• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1224
  • Last Modified:

Forefront TMG and CAS for Exchange 2010


It's widely held that we should publish OWA/ActiveSync/Outlook Anywhere (Exchange 2010) with Microsoft Forefront TMG 2010 as reverse proxy.

One of the rationale for doing so seems to be that incoming connections to OWA would be pre-authenticated at TMG rather than hitting directly at Client Access Server in order to ensure that only TMG validated sessions are passed onto the Client Access Server on Exchange 2010.

What are the other security threat vectors mitigated by inclusion of TMG in our exchange front end architecture design?
  • 4
  • 3
  • 3
  • +1
3 Solutions
Carol ChisholmCommented:
I would really hesitate to implement TMG as it is announced dead, I don't even think you can buy it any more. It does not support IPv6.
There is a Web App Proxy in Server 2012 R2 which I think is a replacement of some kind, it is advertised as a reverse proxy.

MS had to produce something to replace Forefront since many of their new products require a reverse proxy, it was just not named.

I have built the server to test Web App Proxy but not actually installed to role yet
Carol ChisholmCommented:
Here's what you get in 2012 R2 RTM. This is the way to go - not TMG...
Turn Raw Data into a Real Career

There’s a growing demand for qualified analysts who can make sense of Big Data. With an MS in Data Analytics, you can become the data mining, management, mapping, and munging expert that today’s leading corporations desperately need.

fahimAuthor Commented:
Hi carolchi

I was aware of TMG being EoL but Microsoft says just becoz it's EoL doesn't stop users from deploying it for it's way off from being end of support and then there is time for extended support.

Advantages listed off TMG are many, e.g. URL categorization, time based blocking, HTTPS inspection, Offloading SSL processing from application servers, Detection of possible malware and enforcement of corporate policies etc.

Wonder if suggested Web App proxy will cover all this?
Simon Butler (Sembee)ConsultantCommented:
There isn't really a replacement for TMG yet.
This is the Exchange product team take on the IIS feature mentioned:


Personally I have no problem with exposing a CAS role directly to the internet, but it very much depends on what industry you are in. If you are in a highly regulated industry with more "network security" people than network administrators then you may well have a different opinion.

Carol ChisholmCommented:
Web access proxy in no way replaces TMG. Unfortunately I don't see a product that does.
And of course since IPv6 is implemented by default in 2012 R2 you are even less secure because as far as I can see the two NICs will communicate over IPv6 locallink and there is no way to stop it.

So you rely completely on your next generation firewall to do all the anti-malware and so on.
fahimAuthor Commented:
To Sembee:

You wrote that personally you do not have issues in exposing CAS services to internet directly.  Working in an industry which is not bound by any mandatory regulations, just good security practices, why do you this maintain that reverse proxying CAS doesn't count for certain risks mitigation?
Simon Butler (Sembee)ConsultantCommented:
What risks do you want to cover?
The combination of IIS and Exchange on a dedicated server (ie not doing anything else) has never been compromised. The compomises of IIS usualy come down to poor password security or a poor third party tool.

It also adds an additional layer of complexity, many of the problems I see with Exchange are caused by things outside of Exchange.

The biggest security risk on any network is the same for everyone - the users. Wetware. If you can enforce good password policies you will knock out 95% of the problems.
If you are being targetted then there is nothing you can do to stop someone determined to get in.

Bruno PACIIT ConsultantCommented:

I can't agree with SemBee2 !
"Protection" does not only means "avoid unwanted users to get in", it also means "keep the internal services working in case of a stupid DoS attack".

I agree that attackers that are skilled enough to log in a system from the external network and that are really motivated to succeed will be very hard to stop. But this is not a reason to make them the job easier !
The key word is "time" ! If it takes time for an attacker to get in your system it gives you time to detect and react.

SemBee2 said "If you are being targetted then there is nothing you can do to stop someone determined to get in"
OF COURSE YOU CAN DO something ! You can close the external link, at least temporarily !
You just need time to detect and react !!

If you expose your CAS servers directly to the Internet you might be exposed to a simple Deny of Service attack by any flooding request. And in that case your CAS goes down, adn if the CAS goes down the internal clients can not join their mailboxes.
If you expose your CAS behind a reverse proxy device (TMG or anything else) flooding attacks will probably take the reverse proxy down, but your CAS servers are still alive for your internal clients.

About TMG, you can no more buy a TMG licence to install it on your servers, but you can still buy TMG appliances.
Simon Butler (Sembee)ConsultantCommented:
If you are being targetted and you spot the attack, then they aren't very good. All that the other measures do is block the stupid attackers who are just after your bandwidth and resource and not the data. That is very easy to block - just simple measures will make them move on to someone else.

If you are being flooded with traffic due to a malicious attack, then nothing you can put in place will stop that - it will require the interaction of the ISP to drop the traffic. TMG and the like are still getting the traffic and have to process it to drop it, and there are much better ways of doing it.

Horses for courses in most cases - for the vast majority of end users the additional complexity is not required.

fahimAuthor Commented:
We found 2 MS technologies where we felt comfortable but both of them have some pros and cons.

1. Forefront TMG

Pros: Matured technology in publishing Exchange.

• Only authenticated traffic hits CAS – preauthentication for OWA
• Deep application inspection – IDS like features (logs goes to MSS)
• Prevention from “Account lockout DOS attacks” by doing the soft lockout on TMG before accounts are actually locked out in the domain

Cons: product is getting expired
• Support until April 2015,
• Extended support until 2020,  
• TMG is not supported on Windows 2012

2. Windows 2012 R2 – ARR Web Application Proxy

• provides TMG like features
• Reverse proxy capabilities
• ADFS proxy capabilities
• Multifactor Authentication

• New feature, to be tested, Not matured technology in publishing Exchange
• No packet inspection

Today, in Oct 2013, my take is to deploy TMG as a reverse proxy until  MS support is valid meanwhile to plan and test for the replacement of TMG before the end of next year 2014.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

  • 4
  • 3
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now