Microsoft has just published further details and guidance regarding the discontinuation of TMG Web Protection Services, and it contains some potentially alarming information for those still using Forefront TMG as their network’s web protection system.

As you no doubt know, Microsoft announced Forefront TMG’s end of life in September 2012, and that Microsoft’s Reputation Services (MRS) will be ‘turned off’ on the 31st of December 2015.

It was well understood that at this point Forefront TMG would become a very ineffective secure web gateway, as it would no longer receive signature or categorization updates.

But perhaps what was not well understood is that the URL Filtering feature will stop working entirely.

That means any rules configured to block categories such as Pornography or Malicious web sites will no longer work, making it open season on your network for dangerous sites that were previously blocked at the gateway.

Remember the default web access rule called Block Web Destinations that prevents the following categories of sites from being accessed?

  • Anonymizers
  • Botnet
  • Criminal Activities
  • Gambling
  • Hate/Discrimination
  • Illegal Drugs
  • Malicious
  • Offensive/Tasteless
  • Phishing
  • Pornography
  • Spyware/Adware
  • Violence

Imagine the headaches you’ll encounter as a system admin once these categories of websites start sailing straight through your firewall after the 31st of December 2015!

Forefront TMG URL Filtering After 31 December 2015

Furthermore, any rules you have configured to allow certain web categories will start blocking those categories!

So it is very important that you follow Microsoft’s steps on how to disable URL filtering, and review any category-based rules to avoid these headaches.
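One way to find the rules that need reviewing before the deadline, as an added example that is not from the article, from Microsoft or from any Fastvue product: a PowerShell script, run on the TMG server itself, that walks the array’s firewall policy through the TMG COM administration objects and lists every access rule whose destinations are URL categories or category sets. The object names used (FPC.Root, GetContainingArray, ArrayPolicy.PolicyRules, the Type/Action values, and the URLCategories, URLCategorySets, ExcludedURLCategories and ExcludedURLCategorySets collections) are taken from the TMG SDK as recalled here and should be checked against the SDK documentation before relying on the output.

```powershell
# Added audit script (not from the article, Microsoft or Fastvue). Assumes the Forefront TMG
# COM administration objects (FPC.Root) are registered on the TMG server and that
# FPCAccessProperties exposes the URLCategories / URLCategorySets / ExcludedURLCategories /
# ExcludedURLCategorySets reference collections as described in the TMG SDK.
# Run from an elevated PowerShell session on the TMG server.

$fpcRoot = New-Object -ComObject FPC.Root
$array   = $fpcRoot.GetContainingArray()
$rules   = $array.ArrayPolicy.PolicyRules

function Get-RefNames($refs) {
    # Turn an FPCRefs collection into an array of member names (empty when nothing is referenced)
    $names = @()
    if ($refs -ne $null) { foreach ($r in $refs) { $names += $r.Name } }
    return $names
}

$findings = foreach ($rule in $rules) {
    if ($rule.Type -ne 0) { continue }   # 0 = access rule; publishing rules carry no URL categories
    $ap   = $rule.AccessProperties
    $cats = @(Get-RefNames $ap.URLCategories) + @(Get-RefNames $ap.URLCategorySets)
    $excl = @(Get-RefNames $ap.ExcludedURLCategories) + @(Get-RefNames $ap.ExcludedURLCategorySets)
    if ($cats.Count -eq 0 -and $excl.Count -eq 0) { continue }

    # Action: 0 = allow, 1 = deny. As the article warns, once MRS is switched off a
    # category-based deny rule stops blocking and a category-based allow rule starts blocking.
    $action = if ($rule.Action -eq 1) { 'Deny' } else { 'Allow' }
    $impact = if ($action -eq 'Deny') { 'will stop blocking these categories' } else { 'will start blocking these categories' }

    [pscustomobject]@{
        Rule       = $rule.Name
        Enabled    = $rule.Enabled
        Action     = $action
        Categories = ($cats -join ', ')
        Exceptions = ($excl -join ', ')
        Impact     = $impact
    }
}

$findings | Sort-Object Action, Rule | Format-Table -AutoSize
```

Rules listed as Deny are the ones that will silently fall open; rules listed as Allow are the ones that will start rejecting traffic and need their category conditions removed or replaced before URL Filtering is disabled.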

When Microsoft announced MRS will be turned off, it was well publicized that Forefront TMG would no longer receive updates. However, in their latest announcement, Microsoft says:

Q1. Is it possible to use the MRS Cache to continue to benefit from URL Filtering after 31st December 2015?

A1. No, the MRS cache is a temporary in-memory cache of the latest lookups intended to provide internal efficiency optimizations. It does not provide a full offline cache and cannot be used for this purpose. There is no mechanism to have an offline database.

In other words, URL Filtering will not work at all after the 31st of December 2015. They also say:

Q2. Is it possible to extend our usage of Forefront Threat Management Gateway (TMG) Web Protection Services past 31st December 2015?

A2. No, this is not possible. These dates were announced in September 2012 in order to provide sufficient time for alternative solutions to be deployed.

Fair enough – this point has been clear from the start.

So there you have it. If you’re using Microsoft Forefront TMG’s URL Filtering feature like many are thanks to the default rule to block malicious and dangerous categories, you may have some security nightmares in the new year unless you can quickly implement an alternative (see below).

Effects on Logging and Reporting

Unfortunately, your network’s security is not the only issue.

Disabling the URL Filtering feature also means that categories will no longer be logged in Microsoft Forefront TMG’s log files, which means the productivity sections in Fastvue TMG Reporter will be blank, and alerts based on Categories or Productivity will no longer function. You will still be able to report and alert on web sites, users, file types and anything other than categories or productivity.

Forefront TMG Alternatives

Hopefully you have already replaced Forefront TMG’s secure web gateway functionality, or at least have a plan to do so well underway. If not, here’s a list of the main alternatives we see our customers switching to.

Sophos UTM

Sophos UTM has the best feature-for-feature match with Forefront TMG in a single solution. Watch the webcast on replacing Forefront TMG with Sophos UTM to find out more (note that this webcast is a little dated, and many features have improved since, including publishing Exchange/OWA). And don’t worry about reporting, as we have you covered with Fastvue Sophos Reporter.

Sophos Web Appliance

As URL Filtering is the main feature that you need to urgently replace, you may like to look at a secure web gateway instead of a full UTM. Sophos have a solution here as well with their Sophos Web Appliance. And again, we have you covered from a reporting perspective with Fastvue Reporter for Sophos Web Appliance.

Barracuda Web Filter

No, we’re not just pushing Sophos gear. We’re also seeing many customers switch to Barracuda Web Filter, as well as their NG Firewall. For reporting, we already have you covered with Fastvue Reporter for Barracuda Web Filter, with support for the NG Firewall coming in 2016.

ContentKeeper

Again, if you’re not after a full UTM, but need great web protection, you might like to take a look at ContentKeeper’s Secure Internet Gateway. And again, we have reporting covered with Fastvue Reporter for ContentKeeper.

Other Forefront TMG Replacements

One of the more hidden features of the solutions above is that they all record Referrer URL in their log files. This is extremely important for identifying the ‘actual’ website someone is visiting, and is one of the major inputs to Fastvue’s Site Clean algorithm. As important as it is, most web security solutions fail to include this field in their log files, and provide only a ‘top domains’ report at best, which these days is almost useless in determining what people are actually doing online.

McAfee Web Gateway, Cisco Web Security Appliance (previously IronPort) and Palo Alto Networks also include the ability to enable Referrer URL logging. Other Forefront TMG replacement options include Dell SonicWall, Fortinet and WatchGuard, but at the time of writing they do not include a way to log referrer URLs.

We may have Fastvue Reporter solutions for these other products in the future, however they are already well supported in our other ‘sister’ product WebSpy Vantage Ultimate. Vantage Ultimate is a generic log reporting framework, guaranteed to provide the reports you need for almost any log file format.

Fastvue Migration Pricing

If you have an existing subscription to Fastvue TMG Reporter, Fastvue have special migration pricing to move to another Fastvue or WebSpy product. Simply contact [email protected] to find out more. We also work with many distributors and resellers, as well as the vendors of the above TMG replacement options, so get in touch if you’d like some assistance or advice.

Other Resources:

Our good friend Richard Hicks also has a great post on the bad things that will happen if you continue using Forefront TMG as a secure web gateway after the 31st of December 2015, including a couple of additional replacement options for URL Filtering.

If reporting is a major requirement for you, please take a look at our non-TMG reporting solutions here: