Security Advisor

Goodbye ISA, Hello TMG

Microsoft's upcoming Forefront Threat Management Gateway brings a host of security possibilities to the table.

• By Joern Wettern
• 08/01/2009

Microsoft is slated to release its Forefront Threat Management Gateway (TMG) before the end of the year. A number of significant improvements make this a product an appealing all-around solution for protecting a network from Internet-based threats.

Despite the new name, TMG is really a significant upgrade of Microsoft's Internet Security and Acceleration (ISA) Server. Microsoft last updated ISA in 2006, and even that release wasn't really much more than a glorified Service Pack for the previous version. TMG, on the other hand, adds so much new functionality that I can only hit the high points in a single column.

Safer Browsing
The most noticeable new feature improves the security of client connections to the Internet. With ISA Server, administrators could block access to dangerous or unwanted Web sites, but they had to determine which content to block and create a list of banned Web sites themselves. With TMG, Microsoft does that work; integrated malware inspection blocks Web sites containing viruses and spyware. TMG can also block access to Web sites that fall into one or more of 90 pre-determined categories, including pornography and gambling. TMG constantly updates those site categories. The new offering lets admins block unwanted Web access right at the Internet gateway. TMG can even extend this protection to SSL connections by applying the same rules to encrypted traffic.

ISA Server contains some rudimentary intrusion-detection capability, but it only blocks a few types of attacks, and it doesn't ensure that HTML and SMTP traffic complies with standards. TMG, on the other hand, contains a full-featured Network Inspection System (NIS), which compares all network traffic to a long list of signatures of known exploits. TMG constantly updates this list and can protect servers against new attacks even before admins have patched those servers.

E-Mail Hygiene
Network administrators are constantly worried about blocking malware in e-mail and making sure that mail servers don't get flooded by spam. Microsoft's Forefront for Exchange, as well as third-party solutions, can remove dangerous messages and junk, but wouldn't it be better if an Internet gateway could block threatening traffic before delivering it to the mail server? TMG lets admins do some basic filtering of e-mail traffic, but Exchange Edge Server and Forefront for Exchange, when both installed on the TMG Server itself, make TMG a truly effective e-mail gateway.

In this configuration, TMG controls the other two products and performs e-mail hygiene right at the network edge. This integration also allows admins to configure the system in the TMG administration console. Performing e-mail hygiene tasks on the Internet gateway is especially appealing for small and midsize businesses that don't want to run a separate Edge Server for Exchange. Combined with Edge Server and Forefront for Exchange, TMG uses multiple anti-virus engines to scan all e-mail for viruses. When a remote computer tries to establish a connection, a new, reputation-based blacklist feature can block incoming spam before any data is sent to the e-mail server. TMG compares incoming messages against a frequently updated list of spam signatures.

TMG also includes a large a number of smaller improvements and new features. These include support for Internet telephony, more efficient connections to branch offices, the ability to centrally manage standalone TMG Servers in an enterprise environment, and improved Network Access Protection integration for VPN clients. After several years of doing relatively little with ISA Server, Microsoft is taking a huge leap with TMG. Admins who are currently using ISA Server or are looking at a new, full-featured Internet security gateway should familiarize themselves with the TMG beta so that they'll be ready for the final product when Microsoft releases it later this year.