A lot of people are confused about the difference between ISA/TMG/IAG/UAG, so I thought it would be a good idea to share this information, hoping it will clear up the confusion.
Microsoft has recently released “Forefront Threat Management Gateway (TMG)”, formerly known as “Internet Security and Acceleration Server (ISA)”.
Microsoft has also released “Forefront Unified Access Gateway (UAG)”, formerly known as “Internet Access Gateway (IAG)”. By the way, both products run on 64-bit only.
So this means that TMG is the new version of ISA and UAG is the new version of IAG. Pretty simple, right?
What is the difference between TMG and UAG?
Forefront Threat Management Gateway “TMG” is now the recommended outbound internet proxy for internal corporate users. It includes advanced anti-virus, anti-malware, and intrusion detection features. Some of these services require subscriptions, since they depend on constant signature updates.
One cool new feature is the ability to inspect HTTPS traffic. You might say that ISA could already do that when it was put into SSL bridging mode. True, but TMG can now also inspect SSL traffic to external web sites: TMG impersonates the external site’s SSL certificate, acts as a man in the middle, and performs application-level inspection of the traffic. So downloads from the internet over HTTPS can no longer bypass malware scanning.
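One practical consequence of this inspection mode is that clients behind TMG no longer see the external site’s real certificate but one re-signed by the enterprise inspection CA. The following is an added example (not from the original post or from Microsoft) showing how an administrator can tell from the client side whether a session is being inspected: it examines the issuer of the certificate the client actually receives, using the dictionary shape that Python’s `ssl.SSLSocket.getpeercert()` returns. The CA name “Contoso TMG HTTPS Inspection CA” and the sample certificates are constructed placeholders.

```python
"""Tell whether an outbound HTTPS session is being inspected by a forward
proxy (e.g. TMG HTTPS inspection) by checking who issued the certificate
the client actually received. Added example; CA names are constructed."""
import socket
import ssl

# Constructed placeholder: subject CN of the enterprise HTTPS-inspection CA
# that the proxy uses to re-sign external sites' certificates.
INSPECTION_CA_NAMES = {"Contoso TMG HTTPS Inspection CA"}


def _rdn_to_dict(name):
    """Flatten the ((('commonName', 'x'),), ...) tuple form that
    ssl.SSLSocket.getpeercert() uses for subject/issuer into a plain dict."""
    return {key: value for rdn in name for (key, value) in rdn}


def classify_peer_cert(cert, inspection_ca_names=INSPECTION_CA_NAMES):
    """Return 'inspected' when the leaf certificate was issued by the
    enterprise inspection CA, otherwise 'direct' (issued by some other CA)."""
    issuer_cn = _rdn_to_dict(cert["issuer"]).get("commonName", "")
    return "inspected" if issuer_cn in inspection_ca_names else "direct"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check (needs network): return the peer certificate as a dict.
    If the inspection CA is not trusted by this client the handshake fails,
    which is itself a sign that the connection is being intercepted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples: what a client sees without and with inspection.
DIRECT_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA Inc"),),
               (("commonName", "Example Public CA"),)),
}
INSPECTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Contoso"),),
               (("commonName", "Contoso TMG HTTPS Inspection CA"),)),
}

if __name__ == "__main__":
    for label, cert in (("direct", DIRECT_CERT), ("inspected", INSPECTED_CERT)):
        print(label, "->", classify_peer_cert(cert))
```

To run it against a real site from a workstation behind the proxy, pass the result of `fetch_peer_cert("www.example.com")` to `classify_peer_cert`; on Windows, Python loads the machine’s trusted root store, so a GPO-deployed inspection CA is accepted.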
Another pretty good feature is ISP redundancy: you can distribute outbound traffic between two ISP connections using failover between a primary and a backup link, load balancing, or a combination of both. More info
Forefront Unified Access Gateway “UAG” is now the recommended inbound access server for your corporate published resources: it acts as a reverse proxy for applications such as OWA and MOSS, robustly supports DirectAccess, and has enhanced capabilities for remote application publishing (TS Remote App).
Just as IAG included ISA under the hood, UAG has the TMG engine lying beneath. But in UAG you do not configure TMG directly: TMG is merely there to harden the UAG box and make it more secure, not to provide TMG functionality for other applications. More on this topic here
The big change
I think by now you are asking yourself whether this means you can’t use TMG as a reverse proxy in your organization anymore.
Well, the answer is that technically there is no restriction on using it that way, but Microsoft no longer recommends it, as it did with ISA Server.
TMG or UAG: when to use which?
Use TMG whenever you need to control internet access and protect your corporate internet users from web-based malware. Use UAG whenever you need to give access to your corporate published resources like OWA, Outlook Anywhere, remote apps, etc. If you need both kinds of access, you will have to install both products, TMG and UAG.
Finally, it is good to know that Microsoft not only supports but is also pushing forward virtualizing TMG and UAG on Hyper-V, since it provides more flexibility to scale out once demand is high and you need to increase the number of servers.