ISA/TMG/IAG/UAG what is the difference!

Lot of people are confused about the difference between ISA/TMG/IAG/UAG, so I thought it would be a good idea to share this information hopping it will clear up this confusion.

Microsoft has lately released the “Forefront Threat Management Gateway (TMG)” formerly known by “Internet Security and Acceleration Server (ISA)”.
Microsoft has also released the “Forefront Unified Access Gateway (UAG)” formerly known by “Internet Access Gateway (IAG)”. By the way both products are run on 64bits only

So this means that TMG is the new version of ISA and UAG is the new version of IAG, mmm pretty simple right?

What is the Difference between TMG and UAG?

Forefront Threat Management Gateway “TMG” is now the recommended outbound internet proxy for internal corporate users. It will include advanced anti-virus, anti-malware, and intrusion detection features. Some of these services will need subscriptions, since they need constant signature updates.

One cool new feature is the ability to inspect HTTPS traffic. But you say, ISA could do that when it was put into SSL bridging mode. True, but now TMG can inspect SSL traffic generated by external web sites. TMG will impersonate the external site’s SSL certificate, act as a man in the middle, and perform application level inspection of the traffic. So no longer downloads from the internet via HTTPS to bypass malware scanning.

Another pretty good feature is that you can configure ISP redundancy to distribute outbound traffic between two ISP connections using failover between a primary and backup link, load balancing, or a combination of both. More info

Forefront Unified Management Gateway “UAG” is now the recommended inbound access server for your corporate published resources, so it will act as a reverse proxy for applications such as OWA, MOSS, and robustly supports DirectAccess, it has also enhanced capabilities for remote application publishing (TS Remote App).

Same as IAG which included ISA under the hood, UAG will also have the TMG engine lying beneath. So also in UAG you will not directly configure TMG. TMG is merely there to harden the UAG box and make it more secure, not to provide TMG functionalities for other applications. More on this topic here

The big change

I think by now you are asking yourself is this means that I can’t use TMG as a reverse proxy anymore in my organization?
Well the answer is that technically there are no restrictions to use it but it is not recommended by Microsoft anymore, like it was the case with ISA server.

TMG or UAG when to use it?

You only use TMG whenever you need to control internet access and protect your corporate internet users from web based malware.  You use UAG whenever you need access to your corporate published resources like OWA, Outlook anywhere, remote apps, etc. if you need both kinds of access you will have to install both products the TMG and UAG.

Finally it is good to know that Microsoft, not only supports, but it is also pushing forward virtualizing TMG and UAG on Hyper-v since it will provide more flexibility to scale out once you have high demand and you need to increase the number of servers.

For additional information check Microsoft road map for TMG and UAG.

Experienced Consultant Team Lead with a demonstrated history of working in the information technology and services industry. Skilled in Azure, Skype for Business, SQL Server, Iaas, Saas, PaaS, ITIL, Microsoft Solutions, and Servers. Strong information technology professional, technology passionate.

Posted in Security Tagged with: , , , , ,
3 comments on “ISA/TMG/IAG/UAG what is the difference!
  1. Abid_aliryk says:

    nice very good

  2. Dagudboi says:

    So if i want to provide Cloud-like services, UAG is the way to go then. 

Leave a Reply

Your email address will not be published. Required fields are marked *