Microsoft has stopped selling Forefront Threat Management Gateway, and will stop selling Forefront Unified Access Gateway later this year. With these products going away, a very common question I am hearing from customers these days is “What do I do to secure my Exchange deployment now?” As a consultant I love this question because it gives me a chance to give my favorite answer; “It depends”.
Before we start to answer the question at hand, let’s examine why Microsoft is deprecating these security products.
The first part of the answer to why Microsoft has decided to deprecate TMG and UAG might seem a little self-evident. Microsoft is a software company, and as a software company Microsoft wants to sell you new software. Microsoft’s strategy for selling you new software is centered around producing better versions of their products and thusly making it worthwhile for you, as their customer, to upgrade to new versions of their software. I know this can sound a little obvious, but the heart of the answer to the original question is that Exchange 2013 running on Server 2012 is a much better product than Exchange 2003 running on server 2003 so you no longer need to put a TMG server in front of your Exchange servers.
In recent years Microsoft has made considerable investments in Trustworthy Computing and Managed Code, which has resulted in higher quality and more secure products. The result is that many of Microsoft’s products in general, and Exchange specifically, is much more secure. This more secure product can give you a lower Total Cost of Ownership by reducing and or eliminating the need for you to deploy additional security measure like TMG or UAG.
As an aside, it’s important to note that Microsoft is keenly interested in reducing the TCO of Exchange. Exchange Online offers no-cost mailboxes to likely millions of students and relatively inexpensive mailboxes to North of one hundred million customers, so you can bet that Microsoft is driven to make every Exchange Online mailbox as inexpensive as possible. If they can safely remove a TMG server, that makes Exchange Online less expensive for them to run.
All this is fine and good, but I am well aware that there are companies out there who will not expose their Exchange servers directly to the internet no matter what I say. What so does Microsoft expect these customers to do? Fear not, citizen. Windows Server 2012 R2 can replace both the pre-authentication and the reverse proxy functionality of TMG/UAG. Web Application Proxy and Application Request Routing are features that are available within Windows Server 2012 R2 that replace the pre-authentication and reverse proxy functionality of TMG/UAG. WAP and ARR are considerably less complicated, easier to maintain, and more reliable than TM/UAG ever were. While it’s hard for me to tally the outages I have seen prevented by TMG/UAG, it’s pretty easy for me to recount the numerous outages I have seen caused by misconfigured TMG/UAG servers. Not only that, but there is no additional licensing cost beyond the license for Windows Server, so these solutions are considerably less expensive too. Exchange Online Protection and the Edge role in Exchange 2013 SP1 (not yet available at the time of this writing) round out the Exchange security offerings directly from Microsoft.
If all that is not enough for you, many Hardware Load balancers (you are using a HLB in front of your Exchange servers, right?) now offer security add-ons as well. I am a big fan of Kemp’s Edge Security Pack as it is easy to deploy and fairly inexpensive. I believe Cisco, F5, and Citrix hardware load balancers all offer similar security solutions as well.
So to sum up, Exchange 2013 (and other current generation Microsoft products) are safe to publish directly to the internet. If your company requirements are such that is not an option, then there are a number of easier to deploy and maintain first and third party options you can put in front of your Exchange servers.
Question? Comments? Let me know below…