
ISA 2004 and ForeFront TMG

Hi all,

I was wondering if someone can point me in the direction of some pros and cons with regard to upgrading from ISA 2004 to ForeFront TMG.

We currently have ISA 2004 installed on a single server as an internet management box. We are looking at what more FF TMG will give us and how hard it would be to upgrade.


About TMG:
1. It will publish your internal servers (mail, www, portals etc.) in a much better way
2. It will inspect internet traffic for malware
3. It can categorize visited URLs and deny or grant access based on categories
4. It will work on Windows Server 2008 and 2008 R2

Upgrade can be hard. This means installing new TMG and re-creating your rules from scratch.
Import does not always work as you expect.
Enterprise Architect
Top Expert 2008
There is no direct upgrade. ISA Server is a 32-bit application and needs an equivalent operating system - 32-bit.

FTMG is 64-bit only and can run on 2008 SP2 or 2008 R2.
Whilst you can export/import the ISA config, personally I find it better to start from scratch. Not only does this give the ability to clean up the rules that traditionally have got messed up over time, it means you go through all the options and consider them again.

FTMG does a lot that ISA 2004/2006 could not do.
FTMG uses the Microsoft MRS service so now caters (based on a per-user subscription) for categorised URL allow/deny scenarios out of the box. It also provides (free) NIS protection out of the box which is a big step forward.
FTMG's support for hosting a copy of the Exchange edge connection is another plus for the system, giving good mail protection as well.
HTTPS inspection has been added, which is slightly contentious. Enabling HTTPS inspection allows FTMG to break the connection, thereby allowing inspection of traffic that the user assumes is encrypted and protected - including things like home banking etc. Sounds great but has significant legal ramifications as well. In addition, many sites will fail to operate if they are subject to the HTTPS inspection. Microsoft's own sites such as the Windows Update site will not operate when HTTPS inspection is enabled. To get round this, most MS sites are already added to the 'exemption' group.

Reporting is still light on FTMG and remains an area that needs to be addressed.
FTMG is streets ahead of ISA but is still not the cheapest on the market.
FTMG, like ISA, is not a 'just run the setup.exe from the CD'. It assumes you have read the manuals or been trained accordingly.

MS Forefront MVP