Which product replace TMG functionality?


  • Hi,

    I have several customers that wanted to deploy TMG Server as a web proxy/firewall back-end, but we all know that TMG is dieing? Which product offers exactly the same functionalities?

    Cristian L Ruiz

    Thursday, November 8, 2012 7:57 PM


All replies

  • Exactly the same is a big ask and I assume you are focusing here on outbound web proxy and firewall only?

    A lot of the solutions from Juniper, Palo Alto, Fortinet amongst others provide firewall products that also include outbound proxy features. It is just a matter of reviewing which one best meets you exact needs.

    I have heard good things about Palo Alto and Fortinet from "ex-TMGers" and I also have some experience with the Juniper SSG appliances which provide good firewall/VPN features and also proxy-type security functionality (HTTP AV scanning, IPS, URL filtering etc.)



    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: and

    Friday, November 9, 2012 10:47 AM
  • Hi,

    Thank you for the post.

    For publishing scenario, you may consider UAG:


    Nick Gu - MSFT

    Monday, November 12, 2012 9:21 AM
  • And for website and VPN replacement use Direct Access, I have recently set this up and it works well as a VPN replacement.


    Monday, November 12, 2012 9:47 AM
  • Direct Access is not a replacement of VPN in few scenarios, e.g. VPN for external workers who shouldn't access all services as company's workers. Of course we can implement several Direct Access implementations in one company, but external workers are enforced to have desktops in company's domain.

    Abandon of ISA/TMG line is completely stupid Microsoft's step. In our case, every Exchange migration/implementation is equal to implementation of ISA/TMG. They don't want to use other types of software - because just mail admins can control how smtp or other types of traffic behaves. Now, some "network guys" will be responsible how it will work.

    I don't know other error-less software from Microsoft that just works. And Microsoft wants to abandon it.

    I know company with ISA 2006 array performing tasks as:
    - VPN concentrator;
    - LAN/WAN router with 5 connected networks and virtually 3 next connected by dialup lines;
    - web proxy for internal users;
    - publishing for external users.

    Completely stupid step.

    Monday, November 12, 2012 11:28 AM
  • Hi E-micra

    Everyones setup is different, im not sure i understand your point about VPN, if they have a user account on the domain say domain\smithj then there access is controlled by the domain, it dont matter if they sit on a PC in the office or a laptop/desktop at home they still hav ethe same access, if at home its provided by direct access.

    I also agree Microsoft dropping TMG is a big deal lots of people use it., shame really.

    Monday, November 12, 2012 11:40 AM
  • Hi Duncan320,

    I know that every installation is completely different, but ISA/TMG with some lacks of functionality (IPv6 or publishing of Lync arrays) are good tools for many, many tasks. What is strange - we have two companies which want to implement TMG arrays in the next year - they know, that Microsoft abandons ISA/TMG, one of them have UAG array, but they still want to implement completely new TMG or migrate from ISA 2006. 

    In many companies where main proxy gateway is not on ISA/TMG but on some type of hardware - they very often use ISA/TMG used only for publishing also as an emergency exit.  

    Monday, November 12, 2012 11:52 AM
  • Hi E-micra

    Everyones setup is different, im not sure i understand your point about VPN, if they have a user account on the domain say domain\smithj then there access is controlled by the domain, it dont matter if they sit on a PC in the office or a laptop/desktop at home they still hav ethe same access, if at home its provided by direct access.

    I also agree Microsoft dropping TMG is a big deal lots of people use it., shame really.

    Direct Access is only supported on Domain Joined machines?  GPOs required? 

    TMG is awesome, UAG is not suitable as it costs so much more because of more comprehensive functionality.  Maybe this is why TMG being dropped, in favour of license hikes for those that need continued support?

    Ash Cox

    Monday, November 12, 2012 2:01 PM
  • Hi,

    Thank you for the post.

    DirectAccess servers and clients must be memebers of an AD DS domain.


    Nick Gu - MSFT

    Tuesday, November 13, 2012 2:23 AM
  • People,

    thanks for all replies that I will be analyze.

    But! When I ask for a TMG replacement, I am looking for just one product the could replace the same, I repeat, "the same" functionalities of TMG/ISA.

    As an IT professional with 14 years experience I learned and taught ISA Server (MCT), I am very sad with the decision of Microsoft.

    Cristian L Ruiz

    Tuesday, November 13, 2012 2:50 AM
  • Cristian,

    the answer is very simple - it's impossible. This is the problem and Microsoft persuades us, that it's possible.

    Semi-official answer: changes in tcp/ip stack in Windows 2012 are bigger and TMG is not prepared for it. Cute.

    Question: how long will we wait for UAG (without TMG) for Windows 2012?


    Tuesday, November 13, 2012 8:00 AM
  • Does anybody test or use the firewalls from McAffe (McAfee Firewall Enterprise) or Checkpoint (Check Point VPN-1 UTM)?

    Cristian L Ruiz

    Monday, December 17, 2012 6:50 PM
  • I am looking at F5's virtual network appliance for Hyper-V and I expect that it will be the best alternative to using Microsoft Forefront TMG and UAG.

    If F5 delivers on this I will say goodbye to Microsoft for edge security and just fold it in as a part of my System Center 2012 SP1 private cloud for 2013. This does appear to be Microsoft's direction on this manner I just wish they would of said it sooner and make it clear to consumers.

    Nathan Storms | The Architect Evangelist

    Monday, December 17, 2012 8:56 PM
  • Cristian,

    the answer is very simple - it's impossible. This is the problem and Microsoft persuades us, that it's possible.

    Semi-official answer: changes in tcp/ip stack in Windows 2012 are bigger and TMG is not prepared for it. Cute.

    Question: how long will we wait for UAG (without TMG) for Windows 2012?



    It is understandable, that IP stack is growing. But why Microsoft is dropping the Forward Proxy Functionality? The whole ISAPI filter system is so advanced and so many products is using this...



    Thursday, March 21, 2013 11:58 AM
  • We purchased two tird-party TMG appliances last year and haven't implemented them yet.

    Much to our surprise we cannot even purchase the HTTP anti-v or content filtering subscription as of 12/31/12.

    What are we supposed to do now!

    Monday, April 8, 2013 3:47 PM
  • I just have learned recently of TMG's demise and am very sad about it, too.

    An important point many people seem to forget/miss is user authentication and, how I'd call it, transparent proxying/firewalling (Firewall Client). There is a lot of "crap" LOB software out there which doesn't play with NTLM/Kerberos authenticating proxies; either you go for an IP rule nightmare, which is neither flexible nor secure, or you use a TMG approach incorporating Firewall Client. And if needed just drop a proxy exclusion using Group Policy to the users based on Group Membership and you are good to go.

    In my view some organizations seem to be a bit too IP-centric; what we have been practising for years and I regard the "real MS AD way" is to base the majority of user permissions on group memberships ("roles"); so the user is an independent entity - no matter what PC, no matter the network segment the user logs in - the permissions follow. We have a lot of this, users using PCs from their colleagues, moves of people between departments, stuff like that. And it might also be a legal issue "who did xy".

    So if someone can recommend a firewalling/proxying solution that can transparently handle "stubborn applications" in a way TMG did then please let me know. Reverse proxying of RD Web Access, Exchange ActiveSync, web servers as well as PPTP (PEAP) are also important for us. I don't know if there is one appliance/software that fits all or if different pieces of equipment are required in our situation.



    Tuesday, May 7, 2013 8:16 AM
  • Hello Christian,

    We've conducted an in-depth case study of all available TMG replacement products some time ago (at the beginning of 2013) and made a write-up about our experiences here:

    Among the tested products were big names like Cisco, F5, Citrix and many others, but we ended up picking Sophos UTM as our replacement of choice due to their flexibility, price/performance and almost perfect match feature wise.

    If you want to discuss this further, shoot me a tweet @JornLutters, or reply on our blog :)

    • Edited by JornLutters Tuesday, July 16, 2013 2:15 PM Link added
    Tuesday, July 16, 2013 1:59 PM
  • Wow Jorn, thanks for that blog post. We too are in the same boat (need to replace TMG at some point) and that writeup is great!

    Tuesday, October 1, 2013 6:32 PM
  • Customers of ISA / TMG who still want to use TMG, can do so until about 2020, until MS ends support. There are many vendors still actually selling TMG as a solution.

    GFI WebMonitor also has a URL filtering / web security plugin which allows users who want to replace the URL filtering functionality.

    SharePoint Customization Tips:

    Tuesday, November 5, 2013 1:35 PM
  • Louis,

    Is this the Citrix Virtual appliance VPX version ?

    /* Server Support Specialist */

    Thursday, November 7, 2013 6:44 AM
  • Hey Jorn,

    You mentioned that TMG supports client certificate auth in forward proxy scenario (last bullet point below):

    • Foward proxy
      • URL filtering with URLCategories
      • Content scanning
      • Malware filtering
      • HTTPS inspection
      • User authentication
        • Active Directory Integration
        • Or using Basic or NTLM authentication
        • With two-factor support using client certificates

    Can you please help me how to achieve that. i want my clients to pass a certificate that proxy will validate.

    Thursday, January 16, 2014 11:35 PM
  • Hi Vijetra,

    from what I see in the TMG 2010 GUI SSL auth is only supported in:

    1. Forward proxy: Only if the TMG is an upstream server then downstream servers can authenticate using a certificate. This does not seem to be a valid/working scenario for end users. At least that's what the message box tells me.
    2. Reverse proxy: Web listeners can be configured to require a client certificate. If you combine that with Kerberos Constrained Delegation (KCD) you can even drive client cert auth for web sites that do not support certificate auth per se.

    I guess in the VPN part there might also be certificates in the play, but I haven't looked there and it was not the point of the question.

    Hope that helps,


    Monday, January 20, 2014 7:48 AM
  • My vision that many Microsoft users are only IT people and don't know the differences in types of firewalls. Proxy is just one of type of corporate firewall. The way to solve the request from your customers - to educate them that there are other types of firewall which are not based of proxy technologies.

    I see that people installed HTTP proxy many years ago and in reality missed all other protocols security. What about threats (for example viruses or vulnerabilities) in RDP, POP3, SMB, OSPF and other protocols they have and use in their networks?

    Nowadays people should controls traffic of all application they use - not only HTTP. That is why the class of products who inspects only HTTP - is dying. Therefore (I guess) Microsoft decided to stop this product as this was designed to control only HTTP and webmail.

    Many companies start to use normal firewalls which controls all other applications in their networks. Besides such firewalls work for internal people transparently together with more deep protection when they visit some website categories, with blocking malware in downloads and uploads, intrusions by hackers, inspection threats inside SSL or SSH file transfers and so on.

    The market now looks at UTM and NGFW devices and my vision that every company should see on this. NGFW appliances are designed on specialised network hardware platform in comparison to UTM appliances which are software based components installed on usual HP or IBM servers. UTM is cheaper and NGFW is more reliable. UTM = Unified Threat Management, NGFW = Next Generation Firewall.

    So my solution: you can google for NGFW and buy any NGFW device you need. This will increase your security and provide real good network device with all routing an switching functions.

    If you ask me what I prefer then my answer: Palo Alto Networks. For example here you can see how many applications you can control by Next Generation Firewall:


    Microsoft MVP Enterprise Security 2008-2014

    Saturday, December 27, 2014 12:11 PM
  • @Denis: You make some very good points here which I agree to - yet there are some specialities of TMG that have to be taken into account:

    In our corporation TMG has filled other gaps than that of a traditional proxy only (we have separate content filter systems for regular web and e-mail traffic):

    1. A useful helper to cope with the "stubborn" apps. Although .NET is finally improving things a bit yet still there are so many little and bigger developer studios with specialized LOB applications that just aren't able to properly cope with an NTLM proxy. And even in .NET it is not a given that people use the DefaultNetworkCredentials of the CredentialCache. I strongly believe in role-based concepts and sticking permissions to users, not IPs and have people and part-time workers moving around; so the TMG Client enables those problematic applications to still get online even as they do not support NTLM proxy servers.

    2. Publishing. TMG has become the enabler of a kind of enterprise portal with several web sites/applications published for employees and specific partners. This includes EAS, RDWeb, OWA and several IIS sites. I should also mention that most of them are "full-featured" - using Kerberos Constrained Delegation to cope eg. with double hop problems to the SQL backends and to ensure that the best security protocol in use. Exchange for example is mapped to different hostnames to enable testing/transitioning from account-based EAS to certificate-based EAS.

    3. The VPN functionality (using PEAP) has solved many remote access needs for certain managers and partners where stuff like our Cisco VPN Client just was to clumsy and maintenance-intensive on uncontrolled/unknown PCs. It's a pity what happened to PPP and that people don't differentiate between PAP/CHAP and PEAP/EAP-TLS yet I agree, something has to be done here in the near future.

    Point 3 is quite obvious and I have no doubt that almost any NGFW or whatever product can solve this. What we regrettably lose is a comfort/"out-of-the-box" experience - VPN clients can be a challenge of their own, especially when multiple products reside on the same machine (as with partners that have to support multiple customers with different VPN systems). And the clients need to be NAT-safe (UDP encapsulated or HTTPS).

    But I'm a bit doubtful/hesitant about 1 and 2:

    Point 1 needs some kind of client software provided by the NGFW manufacturer to force WinSOCK API calls over the NGFW proxy instead of trying to go directly. It seems Barracuda has something like this but I haven't tested it yet/haven't checked to what degree. This can certainly be solved in other but clumsy and maintenance-intensive ways like establishing a proxy service on a different port with only Basic Auth and requiring to configure all of these LOB apps manually.

    Point 2 is probably the most difficult to solve. I'm not sure which of the manufactures provide proper KCD support, multiple listeners with different auth schemes for different scenarios and mapping single hosts in different ways. And if such a product exists can we afford it on our tight budget?

    We are currently in progress migrating our Cisco PIX to Barracuda NG but still struggle with our partner to get the simple stuff (firewall rules) right so it remains to be seen what Barracuda can do for us on the TMG side. It may take some months or a year but I could let you know how we fared then.

    It just makes me a little bit nervous when people like KEMP have a TMG deprecation webcast about 2 months ago yet can't show their security module with Kerberos support which was at that time "under development" :-) Technical realities and requirements often collide with marketing brochures ...



    Monday, December 29, 2014 9:10 AM
  • In my searching for a proxy web server replacement I've really liked CCproxy.

    CCProxy is a light weight software package that can be used to make any internet facing Windows machine into a proxy server.  I discovered it through Google searching and reading forums while looking for a replacement for Microsoft Threat Management Gateway 2010.

    The thing that most impressed me with CCProxy is how utterly simple it is.  You download a small executable from their site, install it in about 20 seconds or less on an internet facing Windows OS, and you have the framework in place.  That's it.  Depending on how strict your monitoring/user based access/web filtering needs are and how familiar you are with the product you are seriously just a few minutes to a couple of hours from download to a fully functional, in use proxy service.

    Compare that to TMG 2010 or ISA 2004. Those products take hours to get set up and running to be a proxy server, and that's if you know what you are doing.  The difference really being that the Microsoft proxy products include a huge mountain of more advanced features beyond just proxy web servicing.  If you need your proxy server to also be a firewall, router, malware detector, traffic inspector/snooper then they have their place.  But for basic proxy web service they are overkill.

    CCproxy has everything most places would need in a proxy.  User/group based access with a windows domain can be configured.  Traffic types allowed and ports are customizable.  Live monitoring of web use and which IPs using it.  Text file based, customizable, long term logging that is simple, clean and efficient.  It can use the openDNS platform for intelligent web filtering.  Text file based white and black list ability.  Time restricted access.  Mail proxy for SMTP and POP3 ability.  Web page Caching.  Using another proxy server for the internet access (they call that Cascading proxy).

    Anyhow, I haven't used it for long.  But I was able to figure it all out to get it running exactly how I wanted it within about 2 hours and I've been greatly impressed.  The licensing prices aren't bad either.  As of this writing it was around between 4-7 dollars per client that connects to it (depending on how many you buy, it gets cheaper per seat).

    Here is the link to the Youngzsoft site:

    Sunday, April 5, 2015 2:50 AM
  • For simple forward scenarios certainly nice but I guess there are a myriad of products including firewalls for that part :-) The tricky part is doing reverse proxying rightusing different auth schemes (Kerberos, NTLM, passthrough, ...) and hostname/path mappings and URL rewrites.

    If it does the job for you, great!

    Tuesday, April 7, 2015 7:27 AM
  • Just as a little update, in case you missed it: For reverse scenarios we now have at least a little glimpse of hope in the Windows Server 2012 R2 product. There is a new Web Application Proxy role to install. Web Application Proxy is meant to combine Federation Proxy Services and Reverse Proxying capabilities. One important prerequisite is that you need at least one AD FS server based on 2012 R2 (don't now if lower AD FS versions will work) even if you are just trying to reverse proxy. It goes without saying that you also need Certificate Services but I can hardly imagine an AD forest doing without nowadays.

    There is one or another caveat regarding auth capabilities yet you can already do Kerberos or pass-through auth. For Kerberos you get the nice Federation Services login form (you need to publish the AD FS server, too).

    For more info see: (great webcast comparing IIS ARR and the new Web Application Proxy role) (from TechEd, haven't had time to fully watch on my own)

    MS at least claims that the Web Application Proxy capabilities/auth schemes will be expanded in the upcoming server OS releases (not so funny regarding licensing, however, except you have an EA).

    Regards, Markus

    Tuesday, April 7, 2015 7:42 AM
  • As a follow-up, Citrix seems to have stepped-up their game pretty much, the NetScaler series now claim to be a full and feature-complete TMG replacement - you can find the documents here:

    Regrettably I did not have time to take a look at a demo/trial yet but just the mention and samples of KCD and forms-based among other technologies makes me optimistic that this may finally be the product that goes full-circle.

    - Markus

    Friday, February 16, 2018 10:03 AM