End of an Era: Proxy and Exchange

Yesterday Microsoft announced the end of UAG. This brings to a close an era where Exchange was secured by ISA, then TMG and partially UAG. I’ve worked with many versions of Exchange and in a majority of cases, we would place ISA/TMG as a security proxy for their messaging environment. We would secure OWA, RPC over HTTP and ActiveSync connections. Now, with the release of Exchange 2013 and the demise of both TMG and UAG, another approach seems to be warranted.

Which road to take?

No Proxy?
Microsoft has some unofficial advice on how to handle this change:

Life in a Post TMG World – Is It As Scary As You Think?

IIS ARR or Windows 2012 Web App Proxy
For IIS ARR you are creating a simple pass through Web Proxy with no Authentication mechanisms at all – How to publish Exchange 2013 with it.

With Windows 2012 Web App Proxy provides a session level barrier to external traffic and some forms of authentication preauthentication as well – Example of Lync 2013 and WAP and an Overview.

Hardware Load Balancer with Proxy?
Many HLB vendors are now producing products with a built in Proxy function – KEMP and F5 are two prime examples. These products essentially provide the HLB you need for your back-end high availability, while simultaneously handling your proxy and pre-auth requirements. I personally like this solution because it has the potential to simplify your messaging environment (remove TMG layer and incorporate it into the HLB layer).

TMG – Keep it if you have it?

So here lies the question, do you implement it as explained here and keep your existing proxy in place? Or do you remove the product as it is now on its way out of Microsoft support (yes it is supported, but in a few years it won’t be). If you are putting in a HLB, will you not use the proxy features that are built in? Or will you keep both?

Each situation seems to demand a different solution. My personal preferences are in order:

  • TMG if the client has it
  • Proxy on HLB is utilized
  • If no HLB or TMG – no proxy
  • IIS ARR if a customer insists
  • Windows 2012 WAP – once guidelines are published


One thought on “End of an Era: Proxy and Exchange

  1. Pingback: interesting things i have seen on the internet 30/12/2013 | 503 5.0.0 polite people say HELO

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s