Forefront Threat Management Gateway 2010 (TMG)


Learn about the features and benefits of Microsoft Forefront Threat Management Gateway 2010 (TMG), which is designed to provide a comprehensive, secure Web gateway that helps protect employees from Web-based threats.

Highlight: HTTPS

HTTPS Inspection, an innovative feature, enables Forefront TMG to inspect inside users' SSL-encrypted Web traffic. By inspecting within these encrypted sessions, Forefront TMG can both detect possible malware and limit employee Web usage to approved sites. Sensitive sites, such as banking sites, can be excluded from inspection.


Compare TMG with ISA Server 2006 and TMG MBE

New Features



URL Filtering

Destination URLs are examined for compliance with corporate policy and for the malicious potential of the destination Web site. Forefront TMG uses Microsoft Reputation Services for URL filtering, combining multiple sources to increase coverage of URLs and categorization.

Web antivirus/antimalware protection

Inbound and outbound Web traffic is inspected for viruses and malware, including archived folders. Encrypted folders can be blocked. For large files, the file is trickled to the user to assure them that the download is in progress.

E-mail security

Forefront TMG provides central management for Exchange and Forefront Protection 2010 for Exchange when located on the same server. Forefront TMG does not include either Exchange or Forefront Protection 2010 for Exchange; both must be purchased and installed separately.

HTTPS inspection

HTTPS-encrypted sessions can be inspected for malware or exploits. Specific groups of sites, such as banking sites, can be excluded from inspection for privacy reasons. Users of the TMG Firewall Client can be notified of the inspection.

Network Inspection System (NIS)

Traffic can be inspected for exploits of Microsoft vulnerabilities. Based on protocol analysis, NIS enables blocking of classes of attacks while minimizing false positives. Protections can be updated as needed.

Granular HTTP controls

Forefront TMG provides strong controls over Web-based threats, delivering customizable, granular controls for HTTP traffic, including HTTP method controls, file download controls, and signature-based blocking.

Firewall Protections

Multi-layer firewall

Forefront TMG provides access control and protection on three layers: packet filtering, stateful inspection, and application layer filtering.

Application layer filtering

Forefront TMG provides deep content filtering through built-in application filters.

Enhanced Network Address Translation (NAT)

Forefront TMG now enables you to specify individual e-mail servers that can be published on a 1-to-1 NAT basis.

Enhanced Voice over IP support

Forefront TMG includes SIP traversal, enabling simpler deployment of Voice over IP within the network.

Windows Server 64-bit support

Forefront TMG is installed on Windows Server 2008 with 64-bit support.

Highly Secure Application Publishing

Highly secure e-mail access from Outlook client

Remote users can access Exchange Server using the full Outlook MAPI client over the Internet without establishing a VPN connection. The connection is encrypted for security.

Highly secure publishing of Web servers and Terminal Services

Remote users can access internal resources or Web servers more securely. This prevents exploits from unauthenticated users from reaching the published Web server. Outlook Web Access users can be authenticated at the Forefront TMG server, preventing attacks by unauthenticated users. Link translation is provided.

Extensive protocol support

Forefront TMG delivers out-of-the-box support for many protocols. New protocols can be defined.

Single sign on

Forefront TMG allows users to access a group of published Web sites without being required to authenticate with each Web site.

Delegation of basic authentication

Forefront TMG helps protect published Web sites from unauthenticated access by requiring the Forefront TMG firewall to authenticate the user before the connection is forwarded to the published Web site.

DoS protections

Forefront TMG provides resiliency against flood attacks and re-allocates resources to provide higher security inspection.

Link translation to internal servers

Forefront TMG includes a link translation feature that you can use to create a dictionary of definitions for internal computer names that map to publicly known names. Link translation is applied automatically during Web publishing.

Simple Outlook Web Access and Microsoft Office SharePoint Server publishing

Simple wizards allow quick configuration of remote access for both Outlook Web Access and SharePoint servers.
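Link translation as described under application publishing, shown as an added Python example that is not TMG's own code: the gateway keeps a dictionary of internal computer names mapped to publicly known names and rewrites links and redirect targets in the published server's responses before they reach the Internet client. The host names intranet-sp01, owa-int, portal.example.com and mail.example.com are constructed for the example.

```python
import re
from typing import Dict, Tuple

# Constructed sample dictionary: internal computer name as it appears in
# links -> publicly known name that Internet users are meant to see.
LINK_DICTIONARY: Dict[str, str] = {
    "http://intranet-sp01.corp.local": "https://portal.example.com",
    "http://intranet-sp01": "https://portal.example.com",
    "http://owa-int": "https://mail.example.com",
}

# Only text bodies are rewritten; binary content passes through untouched.
TEXT_TYPES = ("text/html", "text/css", "text/javascript", "application/javascript")


def _compile(dictionary: Dict[str, str]) -> "re.Pattern[str]":
    # Longest names first, so "intranet-sp01.corp.local" is never partially
    # rewritten as "intranet-sp01". The lookahead requires the name to end at a
    # path, query, fragment, quote, whitespace, tag close or end of text, so an
    # unrelated host such as intranet-sp01-backup is left alone.
    names = sorted(dictionary, key=len, reverse=True)
    alternation = "|".join(re.escape(n) for n in names)
    return re.compile(rf"({alternation})(?=[/?#\"'\s>]|$)", re.IGNORECASE)


def translate_text(text: str, dictionary: Dict[str, str] = LINK_DICTIONARY) -> str:
    """Replace every internal name from the dictionary with its public name."""
    lookup = {name.lower(): public for name, public in dictionary.items()}
    return _compile(dictionary).sub(lambda m: lookup[m.group(1).lower()], text)


def translate_response(headers: Dict[str, str], body: bytes,
                       dictionary: Dict[str, str] = LINK_DICTIONARY) -> Tuple[Dict[str, str], bytes]:
    """Apply link translation to one response from a published server.

    A redirect target is always rewritten, because an internal name in Location
    sends the browser straight at a host it cannot reach. The body is rewritten
    only for text types, and Content-Length is recomputed afterwards.
    """
    out = dict(headers)
    if "Location" in out:
        out["Location"] = translate_text(out["Location"], dictionary)
    if out.get("Content-Type", "").lower().startswith(TEXT_TYPES):
        body = translate_text(body.decode("utf-8", "replace"), dictionary).encode("utf-8")
        if "Content-Length" in out:
            out["Content-Length"] = str(len(body))
    return out, body
```

Matching is case-insensitive and anchored, so a longer dictionary entry or an unrelated host that merely begins with an internal name is never partially rewritten.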

Virtual Private Networks

Site-to-site VPN

Forefront TMG enables quick connectivity between sites via a wizard-based approach. It can also be configured for tunnel-mode IPsec to support third-party devices.

Remote access VPN

Forefront TMG provides termination of L2TP/IPsec and PPTP VPN sessions, using the native Windows VPN services.

VPN quarantine

Forefront TMG provides deep VPN client inspection and integration of your firewall policy.

SecureNAT for VPN clients

Forefront TMG helps ensure remote users connected to the network can gain Internet access while maintaining a strong security policy for the corporate network.

Inspection of VPN traffic

VPN traffic terminated on the Forefront TMG server is inspected according to the appropriate security policy.

Publish VPN servers

Forefront TMG can be used to publish internal Windows Servers as VPN servers.

SSL bridging support

To guard against embedded attacks in HTTP traffic, SSL bridging allows SSL-protected packets to be decrypted by Forefront TMG, inspected, and re-encrypted.

Management

Enterprise policy

Policy can be assigned to gateways, arrays, or enterprise-wide.

Easy-to-use wizards

Forefront TMG simplifies configuration with multiple wizards for features such as Web publishing, Web access, and array configuration.

Real-time monitoring and reporting

Logs may be viewed in real time or historically, including active sessions.

Query building

With a built-in query tool, historical data can be found quickly. Complex queries can be built.

Report creation and publishing

Reports can be designed for specific needs and then published locally or to a network file share.

External logging

Logs may be sent to a Microsoft SQL Server located on the internal network.

Delegated permissions

Admin roles can be delegated to users or groups.

Networking and Performance

Network load balancing

Forefront TMG leverages network load balancing to provide failover and scaling of performance.

Network-based configuration

You may configure one or more networks, each with distinct relationships to other networks. Access policies are defined relative to the networks and not necessarily relative to a specific internal network. Forefront TMG extends the firewall and security features to apply to traffic between any networks or network objects.

Caching

Forefront TMG provides caching to improve user experience and reduce bandwidth costs. With the centralized cache rule mechanism of Forefront TMG, you can configure how objects stored in the cache are retrieved and served from the cache.

Background Intelligent Transfer Service (BITS) caching

Forefront TMG provides the caching mechanism for data received through BITS. Any cache rule that you create can be enabled to cache BITS data.

HTTP compression

You can reduce file size by using algorithms to eliminate redundant data during transmission of HTTP packets.

Diffserv (Quality of Service)

Forefront TMG includes packet prioritization functionality (provided by the Diffserv Web filter), which scans the URL or domain and assigns a packet priority using Diffserv bits.

Compare TMG with ISA Server 2006 and TMG MBE

The comparison covers ISA Server 2006, TMG MBE, and TMG on the following features:

- Firewall
- VPN (site-to-site and remote access)
- Web proxy
- Caching
- Arrays for load balancing and failover
- Non-domain joined gateway
- Windows Server 2008 64-bit support
- Web anti-malware
- HTTPS inspection
- E-mail security
- Network Inspection System
- ISP redundancy
- Centrally manage Standard and Enterprise Edition gateways together (requires Enterprise Edition gateway)
