We used ISA Server 2006 as network firewall, router, and VPN server - and I loved ISA Server, because it did exactly what it was supposed to do, nothing less, nothing more (ok, something more, e.g. caching). Then we migrated to Forefront TMG, which I ... didn't hate. Now I need to set up a new small local network and I can't find/believe that MS doesn't have anything like ISA/TMG; I still think I simply can't find it - what I need is exactly what good old ISA Server (or TMG) did. I don't like to install and use an already discontinued product (TMG), but it will probably end up this way. I've read several articles about either non-MS alternatives, or that the best alternative for TMG is ... TMG. Is there some replacement for ISA/TMG from Microsoft (another server product, or maybe a feature in WS2012R2?) and I just can't find it, or did MS really abandon this field?
3 Answers
There is no Microsoft replacement for ISA Server, Forefront TMG or UAG but there is now an obvious "Microsoft supported" option for publishing websites to the Internet.
You should install the "Web Application Proxy" (WAP) role on a suitably hardened Windows 2016 server that's connected to the internet and use this to publish your Exchange, SharePoint and other Microsoft-specific services. It is designed to integrate with ADFS to enable Single Sign-On for all sites published via the WAP, and can redirect attempts to connect via HTTP to HTTPS painlessly (this was an issue with the Windows 2012R2 WAP IIRC, which is why I suggest the 2016 version).
We've managed to retire a UAG server that had a number of sites published by moving them all to be published via WAP.
- Oh, great, at least something for Exchange! Thanks :) – Robert Goldwein Dec 30 '16 at 22:29
- Revisiting this old question - we ended up keeping TMG until now, "don't fix it if it ain't broken." But now it's time to switch - we only need an edge firewall, VPN (DirectAccess), and to publish Exchange / IIS / SQL that reside in the internal network - what's wrong with the idea that we'd just use a server with two NICs with reasonably hardened Windows Server 2019 with WAP as NAT router? It doesn't sound right, just to use Windows Server as edge firewall, etc., but that's not rational. Is there something I'm missing? Thank you! – Robert Goldwein Apr 25 '19 at 21:07
- It very much depends on what you're trying to do @RobertGoldwein. If you're just talking about protecting clients then use a "traditional" firewall. As for publishing apps/services you have a few options - you can publish apps via Azure Application Proxy these days, you can still work with the WAP role on a local server (which will work nicely for DirectAccess, btw, and is close to your idea of a hardened Windows server with 2 NICs), or publish through firewall appliances, e.g. a Palo Alto. I guess you make your choice dependent on your needs. Not sure if it's worth updating my answer with all this.. – Rob Moir Apr 25 '19 at 21:17
- Thanks for the quick reply. There's no need to update your answer. Yes, we heavily depend on Azure and we publish all production there; this is basically just about connecting the internal network to the internet, enabling VPN to the internal network, and publishing a few servers (IIS, TFS, Exchange, SQL). I know that I can achieve that by adding just some router to the rack, but I still prefer to use WS as a gateway, so I'm trying to figure out whether I'm just missing something, or WS2019 today is for that use as good as old WS2003 with ISA or WS2008 with TMG, if this makes sense. Again, thanks! – Robert Goldwein Apr 25 '19 at 21:34
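As an added illustration of the WAP approach recommended in the answer above (this is example code, not from the answer or from Microsoft's documentation), the following PowerShell installs the role on a Windows Server 2016 host, binds it to an AD FS farm and publishes two Exchange endpoints with different pre-authentication modes. All hostnames, certificate subjects and the relying-party name are placeholders.

```powershell
# Added example: Web Application Proxy on Windows Server 2016.
# All names below (adfs.example.com, mail.example.com, exch01.corp.example.com,
# 'Exchange OWA RP') are placeholders for this illustration.

# 1. Install the WAP role. The host must be domain-joined and able to reach
#    the internal AD FS farm; the proxy itself stores no user credentials.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# 2. Bind the proxy to AD FS. The certificate must carry the federation
#    service name in its subject/SAN; the trust credential (an admin on the
#    AD FS server) is used once during setup and is not stored on the WAP.
$fsName = 'adfs.example.com'
$fsCert = (Get-ChildItem Cert:\LocalMachine\My |
           Where-Object { $_.Subject -like "CN=$fsName*" } |
           Select-Object -First 1).Thumbprint
Install-WebApplicationProxy -FederationServiceName $fsName `
    -CertificateThumbprint $fsCert `
    -FederationServiceTrustCredential (Get-Credential)

# 3. Publish Outlook Web App with AD FS pre-authentication, so requests
#    reach Exchange only after the user has authenticated at AD FS.
#    -EnableHTTPRedirect (new in 2016) answers plain-HTTP requests with a
#    redirect to the HTTPS external URL, which the answer notes was the
#    gap in the 2012 R2 proxy.
$owaCert = (Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -like 'CN=mail.example.com*' } |
            Select-Object -First 1).Thumbprint
Add-WebApplicationProxyApplication -Name 'Exchange OWA' `
    -ExternalPreAuthentication ADFS `
    -ADFSRelyingPartyName 'Exchange OWA RP' `
    -ExternalUrl 'https://mail.example.com/owa/' `
    -BackendServerUrl 'https://exch01.corp.example.com/owa/' `
    -ExternalCertificateThumbprint $owaCert `
    -EnableHTTPRedirect:$true

# 4. Edge case: ActiveSync clients cannot follow the AD FS browser redirect,
#    so that path is published pass-through. Exchange still authenticates
#    every request; the proxy only terminates TLS and forwards.
Add-WebApplicationProxyApplication -Name 'Exchange ActiveSync' `
    -ExternalPreAuthentication PassThrough `
    -ExternalUrl 'https://mail.example.com/Microsoft-Server-ActiveSync/' `
    -BackendServerUrl 'https://exch01.corp.example.com/Microsoft-Server-ActiveSync/' `
    -ExternalCertificateThumbprint $owaCert

# 5. Check: list what is published so nothing is exposed pass-through by
#    accident. Every row should match an intended external URL and backend.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalUrl, BackendServerUrl -AutoSize
```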
You can use Sophos UTM 9 network firewall, including web browsing protection, anti-spam filter and antivirus protection.
Sophos UTM helps you consolidate your security without compromising its effectiveness. By combining multiple security layers, it's simple to protect your users everywhere while making security easier to deploy and manage.
You can download a trial version from here.
- Thanks, I checked that website, it seems interesting, but when I see "Request a quote" instead of actual price (per user or per server, etc.), I usually close the browser and never come back to that site. – Robert Goldwein Dec 10 '15 at 10:53
Officially there is no Microsoft solution to replace Forefront TMG.
If you need a reverse proxy, you can use products like BIG-IP by F5, Barracuda WAF, Citrix NetScaler, NGINX... Microsoft Web Application Proxy (available in Windows Server 2012 and later) is an option but has very limited features and can't be compared with specialized solutions.
Same answer for a VPN site-to-site gateway or point-to-site gateway: Windows Server includes these features but with fewer options than a specialized solution from Cisco, Juniper...
Regards.
Stanislas
- Well, I'm looking for something like ISA 2006 - firewall/router/VPN - so e.g. I can publish Exchange, which is on the internal network or DMZ, or other servers that are in the DMZ or internal network, to publish rules that are applied to specific user groups, to have a VPN server that authorizes against a Domain Controller, application layer filtering, etc. I miss ISA Server, it was a great product. – Robert Goldwein Dec 10 '15 at 10:42
- We all agree that ISA/TMG were good products. In your case, I would have a good look at F5 solutions for reverse proxy. They work closely with the Microsoft team (Exchange, Office 365 & Azure) and they have good skills on those kinds of web publishing. I saw them in many projects on SharePoint and Exchange publishing. – Stanislas Quastana Pro Dec 10 '15 at 17:27