Of late, I have seen that a lot of customers and even partners are confused about the differences between the capabilities of Forefront Threat Management Gateway (TMG) and Forefront Unified Access Gateway (UAG).
The most important difference is that TMG is an "inbound AND outbound" access gateway: it includes a network-level firewall with stateful packet inspection and application filtering, a forward and reverse web proxy, and a VPN server (for remote users and for site-to-site links). TMG is focused on keeping the bad guys out and, to a certain extent, on letting the good guys in. UAG, on the other hand, is an "inbound-only" secure remote access gateway whose whole purpose is letting "the good guys" in more securely, with finer control over who gets to what.
I need TMG if:
- I need an inbound and outbound access gateway
- I need a state-of-the-art firewall with stateful packet inspection and application filtering capabilities to protect my network
- I need built-in IPS (Intrusion Prevention System) on that firewall
- I need a secure forward proxy for users on my network to access the internet
- I need to be able to do web filtering based on individual URLs or URL categories (like Politics, Sports, Pornography, etc)
- I need to be able to monitor my users' web activity and keep firewall logs
- I need to be able to block unproductive websites and services (like IM, P2P, video sharing, etc)
- I need to protect my users from web-based threats (web antivirus, web antimalware, block malicious websites)
- I need Forward HTTPS inspection to protect users against web threats that are hidden inside HTTPS
- I need to publish (reverse proxy) services to the internet (web servers, email servers, webmail, extranet, intranet and internet portals, etc.)
- I need SSL bridging (terminating SSL on the gateway and inspecting the decrypted traffic before re-encrypting it to the back end) to protect my published servers against threats embedded inside SSL
- I need protection for vulnerabilities that are publicly known but do not yet have a patch released, via the Network Inspection System (NIS), the signature-based IPS built into TMG
- I need site-to-site VPN
- I need a VPN server for my users in addition to all the above
I need UAG if:
- I need an ‘inbound only’ access gateway
- I need to enable my users to securely access internal resources remotely (while they are outside the company network)
- I need to enable Secure VPN access for users when they are outside my network
- I need to quickly and easily enable DirectAccess for my Windows 7 users
- I need to ensure only healthy and secure remote machines can access information/services/applications in my network with appropriate user authentication
- I need to be able to define which applications or services these users can access and granularly define the security policies that will govern access to these services remotely
- I need to ensure that these users can access these applications regardless of whether they are web-based, Terminal Services, RemoteApp or Citrix, without having to establish a VPN connection.
- I need to give my users the ability to access these applications from a mobile device or a non-Windows client such as a Mac or a Linux machine.
- I need to provide a web-based portal that a user can log in to remotely and launch these applications from, without connecting a VPN, provided his machine is healthy.
- I need to provide a web-based portal from which a user can either establish a secure SSTP VPN session or access file servers directly (with no VPN at all), provided his machine passes my organization's health requirements.
- I need to be able to easily define the security/machine health policies for machines that are attempting to access these applications.
- I have smaller remote sites where I have small numbers of users with no site-to-site VPN and just an internet connection. I need to provide them secure access to my applications over the internet.
As you can see, each product is specialized to deliver very focused capabilities. Hence it is quite possible that some organizations need both solutions while others need only one. For many smaller organizations that need a one-product solution to protect their network and provide reasonably secure remote access, TMG would be the answer. However, for designs that focus purely on inbound access, UAG needs to be considered. Note that UAG installs TMG underneath it as its own firewall, but that TMG instance is there to protect the UAG server itself; it is not meant to serve as the organization's outbound proxy or edge firewall. If an organization has separate TMG/ISA Server arrays – one for inbound access and another for outbound access – the solution is simple: use a UAG array instead for inbound access and continue using TMG for the outbound array.