Forefront Threat Management Gateway 2010 (TMG)

Features
Learn about the features and benefits of Microsoft Forefront Threat Management Gateway 2010 (TMG), which is designed to
provide a comprehensive, secure Web gateway that helps, protect employees from Web-based threats.  Highlight: HTTPS

HTTPS Inspection, an innovative feature, enables Forefront TMG to inspect inside users’ SSL-encrypted Web traffic.

By inspecting within these encrypted sessions, Forefront TMG can both detect possible malware as well as limit employee Web
usage to approved sites. Sensitive sites, such as banking sites, can be excluded from inspection.

 Compare TMG with ISA Server 2006 and TMG MBE

New Features

Feature Description

URL Filtering Destination URLs are examined for compliance with corporate policy and for
malicious potential of destination Web site. Forefront TMG uses Microsoft
Reputation Services for URL filtering, combining multiple sources to increase
coverage of URLs and categorization.

Web antivirus/anti- Inbound and outbound Web traffic is inspected for viruses and malware,
malware protection including archived folders. Encrypted folders can be blocked. For large files,
users are trickled the file to assure them the file is being downloaded.

E-mail security Forefront TMG provides central management for Exchange and Forefront
Protection 2010 for Exchange when located on the same server. Forefront TMG
does not include either Exchange or Forefront Protection 2010 for Exchange.
 Both must be purchased and installed separately.

HTTPS inspection HTTPS-encrypted sessions can be inspected for malware or exploits. Specific
groups of sites—such as banking sites—can be excluded from inspection for
privacy reasons. Users of the TMG Firewall Client can be notified of the
inspection.

Network Inspection System Traffic can be inspected for exploits of Microsoft vulnerabilities. Based on
(NIS) protocol analysis, NIS enables blocking of classes of attacks while minimizing
false positives. Protections can be updated as needed.

Enhanced Network Address Forefront TMG now enables you to specify individual e-mail servers that can be
Translation (NAT) published on a 1-to-1 NAT basis.

Enhanced Voice over IP Forefront TMG includes SIP traversal, enabling simpler deployment of Voice
support over IP within the network.

Windows Server 64-bit Forefront TMG is installed on Windows Server 2008 with 64-bit support.
support

Firewall Protections

Feature Description

Multi-layer firewall Forefront TMG provides access control and protection on three layers: packet
filtering, stateful inspection, and application layer filtering.

Application layer filtering Forefront TMG provides deep content filtering through built-in application
filters.

Granular HTTP controls Forefront TMG delivers customizable, granular controls to HTTP traffic,
including:

 - File download controls

 - Signature-based blocking

 - HTTP method controls

 Forefront TMG provides strong controls over Web-based threats.

DoS protections Forefront TMG provides resiliency against flood attacks and re-allocates
resources to provide higher security inspection.

Extensive protocol support Forefront TMG delivers out-of-the-box support for many protocols. New
protocols can be defined.

Highly Secure Application Publishing

Feature Description

Highly secure e-mail access Remote users can access Exchange Server using the full Outlook MAPI client
from Outlook Client over the Internet without establishing a VPN connection. The connection is
encrypted for security.

Simple Outlook Web Access Simple wizards allow quick configuration of remote access for both Outlook
and Microsoft Office Web Access and SharePoint servers. Outlook Web Access users can be
SharePoint Server publishing authenticated at the Forefront TMG server, preventing attacks by
unauthenticated users.

Highly secure publishing of Remote users can access internal resources or Web servers more securely.
Web servers, internal servers, Link translation is provided.
and Terminal Services

Single sign on Forefront TMG allow users to access a group of published Web sites
without being required to authenticate with each Web site.

Delegation of basic Forefront TMG helps protect published Web sites from unauthenticated
authentication access by requiring the Forefront TMG firewall to authenticate the user
before the connection is forwarded to the published Web site. This
prevents exploits from unauthenticated users from reaching the published
Web server.

Link translation to internal Forefront TMG includes a link translation feature that you can use to create
servers a dictionary of definitions for internal computer names that map to publicly
known names.
 Implements link translation automatically during Web publishing.

SSL bridging support To guard against embedded attacks in HTTP traffic, SSL bridging allows SSL
protected packets to be decrypted by Forefront TMG, inspected, and re-
encrypted.

Virtual Private Networks

Feature Description

Site-to-site VPN Forefront TMG enables quick connectivity between sites via wizard-based
approach. Also can be configured for tunnel-mode IPSec for support of third
party devices.

Remote access VPN Forefront TMG provides termination of L2TP/IPSec and PPTP VPN sessions,
using the native Windows VPN services.

Inspection of VPN traffic VPN traffic terminated on the Forefront TMG server is inspected according to
the appropriate security policy.

VPN quarantine Forefront TMG provides deep VPN client inspection and integration of your
firewall policy.

SecureNAT for VPN clients Forefront TMG helps ensure remote users connected to the network can gain
Internet access while maintaining a strong security policy for the corporate
network.

Publish VPN servers Forefront TMG can be used to publish internal Windows Servers as VPN
servers.

Management

Feature Description

Enterprise policy Policy can be assigned to gateways, arrays, or enterprise-wide.

 Easy-to-use wizards Forefront TMG simplifies configuration with multiple wizards for features
such as Web publishing, Web access, and array configuration.

Real-time monitoring and Logs may be viewed real-time or historically – including active sessions.
reporting

Query building With a built-in query tool, historical data can be found quickly. Complex
queries can be built.

Report creation and Reports can be designed for specific needs and then published locally or to a
publishing network file share.

External logging Logs may be sent to a Microsoft SQL Server located on the internal network.

Delegated permissions Admin roles can be delegated to users or groups.

Networking and Performance

Feature Description

Network load balancing Forefront TMG leverages network load balancing to provide fail over and
scaling of performance.

Network-based You may configure one or more networks, each with distinct relationships to
configuration other networks. Access policies are defined relative to the networks and not
necessarily relative to a specific internal network. Forefront TMG extends the
firewall and security features to apply to traffic between any networks or
network objects.

Caching Forefront TMG provides caching to improve user experience and reduce
bandwidth costs. With the centralized cache rule mechanism of Forefront
TMG, you can configure how objects stored in the cache are retrieved and
served from the cache.

Background Intelligent Forefront TMG provides the caching mechanism for data received through
Transfer Service (BITS) BITS. Any cache rule that you create can be enabled to cache BITS data.
caching

HTTP compression You can reduce file size by using algorithms to eliminate redundant data during
transmission of HTTP packets.
 Diffserv (Quality of Service) Forefront TMG includes packet prioritization functionality (provided by the
Diffserv Web filter), which scans the URL or domain and assigns a packet
priority using Diffserv bits.

Compare TMG with ISA Server 2006 and TMG MBE

ISA 2006 TMG MBE TMG

Firewall √ √ √

VPN (site-to-site and remote access) √ √ √

Web proxy √ √ √

Caching √ √ √

Arrays for load balancing and failover √ √

Non-domain joined gateway √ √

Windows Server 2008 64-bit support √ √

Web anti-malware √ √

HTTPS inspection √

E-mail security  √

Network Inspection System √

ISP redundancy √

Centrally manage Standard and Enterprise Edition gateways √

together (requires Enterprise Edition gateway)