Forefront TMG 2010 Firewall Replacement

Posted on 2013-10-07
Medium Priority
Last Modified: 2014-04-28
Hello, Experts!

We're currently using Forefront TMG 2010 for the 'Firewall Policy' feature only. I'd like to move to something that's going to be developed on (Microsoft announced they are mothballing Forefront).

I wanted to provide an explanation of what we use it for; perhaps someone can guide us to a better solution.

1. We have limited external (public) IP addresses, but many internal resources that need to be made available externally.

2. On GoDaddy DNS, we've created DNS entries for our systems -- all tied to one external IP address.

3. On our Cisco Meraki firewall, we've created a 1:1 NAT rule that any traffic on selected ports (generally port 80) directed towards that external IP address assigned to our network should get routed to 10.0.0.XXX on our internal network.

4. At the 10.0.0.XXX address internally, we've installed Forefront that then routes traffic to/from different systems. e.g.:
sandbox1.domain.com is
sandbox2.domain.com is
sandbox3.domain.com is

That way, if someone externally requests sandbox1.domain.com, the site is up and available.

I'm looking for a new way of solving #4 above.

Question by:workforceinsight
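The host-header dispatch that step 4 relies on (one NATed address, many published names), as an added example that is not part of the original question or any answer. The published names, internal addresses and listening port are assumptions, not values from the question.

```python
"""Publish several internal sites behind one public IP by dispatching on the
HTTP Host header. Constructed example; names and addresses are assumptions."""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
import http.client

# Published name -> internal origin (host, port). Constructed values.
PUBLISH_RULES = {
    "sandbox1.domain.com": ("10.0.0.11", 80),
    "sandbox2.domain.com": ("10.0.0.12", 80),
    "sandbox3.domain.com": ("10.0.0.13", 8080),
}

def resolve_backend(host_header):
    """Map a Host header to an internal origin, or None if not published.

    Drops an explicit port and trailing dot, lower-cases, and requires an
    exact match so unpublished internal names cannot be reached via the proxy.
    """
    if not host_header:
        return None
    name = host_header.split(":", 1)[0].strip().rstrip(".").lower()
    return PUBLISH_RULES.get(name)

class PublishHandler(BaseHTTPRequestHandler):
    def _proxy(self):
        backend = resolve_backend(self.headers.get("Host"))
        if backend is None:
            # Unknown name: refuse instead of falling through to a default site.
            self.send_error(421, "Site not published")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        conn = http.client.HTTPConnection(*backend, timeout=10)
        try:
            conn.request(self.command, self.path, body=body, headers=dict(self.headers))
            resp = conn.getresponse()
            data = resp.read()
            self.send_response(resp.status)
            for k, v in resp.getheaders():
                if k.lower() not in ("transfer-encoding", "connection", "content-length"):
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        finally:
            conn.close()
    do_GET = do_POST = do_HEAD = _proxy

if __name__ == "__main__":
    # Assumed: the perimeter 1:1 NAT rule forwards public port 80 to this port.
    ThreadingHTTPServer(("0.0.0.0", 8080), PublishHandler).serve_forever()
```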

Accepted Solution

btan earned 2000 total points
ID: 39555390
If the replacement is from the MS Forefront suite, it will likely be Forefront UAG. The latter is an Application Layer Gateway and is the solution for incoming access to internal resources from the Internet. Actually, Forefront TMG is installed during a Forefront UAG installation.

@ http://technet.microsoft.com/en-us/library/ee522953.aspx
@ http://blogs.technet.com/b/tomshinder/archive/2011/04/19/choosing-between-forefront-tmg-or-forefront-uag-for-publishing-scenarios.aspx

- Forefront UAG can be used to publish internal servers via a Web portal or directly (similar to Forefront TMG). For website and VPN replacement use DirectAccess, but do note that DirectAccess is not a replacement for VPN in a few scenarios, e.g. VPN for external workers who shouldn't access all services like the company's workers. Of course we can implement several DirectAccess implementations in one company, but external workers are then forced to have desktops in the company's domain.

However, I see an application delivery controller (ADC) as the way forward, since you are already going to consider a replacement and I foresee that the requirement as shared needs more granularity and HA as well... see the candidates below - they can drill down to web apps and have rules to customise outbound and inbound for that matter - but it really will be good to get principle advice before making a decision...

F5 Networks

Author Comment

ID: 39787178
Thanks, breadtan!

It's been a few months - does anyone know of any evolving technologies that would satisfy this need?

Expert Comment

ID: 39787227
I was thinking of SDN but it is probably too complicated to be worth exploring. I saw F5 route domains using the same IP but still treated as different domains. Another is different ports, but that is not new and can be constrained by port exhaustion etc.
