[This article originally appeared in the "Closer to the Edge" blog at: http://blog.msedge.org.uk/2010/08/should-i-place-forefront-tmg-at-edge-of.html]

Is Forefront TMG Trustworthy?

Given that TMG is now an EAL4+ certified firewall like its predecessor ISA Server 2006; combine a decade long history of a firewall that has never been the focus of a successful, documented attack and I'd say you're in good shape for putting TMG at the network edge from a security perspective.

Is it All About Security?

However, as good as TMG is (and secure too) there are still some limitations with regard to Network Address Translation (NAT) functionality that are often bettered by traditional network firewall vendors. There are some good improvements with Enhanced NAT in TMG, but you may be left wanting when it comes to full NAT control. Some of the changes in selection of source IP address introduced in Windows Server 2008 don't help either, as covered in the following article: http://support.microsoft.com/kb/969029/en-us which may not provide expected or wanted results. Consequently, there may be some advantage of placing another network device (border router or firewall) at the network edge, in front of TMG.

I always believed in placing ISA/TMG closest to the assets you want to protect, so its role as a back-end application firewall is often the most useful. Some folks are comfortable with a single-tier application level firewall (e.g. TMG at the edge) but many aren't and look for at least a two-tier firewall topology. Is this better? Not sure that is fully quantifiable, but they often feel they have "covered themselves" anyhow by following a more defence in depth approach. 

The other element to consider is that people don't hack firewalls anymore; they hack applications. Consequently, good firewall protection is about protecting at the application level. A front-end "network" firewall can be handy for noise reduction and enhanced network functionality (like more advanced NAT perhaps) but often the application firewall behind it is actually doing most of the heavy lifting. Many times, the front-end firewall only ever sees encrypted incoming connections (SSL/TLS) to which it has no understanding, and hence provides pretty low security value. If you combine UAG or DirectAccess into the mix, the front-end firewall becomes even more clueless, as all the clever stuff happens behind it... 

With the advent of UAG DirectAccess and the need for public IPv4 addresses on the UAG external interface, I think many more people will (perhaps not always knowingly) put TMG on the edge (by placing UAG at the edge) as they have limited options with regard to meeting the DA public addressing requirements. This should consequently build confidence that Microsoft have a product which "they the customer" believe can be trusted in that role/location.

Is an Appliance Version of Forefront TMG More Secure at the Edge?

Finally, the use of a hardware platform (like the Celestix MSA range perhaps) shouldn't really change the overall risk and edge placement assessment, as this is a platform choice, not a security choice, and you should go that route for other reasons than improved security protection. Well, unless you believe that a "hardware device" is any different or better than a "software firewall" that is…

Conclusion

I also not sure there is a right or wrong answer here, as peoples acceptance of risk varies greatly. However, assuming you are happy with the native network level feature set provided by TMG (and the potential limitations) I see no reason not to place it at the network edge, but as is often the case, your mileage may vary!

This article was originally written by:

Jason Jones, Forefront MVP
Principal Security Consultant
Silversands Limited
--------
My Forefront Edge Blog: http://blog.msedge.org.uk/
My ISA Server Blog: http://blog.msfirewall.org.uk/
MVP Profile: https://mvp.support.microsoft.com/profile/Jason.Jones
Twitter: http://twitter.com/jjatsilversands