these people give for not wanting the Security Server is that they already have a “firewall” and therefore do not think they need the TMG component, or that the TMG firewall adds too much complexity to what is considered an otherwise “simple” network security configuration.
At first blush you might think “sure, that is a valid request. If the customer already has a firewall, why introduce a second firewall into the mix?” The problem with this thinking is that the EBS team put a great deal of work into thinking about the EBS threat models and into making sure that all components of the solution have adequate defenses against the enumerated threats.
The TMG in the EBS solution allows remote access to a number of services on the EBS network. Examples of the services users can reach remotely include OWA, RPC/HTTP, Exchange ActiveSync, Terminal Services and Terminal Services Gateway, and SMTP. These are just the default settings; in a production network, you will likely see the TMG also allow inbound access to POP3S, IMAP4S, DNS and other protocols.
Given all the remote access traffic that the EBS solution supports, you need to be assured that the connections from external clients can be trusted. The problem the EBS team faces, and that you face as a potential EBS customer, is this: how can you define a threat model, and the response to it, if you cannot control the nature of the defenses against those threats?
The type of “firewall” that small and mid-sized businesses might already have in place varies widely. In most cases, the “firewall” they are currently using is little more than a NAT device that also provides some NAT editors and the ability to perform reverse NAT or “port forwarding” for UDP and TCP ports. Some of them might include a rudimentary remote access VPN server or even support site-to-site VPN connections. Other “firewalls” the customer might have in place might include some degree of content filtering or even anti-malware capabilities.
The thing is, the EBS team does not know what kind of “firewall” you already have in place. But they do know what security features and capabilities the TMG has. The TMG provides an exceptionally high level of security for remote access connections, including:
- pre-authentication for inbound connections to Web servers
- a firewall-generated logon page
- protection against anonymous attacks
- an HTTP Security Filter to enforce HTTP protocol stream compliance and security
- an SMTP filter to block SMTP exploits
- an Exchange Edge Server to stop spam, and the malware and phishing attacks that ride along with it, from entering the network over the SMTP channel
- strong outbound access control on a per-user, per-group, per-protocol, per-site basis
- network flood protection
- stateful packet and application-layer inspection for all communications through and to the TMG firewall (including remote access VPN connections)
- many other security capabilities
Thus, the threat and response model for the EBS solution is based on a relatively sophisticated set of network security tools that ship with the TMG. Yes, a small or mid-sized business may have paid thousands of dollars for another firewall that provides some of the features in the TMG feature set, but it is unlikely that a non-TMG firewall provides all of the features the TMG uses for strong inbound and outbound access control and connection scrubbing.
So, rather than thinking of the TMG as a burden on your network, think of it as an opportunity to raise your network’s security posture to a level it has not seen before. This is not to say that you need to get rid of your current network firewall. Two heads are better than one, and two firewalls are better than one. The EBS team has done a great job of making it easy to drop the TMG firewall in behind your existing firewall. After the TMG firewall is installed, all you need to do on your existing firewall is configure port forwarding rules for HTTP, HTTPS, SMTP, RDP and other protocols, so that they are redirected to the external IP address of the TMG firewall.
While at first glance the TMG might seem to add needless complexity to the EBS network configuration, the EBS installer does most of the heavy lifting for you, so you do not need to understand the internals of TMG installation and configuration during initial setup. The only thing you need to do is configure your old firewall with port forwarding rules. You do not even need to renumber your network or change the default gateway settings on the machines on your network.
The bottom line is that the TMG firewall lets you roll out a secure EBS networking solution using a known, standard security model that is common to all EBS network scenarios. Sure, you can go in and break the EBS TMG security model by creating insecure rules, but out of the box the settings ensure a well-defined baseline for network security, something you cannot say if you stayed with the old “firewall” or NAT device and never introduced the TMG firewall into the design.
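The port-forwarding step described above is vendor-specific on the existing “firewall”, and the article does not say which device you have. As an added example that is not part of the original newsletter, the script below shows what those rules look like on a Linux/iptables perimeter device: every inbound service the article lists (HTTP, HTTPS, SMTP, RDP) is DNAT-ed to the TMG external address, and the matching FORWARD rules admit only those rewritten flows, so the old device is not opened any wider than the forwarded ports. The WAN interface name `eth0`, the documentation-range address `192.0.2.10` for the TMG external interface, and the `APPLY` switch are assumptions of this example, not values from the page or from the EBS product.

```shell
#!/bin/sh
# Added example, not from the original post: generate (and optionally apply)
# iptables port-forwarding rules on an existing Linux perimeter firewall so
# that the services EBS publishes are redirected to the TMG external IP.
# Assumed, not stated on the page: the old firewall runs Linux with iptables,
# the WAN interface is $1, and the TMG external address $2 sits behind it.

# Ports the article says the existing firewall must forward to TMG.
# OWA, RPC/HTTP, Exchange ActiveSync and TS Gateway all ride on HTTPS (443),
# so no additional ports are needed for them.
TMG_SERVICES="tcp:80 tcp:443 tcp:25 tcp:3389"

# Print the rule set; execute each rule as well when APPLY=1 (requires root).
#   $1 = WAN interface (e.g. eth0)    $2 = TMG external IP (e.g. 192.0.2.10)
tmg_forward_rules() {
  wan_if="$1"; tmg_ip="$2"
  # Reply packets for already-forwarded flows, emitted once up front.
  ret="iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  printf '%s\n' "$ret"
  if [ "${APPLY:-0}" = "1" ]; then $ret; fi
  for svc in $TMG_SERVICES; do
    proto="${svc%%:*}"; port="${svc##*:}"
    # DNAT rewrites the destination of the inbound packet to the TMG address...
    r1="iptables -t nat -A PREROUTING -i $wan_if -p $proto --dport $port -j DNAT --to-destination $tmg_ip:$port"
    # ...and the FORWARD rule accepts only that rewritten flow, nothing else.
    r2="iptables -A FORWARD -i $wan_if -p $proto -d $tmg_ip --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n%s\n' "$r1" "$r2"
    if [ "${APPLY:-0}" = "1" ]; then $r1; $r2; fi
  done
}

# Sanity check: one ESTABLISHED rule plus two rules per forwarded service.
tmg_rule_count() {
  tmg_forward_rules "$1" "$2" | wc -l | tr -d ' '
}

# Dry run (prints the rules). Set APPLY=1 and run as root to install them.
tmg_forward_rules eth0 192.0.2.10
```

Keep the default FORWARD policy on the old device at DROP; the per-port rules above then describe exactly the traffic that reaches the TMG external interface, and TMG’s own publishing rules and pre-authentication take over from there.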
I would like to hear what you think about the TMG as part of the EBS solution. Send me a note at tshinder@isaserver.org and I’ll discuss your opinions in the next newsletter.
Tom
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)


Don Adams Says:
September 2nd, 2008 at 5:04 pm
Hi Tom;
EBS could be a good solution to build into a hardware appliance based on Windows 2008 Server Core running Hyper-V. The EBS servers would run as two or three separate virtual machines (TMG by itself) on top of Hyper-V.
This would violate your “don’t mix zones” philosophy but plays into an “ISA/TMG on every Virtual Host” philosophy.
What do you think?
Don Adams
USEast Technologies
The Essential Business Server Team Blog : Tom Shinder speaks on Threat Management Gateway and EBS Says:
September 8th, 2008 at 1:34 pm
[…] I’m sure many of you have at some point spent time on Dr Tom Shinder’s web site www.isaserver.org. Recently I caught a blog post from Dr Tom which really captured why we did in fact include Forefront Threat Management Gateway. […]
Not Buying It Says:
October 3rd, 2008 at 2:12 pm
“The reason most of these people give for not wanting the Security Server is that they already have a “firewall” and therefore do not think they need the TMG component or that the TMG firewall adds too much complexity to what is considered an otherwise “simple” network security configuration.”
Yes, or how about putting it another way: We already have documented, reliable, working, solutions that we would rather not replace just because the new solution says we “must”.
Why must we replace them? Well, “The thing is, the EBS team does not know what kind of “firewall” you already have in place.”
Yep, that makes sense. If they knew we had a Cisco, Watchguard or Sonicwall then “the EBS team” could work around it. If they knew we used the cloud for anti-spam because it’s cheap, reliable, saves bandwidth and covers multiple sites and servers then the EBS team would be fine with it. Sure, of course, which means TMG is completely optional; MS just doesn’t want to make it work that way.
We have invested capital and years of training in devices and platforms that work very reliably: no spinning disks, low cost, very little patching, small footprints, extremely high uptimes with extremely low maintenance requirements, etc. Not to mention these devices frequently connect multiple branch offices. The only way to convince us to replace existing systems is for improved features, lower costs, increased reliability, etc. The MS trick of forced bundling is old news. MS needs to provide the better mousetrap instead of selling “we don’t know what firewall you already have.”
“Two heads are better than one, and two firewalls are better than one.”
Respectfully but firmly, that is ridiculous. Every network device requires configuration, maintenance, occasional troubleshooting and frequently licensing. Additional devices add complexity, increase costs, increase troubleshooting time and provide another point of failure. If two are better than one, then why not three or four?
There may be some reasons why TMG is a compelling product, particularly in new installations, and I would look forward to seeing an article that honestly describes the trade-offs: costs, hardware, management, training, etc. involved in using TMG vs. other options. This isn’t it.
Thomas Shinder Says:
October 3rd, 2008 at 4:49 pm
Dear Anonymous Poster (perhaps Cisco or Sonicwall reseller?)
“Yes, or how about putting it another way: We already have documented, reliable, working, solutions that we would rather not replace just because the new solution says we “must”.”
TOM: You don’t need to replace your solution. As I said, there’s no reason to bolster the questionable security of your current device by using a TMG firewall solution in addition to it.
“Yep, that makes sense. If they knew we had a Cisco, Watchguard or Sonicwall then “the EBS team” could work around it. If they knew we used the cloud for anti-spam because it’s cheap, reliable, saves bandwidth and covers multiple sites and servers then the EBS team would be fine with it. Sure, of course, which means TMG is completely optional; MS just doesn’t want to make it work that way.”
TOM: The EBS team has no idea how you’ve configured your 3rd party solution. That was the entire point of the article. They want to provide a pre-defined level of network security. Not sure what anti-spam has to do with this conversation. TMG isn’t an anti-spam solution. It’s a highly secure network firewall.
“We have invested capital and years of training in devices and platforms that work very reliably: no spinning disks, low cost, very little patching, small footprints, extremely high uptimes with extremely low maintenance requirements, etc. Not to mention these devices frequently connect multiple branch offices. The only way to convince us to replace existing systems is for improved features, lower costs, increased reliability, etc. The MS trick of forced bundling is old news. MS needs to provide the better mousetrap instead of selling “we don’t know what firewall you already have.””
TOM: Please, not the “hardware firewall” exegesis. That argument swings both ways, and it’s not something worth arguing here — both sides have sunk emotional costs in their arguments. But I’ll tell you one thing — the “hardware” firewall is going away faster than you might think. There’s no reason to think that these devices will be immune from virtualization. But again, that’s another story. The “spinning disk, low maintenance, etc.” canards are old chestnuts that never seem to die. I have dozens of ISA firewalls that I look at once a month, if that often. If you do things right, you never have to look at them if you don’t want to — and EBS will let you know if there are issues.
TOM: Bottom line — if you don’t like EBS, don’t get it. It’s a great solution for shops that need the level of security and reliability out of the box that EBS can provide. Sounds like you have the “mad skillz” to configure things yourself, without the tight integration and automation — so use those to put together a server solution that meets your needs.
HTH,
Tom
Jim Harrison Says:
October 4th, 2008 at 8:17 am
To
If you honestly believe that “hardware” (laughable, these days; no such animal with any real functionality) is automatically any better than “software”, then you need to catch up to the rest of the 21st-century firewall deployments. There is not a single firewall that operates above L4 that is NOT made up of some form of PC running a modified OS of some form. Your argument in this context is specious at best.
While I will agree that complexity for its own sake is a potentially bad thing (you wouldn’t believe some of the deployments I’ve had to untangle), I would remind you that the vast majority of “firewalls” in use at SMB are of the $50-$100 CompAmWe variety that can barely hold their own at Layer-4; much less anything higher.
It’s in these same SMB deployments where these devices are deployed where you’ll find Small Business Server; owned and operated by the very same people that enjoy the addition of an application-layer firewall (ISA Server). It’s also these same people that made quite a lot of noise in Microsoft’s direction about a mid-range system for Windows Server 2008 that included a firewall of ISA caliber. The company was growing and SBS just wasn’t meeting their needs for the future.
The answer to numerous specific customer requests is Essential Business Server, which includes TMG by default. Serious thought was given to whether or not a “trimmed” version of EBS should be offered, and Small Business Server 2008 was the answer. No forced firewall.
You may not agree with these decisions and that’s your privilege, but to assert that Microsoft made this decision from a “white tower” or worse, “big brother” perspective is ignorant at best.
Jim
Thomas Shinder Says:
October 4th, 2008 at 8:25 am
Hi Jim,
Thanks! That was a clear and trenchant analysis!
I think it’s safe to say that any l33t hAx0Rz who can put together a “hardware” firewall solution can certainly figure out how to integrate the TMG into his current hardware firewall environment. The customer can only benefit from the inclusion of the TMG firewall, and to think otherwise is malpractice, IMHO.
Thanks!
Tom
Yuri Diogenes Says:
October 4th, 2008 at 9:45 am
Besides all that…
Hardware devices (such as Cisco PIX) are controlled by software, so why is this better than a software firewall? Most dedicated hardware firewalls also have security bulletins to fix vulnerabilities, patches and firmware updates that need to be applied, otherwise someone can exploit a vulnerability on that device. I don’t even remember when the last security bulletin for ISA Server specifically about a vulnerability was; I think it was for ISA 2000. Anyway, dedicated hardware firewalls are not the point; both are controlled by a piece of software and that’s it.
I understand your point that more devices increase the maintenance cost, and I’ve seen customers using ISA in a sandwich scenario with two other firewalls around it. When we ask why they are doing this, they say: it is the company security policy that requires that. So while I agree that it increases the maintenance cost, I also agree that different companies have different needs, and based on that it might be justified for company A to have two firewalls instead of the single one chosen by company B.
Last but not least, you said:
“There may be some reasons why TMG is a compelling product, particularly in new installations, and I would look forward to seeing an article that honestly describes the trade offs: costs, hardware, management, training, etc involved in using TMG vs other options. This isn’t it. “
Here are some strong points about TMG vs regular firewall (such as the ones that you use as example):
- Malware Inspection built in: while most firewalls need a third-party plug-in to allow this functionality, TMG has this feature built in. So a Small/Medium company can take full advantage of a single solution that can mitigate this type of threat.
- Integration with NAP for VPN Access: that will allow security endpoint control by allowing only computers that satisfy company security policy to connect remotely.
- Hardware Management: TMG is fully supported in Hyper-V, that’s already a huge advantage for hardware maintenance.
But, in the end, as Tom said, it is your choice to like EBS or not; the fact is that there are hundreds of Small/Medium business companies that need those integrated features, easy to manage and with the high level of security that this solution offers.
Yuri Diogenes
Dan Nadon Says:
March 12th, 2009 at 8:54 pm
For the most part, I have to agree with Tom’s statements. I’ve been supporting networks and servers of all sizes for over 25 years now. I agree that for most SMB sites of 50 users or more, the EBS solution is perfect. I’m currently in the middle of just such a deployment. Prior to getting involved in the SMB market, I supported large networks with over 25,000 users. It was somewhat of a shock to start working in small networks and find that most had little or no security, primarily because the admins didn’t understand networking and security very well. Thus a wizard-driven, pre-configured solution is ideal. Windows Server has become far too complex for your typical SMB LAN administrator to understand and configure effectively.
As for TMG, when I first offered EBS as a solution, I didn’t understand or trust TMG enough to be sure it would meet all my needs so I included a firewall/router device in the mix. The product I chose is a Fortinet threat management device which, under the covers does everything TMG does, if not more, for a lot lower cost. The advantage is that I can deploy another such device at my remote sites without requiring another Windows server and all the costs associated with building and managing it. Fortinet’s Fortigate router is faster, somewhat easier to configure and certainly easier to maintain.
In this situation I’ll be implementing a Fortigate firewall/router on the perimeter with TMG inside the Fortigate and my LAN inside TMG. I don’t see TMG as detrimental in the solution as it adds more security and there are some benefits to TMG. Easier setup of OWA and RWW, for example. It also offers better tools for monitoring and logging where the Fortigate would require purchasing an extra component to log and monitor traffic at the detailed level TMG can do it.
So, in summary, keeping the original firewall and adding TMG is a good thing. Experience has taught me that there are no security products that work perfectly so it doesn’t hurt to have the second firewall.
ISA 2006 vs. Windows Server 2008 - ISA - Forefront TMG - TechNet Klub Says:
August 12th, 2010 at 1:20 am
[…] Finally, I would mention one further development concerning TMG, although I am starting a little far back. The next, i.e. 2008, SBS platform “split” into two parts: the plain SBS 2008 remained, updated of course and with quite a few fundamental changes (e.g. its components can be split across several machines), but a “larger-scale” solution, recommended for bigger environments, was also created: EBS (Essential Business Server), which can be divided onto 3 or 4 parts/servers and is a product recommended for up to roughly 300 machines (small and medium size, though of course not by our standards). In it, alongside the Messaging and Management Server components, a firewall naturally found its place too, namely a special, so-called “Medium Business” edition of the much-mentioned TMG. We will soon be able to experience its advantages in production, since EBS is already at RTM (and SBS 2008 even more so), and although I do not check daily, in my opinion it will soon be downloadable for users of the various MS software subscriptions (MSDN, TechNet, etc.). So one more link fits here, since again from Tom Shinder’s pen we can read about this special TMG edition: Why the Forefront TMG is a Cornerstone of Essential Business Server (EBS) Network Security Posted Aug. 12, 2010, 09:20 AM by GalTamas © 2010 Technet | Klub // […]
Irena W Says:
October 29th, 2012 at 3:31 am
A portal worth highlighting. An interesting take on this issue. Good luck with further content. Marudny Remigiusz.