
The demise of Threat Management Gateway: Is Microsoft backing away from the edge?

Threat Management Gateway (TMG) has grown into a solid edge security solution with a large installed base, yet Gartner says that Microsoft won't be shipping another full version of the product. Deb Shinder looks at initial reactions to this report, and at what may lie ahead for TMG and the companies that rely on it.

Last week, I reported in my blog over at ISAServer.org that Gartner's Magic Quadrant for Secure Web Gateway, published May 25, left Microsoft out of the matrix completely. The report explained that this was because Microsoft had informed Gartner that it wouldn't be shipping another full version of TMG (Threat Management Gateway), that the product is now in "sustaining" mode, and that the company doesn't intend to compete head-to-head with other vendors in the secure Web gateway/firewall space.

TMG 2010 is part of the Microsoft Forefront family of security products and is the latest incarnation of the software formerly known as ISA Server, which itself evolved out of Microsoft's Proxy Server. TMG provides firewall services (stateful packet filtering plus application-layer inspection of protocols such as HTTP), VPN services, and Web caching.

I have a special affinity for TMG because my husband, Tom Shinder, and I specialized in Proxy Server/ISA Server early in our IT careers. We wrote several books and many articles about the products and have been involved with the ISAServer.org Web site for more than 10 years. When Tom left to become a Microsoft employee in 2009, I took over his lead author role there. Thus, to me, TMG isn't just any old Microsoft Server — it's been a big part of my life and my career.

Say it isn't so

The news of TMG's apparent impending demise came as a shock to many customers who have deployed or have been planning deployments of TMG, to consultants who specialize in or work with TMG, to partner companies that make TMG-based appliances, and to Microsoft Forefront MVPs. In fact, I received many responses to my post, and most were along the lines of "Gartner must be mistaken" or "Maybe you're interpreting this wrong." A few even seemed to blame me for pointing out what the Gartner report said.

Those initial reactions weren't at all surprising. In my life before IT, I was a police officer, and delivering death notifications was always one of the most unpleasant aspects of the job. We all know that the first stage of grief is denial, and the second stage, anger, often comes soon after. While some were protesting that it couldn't possibly be true, others were composing lovely eulogies. Forefront MVP Richard Hicks said, "The demise of TMG most certainly must be for reasons other than the viability of the product. The level of protection provided by TMG is unrivaled, in my opinion, by any other firewall or proxy on the market today."

In fact, that's what made Gartner's bold statement so difficult to swallow for those who have been working with TMG. Through various versions and name changes, the product has matured into a solid edge security solution that has attracted a fiercely loyal following. At the MVP Summits I've attended, the Forefront MVPs have always been some of the most enthusiastic about their product and the most engaged with their product groups and with each other. The TechGenix-sponsored ISAServer.org Web site has remained popular, with an active core membership.

Handwriting on the wall?

Some of the people who wrote to me about my blog post were understandably upset, not just about the news itself, but by the fact that they were first hearing about it from Gartner rather than from Microsoft. If TMG is indeed now to be considered in sustaining mode, if no future versions are planned, why has there been nothing about this in the Product Team Blog? Why were partners, MVPs, and others whose livelihood is tied up with the product not told? One likened the feeling to the experience of having a loved one go into the hospital to have a wart removed and then getting a phone call telling you that the person died during the procedure.

Others, though, noted that the signs may have been there for a while. At the TechEd 2011 conference in Atlanta in mid-May, there were no sessions on TMG. There have been grumblings from TMG resellers about the lack of a roadmap for TMG. Some pointed to the "killing" of other products, such as Forefront Protection Manager and Windows Essential Business Server (EBS). And then there were the personnel moves. Sure, Microsoft is always reorganizing, but a few folks noted that the departure of key members of the TMG team should perhaps have been an indication that all was not well with TMG, especially since some of the Microsoft employees who had been most active in the TMG community have recently moved to other jobs within the company.

Gone to heaven — or to the cloud?

As a matter of fact, it seems many of those employees who have moved from TMG are now working in cloud-based products and services. After all, that's where the action is at Microsoft these days. Some see the current push to cloud computing — by Microsoft and other major players in the tech industry — as something that will bring about the "end of the edge." They say that would negate the need for firewalls — or at least, network-based firewalls that protect the LAN from the "outside." When the Internet serves the purpose formerly reserved for the local network (storage of your data, delivery of your applications), most security will need to be host-based. Deperimeterization is a concept that's been talked about in IT for years. The term was made famous by the Jericho Forum, a group dedicated to "boundaryless information flow" within and between enterprises. Obviously, if the (fire)walls all come tumbling down, TMG will become less relevant.

On the other hand, Microsoft's cloud focus has also caused some speculation that perhaps TMG isn't really going away after all but will instead morph into a "cloudified" security product (maybe with yet another new name). Richard Hicks explains this view: "...Some have suggested that the importance of TMG is being diminished in a cloud-based world. I would disagree completely. In my opinion, it is even more important to have TMG! Perhaps TMG should be renamed CAG (Cloud Access Gateway). It provides secure, reliable access to cloud-based apps while still providing excellent protection for on-premises users, protecting them from web-based threats and maintaining productivity as well. It can inspect encrypted communication, which will be essential for monitoring and protecting communication with the cloud. It is also an excellent place to enforce DLP policies."

Life after death?

Yet another possibility I've seen mentioned is that TMG's functionalities will be rolled into the next version of Windows Server. You would be able to set your Windows Server up to perform the threat management gateway role, just as you can configure it with the DNS Server role or the Active Directory domain controller role.

Now that idea might be a bit more palatable to customers, as Microsoft could sell it as giving you TMG "for free" instead of making you buy a whole separate product to get it (similarly to the way terminal services — now Remote Desktop Services — got rolled into most versions of Windows Server after having originally been included only in the special Terminal Services Edition of NT). This could also be in keeping with the idea that host-based firewalls will become more important and network/edge firewalls less so.

Then there's the possibility that the reports of TMG's death, like those of Mark Twain's, have been greatly exaggerated. According to blogger Kent Nordstrom, unnamed sources "within Microsoft" have issued a statement that starts out on a positive note by assuring us that "Microsoft is still in the SWG business despite Gartner's opinion." However, if you read through the whole thing a couple of times, you notice that it really doesn't say much beyond the fact that TMG will continue to be supported with updates throughout the product's life cycle. The issue of whether there will be future versions is not addressed.

Nordstrom speculates that Microsoft will combine TMG with its Unified Access Gateway (UAG). TMG aficionados have been debating that idea for years. Microsoft was already positioning UAG as the preferred solution for filtering inbound access to internal resources, and UAG includes the TMG engine but doesn't support outbound access. If Microsoft drops TMG, rolls its functions into UAG, and makes UAG its "one and only," some customers are not going to be happy campers, especially small businesses on a budget that use TMG. Many TMG fans aren't crazy about UAG's interface — they find it more clunky and less user-friendly — but that's not all. The big problem is that UAG (which was designed with the enterprise in mind) is more expensive than TMG and is overkill if you just want to publish your Web servers, SharePoint, and Exchange servers to the Internet. Of course, in an all-cloud world, you wouldn't have any internal servers to publish, since you would buy those as hosted services.

Where does that leave us?

What if we assume a worst-case scenario, that TMG has been relegated to IT purgatory, where products languish in limbo after innovation and development stop, until their support life cycle runs out? Even in such a dire case, I think it's important to realize that this doesn't mean those partners, third-party developers, MVPs, and Web sites dedicated to TMG will suddenly become obsolete. In fact, if Microsoft did kill the product today, those external resources would become even more important.

TMG (and its predecessor, ISA Server) still has a significant installed base, and those companies aren't all going to dump it just because they hear that Microsoft isn't going to ship a new version in the future. They will still need support, add-ons, documentation, etc. If Microsoft provides less of it, that will create an opportunity for those outside the company to provide more.

With no official word and no roadmap from Microsoft, it's impossible for anyone to say with authority what the future holds for TMG. What I do know is that human beings hate uncertainty. They prefer dealing with bad news to worrying that bad news might be on the way. Now that Gartner has unleashed this tempest, I think it would be smart to let the public know, one way or the other, whether TMG is terminally ill and on life support or just undergoing cosmetic surgery from which it will emerge prettier than before.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...