UAG/TMG Confusion

  • General discussion

  • This is really a question but it's also meant to begin a discussion.

    Can someone explain to me, specifically, what the difference is between UAG and TMG?

    So far as I can currently decipher, UAG is ubiquitous with remote access, whereas TMG is ubiquitous with protected access.  They both, however, facilitate access so, I'm extremely confused as to why we have two separate products instead of just one.  It seems to me it would be much less confusing if there were only one product, perhaps aptly named CAG (Complete Access Gateway).

    Seriously, though, the following are links to a couple of articles I ran across during my research that caused some considerable confusion.

    First, the following link is to a blog posting by the Forefront Threat Management Gateway Product Team that describes how to install TMG on a DirectAccess server.  The important point is that a Registry hack is used to facilitate the passing of IPv6 traffic by TMG since DirectAccess requires IPv6 (TMG doesn't support IPv6).

    http://blogs.technet.com/isablog/archive/2009/09/23/forefront-tmg-and-windows-7-directaccess.aspx

    Second, the following is a link to documentation describing UAG.  It notes that the full TMG product (I'm guessing the above hack is incorporated into the installation routine) is installed but is purposefully gimped (gutted) when UAG is installed.
    http://technet.microsoft.com/en-us/library/ee522953.aspx

    To compound the confusion, under the supported publishing scenarios, only Exchange POP3, Exchange IMAP, and OCS reverse proxy publishing are allowed.  Well, assuming for a moment a customer isn't going to use DirectAccess - which would negate the necessity of those Exchange publishing scenarios - the lack of support for publishing Exchange SMTP means that POP3 or IMAP clients could read mail but not send it.  Or, is Exchange SMTP really supported, only it wasn't added to the list of scenarios?

    It just seems to me that the attempt to separate types of access into separate products is completely counter-productive when so much overlaps.  If that single product (CAG) was developed, there would be a lot less confusion and absolutely no need to attempt to separate access on any level.  That would mean absolutely no confusion among customers trying to determine which solution they need.

    Thoughts?

    Thursday, December 3, 2009 11:08 PM

All replies

  • Hi Jerry,
    TMG is the current incarnation of Microsoft's firewall product, previously known as ISA Server. TMG has many features beyond those of "just" a firewall, such as multiple VPN scenarios, URL filtering, a high level of integration with Microsoft's leading products Exchange and SharePoint, and much more.

    UAG is the current incarnation of Microsoft's reverse proxy and SSL-VPN product, previously known as IAG Server. IAG actually includes TMG as its firewall mechanism, but adds several functions beyond TMG. The primary one is reverse proxy, which allows the organization to publish internal applications to partners or remote users in a way that's more secure than the common "server publishing" employed by many firewalls. Another ability is to let remote users access internal corporate resources using SSL VPN tunneling. UAG has many new features, but this is not the place to pitch a marketing speech.

    In short, you would choose TMG if you wanted to secure your network from outside intrusion, and UAG if you want to publish internal resources in the most secure manner possible. You might use UAG as a firewall, as it includes TMG, but because of the one-way relationship between the two products (UAG uses TMG, and automatically configures it), using TMG alone would give you some more flexibility with its configuration, and especially so if you plan on using an array of firewalls.
    Ben Ari
    Microsoft CSS IAG Support
    Sammamish, WA
    Monday, December 21, 2009 6:36 PM
  • On top of Ben's answer, I would like to add few more thoughts to clarify the confusion.

    Looking forward, we see UAG continuing to evolve in enhancing and extending Remote Access solutions - the ability to access corporate resources from outside. TMG, in turn, is primarily focusing on protecting employees from internet threats when accessing the internet from the office. While combining these roles is possible, we found that most enterprise customers actually prefer to have them separate.

    While having this focus, TMG still maintains the existing (and much loved) feature set of ISA. This includes being a firewall (and TMG/ISA is an excellent firewall). In fact, TMG can be used to improve the security of the DirectAccess server, although the primary method to deploy DirectAccess is UAG.
    TMG also includes remote access and secure web publishing capabilities. This indeed creates some confusion, as some capabilities (e.g. publishing Exchange) can be achieved with both products, UAG and TMG. Still, if your interest is in remote access, you should strongly consider UAG.

    To the point of TMG embedded in UAG... UAG uses TMG as its underlying infrastructure. For example, UAG uses TMG firewall capabilities to protect UAG boxes (including DirectAccess scenarios). Also, UAG uses some infrastructure components from TMG to enable features like array management, SQL logging and others. Still, while the full TMG version is installed, UAG does not support TMG scenario usage outside of the UAG context. For example, you should not configure TMG forward proxy functionality when using it "under UAG".

    We are planning to issue some additional blogs / marketing posts soon to clarify this more

    Hope this helps

    Friday, December 25, 2009 6:51 PM
    One addition: with regards to your SMTP comment - this was missing (a bug) in the documentation in RC0. It is mentioned/allowed/supported and is mentioned as such in the RTM docs, soon available on the web.
    Sunday, December 27, 2009 1:05 PM
    One addition: with regards to your SMTP comment - this was missing (a bug) in the documentation in RC0. It is mentioned/allowed/supported and is mentioned as such in the RTM docs, soon available on the web.

    Thanks for the clarification.

    Still, I'd be curious to know as to under what scenarios Microsoft believes would require the publishing of these protocols through UAG when UAG is ubiquitous with Remote Access.

    But that may be cleared up with answer to another question regarding a statement in the previous post.
    Tuesday, December 29, 2009 1:39 PM
    Looking forward, we see UAG continuing to evolve in enhancing and extending Remote Access solutions - the ability to access corporate resources from outside. TMG, in turn, is primarily focusing on protecting employees from internet threats when accessing the internet from the office.

    Umm... does the statement regarding TMG mean that Microsoft is considering making the TMG line a web proxy server only?
    Tuesday, December 29, 2009 1:43 PM
  • Jerry,

    It's very clear that the TMG firewall will be a network firewall primarily, while UAG will be the unified remote access gateway solution. While web proxy is a small piece of the TMG firewall solution, as you know, there's a lot more to firewalls than forward proxy.

    HTH,
    Tom

    Microsoft ISDUA
    Monday, January 4, 2010 1:20 PM
    Moderator
  • Tom,

    Thanks.

    An unconfirmed rumor in another community indicated that Microsoft will eventually merge the products.  While I expect no official confirmation or denial of that rumor at this time, the logic behind it seems sound so I will deal with the split personality of UAG/TMG for now. :)

    I'm sure there are other, less publicly vocal customers out there that see things the way I do and will impress upon Microsoft our desire to consolidate all types of access into a single product. :)
    Monday, January 4, 2010 3:54 PM
  • Hi Jerry,

    I can't comment on rumors, but what's important is that customers should let MS know what they want!

    As things are positioned now, UAG is designed to be an enterprise solution for remote access, providing the highest level of security for inbound connections into the corporate network, and without any outbound access capabilities.

    TMG is designed as both an inbound and outbound access control/remote access solution for SMBs. While very secure and powerful, it solves other problems and is at a price point that fits more with SMB budgets than UAG.

    Thanks!
    Tom
    MS ISUDA
    Friday, January 8, 2010 2:55 PM
    Moderator
    Could someone please comment regarding the new "SMTP Protection" feature of TMG? I mean the one that uses the Exchange Edge role and Forefront Protection for Exchange. I have two questions here.
    • Will this work when TMG and Exchange Edge are installed on separate boxes, or is the same box required? Say a customer already has an Exchange Edge box deployed behind an existing ISA array. Now he's going to upgrade from ISA to TMG and is interested in the SMTP Protection feature. Should he now move his Exchange Edge box into the new TMG array, or what?
    • Will this work in the case of UAG instead of TMG? As far as I understand, UAG is the solution for incoming connections, and publishing SMTP means incoming connections, right?
    Thanks in advance.
    Saturday, January 16, 2010 5:16 PM
  • @ Pronichkin

    Interesting question, but until now NO answer, that is sad.....

    Regards Timo


    MCSE / MCSA on Windows 2000 / 2003
    Wednesday, May 18, 2011 7:43 AM
    Could someone please comment regarding the new "SMTP Protection" feature of TMG? I mean the one that uses the Exchange Edge role and Forefront Protection for Exchange. I have two questions here.
    • Will this work when TMG and Exchange Edge are installed on separate boxes, or is the same box required? Say a customer already has an Exchange Edge box deployed behind an existing ISA array. Now he's going to upgrade from ISA to TMG and is interested in the SMTP Protection feature. Should he now move his Exchange Edge box into the new TMG array, or what?
    • Will this work in the case of UAG instead of TMG? As far as I understand, UAG is the solution for incoming connections, and publishing SMTP means incoming connections, right?
    Thanks in advance.


    A1: No, the Edge role needs to be installed on TMG. The new Edge role on TMG will replace an existing Edge deployment.

    A2: No, only specific elements of TMG are supported on the UAG platform as discussed here: http://technet.microsoft.com/en-us/library/ee522953.aspx SMTP server publishing is supported, but this is used when you are using TMG to provide access to an SMTP server located on another server (not TMG itself).


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, May 18, 2011 10:31 AM
    Moderator
  • @ Pronichkin

    Interesting question, but until now NO answer, that is sad.....

    Regards Timo


    MCSE / MCSA on Windows 2000 / 2003

    Answered ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, May 18, 2011 11:15 AM
    Moderator
  • Answered :-)

    Regards Timo


    MCSE / MCSA on Windows 2000 / 2003
    Wednesday, May 18, 2011 11:25 AM