Many web ads are moving to HTTPS/SSL instead of nonencrypted to get around ad blockers. This also represents a malware risk as app layer firewalls such as TMG will not be able to detect it. Companies such as clear tunnel have come up with a solution as a plug-in to ISA server 2006.
Might TMG incorporate such a feature in its final version? If not, why not?
Very very good question. I will also want to know this.
Is it just my feeling, or do the big names out there run after "SSL inspection"... The "New kid on the block" Palo Alto Networks supports this. They all say that they are the first or some of the few to support that. For example Secure Computing supports SSL inspection; what Collective Software misses compared with them, IMHO, is the level of quality of marketing "white papers".
If Microsoft would not add outbound SSL inspection for TMG, we can hope that maybe Collective Software will help?
Just my thoughts.. If you have an expensive product then you can afford to spend a lot on marketing. And you *have* to, because otherwise customers won't stomach the cost.
Collective is a pretty low overhead shop, we mostly spend on R&D and support and keep product prices as low as possible to stay in line with the ISA pricing model. Not a perfect solution, but it works well enough.
Hi Greg, Yeah, I know and understand and agree. Sometimes it is not enough to have a great product, life ain't fair.... I was re-reading a couple of days ago their "white papers", and again I found them overwhelming. It's just hard, at least for me, once certain customers read those things, to make them see another way....
I felt that too. Many people out there don't know what ISA Server is after so many years, and very likely, IMHO, most of the ones who know what ISA is and what ISA can do, found out due to the tremendous efforts of Tom.
Numerous years in production and not one reported security vulnerability...you bet!
I still love providing ISA Server handovers after implementation as nearly everyone is just so unaware of its capabilities when used properly...showing Cisco bods the web publishing capabilities and real-time log monitor (with filters) are two of my favourites!
I think TMG is going to be a killer version...would love to say more, but under NDA
MS are really getting their security 'ducks in line' with the combination of the upcoming edge product releases and Stirling...I think 2009 will be an interesting year for MS security...
< Message edited by Jason Jones -- 21.Aug.2008 6:55:07 PM >
Absolutely! I wish we could share what's in the next version of the TMG. Esp. in light of this discussion. But I think everyone is going to be pretty happy with what they're going to do with it, even some long lived DCRs are going to be addressed! :)
And some new stuff is going to be really amazing -- stuff that no other firewall on the market can do or will be able to do by the time that TMG is released.
People need to keep in mind that the TMG that comes with EBS bears little or no relationship with what they're going to see in the final TMG RTM. So, don't get disappointed.
And with the upcoming Stirling integration, it's really going to blow people's socks off! :)
As long as you are collectively patting yourselves on the back on how wonderful ISA/TMG is/will be, let's hope it is a forward thinking product and not a follow-me product.
I use ISA Server 2006 and TMG in my network and they both work fairly well. Even get my Macs to authenticate to it via Kerberos for outbound traffic. Would like to see more cross platform support, as the dog that is Vista is not being deployed in most enterprises I have seen. What about a firewall client agent for Mac?
Anyway if SSL inspection is not built in I would not upgrade. Do not see much difference (yet) between ISA Server 2006 w/ Web monitor (better IMO because of 3 AV engines) and TMG.
Web Protection: Scan files that are downloaded by the users for malware and block them on the gateway by the TMG server.
We can even inspect outbound SSL traffic as we are bridging SSL on the server if you want it. The user is informed that SSL will be inspected. This is very important from a privacy perspective. So, with this technology we can block invalid or expired certs. Last but not least here, you can exclude certain sites or site groups (e.g. Finance and Banking) from the SSL inspection. So, you can configure it the way that you do not inspect the traffic but the certificate will be validated or nothing is done at all.
Original Edward: As long as you are collectively patting yourselves on the back on how wonderful ISA/TMG is/will be, let's hope it is a forward thinking product and not a follow-me product.
< Message edited by adimcev -- 5.Nov.2008 12:04:30 PM >