Recommendations for firewall virtual appliance?

Posted on 2010-11-12
Medium Priority
Last Modified: 2012-05-10
We'd like to move away from our Sonicwall, and get in to something that can be virtualized to eliminate the hardware appliance.  Does anyone have a recommendation in this regard?

It will be a VM with 3 NICs - 2x WAN (redundant, but not load balanced) and 1x LAN.

Checkpoint is out of our price range, so we are left with:

Forefront TMG (donated because we are nonprofit)

The general populace seems to think having an MS box connected directly to the internet is a horrible idea, but I have yet to see any recorded evidence of ISA/TMG being problematic.  Anybody else?
Question by:sbumpas

Accepted Solution

Mohamed Khairy earned 600 total points
ID: 34124701
I recommend Microsoft Forefront TMG (Threat Management Gateway) because it has a lot of new exciting features, as follows:

- Control network policy access at the edge (Firewall)
- Protect users from web browsing threats (Web Client Protection)
- Protect users from E-mail threats (Email Protection)
- Protect desktops and servers from intrusion attempts (NIS)
- Enable users to remotely access corporate resources (VPN, Secure Web Publishing)
- Simplified management (Deployment)

As for the SW and HW prerequisites:

One of the most important changes in Microsoft Forefront TMG is that it must be installed on 64-bit Windows Server 2008.

Other changes include:

- 2 gigabytes (GB) or more of memory
- 2.5 GB of available hard disk space. This is exclusive of hard disk space that you want to use for caching or for temporarily storing files during malware inspection.
- One network adapter that is compatible with the computer's operating system, for communication with the internal network.
- An additional network adapter for each network connected to the Forefront TMG server.
- One local hard disk partition that is formatted with the NTFS file system.
Also, Microsoft Forefront TMG is the first Microsoft Enterprise Firewall which enables you to protect your network from malicious attacks in the form of malware. The malware protection feature is the first line of defense against several types of zero-day exploits.

Definition of Malware (Source: wikipedia.org):

Malware, a portmanteau from the words malicious and software, is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software. Malware is not the same as defective software, that is, software which has a legitimate purpose but contains harmful bugs.

But, for sure you have to install a second line of defense on the users computers like Microsoft Forefront Client Security to protect your internal network too.

You can take a look at the below links:

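A readiness check against the prerequisites listed in the answer above, added here as an example; it is not code from the thread or from Microsoft. It queries WMI with Get-WmiObject (present on Server 2008 / PowerShell 2.0) and compares the results with the thresholds the answer states. The minimum of two physical adapters (internal plus one more network) and the choice of the largest NTFS volume as the install target are assumptions made for this check.

```powershell
# Added example: TMG pre-install readiness check, not from the thread or Microsoft.
# Thresholds come from the answer above; $MinNetworkAdapters (internal + one more
# network) and "largest NTFS volume" are assumptions made for this check.
function Test-TmgPrerequisites {
    param(
        [int]$MinMemoryGB        = 2,    # answer: 2 GB or more
        [double]$MinFreeDiskGB   = 2.5,  # answer: 2.5 GB free, before any cache space
        [int]$MinNetworkAdapters = 2     # assumption: internal NIC + at least one more
    )

    $results = @()

    # Requirement: 64-bit Windows Server 2008 (or 2008 R2)
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $results += New-Object PSObject -Property @{
        Check  = 'OS is 64-bit Windows Server 2008'
        Pass   = (($os.Caption -match 'Windows Server 2008') -and ($os.OSArchitecture -like '64*'))
        Detail = "$($os.Caption.Trim()) $($os.OSArchitecture)"
    }

    # Requirement: 2 GB or more of memory
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $memGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 2)
    $results += New-Object PSObject -Property @{
        Check  = "Memory >= $MinMemoryGB GB"
        Pass   = ($memGB -ge $MinMemoryGB)
        Detail = "$memGB GB installed"
    }

    # Requirement: a local NTFS partition with at least 2.5 GB free
    $ntfsVolumes = @(Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=3' |
        Where-Object { $_.FileSystem -eq 'NTFS' })
    $largest = $ntfsVolumes | Sort-Object -Property FreeSpace -Descending | Select-Object -First 1
    $freeGB = 0
    $diskDetail = 'no local NTFS volume found'
    if ($largest) {
        $freeGB = [math]::Round($largest.FreeSpace / 1GB, 2)
        $diskDetail = "$($largest.DeviceID) $freeGB GB free (NTFS)"
    }
    $results += New-Object PSObject -Property @{
        Check  = "NTFS partition with >= $MinFreeDiskGB GB free"
        Pass   = (($ntfsVolumes.Count -gt 0) -and ($freeGB -ge $MinFreeDiskGB))
        Detail = $diskDetail
    }

    # Requirement: one internal NIC plus one per additional connected network
    $nics = @(Get-WmiObject -Class Win32_NetworkAdapter -Filter 'PhysicalAdapter=True')
    $results += New-Object PSObject -Property @{
        Check  = "At least $MinNetworkAdapters physical network adapters"
        Pass   = ($nics.Count -ge $MinNetworkAdapters)
        Detail = (($nics | ForEach-Object { $_.NetConnectionID }) -join ', ')
    }

    return $results
}

# Usage: print the report and return a non-zero exit code if any check failed,
# so the script can gate an automated build of the TMG VM.
$report = Test-TmgPrerequisites
$report | Format-Table -Property Check, Pass, Detail -AutoSize
if ($report | Where-Object { -not $_.Pass }) { exit 1 }
```

For the three-NIC VM described in the question, run it with `-MinNetworkAdapters 3` so the two WAN adapters and the LAN adapter are all required to be present before installation.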
Author Comment

ID: 34124729
Do the features you've listed require that the machine be a part of a domain?  I'm hesitant to put a domain member out on the internet.

Expert Comment

by:Mohamed Khairy
ID: 34124788
If you do not need to set or create any rules that apply to specific users using their domain user credentials, then you do not need to join it, as follows:

1- If you have a group of computers joined to the domain and used by your users, and you want to deny the internet or specific websites for some users and enable it for others, in this case you should join the TMG to your domain, or just allow LDAP to your domain controller to get user data.

2- If you have a group of computers joined to the domain or members of a workgroup and used by your users, and you want to set rules for internet or any other feature but your TMG is not joined to the domain, you can use the address range of the computers to restrict or grant access. In this case you will not need user data, just the computers' IPs.
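To make the two cases above concrete, here is a constructed model of first-match access-rule evaluation, added as an example; it is not TMG's object model or any vendor code. A rule that names a user set can only be evaluated when the firewall can obtain user data (case 1: domain join or LDAP to a domain controller), while a rule that names an address range needs nothing but the source IP (case 2). The rule names, address ranges, group name and site names are invented for the example.

```powershell
# Added example: constructed model of rule matching by IP range vs. by user set.
# Not TMG code; the rules, ranges, group and site names below are invented.

# Returns $true when $IPAddress falls inside the IPv4 CIDR block $Cidr.
function Test-IPInCidr {
    param([string]$IPAddress, [string]$Cidr)
    $parts    = $Cidr -split '/'
    $prefix   = [int]$parts[1]
    $ipBytes  = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($parts[0]).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        # number of mask bits that land in this octet (0..8)
        $bits     = [math]::Max(0, [math]::Min(8, $prefix - 8 * $i))
        $maskByte = [int](256 - [math]::Pow(2, 8 - $bits))
        if (($ipBytes[$i] -band $maskByte) -ne ($netBytes[$i] -band $maskByte)) { return $false }
    }
    return $true
}

# First-match evaluation. A rule with a UserSet is skipped when the firewall
# has no directory access, because it cannot learn which user sent the request.
function Resolve-WebAccess {
    param(
        [array]$Rules,
        [string]$SourceIP,
        [string]$Site,
        [string[]]$UserGroups = @(),
        [bool]$DirectoryAvailable = $false
    )
    foreach ($rule in $Rules) {
        if ($rule.UserSet) {
            if (-not $DirectoryAvailable) { continue }   # identity unknown: rule cannot apply
            $member = $false
            foreach ($g in $rule.UserSet) { if ($UserGroups -contains $g) { $member = $true } }
            if (-not $member) { continue }
        }
        $inRange = $false
        foreach ($cidr in $rule.SourceRanges) {
            if (Test-IPInCidr -IPAddress $SourceIP -Cidr $cidr) { $inRange = $true }
        }
        if (-not $inRange) { continue }
        if (-not (($rule.Sites -contains '*') -or ($rule.Sites -contains $Site))) { continue }
        return "$($rule.Action) by rule '$($rule.Name)'"
    }
    return 'Deny (no rule matched)'
}

# Constructed policy: patron PCs are identified by subnet, staff by a domain group.
$policy = @(
    @{ Name = 'Staff: unrestricted web';     Action = 'Allow'; SourceRanges = @('0.0.0.0/0');
       UserSet = @('LIBRARY\Staff');          Sites = @('*') },
    @{ Name = 'Patron PCs: block streaming'; Action = 'Deny';  SourceRanges = @('192.168.20.0/24');
       UserSet = $null;                       Sites = @('video.example') },
    @{ Name = 'Patron PCs: general web';     Action = 'Allow'; SourceRanges = @('192.168.20.0/24');
       UserSet = $null;                       Sites = @('*') }
)

# Case 2 (TMG not joined, no LDAP): only the address-range rules are evaluable.
Resolve-WebAccess -Rules $policy -SourceIP '192.168.20.15' -Site 'video.example'
Resolve-WebAccess -Rules $policy -SourceIP '192.168.10.7'  -Site 'video.example' -UserGroups 'LIBRARY\Staff'

# Case 1 (joined or LDAP reachable): the staff rule is evaluable for the same request.
Resolve-WebAccess -Rules $policy -SourceIP '192.168.10.7'  -Site 'video.example' -UserGroups 'LIBRARY\Staff' -DirectoryAvailable $true
```

The second call shows the practical consequence of case 2: a staff member on a workstation outside the patron subnet gets the default deny, because the only rule that would admit them depends on identity the firewall cannot obtain. If the TMG is not going to be joined, the policy has to be written entirely in terms of address ranges, as the comment above says.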



Author Comment

ID: 34124850
Thanks for that - Forefront is currently in the lead, but I wanted to get other opinions before I made a decision.  Anyone else?

Expert Comment

by:Mohamed Khairy
ID: 34124871
Assisted Solution

Akhater earned 200 total points
ID: 34126414
>> The general populace seems to think having an MS box connected directly to the internet is a horrible idea,

Honestly, I like these statements. I have been using ISA and TMG as perimeter and backend firewall for years and never, not once, had a security issue related to the software itself. You can call me lucky if you want, but having deployed and maintained it at customers ranging from just a handful to 3000+ employees and not having any security issue means the product can be used for most businesses.

just my grain of salt to the conversation :o)
Assisted Solution

simonlimon earned 200 total points
ID: 34139642
My recommendation is that you should use two firewall solutions from different vendors; even MS recommends that: using one solution as an edge solution and the other as a backend solution. One appliance you did not include is also pfSense.

I would definitely go with ISA/TMG, as in my opinion no other vendor provides some features that play with Active Directory MS infrastructure really well, especially in publishing of web servers.

If you will only use one firewall and you also have a lot of Microsoft servers or services, get TMG.

Also, in my opinion, even the most securely designed application can have an insecure implementation. Follow MS recommendations for deployment. Security incidents are also caused mostly from the inside of an environment and not the outside.

In this regard TMG also helps with applications such as the proxy server, which can filter malware where users surf, and HTTPS inspection, which can weed out insecure and fraudulent web sites.

Author Closing Comment

ID: 34145702
I have examined that possibility, but I do not feel our situation warrants the added complexity.  We are a small library, with about 60 concurrent users running 6x12.  I, literally, am the IT department.

Thanks for everyone's input!  We will give TMG a fair shot.
