It was generally known on the Internet that something was up; Forefront Threat Management Gateway (TMG) was considered by many (on forums and blogs) as walking dead. People knew it was just a matter of time that an announcement would come. And so it did yesterday, but I did not expect the actual breadth of the announcement. The following products will no longer be available after December 1st, 2012:
User Access Gateway continues; it’s been used by people who have deployed W2008 R2 Direct Access so that they don’t have to deploy IPv6 on the LAN. It’s only a matter of time, because that functionality has been put in WS2012 Direct Access, meaning that UAG won’t be required for current version DA deployments.
Forefront Identity Manager apparently has a roadmap and will “continue to be actively developed”.
The produce formerly known as Forefront Endpoint Protection (the client and server file system/memory AV scanner) was moved to System Center with the release of SysCtr 2012 because of the reliance on Configuration Manager as the management console (also can use Intune). The definition updates are common across versions so updates will continue.
What about anti-malware protection for Exchange? Here’s what Microsoft had to say:
As part of this effort, the next release of Forefront Online Protection for Exchange, which has long been part of the Office 365 solution, will be named Exchange Online Protection.
In response to customer demand, we are adding basic antimalware protection to Exchange Server 2013. This protection can be easily turned off, replaced, or paired with other services (like Exchange Online Protection) to provide a layered defense.
Forefront Online Protection is the cloud based product; think Postini or MessageLabs, but run by Microsoft for Exchange. Anyone planning on running Exchange 2010 or older will not have an on-premises defence for Exchange after December 1st (see FPE in the above table). If you want on-site Exchange protection, you’ll have to look at 3rd party Exchange security solutions, otherwise upgrade to Exchange 2013 for “basic antimalware protection”. I’ve been recommending online and onsite protection – onsite protection defends against “internal” threats such as roaming or remote workers.
The question is how do you publish (reverse proxy) Microsoft web-based services?
Microsoft abuses the HTTP standard for RPC over HTTP and NTLM, so whilst *most* MS web services are OK published by any hardware firewall/application publishing appliance, RPC over HTTP and NTLM are more picky and difficult. The affects Outlook Anywhere (deprecated by Outlook 2013 supporting OWA) and Remote Desktop Gateway.
ISA/TMG is the only supported method for publishing these services. UMG will work, but Aidan, you think it’s on borrowed time too. Otherwise the only working option is Squid. And Squid’s “support” is, well, tempermental.
There is a solution called Application Request Routing (ARR) for IIS that has been around for some time. Don’t know too much about it but it might be worth looking at:
http://www.iis.net/downloads/microsoft/application-request-routing
“IIS Application Request Routing (ARR) 2.5 enables Web server administrators, hosting providers, and Content Delivery Networks (CDNs) to increase Web application scalability and reliability through rule-based routing, client and host name affinity, load balancing of HTTP server requests, and distributed disk caching. With ARR, administrators can optimize resource utilization for application servers to reduce management costs for Web server farms and shared hosting environments”.
I was going to suggest ARR too. I was thinking of trying out Forefront UAG again here in our small shop (we’re an ISV partner but I like to keep up to date with all things Windows & server-related – I don’t want to be one of those software guys who just says “it’s your server’s fault, just call your IT guy” without at least having the knowledge to back it up).
Anyway, I was reading the deployment guide for Windows Server Essentials 2012 and what people should do if they wish to have Exchange 2010 rather than Office 365 alongside it. MS say that Exchange is NOT supported on the Essentials server (unlike what they used to do with SBS) and, to publish Exchange but still keep remote deskop publishing, etc to use IIS ARR. There’s a good guide on how to set it up at http://technet.microsoft.com/en-us/library/jj200172.aspx in the section “Configure a reverse proxy”. I’m going to try it later on my regular server 2012 installation and look at publishing CRM, SharePoint, Lync & Exchange… Probably a bit ambitious but good fun and great learning 🙂
I agree with the Exchange piece. I originally purchased it a few years ago and it came with the Online Protection free for two years. So I used the online, which included Anti-Spam, and never even bothered installing it locally.
I wish Endpoint Protection would have been a separate Server Component rather than integrate it with SCCM. The Integration is great for medium to large businesses, but not a realistic expense for a Small Businesses.
With regard to UAG, their support for the new suite of products (Win 8, SharePoint 2013, Exchange 2013, etc) is highly lacking. In fact, Microsoft has stated that Exchange 2013 will not be supported in UAG until Exchange 2013 SP1…
I’m not sure what Microsoft is doing here, but they are creating a huge gap in product compatiblities with no real clear consolidated edge / reverse proxy solution.