Microsoft Axing Forefront TMG Due to Exchange Security Improvements
- By Kurt Mackie
- July 17, 2013
Microsoft is phasing out its Forefront Threat Management Gateway (TMG) product in part because it's no longer needed to secure newer versions of Exchange and Exchange Online.
Newer versions of Exchange are secure enough that authenticating users at the network edge, before their traffic ever reaches an Exchange server, is less necessary, said Microsoft's Greg Taylor, principal program manager lead for the Exchange customer adoption team, in a blog post on Wednesday. The products are now built with more secure code, so routing traffic through a separate device to carry out user pre-authentication is no longer a necessity, according to Taylor.
Along those lines, Taylor explained why Microsoft decided to stop selling its Threat Management Gateway (TMG) product, which provides such pre-authentication when placed in front of Exchange. Microsoft announced it would stop selling TMG 2010 in December as part of a series of Forefront product changes. Essentially, Taylor argued, TMG is no longer needed to protect Exchange: it just gets in the way and adds network complexity without adding much security.
TMG was needed back in the days when Exchange ran on Windows 2000, according to Taylor. Since then, Microsoft's Trustworthy Computing effort, its Secure Windows Initiative and the adoption of its Security Development Lifecycle coding process have made such pre-authentication approaches optional, at best, for protecting Exchange, he explained.
Not only is TMG unnecessary, Taylor suggested, but in the end it is just a firewall, and so, in effect, are the various load balancers used with Exchange; both add complexity to the network. He didn't altogether dismiss using load balancers with Exchange, however. He just suggested that adding pre-authentication to them buys little in the way of security.
"If you hang one leg of your load balancer on the Internet, and one leg on your LAN, and you operate a secure and well managed Windows/Exchange Server -- you have a more secure environment than you think," Taylor wrote. "Adding pre-authentication and layers of networking complexity in front of that buys you very little extra, if anything."
Taylor didn't explain which versions of Exchange on which Windows Server versions would not need such pre-authentication support. Pre-authentication isn't required for Exchange Online and Microsoft doesn't use it for any of its own messaging deployments, he indicated.
Alternative Microsoft Technologies
One alternative to pre-authenticating Exchange traffic is to use Application Request Routing (ARR) in Internet Information Services. ARR provides a reverse-proxy approach, and the ARR server itself can be a machine that is not joined to the domain, according to Taylor.
Another option is to use a Windows Server 2012 R2 feature called "Web Application Proxy" (WAP). WAP is a remote access role that supports browser- and device-based authentication and works with Active Directory Federation Services (AD FS). Taylor stated that WAP is where Microsoft's Windows team is currently concentrating its efforts. However, he added that WAP currently supports pre-authentication only for Outlook Web App users, not for users of Microsoft's Outlook Anywhere or Exchange ActiveSync protocols.
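To make the WAP split described above concrete, here is an added PowerShell example (not from Taylor's post and not Microsoft's own documentation) that publishes Exchange through Web Application Proxy in two ways: Outlook Web App with AD FS pre-authentication, and the Outlook Anywhere and ActiveSync paths as pass-through, since WAP cannot pre-authenticate those clients. The host names, certificate thumbprint and relying-party trust name are placeholders; it assumes the WAP server has already been joined to an AD FS farm with Install-WebApplicationProxy and that a relying party trust for OWA already exists in AD FS.

```powershell
# Added example: publishing Exchange behind Web Application Proxy (Windows Server 2012 R2).
# Run in an elevated PowerShell session on the WAP server itself.
# Every name below is a placeholder for illustration, not a value from the article.

$externalHost = 'mail.contoso.com'                          # placeholder public name
$backendHost  = 'exch01.corp.contoso.com'                   # placeholder Client Access server
$certThumb    = '0123456789ABCDEF0123456789ABCDEF01234567'  # placeholder external cert thumbprint
$rpName       = 'Outlook Web App'                           # placeholder relying party trust in AD FS

# 1. OWA: browser clients can follow the AD FS redirect, so require pre-authentication.
#    Unauthenticated requests are stopped at the proxy and never reach the Exchange server.
Add-WebApplicationProxyApplication `
    -Name 'Exchange OWA' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName $rpName `
    -ExternalUrl "https://$externalHost/owa/" `
    -BackendServerUrl "https://$backendHost/owa/" `
    -ExternalCertificateThumbprint $certThumb

# 2. Outlook Anywhere (RPC over HTTP), ActiveSync and the protocols they depend on
#    cannot complete an AD FS redirect, so WAP can only pass them through.
#    Exchange itself authenticates these clients, which is exactly the trade-off
#    the load-balancer vendors quoted in the article object to.
$passThroughPaths = @(
    '/rpc/',                          # Outlook Anywhere
    '/Microsoft-Server-ActiveSync/',  # Exchange ActiveSync
    '/Autodiscover/',                 # client configuration lookup
    '/EWS/',                          # Exchange Web Services
    '/OAB/'                           # offline address book download
)

foreach ($path in $passThroughPaths) {
    Add-WebApplicationProxyApplication `
        -Name "Exchange $path" `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl "https://$externalHost$path" `
        -BackendServerUrl "https://$backendHost$path" `
        -ExternalCertificateThumbprint $certThumb
}

# 3. Verify which published paths are protected by pre-authentication and which are not.
#    Anything listed as PassThrough is exposed to unauthenticated traffic from the Internet.
Get-WebApplicationProxyApplication |
    Sort-Object ExternalPreauthentication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl -AutoSize
```

The final listing is the check worth keeping: in a WAP deployment of this vintage, only the OWA entry will show ADFS, and every other Exchange path shows PassThrough, which is the gap Taylor's post acknowledges and the reason the Kemp and F5 representatives quoted below still argue for pre-authentication on their own appliances.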
Taylor didn't mention Microsoft's Forefront Unified Access Gateway (UAG) product, which is billed as a replacement for TMG, although it's considered more expensive. Service Pack 3 for UAG 2010 added publishing support for Exchange 2013 and SharePoint 2013.
Companies engaged in the business of providing load balancers or application delivery controllers (ADCs) and partnering with Microsoft, such as Kemp Technologies and F5 Networks, were familiar with Taylor's arguments as he had outlined them at the 2012 Microsoft Exchange Conference in Orlando, Fla. They had mixed reactions about doing away with pre-authentication, though.
Bhargav Shukla, director of product research and innovation at Kemp Technologies, made the argument that pre-authentication is still needed to protect Exchange deployments, particularly to blunt distributed denial-of-service (DDoS) attacks and reduce server workloads. Kemp specifically addressed the needs of Microsoft's TMG customers in May when it rolled out its Edge Security Pack addition to its LoadMaster product line, which adds pre-authentication and single sign-on controls for Exchange environments.
"The OS layer of security of Exchange itself might be secure, but that doesn't mean you can't optimize the network," Shukla said in a phone interview. "That's the idea: security is never a single layer, it's always multiple layers. So as the traffic's coming in, and if it's unauthenticated, is it OK to pass it on completely to Exchange and let Exchange and the operating system it is running on do its job? Or is it better to have yet another layer of security that is going to do its work and reduce the workload? On Exchange, for example, if you have unauthenticated traffic coming in, whether it's an attack or not, if it is not trusted traffic and you pass it on to Exchange, and Exchange is going to do the work on authenticating the traffic, that definitely puts some stress on the authentication infrastructure. If you're doing that work at a different layer, during or before it gets to Exchange, you're definitely going to reduce that work. Exchange is only going to get the traffic that actually needs to get authenticated."
Shukla acknowledged that there are pros and cons to using pre-authentication, as it adds to troubleshooting and management tasks. However, the complexity isn't so important if the customer wants pre-authentication support, he argued.
"While Microsoft says that this [pre-authentication] might be adding complexity, customers are willing to take that complexity head on to address their security needs," he said. "Whether it's warranted or not is always argued." He added that customers "aren't giving up the idea that pre-authentication is always needed."
F5 Networks provides ADC products that support Exchange, specifically its BIG-IP Local Traffic Manager appliance solution, which enables pre-authentication via an Access Policy Manager module. According to Jeff Bellamy, senior director of ISV and technology alliances at F5 Networks, pre-authentication is still an important part of securing Exchange.
"We do believe that pre-authentication is very important for customers," Bellamy said in a phone call. "Without that pre-authentication, customers are really exposing domain-joined servers directly to the Internet, which we believe is a risk customers can and should avoid."
Load balancing itself is a requirement for Exchange, something Microsoft has acknowledged in recent years, according to Bellamy.
"With [Exchange] 2013, they [Microsoft] have been really explicit how the load balancer is a required component," he said. "But in application delivery controllers, we do much more than just the load balancing functionality."
Bellamy also argued for the firewall protection aspects of ADCs used with Exchange.
"We look at it from Layer 3 through Layer 7," he said. "Being able to prevent Web application attacks, such as DDOS attacks for example, we believe is very important in an Exchange environment and should be protected."
Microsoft has suggested that it provides such protections itself for the Exchange Online service in Office 365, but F5 supports those customers as well. For instance, F5's BIG-IP and Access Policy Manager products are being used to provide secure single sign-on access to Office 365 accounts, Bellamy explained. In addition, F5 is working alongside Microsoft on Active Directory Federation Services by providing high availability for it, he said.