Protecting Exchange: TMG or UAG, which one to choose?

The UAG administration interface is indeed very different from that of TMG. On the other hand, TMG (the evolution of ISA) is installed to protect UAG during its installation and configuration. Only a small part of its functionality is usable afterwards!

  • To compare the products, the basic idea is that TMG is a service made mainly to manage access from the local network to the Internet, and a little in the other direction.
  • UAG is made solely to manage many kinds of access from the Internet to the local network.

Here is a short excerpt from the page http://www.microsoftnow.com/page/2

I need TMG if:

  • I need an inbound and outbound access gateway
  • I need a state-of-the-art firewall with stateful packet inspection and application filtering capabilities to protect my network
  • I need built-in IPS (Intrusion Prevention System) on that firewall
  • I need a secure forward proxy for users on my network to access the internet
  • I need to be able to do web filtering based on individual URLs or URL categories (like Politics, Sports, Pornography, etc)
  • I need to be able to monitor my users’ web activity and firewall logging.
  • I need to be able to block unproductive websites and services (like IM, P2P, video sharing, etc)
  • I need to protect my users from web-based threats (web antivirus, web antimalware, block malicious websites)
  • I need Forward HTTPS inspection to protect users against web threats that are hidden inside HTTPS
  • I need to publish (reverse proxy) services to the internet (like web servers, email servers, webmail, extranet, intranet and internet portals, etc)
  • I need SSL bridging to protect my publish servers against threats embedded inside SSL
  • I need zero day protection from vulnerabilities that do not have a patch released yet (NIS)
  • I need site-to-site VPN
  • I need a VPN server for my users in addition to all the above

I need UAG if:

  • I need an ‘inbound only’ access gateway
  • I need to enable my users to securely access internal resources remotely (while they are outside the company network)
  • I need to enable Secure VPN access for users when they are outside my network
  • I need to quickly and easily enable DirectAccess for my Windows 7 users
  • I need to ensure only healthy and secure remote machines can access information/services/applications in my network with appropriate user authentication
  • I need to be able to define which applications or services these users can access and granularly define the security policies that will govern access to these services remotely
  • I need to ensure that these users can access these applications regardless of whether they are web-based, terminal services, RemoteApp or Citrix without having to establish a VPN connection.
  • I need to give my users the ability to access these applications from a mobile device, or a non-Windows client such as a Mac or a Linux machine.
  • I need to provide a web-based interface through which the user can log in remotely and execute these applications from this portal without connecting a VPN, provided his machine is healthy.
  • I need to provide a web-based interface through which the user can log in remotely and establish a secure SSTP VPN session or access file servers from the portal without connecting a VPN, provided his machine passes the health requirements of my organization.
  • I need to be able to easily define the security/machine health policies for machines that are attempting to access these applications.
  • I have smaller remote sites where I have small numbers of users with no site-to-site VPN and just an internet connection. I need to provide them secure access to my applications over the internet.

Regarding Exchange, the following Microsoft document can be downloaded: http://download.microsoft.com/download/E/5/6/E56ACB6E-7BCC-40F1-8F18-E636B7BFE088/PublishingExchangeServer2010withForefront.doc

Here is an excerpt of the important points from this document:

Choosing Between Forefront TMG or Forefront UAG

Your first decision when planning to publish Exchange using Forefront TMG or Forefront UAG is to determine which of the two products best fits the needs of the deployment.

Both Forefront TMG and Forefront UAG can securely publish Exchange to the Internet, but each offers some features or supports scenarios that the other does not. So, the first step in choosing which product to use is deciding what features you need or think you may need.

Some deployments may actually use both Forefront TMG and Forefront UAG to satisfy specific requirements. For example, you might use Forefront UAG to provide a unified portal experience for your inbound Web-based client access, use Forefront TMG to protect Internet access for your internal users, and use Forefront TMG to provide certificate-based authentication to your mobile device-enabled workforce.

Exchange-related deployment scenarios and features compared for Forefront TMG and Forefront UAG:

  • Publish Microsoft Office Outlook Web App and the Exchange Control Panel (ECP) using forms-based authentication
  • Publish Outlook Anywhere using Basic or NTLM authentication
  • Publish Microsoft Exchange ActiveSync using Basic authentication
  • Support two-factor authentication for Outlook Web App and Exchange ActiveSync
  • Provide load balancing for HTTP-based protocol access from the Internet
  • Provide certificate-based authentication for Exchange ActiveSync, Outlook Web App, and ECP
  • Perform mail hygiene for Exchange with installation of the Edge Transport server role and Microsoft Forefront Protection 2010 for Exchange Server
  • Protect and filter Internet access for internal users from malware and other Web-based threats
  • Provide support for scaled-up Outlook Anywhere deployments by using multiple source IP addresses
  • Check a client computer accessing Outlook Web App for the presence of approved antivirus software, updates, etc.
  • Thoroughly clean up the client following an Outlook Web App session, with settings configurable by the admin