RRAS vs ISA Server vs Forefront Threat Management Gateway

Question

I was hoping someone could explain to me the differences between RRAS, ISA Server and Forefront Threat Management Gateway. As far as I can tell they all sort of do exactly the same thing?

1. RRAS allows Routing and VPN on Windows Server 2008.

2. ISA Server 2006 (although not compatible with Windows Server 2008) and Forefront TMG 2010 provides Routing, VPN and Firewall...

But seeing as Windows Server 2008 comes with its own Firewall, why would anyone need to use ISA or TMG? Is it just for convenience/easier management?

I was pretty annoyed to discover that ISA Server isn't compatible with Windows Server 2008 (and that TMG isn't included in any MS subscriptions), but then I discovered RRAS and it made them both seem rather pointless.

Is it true? Thanks for any help in understanding this.

Answer 1

Massimo pretty much answered this question in another post:

You can use RRAS for firewalling, NAT and VPN, so, yes, you can give a single public IP address to your Windows Server 2008 firewall and have it route traffic for all your internal network and forward specific ports (f.e. 80) to your internal servers, and you can also have it act like a VPN server (PPTP and/or L2TP). RRAS has been around since Windows 2000, and it does its job quite nicely for simple setups.

It isn't a full firewall/proxy solution, though; you can't define fine-grained policies, it doesn't do any web proxying (be it straight or reverse), it can't filter traffic at the application level and it doesn't log network traffic for further analysis.

In short: yes, RRAS can do anything you need, simply and somewhat crudely; but it isn't a full-blown network access and security solution like ISA or TMG.

Good stuff. Closing.