The end of the Threat Management Gateway

In 2009, Microsoft has released the successor to the ISA 2006 server, called the Threat Management Gateway (TMG). Despite the success of TMG, Microsoft in 2012 decided to stop TMG. This means that on 14-04-2015 general support for TMG ends. Concretely this means: no ‘non-security hotfix’, no warranty, no free technical support and no new features or other changes.

The extended support runs until 2020, but Microsoft requires that you close an additional support contract. If you have not done so, then there is no guarantee that you will receive help. Are you currently using TMG? And you wonder what you should do? This article by Martijn Bellaard helps you to get a clear picture.

What is Threat Management Gateway?

Before we can determine what software or appliance will replace the TMG, we must first clear what the TMG is and what it can do. To start with the first question, the TMG is (was) a Unified Threat Management. A UTM is the Swiss army knife of security. TMG is several security products merged into one piece of software. The functions performed by TMG, are:

TMG as a firewall
TMG is an application layer firewall. This means that network traffic up to the application layer is controlled by the TMG. It stops network attacks, such as a DOS attack and inspects incoming traffic for the presence of viruses. Here the TMG has the opportunity to look into encrypted traffic.

TMG as a proxy
Proxy functionality makes it possible to regulate Internet traffic through TMG. Based on a person’s Active Directory account, you can determine what website can be viewed at what moment. Each download is checked for the presence of viruses, which are retained by the TMG.

TMG as a reverse proxy
TMG is best known as a reverse proxy for Exchange, where the TMG server acts as FrontEnd server. After authenticating the user on the TMG, they get access to their mailbox. In particular, the possibility to let TMG control the user authentication is an important advantage. TMG can also publish SharePoint, Remote Desktop Services, websites and other services on the Internet. Many organizations have therefore chosen the TMG because of the reverse proxy functionality.

TMG as SMTP gateway
A lesser known TMG option is the SMTP gateway. Here, the TMG is used as an anti-spam solution. TMG includes some basic anti-spam security features. Exchange and ForeFront are installed on top of the TMG. This gives the possibility of interfacing the TMG to an internal Exchange environment. Here, the TMG acts as Exchange Edge server and thus stopping all spam.

TMG as a VPN server
TMG can also act as a VPN server. In the first place, as VPN servers for clients. Here a connection can be made via PPTP, LT2P and SSL. Installing a client is not needed because Windows contains the client by default. The VPN functionality of the TMG can also create site-to-site VPN. Then you can choose between a TMG-to-TMG VPN or a TMG-to-OtherRouter VPN.

In short, the TMG was and still is a very nice UTM solution for small and medium enterprises. However,… support for TMG stops in 2015 and the question for many organizations is: “What next?”

What next?

The question we have also asked ourselves at TriOpSys. The answer we can be very short: “Buy a different UTM”. Of course, this is where it initially comes down to, but there are some things to be considered.

What does the TMG do?
In the previous section, we have determined what features the TMG supports. The first question we have to ask is “Which of these functions are used within your organization?” Finding the answer to this question is not extremely difficult, but it requires knowledge of the TMG. It not only comes to the features used, but also how they are configured.

The location of the TMG
A second question that needs answered is what the location of the TMG is. This seems an obvious question, after all it is in the server room and probably virtual. Therefore, this is not what I mean. TMG is part of the network and thus has been given a logical place within that network. Where this logical place is, is very important. How do users access the TMG network wise, how does the TMG network wise reach the back end, the Internet, etc.?

Rules of the TMG
A third question is what rules are created within the TMG. Depending on the features that are used, often a basic set of rules is created, but most organizations adjust the rules to better fit with the needs. It is important to know which rules are ever created and why.

The use of SSL certificates in recent years increased considerably. Reading webmail, accessing an intranet or building a VPN is often associated with an SSL certificate. The TMG probably has one or more SSL certificates available. Some are still used and some not. You must decide what you will do with your certificates. Buy new certificates for the new firewall, or reuse the existing certificates?

Now, today
The TMG is probably in use for several years as it was released in 2010. The IT landscape looked very different then. The ICT requirements of an organization have greatly changed recent years. Cloud Computing, remote working, guest networking and BYOD became important themes for an ICT department. The question is whether the TMG still complies with the current configuration. Should there be one to one replacement or a more differentiated solution? Do you choose again for the Swiss Army Knife or go for multiple solutions that specialize in one sub-area? What new security challenges are there you now want to address? All questions you must answer in advance.


Step 1 when replacing the TMG is to get a clear idea of the functions at the moment and it’s placement in the infrastructure. This requires a study of the available functions.
Step 2 is to get the organizational needs clear. Is Cloud used more, is Social Media important to the organization, etc.? An organization changes and that needs to be included in the decisions.
Step 3 is the security policy. What does it say about security, which demands are formulated? A firewall is a security product; the security policy will thus affect the solution you choose.
Step 4 is to look at alternatives. Here step 1 to 3 are included as input. Then you examine what solutions are available and choose the optimal solution for your organization.

Need help?

At TriOpSys, we are happy to help you. Therefore, we have developed a special Quick Scan ‘The TMG replacement QuickScan’. This scan takes up one day and has a fixed price of € 500, -. Our specialist will visit you and explain the current security market, including your options and possibilities. He then discusses the needs of your organization. Finally, he looks at the configuration of the TMG and the location of the infrastructure. Within a week you will receive a handy report containing the findings, a possible alternative to the TMG and an additional recommendation.

Martijn Bellaard has been working for TriOpSys as a lead architect for 3 years. At the beginning of 2017, he has pursued his life-long dream and has become a teacher at the Hogeschool van Utrecht. This article has been published on 29-01-2015.