Recommendations for firewall virtual appliance?

We'd like to move away from our Sonicwall, and get into something that can be virtualized to eliminate the hardware appliance. Does anyone have a recommendation in this regard?

It will be a VM with 3 NICs - 2x WAN (redundant, but not load balanced) and 1x LAN.

Checkpoint is out of our price range, so we are left with:

Forefront TMG (donated because we are nonprofit)

The general populace seems to think having an MS box connected directly to the internet is a horrible idea, but I have yet to see any recorded evidence of ISA/TMG being problematic. Anybody else?

Mohamed Khairy (Enterprise Solutions Architect) commented:
I recommend Microsoft Forefront TMG (Threat Management Gateway) because it has a lot of exciting new features, as follows:

- Control network policy access at the edge (Firewall)
- Protect users from web browsing threats (Web Client Protection)
- Protect users from E-mail threats (Email Protection)
- Protect desktops and servers from intrusion attempts (NIS)
- Enable users to remotely access corporate resources (VPN, Secure Web Publishing)
- Simplified management (Deployment)

As for the software and hardware prerequisites:

One of the most important changes in Microsoft Forefront TMG is that it must be installed on 64-bit Windows Server 2008.

Other requirements include:

- 2 gigabytes (GB) or more of memory
- 2.5 GB of available hard disk space. This is exclusive of hard disk space that you want to use for caching or for temporarily storing files during malware inspection.
- One network adapter that is compatible with the computer's operating system, for communication with the internal network.
- An additional network adapter for each network connected to the Forefront TMG server.
- One local hard disk partition that is formatted with the NTFS file system.
Also, Microsoft Forefront TMG is the first Microsoft enterprise firewall which enables you to protect your network from malicious attacks in the form of malware. The malware protection feature is the first line of defense against several types of zero-day exploits.

Definition of Malware (Source:

Malware, a portmanteau from the words malicious and software, is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software. Malware is not the same as defective software, that is, software which has a legitimate purpose but contains harmful bugs.

But for sure you have to install a second line of defense on the users' computers, like Microsoft Forefront Client Security, to protect your internal network too.

You can take a look at the below links:


sbumpas (Author) commented:
Do the features you've listed require that the machine be a part of a domain? I'm hesitant to put a domain member out on the internet.
Mohamed Khairy (Enterprise Solutions Architect) commented:
If you will not need to set or create any rules to be applied to specific users using their domain user credentials, then you are not in need of joining it, as follows:

1- If you have a group of computers joined to the domain and used by your users, and you want to deny the internet or specific websites for some users and enable it for others, in this case you should join the TMG to your domain, or just allow LDAP to your domain controller to get user data.

2- If you have a group of computers joined to the domain or members of a workgroup and used by your users, and you want to set rules for internet or any other feature but your TMG is not joined to the domain, you can use the address range of the computers to restrict or grant access; in this case you will not need user data, just the computers' IPs.
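To make the second option concrete, here is an added Python model (not code from this thread, and not TMG's own API or rule format) of access rules keyed on the computers' address ranges rather than on domain user identity: first match wins, unmatched traffic is denied, and a small audit helper flags rules that an earlier rule already shadows. All addresses, ports and rule names are constructed sample values.

```python
"""Address-range access rules, as a firewall that is not domain-joined would use them.

Hypothetical stand-alone model: rules are keyed only on source IP ranges
(no user identity), evaluated first-match-wins with a default deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    sources: Tuple[str, ...]           # source CIDR ranges (the computers' IPs)
    dest_ports: Tuple[int, ...] = ()   # () means any destination port

    def networks(self):
        return [ipaddress.ip_network(c, strict=False) for c in self.sources]

    def matches(self, src_ip: str, dst_port: int) -> bool:
        ip = ipaddress.ip_address(src_ip)
        in_source = any(ip in n for n in self.networks())
        port_ok = not self.dest_ports or dst_port in self.dest_ports
        return in_source and port_ok


# Constructed sample policy for a small site: public kiosks get web only,
# staff workstations (v4 and v6 ranges) get everything, rest falls to default deny.
RULES = (
    Rule("kiosk-web-only", "allow", ("192.0.2.0/26",), (80, 443)),
    Rule("kiosk-deny-rest", "deny", ("192.0.2.0/26",)),
    Rule("staff-any", "allow", ("192.0.2.64/26", "2001:db8:1::/64")),
)


def evaluate(src_ip: str, dst_port: int, rules=RULES) -> Tuple[str, str]:
    """Return (action, rule_name); the first matching rule decides,
    and no match means implicit deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action, rule.name
    return "deny", "default"


def shadowed_rules(rules=RULES) -> List[Tuple[str, str]]:
    """Report (later, earlier) pairs where the later rule can never fire because
    an earlier rule already covers every source range and port it lists.
    A useful audit when address-keyed rule sets grow over time."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            earlier_nets = earlier.networks()
            src_covered = all(
                any(n.version == e.version and n.subnet_of(e) for e in earlier_nets)
                for n in later.networks()
            )
            if not earlier.dest_ports:
                port_covered = True                     # earlier matches any port
            else:
                port_covered = bool(later.dest_ports) and \
                    set(later.dest_ports) <= set(earlier.dest_ports)
            if src_covered and port_covered:
                out.append((later.name, earlier.name))
                break
    return out


if __name__ == "__main__":
    for ip, port in (("192.0.2.10", 443), ("192.0.2.10", 22),
                     ("192.0.2.70", 22), ("2001:db8:1::5", 80), ("198.51.100.9", 80)):
        print(ip, port, "->", evaluate(ip, port))
    print("shadowed:", shadowed_rules())
```

The trade-off the thread describes shows up directly in this model: a rule identifies a machine's address, not a person, so any host that obtains an address inside an allowed range inherits that range's access, and the only identity check is whichever one the network itself enforces. That is why the first option (domain join or an LDAP lookup against the domain controller) exists for per-user policy.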

sbumpas (Author) commented:
Thanks for that - Forefront is currently in the lead, but I wanted to get other opinions before I made a decision. Anyone else?
Akhater commented:
>> The general populace seems to think having an MS box connected directly to the internet is a horrible idea,

Honestly, I like these statements. I have been using ISA and TMG as perimeter and backend firewall for years and never, not once, had a security issue related to the software itself. You can call me lucky if you want, but having deployed and maintained it at customers ranging from just a handful to 3000+ employees and not having any security issue means the product can be used for most businesses.

Just my grain of salt to the conversation :o)
simonlimon commented:
My recommendation is that you should use two firewall solutions from different vendors; even MS recommends that. Use one solution as an edge solution and the other solution as a backend solution. One appliance you did not include is also pfSense.

I would definitely go with ISA/TMG, as in my opinion no other vendor provides features that play with Active Directory MS infrastructure really well, especially in publishing of web servers.

If you will only use one firewall and you also have a lot of Microsoft servers or services, get TMG.

Also in my opinion, even the most securely designed application can have insecure implementation. Follow MS recommendations for deployment. Security incidents are also caused mostly from the inside of an environment and not the outside.

In this regard TMG also helps with applications such as the proxy server, which can filter malware where users surf, and HTTPS inspection, which can weed out insecure and fraudulent web sites.
sbumpas (Author) commented:
I have examined that possibility, but I do not feel our situation warrants the added complexity. We are a small library, with about 60 concurrent users running 6x12. I, literally, am the IT department.

Thanks for everyone's input!  We will give TMG a fair shot.