Recommendations for firewall virtual appliance?

Posted on 2010-11-12
Last Modified: 2012-05-10
We'd like to move away from our Sonicwall and get into something that can be virtualized to eliminate the hardware appliance. Does anyone have a recommendation in this regard?

It will be a VM with 3 NICs - 2x WAN (redundant, but not load balanced) and 1x LAN.

Checkpoint is out of our price range, so we are left with:

Forefront TMG (donated because we are nonprofit)

The general populace seems to think having an MS box connected directly to the internet is a horrible idea, but I have yet to see any recorded evidence of ISA/TMG being problematic. Anybody else?

Question by: sbumpas

Accepted Solution

Mohamed Khairy earned 150 total points
I recommend Microsoft Forefront TMG (Threat Management Gateway) because it has a lot of new exciting features, as follows:

- Control network policy access at the edge (Firewall)
- Protect users from web browsing threats (Web Client Protection)
- Protect users from E-mail threats (Email Protection)
- Protect desktops and servers from intrusion attempts (NIS)
- Enable users to remotely access corporate resources (VPN, Secure Web Publishing)
- Simplified management (Deployment)

As for the software and hardware prerequisites:

One of the most important changes in Microsoft Forefront TMG is that it must be installed on the 64-bit edition of Windows Server 2008.

Other changes include:

- 2 gigabytes (GB) or more of memory
- 2.5 GB of available hard disk space. This is exclusive of hard disk space that you want to use for caching or for temporarily storing files during malware inspection.
- One network adapter that is compatible with the computer's operating system, for communication with the internal network.
- An additional network adapter for each network connected to the Forefront TMG server.
- One local hard disk partition that is formatted with the NTFS file system.

Also, Microsoft Forefront TMG is the first Microsoft enterprise firewall which enables you to protect your network from malicious attacks in the form of malware. The malware protection feature is the first line of defense against several types of zero-day exploits.

Definition of Malware (Source:

Malware, a portmanteau from the words malicious and software, is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software. Malware is not the same as defective software, that is, software which has a legitimate purpose but contains harmful bugs.

But, for sure, you have to install a second line of defense on the users' computers, like Microsoft Forefront Client Security, to protect your internal network too.

You can take a look at the below links:



Author Comment

Do the features you've listed require that the machine be a part of a domain? I'm hesitant to put a domain member out on the internet.

Expert Comment

by: Mohamed Khairy

If you will not need to set or create any rules to be applied to specific users using their domain user credentials, then you are not required to join it, as follows:

1- If you have a group of computers joined to the domain and used by your users, and you want to deny the internet or specific websites for some users and enable it for others, in this case you should join the TMG to your domain, or just allow LDAP to your domain controller to get user data.

2- If you have a group of computers joined to the domain or members of a workgroup and used by your users, and you want to set rules for internet or any other feature but your TMG is not joined to the domain, then you can use the address range of the computers to restrict or grant access; in this case you will not need user data, just the computers' IPs.

Author Comment

Thanks for that - Forefront is currently in the lead, but I wanted to get other opinions before I made a decision. Anyone else?
Assisted Solution

Akhater earned 50 total points
>> The general populace seems to think having an MS box connected directly to the internet is a horrible idea,

Honestly, I like these statements. I have been using ISA and TMG as perimeter and backend firewalls for years and never, not once, had a security issue related to the software itself. You can call me lucky if you want, but having deployed and maintained it at customers ranging from just a handful to 3000+ employees and not having any security issue means the product can be used for most businesses.

Just my grain of salt to the conversation :o)

Assisted Solution

simonlimon earned 50 total points
My recommendation is that you should use two firewall solutions from different vendors; even MS recommends that. Use one solution as an edge solution and the other as a backend solution. One appliance you did not include is pfSense.

I would definitely go with ISA/TMG as, in my opinion, no other vendor provides features that play with the Active Directory MS infrastructure really well, especially in publishing of web servers.

If you will only use one firewall and you also have a lot of Microsoft servers or services, get TMG.

Also, in my opinion, even the most securely designed application can have an insecure implementation. Follow MS recommendations for deployment. Security incidents are also caused mostly from the inside of an environment and not the outside.

In this regard TMG also helps with applications such as the proxy server, which can filter malware where users surf, and HTTPS inspection, which can weed out insecure and fraudulent web sites.

Author Closing Comment

I have examined that possibility, but I do not feel our situation warrants the added complexity. We are a small library, with about 60 concurrent users running 6x12. I, literally, am the IT department.

Thanks for everyone's input! We will give TMG a fair shot.
