
Key improvements between Microsoft's ISA Server and its replacement Forefront TMG 2010

Keith Alabaster, Enterprise Architect
Microsoft's ISA Server has been its pre-eminent security product for about a decade and is still regarded amongst the well-informed as one of the best software firewalls and application gateways ever released, by any manufacturer. ISA Server has been EAL 4+ accredited throughout its lifetime, the highest non-military security accreditation achievable. It is also notable in that it achieved this status long before anything comparable from Cisco or other manufacturers, except for the Sidewinder from Secure Computing. The last incarnation of ISA, ISA 2006 SP1, goes out of mainstream support at the beginning of 2012.

In the last few years of ISA Server, Microsoft introduced the Forefront brand, an umbrella term that covers a fair number of component products. One of these is the Forefront Threat Management Gateway, known as FTMG or just TMG. In short, FTMG fulfils all the capabilities that ISA 2006 SP1 could deliver plus a fair bit more.

The purpose of this article is to highlight the improvements and to provide some context around them.

ISA Server 2006 - 32-bit but Forefront TMG - 64-bit
ISA Server 2006 was only available in a 32-bit version and could only be used on Windows 2003 x86, whereas FTMG is 64-bit only and runs solely on Windows 2008 SP2 or Windows 2008 R2. Both ISA 2006 and FTMG are fully supported in virtualised environments as per the Microsoft supported hardware list.

AntiVirus and Malware Detection
FTMG 2010 can monitor for viruses and malware in the traffic passed through its interfaces. This service is subscription based and can be applied either globally across all policy rules or at the rule level, with different settings and controls for each rule.

The malware detection service can be a little awkward when first seen. It operates by downloading the requested content and scanning it before it is presented to, or saved by, the user. From the user's perspective it can feel like a performance issue, because the progress/status bar hardly moves. In reality FTMG is controlling this: it 'trickles' status to the user as a form of session keepalive while it downloads the whole file, checks it and then delivers the complete file to the user.

URL and Content Checking
FTMG creates a default web policy with a very large number of URL and content categories to which it denies access. Administrators can tune this list by adding or removing individual URLs or whole domains. The obvious categories are all there, and you can also enter a URL and be told which category it belongs to. A nice touch is the option to let a user override a blocked site if they choose to; if they do, the action is logged for later audit if necessary.
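The policy behaviour just described (a default-deny category list, administrator exceptions for single URLs or whole domains, and a user override that is permitted but logged) is modelled below as an added example. It is constructed demonstration code, not TMG's own policy engine: the category database, category names, sample hostnames and audit record layout are all assumptions made for illustration. The domain matching also shows the edge case a filter has to get right: a whole-domain exception must cover real subdomains without matching look-alike hosts such as `notgamble.example`.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample category database (hostname -> category). A real
# deployment would consult the vendor's categorisation service instead.
CATEGORY_DB = {
    "news.example": "News",
    "gamble.example": "Gambling",
    "malware.example": "Malicious Sites",
}


class WebPolicy:
    """Default-deny web policy with admin exceptions and a logged user override."""

    def __init__(self, blocked_categories, overridable_categories=()):
        self.blocked = set(blocked_categories)
        self.overridable = set(overridable_categories)  # user may click through, logged
        self.admin_allow_domains = set()  # whole domain including its subdomains
        self.admin_allow_urls = set()     # individual URLs
        self.admin_deny_urls = set()
        self.audit_log = []

    @staticmethod
    def host_of(url):
        return (urlsplit(url).hostname or "").lower()

    @staticmethod
    def in_domain(host, domain):
        # Exact host or a genuine subdomain; "notgamble.example" must not
        # match the domain "gamble.example".
        return host == domain or host.endswith("." + domain)

    def categorize(self, url):
        """Return the category, letting a subdomain inherit its parent domain's entry."""
        labels = self.host_of(url).split(".")
        for i in range(len(labels) - 1):  # never consult the bare TLD
            category = CATEGORY_DB.get(".".join(labels[i:]))
            if category:
                return category
        return "Uncategorized"

    def decide(self, url, user, override=False):
        """Return (action, category). Admin deny wins, then admin allow, then category policy."""
        host = self.host_of(url)
        category = self.categorize(url)
        if url in self.admin_deny_urls:
            return "deny", category
        if url in self.admin_allow_urls or any(
            self.in_domain(host, d) for d in self.admin_allow_domains
        ):
            return "allow", category
        if category not in self.blocked:
            return "allow", category
        if override and category in self.overridable:
            # The click-through is permitted but recorded for later audit.
            self.audit_log.append({
                "time": datetime.now(timezone.utc).isoformat(),
                "user": user,
                "url": url,
                "category": category,
                "action": "user-override",
            })
            return "allow-override", category
        return "deny", category


if __name__ == "__main__":
    policy = WebPolicy({"Gambling", "Malicious Sites"}, overridable_categories={"Gambling"})
    print(policy.decide("https://news.example/today", "alice"))
    print(policy.decide("https://cdn.gamble.example/game", "alice"))
    print(policy.decide("https://cdn.gamble.example/game", "alice", override=True))
    print(policy.audit_log)
```

Note that the override is only honoured for categories the administrator has marked as overridable; a category such as "Malicious Sites" stays blocked even when the user asks to proceed, which is the distinction between a productivity block and a security block.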

Email Antispam and Malware Protection
On a server that has the Exchange Edge role installed, FTMG can be deployed and will interact with the Exchange service. Instead of using the traditional 'publish a mail server' wizard, an email policy configuration within FTMG can be run, and this sets the policy in line with the protection configured for the Exchange server farm.

Network Intrusion Service
NIS is a standard service for FTMG and is NOT subscription based. This service scans network traffic for particular 'signatures' that are associated with known attacks.

ISP Load-balancing and ISP Failover (ISP-R)
This is an extremely welcome new service and is exactly what its name suggests. Even with a single FTMG server, it allows two network interface cards to be set as External, each connected to a separate ISP.

With ISP-R load balancing, both ISP connections are active at the same time and the administrator can select how much of the traffic is allowed over each connection, or split it equally 50-50. If one ISP connection fails, all the traffic continues over the remaining link.

With ISP-R failover, ALL traffic goes over the single active connection. If it fails, the second link is brought up and all traffic moves to it. This is the option normally used when a site has a good internet connection but only a small failover/standby circuit such as a broadband line, i.e. the standby is only used in an emergency until the main link is restored.
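The two ISP-R modes described above are modelled in the added example below, so the difference in behaviour can be seen on concrete numbers. This is constructed illustration code, not TMG's implementation: the link names, the 70/30 weighting, the boolean health flag and the use of smooth weighted round-robin for the load-balance split are all assumptions. In load-balance mode, sessions are split by weight and collapse onto the surviving link when one fails; in failover mode, everything stays on the primary until it goes down.

```python
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    weight: int        # configured share of sessions in load-balance mode (e.g. 70 vs 30)
    up: bool = True    # assumed result of the link health check
    current: int = 0   # running counter for smooth weighted round-robin


class IspRedundancy:
    """Picks an external link for each new outbound session.

    mode="load-balance": both links active, sessions split by weight.
    mode="failover":     all sessions on the first healthy link, in configured order.
    """

    def __init__(self, links, mode):
        if mode not in ("load-balance", "failover"):
            raise ValueError("mode must be 'load-balance' or 'failover'")
        self.links = list(links)
        self.mode = mode
        self.sessions = {link.name: 0 for link in self.links}

    def choose(self):
        healthy = [link for link in self.links if link.up]
        if not healthy:
            raise RuntimeError("no external link is up")
        if self.mode == "failover" or len(healthy) == 1:
            # Failover, or only one link left: everything rides the first healthy link.
            chosen = healthy[0]
        else:
            # Smooth weighted round-robin: over any sum(weights) consecutive
            # sessions each healthy link receives exactly its weight's worth,
            # without long runs on one link.
            for link in healthy:
                link.current += link.weight
            chosen = max(healthy, key=lambda link: link.current)
            chosen.current -= sum(link.weight for link in healthy)
        self.sessions[chosen.name] += 1
        return chosen.name


def simulate(mode, n_sessions, outage_at=None):
    """Constructed scenario: push n_sessions through two assumed ISP links,
    optionally taking the primary down after outage_at sessions.
    Returns the per-link session counts."""
    primary = Link("ISP-A", weight=70)
    standby = Link("ISP-B", weight=30)
    isp = IspRedundancy([primary, standby], mode)
    for i in range(n_sessions):
        if outage_at is not None and i == outage_at:
            primary.up = False
        isp.choose()
    return dict(isp.sessions)


if __name__ == "__main__":
    print("load-balance 70/30:", simulate("load-balance", 100))
    print("failover, both up:", simulate("failover", 100))
    print("failover, primary down after 60:", simulate("failover", 100, outage_at=60))
```

The point the numbers make is the one the text makes: in failover mode the standby carries nothing at all until the primary fails, which is what you want when the standby is a small broadband circuit, whereas load balancing keeps both circuits in daily use and degrades to a single link on failure.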

Graphical User Interface (GUI)
The GUI has been revamped and many of the options have moved around the menu structure, making it - in my view - much more intuitive. The addition of a good number of troubleshooting tools was overdue, but they have been delivered now.

In summary, FTMG 2010 is still not a product for those who want a 'just run the setup' solution. It is a professional product and requires the user to know their topic as well as what they want to achieve.

Keith Alabaster, Enterprise Architect
Microsoft Forefront MVP

Comments (1)

Mohamed Khairy, Enterprise Solutions Architect

Thank you for your effort.
