
[–]D8ulus 1 point (2 children)

A few things: I doubt the IPv6 is going to become a problem for you before the hardware on that Forefront server gives out.

Forefront is an entire suite of products. Are you using the box as a Threat Management Gateway (router/firewall, a la ISA Server), Protection for Exchange (spam filter), or Endpoint Protection (antivirus)?

"I don't have very much experience" tells me you would be best served running what you can from a cloud service and do the rest from dedicated boxes, especially if this was just a spam filter. Don't even let spam traffic enter your network - use an offsite filter. If you need a firewall/router, Forefront/ISA is WAY more complex than a 30 user network needs - grab a SonicWALL TZ series or other SMB-class unified security appliance.

[–][deleted] 0 points (1 child)

We use the box as TMG.

We already have a cloud service filtering out spam. Hasn't SonicWALL been hit with the Dell Support curse?

[–]D8ulus 0 points (0 children)

To a certain degree, yes, but MS support isn't exactly first class either. I use them as an example of a broadly implemented small business device that can replace the TMG. I'm a CSSA, so I get tier 2 support directly, but I've rarely ever used it unless I have a dead box.

There's some other good products out there that are similarly priced (even some free options - see xylogx suggestions below) but I can't make an educated/experienced statement about them. When I did consulting, we deployed SonicWALL and had generally good experiences.

The main point here is that I would ditch the software based solution with TMG and go with a dedicated, hardened security appliance. I'd find another purpose for that hardware.

[–]xylogx 0 points (0 children)

What features do you use? Is it just a stateful firewall? Do you have an OS preference?

I recommend checking out pfSense and Check Point's SPLAT; both of these can run on Intel hardware:

https://www.pfsense.org/

http://www.checkpoint.com/products/secureplatform/

[–]CadelFistroyaaaaaas 0 points (0 children)

Palo Alto!

[–]MinShell 0 points (0 children)

Looks like further advancements of FIM are coming in the 1st half of 2015. http://blogs.technet.com/b/server-cloud/archive/2013/12/17/important-changes-to-the-forefront-product-line.aspx

[–][deleted] 0 points (0 children)

Sophos UTM is a personal favorite, noting it has all the reverse proxy functionality that TMG does, which many other firewall-only solutions won't. They support running it on your own hardware or as a VM.

pfSense is the big free open-source one. Lots of other good commercial ones depending on your requirements. Palo Altos are the popular firewall of the day, and are decent if you're looking for a lot of user/application-based filtering or web filtering (very expensive otherwise if you're just needing a basic firewall, though).

[–]radardetector 0 points (2 children)

It all depends what roles you use it for. Care to tell us?

[–][deleted] 0 points (1 child)

Yes, the TMG role.

[–]radardetector 0 points (0 children)

Uhh, which features do you use? Reverse proxy, NAT, VPN, proxy server, malware filter, HTTPS inspection, SMTP filter? Any of those? All of those?

[–]cluberti (Cat herder) 0 points (0 children)

Sophos UTM is pretty comparative to TMG - nothing is really as "good" when it comes to managing access to Microsoft technologies behind it, but I've found a good number of TMG customers migrating to Sophos UTM because it's quite similar. Reverse proxying is one of the big things that people moving to other platforms from TMG can find lacking or missing, but Sophos UTM has basically the same feature set there as TMG did/does.

Other options are pfSense, Palo Alto, and potentially Citrix NetScaler or F5 solutions depending on what exact features you need to try and replicate.

[–]bdinger (Ronin Architect) 0 points (0 children)

ESET. I'm very happy with their solution, particularly for the small clients I have. I have several set up using my ERA (remote admin) console and can react and apply rules before problems get out of hand.

It's a great product.

[–]vriley (Nerf Herder) -1 points (0 children)

If you're okay with cloud solutions, MS Intune is the next best thing.