
Mar 06, 2018


www.fortinet.com

Solution Brief

Replacing Microsoft’s TMG with FortiWeb for Application Publishing

How to use a FortiWeb Web Application Firewall to replace the application publishing functionality of Microsoft’s discontinued Forefront Threat Management Gateway for Exchange, SharePoint, Lync and other Microsoft applications

Overview

Microsoft’s 2012 product discontinuation announcement for the Forefront Threat Management Gateway (TMG) presents challenges for their existing customers as the support deadline approaches in April 2015. Although TMG offered comprehensive security services such as firewall, IPS, and VPN, most customers used it to easily publish Microsoft applications using its included authentication services and single sign-on capabilities.

For users that are seeking to replace this functionality, Fortinet’s FortiWeb Web Application Firewalls (WAFs) are a proven and cost-effective way to publish Exchange, SharePoint, Lync and OWA, along with any other web application. In addition to the basics of publishing these applications, FortiWeb also gives these and any other web-based applications advanced security and web application firewall protection that isn’t available in Microsoft’s discontinued TMG product.

Replacing Your Forefront Threat Management Gateway

Microsoft’s Forefront TMG provided a host of services that in many ways offered the functionality of a Next Generation Firewall (NGFW) or Unified Threat Management (UTM) platform that included network routing, firewall, IPS, antivirus, antimalware and VPN. TMG was an acceptable security product when it was first introduced; however, most organizations quickly outgrew its capabilities. Although it wasn’t a great fit for today’s high volume data center environments, its integrated authentication services to Exchange, SharePoint, Lync and other Microsoft applications provided a simple and inexpensive way to provide single sign-on to these various platforms.

If you were using TMG as a full-fledged firewall and IPS, Fortinet offers its award-winning lineup of FortiGate UTM and NGFW products to provide comprehensive security that is much better than the TMG platform. If you’re simply looking to replace TMG’s load balancing and authentication services, a FortiWeb WAF is an easy way to do this while adding the benefits of a WAF to your data center.

Please note that this solution brief only presents a replacement for the Microsoft Forefront TMG application publishing functionality. If you require a complete replacement for all TMG features, Fortinet recommends you look to a complete UTM or NGFW firewall solution such as our FortiGate line of firewall products.


The following table compares the features of the Forefront TMG and FortiWeb:

| Feature | TMG | FortiWeb |
|---|---|---|
| Application Delivery | | |
| Reverse proxy deployment | Yes | Yes |
| SSL Offload (Software/Hardware) | SW | HW and SW* |
| SSL inspection | Yes | Yes |
| L7 load balancing | Yes | Yes |
| Caching/Compression | Yes | Yes |
| Authentication portal | Yes | Yes |
| Authentication delegation | Yes | Yes** |
| Single sign-on (SSO) | Yes | Yes |
| Security | | |
| Layer 3/4 firewall | Yes | No |
| Protection for known server vulnerabilities | Yes | Yes |
| Protection for application layer attacks (SQL Injection, XSS, PHP/OS/LDAP/RFI/LFI injection and more) | No | Yes |
| Antivirus/Antimalware | Yes | Yes |
| HTTP RFC conformance | Yes | Yes |
| Automatic layer 7 anomaly-based application baselining and threat detection | No | Yes |
| Data Leak Prevention (CC, SSN, server/application leakage) | No | Yes |
| IP Reputation | No | Yes |

* Hardware SSL option is device/model dependent.
** Delegation using HTTP basic only.

Using a FortiWeb WAF to Publish MS Applications

The two main elements that made publishing Microsoft applications so easy with TMG were its layer 7 load balancing and authentication management. Just like TMG, FortiWeb offers these two features and makes it just as easy to set up these applications as TMG.


Every application, including Microsoft applications, is both protected and published using a server policy configuration. Using “pre-authentication”, any application can be set up to allow for single sign-on using any LDAP server, including Microsoft Active Directory, and RADIUS.

FortiWeb offers the features you need to publish your MS Applications:

• Authentication Portal and Delegation
• Single Sign-On
• Layer 7 Load Balancing
• Software or Hardware-based SSL Offloading

Advanced WAF Protection

Besides an easy way to publish your Microsoft applications, FortiWeb provides the advanced protection of an award-winning Web Application Firewall for your Microsoft and any other web-based applications.

FortiWeb web application firewalls secure your web-based applications and internet-facing data from attack and data loss, using advanced techniques to provide bidirectional protection against malicious sources, application layer DoS attacks and sophisticated threats like SQL injection and cross-site scripting. FortiWeb offers:

• A Vulnerability Scanner module within the web application firewall that completes a comprehensive solution for PCI DSS requirement 6.6.
• Protection against the OWASP Top 10 web application vulnerabilities.
• Centralized Management and Administrative Domains (ADOMs) provide the ability to manage multiple FortiWeb gateways from a single console and provide administration rights to designated domain owners to manage their own applications separately from others on the same FortiWeb device.
• FortiGuard IP Reputation Service helps protect against automated web attacks by identifying access from botnets and malicious sources.
• Bot dashboard analyzes traffic from malicious robots, crawlers, scanners and search engines.
• Automatically and dynamically profiles user activity to create a baseline of allowed usage.
• Network and application layer DoS/DDoS protection.
• SSL encryption co-processing accelerates transaction times, offloads encryption functions, and reduces web server processing requirements.
• Layer 7 load balancing and content-based routing increases application speeds, improves server resource utilization and stabilizes applications.

Summary

The discontinuation of Microsoft’s Forefront Threat Management Gateway has created a gap for many customers that needs to be filled. Depending on the level of TMG services deployed, these customers will need to look for other options to provide continuity for their users. Although TMG offered many security services including network routing, firewall, IPS and VPN for internal clients, most organizations retained TMG for its ability to publish Exchange, SharePoint, Lync and OWA for secure external access. Its ability to provide single sign-on to these applications made it an easy choice to maintain even though many of these organizations added other products for firewall, IPS and VPN.


For customers that need to replace TMG’s Microsoft application publishing capability, a FortiWeb Web Application Firewall can easily handle the task with the same simplicity and features as TMG. If you need a complete security solution to replace all the TMG features, a FortiGate UTM or NGFW should be looked at to provide services such as firewall, IPS and VPN.

To learn more about replacing your existing Microsoft Forefront TMG with FortiWeb Web Application Firewalls or other Fortinet products, please contact us or your Fortinet Reseller Partner.

GLOBAL HEADQUARTERS
Fortinet Inc.
899 Kifer Road
Sunnyvale, CA 94086
United States
Tel: +1.408.235.7700
Fax: +1.408.235.7737
www.fortinet.com/sales

EMEA SALES OFFICE
120 rue Albert Caquot
06560, Sophia Antipolis, France
Tel: +33.4.8987.0510
Fax: +33.4.8987.0501

APAC SALES OFFICE
300 Beach Road 20-01
The Concourse
Singapore 199555
Tel: +65.6513.3730
Fax: +65.6223.6784

LATIN AMERICA SALES OFFICE
Prol. Paseo de la Reforma 115 Int. 702
Col. Lomas de Santa Fe,
C.P. 01219 Del. Alvaro Obregón
México D.F.
Tel: 011-52-(55) 5524-8480

Copyright© 2014 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.