

Recommendations for firewall virtual appliance?

Posted on 2010-11-12
Medium Priority
Last Modified: 2012-05-10
We'd like to move away from our Sonicwall and get into something that can be virtualized to eliminate the hardware appliance. Does anyone have a recommendation in this regard?

It will be a VM with 3 NICs - 2x WAN (redundant, but not load balanced) and 1x LAN.

Checkpoint is out of our price range, so we are left with:

Forefront TMG (donated because we are nonprofit)

The general populace seems to think having an MS box connected directly to the internet is a horrible idea, but I have yet to see any recorded evidence of ISA/TMG being problematic. Anybody else?
Question by: sbumpas

Accepted Solution

Mohamed Khairy earned 600 total points
ID: 34124701
I recommend Microsoft Forefront TMG (Threat Management Gateway) because it has a lot of new exciting features, as follows:

- Control network policy access at the edge (Firewall)
- Protect users from web browsing threats (Web Client Protection)
- Protect users from E-mail threats (Email Protection)
- Protect desktops and servers from intrusion attempts (NIS)
- Enable users to remotely access corporate resources (VPN, Secure Web Publishing)
- Simplified management (Deployment)

As for the SW and HW prerequisites:

One of the most important changes in Microsoft Forefront TMG is that it must be installed on 64-bit Windows Server 2008.

Other changes include:

- 2 gigabytes (GB) or more of memory
- 2.5 GB of available hard disk space. This is exclusive of hard disk space that you want to use for caching or for temporarily storing files during malware inspection.
- One network adapter that is compatible with the computer's operating system, for communication with the internal network.
- An additional network adapter for each network connected to the Forefront TMG server.
- One local hard disk partition that is formatted with the NTFS file system.

Also, Microsoft Forefront TMG is the first Microsoft Enterprise Firewall which enables you to protect your network from malicious attacks in the form of malware. The malware protection feature is the first line of defense against several types of zero-day exploits.

Definition of Malware (Source: wikipedia.org):

Malware, a portmanteau from the words malicious and software, is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software. Malware is not the same as defective software, that is, software which has a legitimate purpose but contains harmful bugs.

But, for sure, you have to install a second line of defense on the users' computers, like Microsoft Forefront Client Security, to protect your internal network too.

You can take a look at the below links:
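One check a practitioner would want before committing a VM to this role, written here as an added example (it is not part of the thread and not a Microsoft tool): a PowerShell script that compares the candidate host against the prerequisites quoted in this answer. The thresholds are the answer's own numbers; the required NIC count of 3 is an assumption taken from the question's 2x WAN + 1x LAN design, and the script assumes PowerShell 2.0 or later with the standard WMI classes (Win32_OperatingSystem, Win32_ComputerSystem, Win32_LogicalDisk, Win32_NetworkAdapter) available, as they are on Windows Server 2008.

```powershell
# Added example, not from the thread: compare this Windows host against the
# Forefront TMG prerequisites quoted in the answer above.
# Thresholds are the answer's numbers; RequiredNics is an assumption taken
# from the question's 2x WAN + 1x LAN design.
param(
    [int]$RequiredNics = 3,
    [int]$MinMemoryGB  = 2,
    [double]$MinFreeGB = 2.5
)

$results = @()

# 1. Must be 64-bit Windows Server 2008 (32-bit installs are not supported).
$os = Get-WmiObject Win32_OperatingSystem
$results += New-Object PSObject -Property @{
    Check  = 'OS is 64-bit Windows Server 2008'
    Actual = "$($os.Caption) $($os.OSArchitecture)"
    Pass   = ($os.OSArchitecture -like '64*') -and ($os.Caption -match 'Server 2008')
}

# 2. 2 GB or more of RAM. WMI reports usable memory slightly below the
#    nominal size, so round to one decimal place before comparing.
$cs    = Get-WmiObject Win32_ComputerSystem
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
$results += New-Object PSObject -Property @{
    Check  = "RAM >= $MinMemoryGB GB"
    Actual = "$ramGB GB"
    Pass   = ($ramGB -ge $MinMemoryGB)
}

# 3. At least one NTFS fixed disk with 2.5 GB free. This is the install
#    footprint only; cache and malware-inspection scratch space are extra.
$ntfs   = Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3 AND FileSystem='NTFS'"
$best   = $ntfs | Sort-Object FreeSpace -Descending | Select-Object -First 1
$freeGB = 0
$diskText = 'no NTFS fixed disk found'
if ($best) {
    $freeGB   = [math]::Round($best.FreeSpace / 1GB, 1)
    $diskText = "$($best.DeviceID) $freeGB GB free"
}
$results += New-Object PSObject -Property @{
    Check  = "NTFS partition with >= $MinFreeGB GB free"
    Actual = $diskText
    Pass   = ($freeGB -ge $MinFreeGB)
}

# 4. One adapter per connected network. NetConnectionStatus 2 = connected;
#    inside a VM the virtual NICs are counted here too.
$nics = @(Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionStatus=2")
$results += New-Object PSObject -Property @{
    Check  = "Connected NICs >= $RequiredNics"
    Actual = ($nics | ForEach-Object { $_.NetConnectionID }) -join ', '
    Pass   = ($nics.Count -ge $RequiredNics)
}

$results | Format-Table Check, Pass, Actual -AutoSize

# Non-zero exit code so the script can gate an automated build of the VM.
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) prerequisite check(s) failed; see the table above."
    exit 1
}
"All TMG prerequisite checks passed."
```

Run it on the candidate VM before installing TMG; the table lists each check with the value actually measured, and the disk check deliberately looks only at the installation footprint, so plan cache and malware-inspection storage on top of it as the answer notes.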





Author Comment

ID: 34124729
Do the features you've listed require that the machine be a part of a domain?  I'm hesitant to put a domain member out on the internet.

Expert Comment

by: Mohamed Khairy
ID: 34124788
If you do not need to set or create any rules that apply to specific users using their domain user credentials, then you do not need to join it to the domain. The cases are as follows:

1- If you have a group of computers joined to the domain and used by your users, and you want to deny the internet or specific websites to some users and enable it for others, in this case you should join the TMG to your domain, or just allow LDAP to your domain controller to get user data.

2- If you have a group of computers joined to the domain or members of a workgroup and used by your users, and you want to set rules for internet or any other feature but your TMG is not joined to the domain, you can use the address range of the computers to restrict or grant access; in this case you will not need user data, just the computers' IPs.

Author Comment

ID: 34124850
Thanks for that. Forefront is currently in the lead, but I wanted to get other opinions before I made a decision. Anyone else?

Expert Comment

by: Mohamed Khairy
ID: 34124871
LVL 49

Assisted Solution

Akhater earned 200 total points
ID: 34126414
>> The general populace seems to think having an MS box connected directly to the internet is a horrible idea,

Honestly, I like these statements. I have been using ISA and TMG as perimeter and backend firewalls for years and never, not once, had a security issue related to the software itself. You can call me lucky if you want, but having deployed and maintained it at customers ranging from just a handful to 3000+ employees and not having any security issue means the product can be used for most businesses.

just my grain of salt to the conversation :o)
LVL 10

Assisted Solution

simonlimon earned 200 total points
ID: 34139642
My recommendation is that you should use two firewall solutions from different vendors; even MS recommends that. Use one solution as an edge solution and the other as a backend solution. One appliance you did not include is also pfSense.

I would definitely go with ISA/TMG, as in my opinion no other vendor provides some features that play really well with a Microsoft Active Directory infrastructure, especially in publishing of web servers.

If you will only use one firewall and you also have a lot of Microsoft servers or services, get TMG.

Also, in my opinion, even the most securely designed application can have an insecure implementation. Follow MS recommendations for deployment. Security incidents are also mostly caused from the inside of an environment and not the outside.

In this regard TMG also helps with applications such as the proxy server, which can filter malware where users surf, and HTTPS inspection, which can weed out insecure and fraudulent web sites.

Author Closing Comment

ID: 34145702
I have examined that possibility, but I do not feel our situation warrants the added complexity. We are a small library, with about 60 concurrent users running 6x12. I, literally, am the IT department.

Thanks for everyone's input! We will give TMG a fair shot.
