lanermc

asked on

Best solution for hosting activesync and owa

We are currently working to host our internal CAS servers publicly for ActiveSync and external OWA access.  From what I have been reading and based on past experience, Forefront TMG is the best option for hosting these technologies.  My colleagues here have some concerns about using a Microsoft product as an internet-facing device.  I have researched this a bit and it seems that it is best to set up TMG with two network cards, one public internet-facing and one private-facing.  TMG was designed to be used in this fashion and it seems to complicate the setup to configure it any other way.  TMG blogs frown on the idea of running it behind a DMZ firewall because it is unnecessary and duplicates technologies, and they definitely frown on the idea of running it in HORK mode, which uses only one network card.  Added to these concerns, it appears that TMG is EOL and will only have support (including extended) for 10 years.  We do have a Checkpoint DMZ firewall.  What is the best and most secure option for hosting these technologies?  Let me know if you need any more info about our setup.
Keith Alabaster

TMG is the best product on the market - your colleagues' concerns are not valid in this respect.

You are correct in some of your comments but not in others. The best practice for TMG is to have it joined to the domain, as this leverages all of its functionality in the way it was designed to present it. There is NO issue whatsoever with having TMG behind a front firewall, and it is often seen as a better solution if you adhere to the security-in-depth concept which most of us in this sphere would promote. HORK - only of any use in a proxy-only deployment.

TMG is NOT end of life until 2015 - and will be supported in extended support till 2020. However, you will not be able to buy additional licenses/copies of the product so - despite being the strongest advocate for the Forefront products you will likely ever find - I would not recommend this approach to you.

The new Cisco ASA units are the closest I am aware of as an alternative, although the OWA functions etc. would be fronted by the ASA rather than hosted on it.

PS I have added this question to the Microsoft Forefront topic group.

Keith
lanermc

ASKER

Keith,

Thanks for the info!  Will the TMG functionality get rolled into UAG in the future?  Should we possibly consider using UAG instead, since there is no planned EOL?  I apologize if my question seems irrelevant, as I don't have much experience with networking or software firewalls.  I mainly work in the server/Exchange admin sphere.  I believe the Cisco ASAs will be out of budget for us.

Thanks,

Jason
Not a problem. - ask away, it is what I am here for.

No - TMG's true role is to protect the inside people/services when they access external services. UAG is there to allow authorised people to get inside and keep the bad people out. UAG actually HAS TMG built in to protect the UAG server itself, but you cannot use this like a normal TMG service.

The Cisco is comparable cost-wise. Bear in mind that for TMG you also need a per-user license to get the updates for the whitelist/blacklist etc.

UAG will be great in regards to publishing services that are web based so activesync etc is fine but it will NOT provide the proxy services that TMG will do.

I would suggest that you look at the overall security profile you need against the service profile you want to present. For example, Server 2012 brings a host of new capabilities however, a new Microsoft solution is in the wings that will be the successor to TMG's capabilities. Unfortunately, for now, it is covered by non-disclosure agreements, so I cannot discuss that further at this time.

ASKER

Hmmm, I thought TMG 2010 cost was processor only.  We are running it on a server that has two processors, and we are using it for OWA and Activesync only at this time.  Do we still need to purchase an additional license per user?
Our proposed setup for the TMG server is to use two network cards.  One connection will be hooked to our DMZ switch and will be assigned an external IP.  The other network connection will also hook to the DMZ switch and be assigned an IP.  This IP will have access only to the ports that TMG needs to access internally.  Given that scenario, is there a list of ports that TMG uses internally (including domain member ports)?  The whole point of this setup is to give three layers of protection:  one at the DMZ entrance, the second through the TMG, and the third at the second connection's blocked ports.
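As an added example (editor's code, not part of this thread and not the accepted answer below, which is not reproduced here): once the Checkpoint rules for the TMG internal-facing interface are in place, the quickest way to find out whether the "third layer" blocks something the domain-joined TMG host actually needs is to attempt TCP connections from that specific interface to the domain controller and to the CAS. The script below binds each test socket to the internal NIC's address so the check exercises the path the asker describes rather than whatever interface Windows would pick. The host names and the address 10.10.20.5 are placeholders; the port list is the standard set a domain member needs to reach a DC (DNS, Kerberos, RPC endpoint mapper, LDAP/LDAPS, SMB, Global Catalog) plus HTTPS to the CAS, not a list taken from TMG documentation, so adjust it to your environment. It uses System.Net.Sockets.TcpClient so it runs on the PowerShell 2.0 shipped with Windows Server 2008 R2, where TMG lives.

```powershell
# Editor's example; assumed names/addresses (replace with your own):
#   $InternalNicIp        address on the TMG internal-facing NIC
#   dc01.corp.example     a domain controller reachable from the DMZ
#   cas01.corp.example    the Exchange CAS being published
$InternalNicIp = '10.10.20.5'

# Standard domain-member ports (TCP only; see note after the block for UDP/RPC).
$Targets = @(
    @{ Host = 'dc01.corp.example';  Port = 53;   Service = 'DNS' },
    @{ Host = 'dc01.corp.example';  Port = 88;   Service = 'Kerberos' },
    @{ Host = 'dc01.corp.example';  Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Host = 'dc01.corp.example';  Port = 389;  Service = 'LDAP' },
    @{ Host = 'dc01.corp.example';  Port = 445;  Service = 'SMB (SYSVOL/Group Policy)' },
    @{ Host = 'dc01.corp.example';  Port = 636;  Service = 'LDAPS' },
    @{ Host = 'dc01.corp.example';  Port = 3268; Service = 'Global Catalog' },
    @{ Host = 'cas01.corp.example'; Port = 443;  Service = 'HTTPS to CAS (OWA/ActiveSync)' }
)

function Test-TcpFromInterface {
    param(
        [string]$LocalIp,
        [string]$TargetHost,
        [int]$Port,
        [int]$TimeoutMs = 3000
    )
    # Bind the socket to the internal NIC so the test follows the DMZ path under review.
    $localAddr = [System.Net.IPAddress]::Parse($LocalIp)
    $localEp   = New-Object System.Net.IPEndPoint -ArgumentList $localAddr, 0
    $client    = New-Object System.Net.Sockets.TcpClient -ArgumentList $localEp
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        # No SYN/ACK and no RST inside the timeout: almost always a firewall drop.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'TIMEOUT (filtered)'
        }
        $client.EndConnect($async)   # throws on RST (refused) or DNS failure
        return 'OPEN'
    } catch {
        return "REFUSED/ERROR ($($_.Exception.GetType().Name))"
    } finally {
        $client.Close()
    }
}

foreach ($t in $Targets) {
    $result = Test-TcpFromInterface -LocalIp $InternalNicIp -TargetHost $t.Host -Port $t.Port
    '{0,-22} {1,5}/tcp  {2,-32} {3}' -f $t.Host, $t.Port, $t.Service, $result
}
```

Two caveats a firewall admin will raise: a TCP connect cannot verify the UDP side (DNS, Kerberos and NTP all use UDP as well as TCP), and the RPC endpoint mapper on 135 only hands out a dynamic high port (49152-65535 on Server 2008 and later) that the actual RPC call then uses, so opening 135 alone is not enough for domain-member traffic such as Netlogon. A TIMEOUT line points at the DMZ rule set; a REFUSED line means the packet got through and the target simply is not listening there.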
ASKER CERTIFIED SOLUTION
Keith Alabaster

This solution is only available to members.

ASKER

We are going to put both interfaces on the DMZ, but they will be mapped to IP addresses on different VLANs.  Thanks for your help!