Courtesy of Tony Redmond’s Blog
Can Windows servers consume untreated Internet traffic safely?
Last September, Microsoft dropped a bombshell when they announced that they were dropping development of the Threat Management Gateway (TMG) product along with their decision to cease production of on-premises ant-virus products. The problem for the Exchange community was that TMG had become the de facto choice as a reverse proxy deployed alongside Internet-facing Client Access servers to handle inbound client traffic.
Since the original announcement, Microsoft has done its best to reassure customers and explain that TMG support remains in place until April 2015. In a nutshell, although no more TMG licenses can be bought, you can continue to run TMG alongside Exchange 2007, 2010, and 2013 until support expires.
But thinking about the situation after a thought-provoking discussion with Greg Taylor of Microsoft, I wonder whether the function served by TMG and ISA Server, its immediate predecessor, is focused on the needs of the past rather than the present. If you go back to a time when Outlook Anywhere started to popularize HTTPS connectivity instead of running MAPI RPCs over a VPN, the target infrastructure was Windows 2003 servers and Exchange 2003 SP2. External threats abounded as hackers attempted to penetrate past corporate firewalls to attack unhardened internal systems, including Exchange.
So it was logical to deploy multiple levels of protection, starting at the firewall and going through servers to perform tasks such as packet inspection before any traffic was allowed to go to an internal server. The approach worked and has served IT well as long as IT exerted strict control over networks, devices, and servers.
The same conditions do not exist today. On the plus side, the latest version of Windows and application servers like Exchange are more secure than they were in the past, thanks to customer pressure to drive improvement and changes in Microsoft’s engineering practices to enforce “secure by design”. On the downside, infrastructures have to cope with connections coming in from a multitude of device types, not all of which are “approved” because of the popularity of BYOD.
The latest versions of Exchange demand nothing more than TCP (port 443) to be open on corporate firewalls before clients can connect. The question then is what additional processing needs to happen before a sanitized traffic stream from the firewall hits an Exchange server. And as it turns out, the answer is “not much”, largely because Windows and Exchange have the capability to protect themselves against suspect packets and because the latest generation of firewall-cum-load balancer products are capable of doing much more than simply blocking inbound traffic. If this assertion is true, then what value does a product like TMG or UAG deliver? And is that additional product even required to maintain a secure environment?…. Read More