Recommendations for firewall virtual appliance?

Posted on 2010-11-12
Medium Priority
Last Modified: 2012-05-10
We'd like to move away from our Sonicwall, and get in to something that can be virtualized to eliminate the hardware appliance.  Does anyone have a recommendation in this regard?

It will be a VM with 3 NICs - 2x WAN (redundant, but not load balanced) and 1x LAN.

Checkpoint is out of our price range, so we are left with:

Forefront TMG (donated because we are nonprofit)

The general populace seems to think having an MS box connected directly to the internet is a horrible idea, but I have yet to see any recorded evidence of ISA/TMG being problematic.  Anybody else?
Question by:sbumpas

Accepted Solution

Mohamed Khairy earned 600 total points
ID: 34124701
I recommend Microsoft Forefront TMG (Threat Management Gateway) because it has a lot of new exciting features, as follows:

- Control network policy access at the edge (Firewall)
- Protect users from web browsing threats (Web Client Protection)
- Protect users from E-mail threats (Email Protection)
- Protect desktops and servers from intrusion attempts (NIS)
- Enable users to remotely access corporate resources (VPN, Secure Web Publishing)
- Simplified management (Deployment)

As for the software and hardware prerequisites:

One of the most important changes in Microsoft Forefront TMG is that it must be installed on 64-bit Windows Server 2008.

Other changes include:

- 2 gigabytes (GB) or more of memory
- 2.5 GB of available hard disk space. This is exclusive of hard disk space that you want to use for caching or for temporarily storing files during malware inspection.
- One network adapter that is compatible with the computer's operating system, for communication with the internal network.
- An additional network adapter for each network connected to the Forefront TMG server.
- One local hard disk partition that is formatted with the NTFS file system.
Also, Microsoft Forefront TMG is the first Microsoft enterprise firewall which enables you to protect your network from malicious attacks in the form of malware. The malware protection feature is the first line of defense against several types of zero-day exploits.

Definition of Malware (Source: wikipedia.org):

Malware, a portmanteau from the words malicious and software, is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software. Malware is not the same as defective software, that is, software which has a legitimate purpose but contains harmful bugs.

But, for sure you have to install a second line of defense on the users computers like Microsoft Forefront Client Security to protect your internal network too.

You can take a look at the below links:





Author Comment

ID: 34124729
Do the features you've listed require that the machine be a part of a domain?  I'm hesitant to put a domain member out on the internet.

Expert Comment

by:Mohamed Khairy
ID: 34124788
If you do not need to set or create any rules that apply to specific users using their domain user credentials, then you do not need to join it to the domain, as follows:

1- If you have a group of computers joined to the domain and used by your users, and you want to deny the internet or specific websites for some users and enable it for others, in this case you should join the TMG to your domain, or just allow LDAP to your domain controller to get user data.

2- If you have a group of computers joined to the domain or members of a workgroup and used by your users, and you want to set rules for internet access or any other feature but your TMG is not joined to the domain, then you can use the address range of the computers to restrict or grant access. In this case you will not need user data, just the computers' IPs.
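To make the difference between the two cases concrete, here is a small policy evaluator I am adding as an illustration (it is not code from the thread or from Forefront TMG). It models a first-match rule set where some rules key on user identity and others on client address ranges, and shows that when the firewall has no directory data (not domain-joined, no LDAP lookup), identity rules simply cannot match and only address-range rules decide the outcome. The rule names, hostnames and 192.0.2.0/24 addresses are constructed sample values.

```python
"""Illustration of identity-based vs address-based firewall rules.

Added example, not from the original thread or from any vendor product.
Rule names, hostnames and IP ranges below are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    destination: str                          # "*", "host" or "*.suffix"
    users: Optional[Set[str]] = None          # identity condition (needs directory data)
    source_ranges: Optional[List[str]] = None  # address condition (works without domain join)


def _dest_matches(pattern: str, host: str) -> bool:
    """Wildcard match on the destination hostname."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern


def evaluate(rules: List[Rule], src_ip: str, host: str,
             user: Optional[str] = None,
             directory_available: bool = False) -> Tuple[str, str]:
    """Return (action, rule_name) using first-match semantics, default deny.

    When directory_available is False the firewall cannot resolve a client
    to a user, so any rule with a user condition is skipped entirely; this
    is the "not joined to the domain" situation described in the answer.
    """
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if not _dest_matches(r.destination, host):
            continue
        if r.users is not None:
            if not directory_available or user is None:
                continue  # identity unknown: rule cannot be evaluated
            if user not in r.users:
                continue
        if r.source_ranges is not None:
            if not any(ip in ipaddress.ip_network(n) for n in r.source_ranges):
                continue
        return r.action, r.name
    return "deny", "default"


# Constructed sample policy: staff may reach social sites by identity,
# public PCs (first 64 addresses of the LAN) may not, everything else on
# the LAN is allowed to browse.
RULES = [
    Rule("staff-social", "allow", "*.social.example", users={"alice", "bob"}),
    Rule("public-pcs-no-social", "deny", "*.social.example",
         source_ranges=["192.0.2.0/26"]),
    Rule("lan-web", "allow", "*", source_ranges=["192.0.2.0/24"]),
]


if __name__ == "__main__":
    # Same user and client, with and without directory data.
    print(evaluate(RULES, "192.0.2.10", "www.social.example", user="alice"))
    print(evaluate(RULES, "192.0.2.10", "www.social.example", user="alice",
                   directory_available=True))
    print(evaluate(RULES, "192.0.2.100", "www.social.example"))
    print(evaluate(RULES, "198.51.100.5", "www.social.example"))
```

The first two calls differ only in whether directory data is available: without it, alice's request from a public PC address is denied by the address-range rule, because the firewall has no way to learn that the client is alice; with it, the identity rule matches first and allows the request. That is the trade-off the answer describes: an unjoined TMG can still enforce policy, but only at the granularity of client addresses.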
Author Comment

ID: 34124850
Thanks for that - Forefront is currently in the lead, but I wanted to get other opinions before I made a decision.  Anyone else?

Expert Comment

by:Mohamed Khairy
ID: 34124871

Assisted Solution

Akhater earned 200 total points
ID: 34126414
>> The general populace seems to think having an MS box connected directly to the internet is a horrible idea,

Honestly, I like these statements. I have been using ISA and TMG as perimeter and backend firewall for years and never, not once, had a security issue related to the software itself. You can call me lucky if you want, but having deployed and maintained it at customers ranging from just a handful to 3000+ employees and not having any security issue means the product can be used for most businesses.

just my grain of salt to the conversation :o)

Assisted Solution

simonlimon earned 200 total points
ID: 34139642
My recommendation is that you should use two firewall solutions from different vendors; even MS recommends that. Use one solution as an edge solution and the other as a backend solution. One appliance you did not include is also pfSense.

I would definitely go with ISA/TMG, as in my opinion no other vendor provides some features that play with the Active Directory MS infrastructure really well, especially in publishing of web servers.

If you will only use one firewall and you also have a lot of Microsoft servers or services, get TMG.

Also in my opinion, even the most securely designed application can have insecure implementation. Follow MS recommendations for deployment. Security incidents are also caused mostly from the inside of an environment and not the outside.

In this regard TMG also helps with applications such as the proxy server, which can filter malware where users surf, HTTPS inspection that can weed out insecure and fraudulent web sites.

Author Closing Comment

ID: 34145702
I have examined that possibility, but I do not feel our situation warrants the added complexity.  We are a small library, with about 60 concurrent users running 6x12.  I, literally, am the IT department.

Thanks for everyone's input!  We will give TMG a fair shot.
