Alternative for MS TMG 2010 = pfSense ???



  • Dear all,

    I read several articles and tutorials, but none of them answered my question. I am looking for an alternative for Microsoft TMG 2010; formely MS ISA 2006. I read such good comments about pfSense I wanted to give it a try. I am struggling the overview and configuration with pfSense.

    Situation:

    • one external IP;
    • multiple servers
          - 2x MS TMG 2010 (FO & LB (Fail-over & Load-balanced))
          - 2x MS Exchange Edge (FO & LB); port 25
          - 2x Postfix (FO & LB) if Edge are offline; port 25
          - 3x MS RDP (FO & LB); port 3389
          - 3x MS IIS (FO & LB); port 80, 443
          - 2x MS SharePoint (FO & LB); port 80, 443, 987
          - 2x FTP (FO & LB); port 21
    • Wireless (multiple SSIDs)

    Future request:

    • VoIP

    With MS TMG 2010 it is easy to configure above configuration; everything works as it should be. Can above configuration been applied to pfSense? Furthermore I want to install/configure a HTTP and HTTPS accelerator (in- and outbound) and/or load-balancer, proxy (with AV-functionality), backup MX and a robust firewall and logging. Then I have got a corporate wireless network and a guest network. I want to split those by some kind of mechanism and authority-based.

    Is all of this possible? Can multiple pfSense configured to FO & LB? Can pfSense read host-header? Can it handle the above situation? What kind of system requirements is needed?

    I have seen so many kinds of packages, I really do not know which to choose in what matter.

    Regarding the future request; can anybody advise my about which system to choose referring to VoIP? Asterisk?

    I know it is a lot, but perhaps you can help me out here. It would be great when you have some ‘step-by-step’ tutorials available.

    Thanks in advance,
    Canefield



  • In addition to the above; I already installed and configured pfSense successfully and played with several packages like Snort, Varnish, squid, squidGuard, squid-reverse, Dansguardian, HAVP, Postfix Forwarder and more, but do not know what to choose, installing or how to configure referring to my situation.



  • Anybody? Please help me out here…I want to use this free/open source solution instead of commercial software.

    Thanks for your time and effort; I appreciate it,
    Canefield



  • pfsense in its base configuration is first and foremost a firewall/router with advanced functionality such as traffic shaping.

    From a quick look at your requirements, much of what you want can be achieved using a combination of 3rd party reverse-proxy software (namely varnish & haproxy), which can also be installed on pfsense itself, and are available as separate packages.

    As a starting point, I would suggest that you get another external IP, setup a pfsense box in front of TMG and start moving certain services (e.g. http, then https etc)



  • Hi there,

    I do not have the possibility to add/purchase another external IP. I hoped it in my case, but unfortunately.

    I thought of using the following packages:

    • Snort as (additional) Firewall (IDS/IPS)
    • Squid-Reverse + SquidGuard (reverse-proxy; web performance HTTP/HTTPS)
    • HAVP (mean proxy for antivirus)
      What (reverse)proxy should I use? You are suggesting others? Why?

    Moreover I want to:

    • accelerate/boost my in- and outbound web requests
    • sevicing multilpe servers behind NAT
      These issues is still very vague for me.

    So you are indicating that my wishes are possible with pfSense? Could you give me more advise about the packages I should use? I really do not have a clue which package to use. Which system requirements?
    Is there some kind of tutorial out there?

    Hounesty, it disappionts me how many comments I get at this discussion. Is it not great if pfSense could do the job instead of other commercial software. This should enthuse all people of this forum, is it not? Let pfSense rule the world (especially in what it can do).

    Thanks in advance,
    Canefield


  • Banned

    I have TMG with a PFSense router/firewall in front.

    TMG has L7 and is much easier to setup than all the 3rd party software in PFSense. If anything doesnt work, its difficult to see what is the reason for it.

    Furthermore the logging in TMG is much nicer. Keep the TMG.

    I am running 1.2.3 since performance has deteriorated and NAT reflection is broken in all the 2.0 releases I have tried.



  • Hi,

    Thanks for your reply…but really I only want to be able using pfSense.
    Somebody any other ideas? How to setup and configure this scenario with pfSense only?

    KR,
    Canefield



  • @Supermule:

    I am running 1.2.3 since performance has deteriorated and NAT reflection is broken in all the 2.0 releases I have tried.

    Strange that you say that you find 1.2.3 better than 2.x, which is based on a newer FreeBSD version, with updated kernel, NIC drivers etc.

    Also, while pfsense’s NAT reflection may have problems (in fact it doesn’t work at all with UDP), there are very few situations where one really has to resort to using NAT Reflection instead of some alternative like split-DNS.



  • @Supermule:

    I have TMG with a PFSense router/firewall in front.

    TMG has L7 and is much easier to setup than all the 3rd party software in PFSense. If anything doesnt work, its difficult to see what is the reason for it.

    Furthermore the logging in TMG is much nicer. Keep the TMG.

    I am running 1.2.3 since performance has deteriorated and NAT reflection is broken in all the 2.0 releases I have tried.

    Supermule,

    Not trying to be offensive and sorry if it sounds like but why you keep trying pfsense as you prefer and recommend TMG to every user on this forum? ???

    canefield,

    This setup can be done with pfsense, it will need some extra package to reach the best config and performance.

    The tcp services you want to balance can be done using built in load balance on service menu.

    squid+squidguard+havp as well squid+ dansguardian can do proxy with antivirus for internet access.

    haproxy will be almost as easy to configure as load balance built in service and will do tcp,http and https balance/failover.

    The hardware will depend on throughput you need but with all these features, I suggest at least a core 2 duo + 4g ram + fast disk + amd64 version.

    posfix forwarder + mailscanner package can do a really good job on protecting your exchange server from internet and can also be configured to outbound messages from exchange.

    Another suggestion:
    Use custom install setup to create /usr and /var filesystem with softupdates, this will increase your disk performance(important for cache and spam filtering)

    att,
    Marcello Coutinho


  • Banned

    Hey Marcello 🙂 I like TMG for the things it does….

    Its all about user friendliness and I love PFSense. Have been using it since it broke of from M0n0wall.

    I dont like the 2.01 release since it needs a lot of moving around in the tabs to configure very simple tasks.

    The TMG has a very useful intuitive user interface and if you set it up as a proxy then you wont have to dig around to cinfigure things…it is right there in the tabs when publishing a server…it changes depending on what you want to publish but you dont have to change anything to the basic setup everytime. It is very very easy see if the thing you are doing is working. It has a test rule button that gives you detailed information about what could be wrong and you dont have to search 3 different packages to watch the logs.

    I only use PFSense as a frontend since the only thing it does, is NAT to ISA. the 2.01 was not stable enough and basic things were broken so for me 1.2.3 was the best option available.



  • @Supermule:

    the 2.01 was not stable enough and basic things were broken

    I’m sure the developers would appreciate receiving detailed bug reports.


  • Banned

    I posted most of the finds on redmine….



  • @Supermule:

    I only use PFSense as a frontend since the only thing it does, is NAT to ISA. the 2.01 was not stable enough and basic things were broken so for me 1.2.3 was the best option available.

    ISA/TMG is easy but not good enough to stay on internet? Just like old M$ proxy 2.0? good to know. 🙂

    I’ve never trusted microsoft with real ip, this is just one more example.


  • Banned

    HAHAHAHA it depends on how you configure it. It can easily act as a frontend. I chose PFSense insteaf because of the minimal footprint and that it runs on bare metal at the time.

    Since ISA resides on Windows Server, I didnt want to use it because of windows and its complexity.

    It is bloody good as a proxy/L7 firewall and that is what I use it for.



  • I think TMG’s main advantage is its tight integration with AD.


  • Banned

    And true L7 🙂



  • canefield,

    This setup can be done with pfsense, it will need some extra package to reach the best config and performance.

    The tcp services you want to balance can be done using built in load balance on service menu.

    squid+squidguard+havp as well squid+ dansguardian can do proxy with antivirus for internet access.

    haproxy will be almost as easy to configure as load balance built in service and will do tcp,http and https balance/failover.

    The hardware will depend on throughput you need but with all these features, I suggest at least a core 2 duo + 4g ram + fast disk + amd64 version.

    posfix forwarder + mailscanner package can do a really good job on protecting your exchange server from internet and can also be configured to outbound messages from exchange.

    Another suggestion:
    Use custom install setup to create /usr and /var filesystem with softupdates, this will increase your disk performance(important for cache and spam filtering)

    att,
    Marcello Coutinho

    Marcello (and others) thank a lot for your time. I still have a couple of questions.

    • When you speak of Squid you also mean Squid-Reverse?
    • You suggest two scenarios implementing proxy’s, which one to choose in what situation? Your own opinion?
    • I matter of security you are not talking about using Snort, any reason? Other suggestions?
    • To have multiple servers active behind NAT using the same ports, what solution do you provide/advise?
          - How to set this up running?
    • In the way of fallback/backup MX how to use/setup Postfix?

    You are probably think, why so many question? To be honest, I am particulary specialized in Microsoft products. So this step approaching the Linux platform is completely new, surprising, exiting and promising. I really know a lot about mostly all Microsoft product and services, but nowadays I want to orientate more on Linux distrobutions. I am convinced I should always explorer my options and have a broader view in various areas.
    So please help me as much as possible. Step-by-step tutorials are more than welcome.

    Thanks in advance,
    Canefield



  • @canefield:

    • When you speak of Squid you also mean Squid-Reverse?

    Yes, squid-reverse can do inbound and outbound proxy.

    @canefield:

    • You suggest two scenarios implementing proxy’s, which one to choose in what situation? Your own opinion?

    Dansguardian is not free for comercial use but has content filtering(something I need). I’m not using squidguard but is a great package too.

    @canefield:

    • I matter of security you are not talking about using Snort, any reason? Other suggestions?

    You can use snort but you have to first enable it as an IDS only, after you adjust this package to suppress rules you get false positives, then you can enable IPS mode.

    @canefield:

    • To have multiple servers active behind NAT using the same ports, what solution do you provide/advise?
          - How to set this up running?

    I’m using varnish for http cache/balance and haproxy for https balance.

    @canefield:

    • In the way of fallback/backup MX how to use/setup Postfix?

    Postfix package can do a really good job on protecting exchange server from internet.
    It does not has local mailboxes support, but can be configured to act as a backup mx by configuring main mx server as an internal smtp.

    @canefield:

    I really know a lot about mostly all Microsoft product and services, but nowadays I want to orientate more on Linux distrobutions. I am convinced I should always explorer my options and have a broader view in various areas.

    Using the best of each so is, in my opinion, a great decision



  • Marcello,

    Thanks for your reply. I make a note of what your are telling about Snort (IDS/IPS).

    Could you (or somebody else) help me out with the configuration of the pfSense packages:

    • Varnish or Varnish3 & HAProxy or HAProxy Full
      To get -in test- six LB servers up-and-running. I have two Exchange servers (LB & FO) configured and listening on port 80 and 443 (host-header: webmail.testing.com, only SSL), two SharePoint servers (LB & FO) configured and listening on port 80, 443 and 987 (host-header: extranet.testing.com, both HTTP and SSL) and two Web servers (LB & FO) configured and listening on port 80, 443 and 21 (SFTP) 989 & 990 (FTPS) (host-header: testing.com).

    • Postfix (as backup/fallback MX) & Mailscanner
      First of all I want Postfix to handle the SMTP requests (in- and outbound) and checks for antimalware, virus, etc. Second, based on the domainname forward it to the corresponding Exchange/Linux server.
      If one or all the mail-servers are down, for any reason, Postfix holds the messages in the queue and forwards them to the corresponding servers when they come back online. One thing to keep in mind is that all my Exchange servers are communication over TLS (certificate) and I want -if possible- that Postfix also communicate over TLS internally to the Exchange Egde servers.

    For certainty, I only got one external IP-address.

    Thanks a lot,
    Canefield



  • Tls support on postfix package is not implemented yet, you need to allow your lan ip to send mail to exchange as a relay server.

    On http balance, host headers can be set on varnish package, https for multiple host headers AFAIK will give you cert warnings if you do not have a wildcard cert applied to it.

    On varnish you need first to define your internal servers on backend tab and then define load balance pools.
    Varnish setup is not trivial, so it’s better if listen it’s daemon on other port then 80 until you get it working.



  • Dear all,

    Please some kind of configuration/step-by-step examples? Only with plaintext I can not configure it the right way.

    1. How to get Postfix to listen on port 25, queue messages and forward to the corresponding mail-server.
    2. Just an example how to configure Varnish to do this job. I have an UCC certificate, can Varnish handle this?

    Thanks in advance,
    Canefield



  • Postfix mini howto:

    firewall rules -> wan

    • create a wan rule to permit smtp traffic to wan address

    postfix General tab

    • check enable postfix option

    • choose at least wan loopback interfaces

    postifx domain tab

    • fill your domain/internal smtp info

    Postfix Antispam tab

    • follow default/recommended settings

    • Leave third part antispam unselected(try latter when you get better Knowledge on postfix)

    Some screenshots/full thread for this package
    http://forum.pfsense.org/index.php/topic,40622.0.html





  • Thanks. I’ll look into it.

    KR,
    Canefield



  • Dear Marcello and others,

    I’ve tried several attemps to forward requests to multiple servers without any result.
    I can’t get it right. What is the problem? I want to have multiple servers running on port 80 (HTTP) as well as 443 (HTTPS)

    My steps:

    1. Disabled the ‘webConfigurator redirect rule’ (System->Advanced)
    2. Added Backends (Services->Varnish->Backends)
      2a) E.g.:
    • Backend name: WWW

    • IPAddress: 192.168.12.1

    • Port: 80

    • URL: /

    • Probe Interval: 5

    • Probe Timeout: 1

    • Probe Window: 5

    • Probe Threshold: 3

    • Backend Mappings: Map: Host, Match: Equals, Expression: www.domain.com, Grace:

    - What is the difference between Host and URL by ‘Backend Mappings->Map’?
    - Performance metrics are not configured; I don’t know what to do with it.
    - I’ve also tried leaving ‘Backend Mappings’ clear and configured those under ‘LB Directors’. That’s what I’m trying to accomplish.

    1. Enabled Varnish (Services->Varnish->Settings)
      3a) Listening port 80, management port 81; accepted all defaults
    2. No NAT rules for port 80 (Firewall->NAT)
    3. Rules, added listening port (Firewall->Rules->WAN)
      5a) Proto: TCP, Source: *, Port: *, Destination: *, Port: 80 (HTTP), Gateway: *, Queue: none, Schedule: <empty>It does not work?!?

    Can you give me some examples about configuring ‘LB Directors’?
    I want also to be able to forward multiple HTTPS requests. If I understood correctly I should use HAProxy for HTTPS forwarding. Can HAProxy do both (HTTP & HTTPS)? Should I use both (Varnish & HAProxy) or is it better to use just one of them? What is best? Performance?

    I didn’t configured Postfix jet because of my issues with Varnish.

    Thanks a lot,
    Canefield</empty>



  • @canefield:

    Can you give me some examples about configuring ‘LB Directors’?

    To use load balance, leave empty Backend Mappings
    check on varnish dashborad widget if varnish can sucessfull check server status based on url you provided for check.

    @canefield:

    I want also to be able to forward multiple HTTPS requests. If I understood correctly I should use HAProxy for HTTPS forwarding. Can HAProxy do both (HTTP & HTTPS)? Should I use both (Varnish & HAProxy) or is it better to use just one of them? What is best? Performance?

    I use varnish for http as it does cache and reduce server load(of course depending on your config).

    Haproxy, AFAIK can’t do host header https, just service balance.

    I’m also planning to do this https function for this package using other package together(pound, relayd,…), but I need first to have some time to test it.








  • Marcello,

    At the Varnish dashboard none of the servers are listed? How come?

    Thanks,
    Canefield

    P.S. It is more difficult than I thought. Please step-by-step; otherwise I really mess up.



  • I’m also planning to do this https function for this package using other package together(pound, relayd,…), but I need first to have some time to test it.

    What are you trying to put together? Combining packages like Varnish and Pound/Relayd, so just one product could do the job? Also based on host-headers? What is the estimate?

    Thanks,
    Canefield


  • Banned

    Thats exactly why PFSense is not an option for TMG….

    All of this is included in TMG and not in PFsense. Use one package for http…another for https and a third for some other thing.

    The more packages one runs, the more vulnerable your system will be.



  • @canefield:

    What are you trying to put together? Combining packages like Varnish and Pound/Relayd, so just one product could do the job? Also based on host-headers? What is the estimate?

    That’s it. A Combining package for http/https publishing.
    I have no estimate yet because I’m busy with sarg and mailscanner quarantine tab.
    I’ll do this as soon as I have time to help sysadmins on this kind of configuration.

    Apache+modsecurity for example is a package that does http/https proxy with memcache. I do not use it on pfsense but you can get help on this forum to configure it.


  • Banned

    Thank you Marcello!

    That is something we have been asking for for a long time….and remember the detailed logging that TMG has, it needs to be equivalent in pfsense.

    Otherwise its useless.



  • @Supermule:

    Thats exactly why PFSense is not an option for TMG….

    All of this is included in TMG and not in PFsense. Use one package for http…another for https and a third for some other thing.

    The more packages one runs, the more vulnerable your system will be.

    Not a usefull post in any way. 😞
    If you do not have a wildcard applied to ISA to remove https and check headers, you can’t do this setup too.
    You are saying That keeping things easy on pfsense will make it as vunerable as ISA.

    Pfsense is for sure an excelent option for Microsoft. I use this way for years.



  • @Supermule:

    That is something we have been asking for for a long time….and remember the detailed logging that TMG has, it needs to be equivalent in pfsense.

    Otherwise its useless.

    Unbelievable!

    I’m saying that I want to help sysadmins and you think it will be useless if I can’t reach a billion dollar company software.


  • Banned

    Sorry mate….ISA is by far one of the most secure solutions out there…

    The underlying windows is the culprit regarding security and therefore its better of as a second layer firewall.

    I dont understand what you mean by wildcard…?



  • @Supermule:

    I dont understand what you mean by wildcard….?

    Ask microsoft support.

    You are looking like a troll.



  • Although there is some overlap between pfsense and TMG, they seem to cover quite different needs.

    pfsense is primarily a firewall, multiwan device, NAT, router (especially if Quagga is included in base system someday), VPN concentrator, DHCP/DNS, and, to a lesser extent (many 3rd party packages still need improvements), it can be an IDS/IPS, rev-proxy and proxy+web-filter.

    I’ve only had a cursory look at Microsoft’s TMG 2010, but is seems to be primarily a L7 web-filter (anti-malware etc), a proxy which is tightly integrated with AD, a reverse proxy, all with good reporting. I’ve also seen TMG sometimes being labeled as a router/firewall/NAT/VPN-server.

    Perhaps someone with intimate knowledge of TMG, who has tested it to its limits, can offer more insights about its actual strengths.



  • canefiled,

    This information may be usefull for you.

    http://forum.pfsense.org/index.php/topic,44735.msg249284.html#msg249284



  • Marcello,

    Thanks for your reply. Still I can not figure out how to configure my overall configuration in pfSense. Especially the host-header part with HTTP and HTTPS and the backup MX using Postfix. Somehow I’m not able to get it work.

    I suppose I will use M$ TMG 2010 instead for the time being. In the mean time I would appreciate it if you could help me with my overall configuration and needs to make TMG 2010 superfluous.

    I read several articles and tutorials, but none of them answered my question. I am looking for an alternative for Microsoft TMG 2010; formely MS ISA 2006. I read such good comments about pfSense I wanted to give it a try. I am struggling the overview and configuration with pfSense.

    Situation:

    • one external IP;
    • multiple servers
          - 2x MS TMG 2010 (FO & LB (Fail-over & Load-balanced))
          - 2x MS Exchange Edge (FO & LB); port 25
          - 2x Postfix (FO & LB; for fallback/backup MX) if Edge are offline; port 25
          - 3x MS RDP (FO & LB); port 3389
          - 3x MS IIS (FO & LB); port 80, 443
          - 2x MS SharePoint (FO & LB); port 80, 443, 987
          - 2x FTP (FO & LB); port 21
    • Wireless (multiple SSIDs)

    Future request:

    • VoIP

    With MS TMG 2010 it is easy to configure above configuration; everything works as it should be. Can above configuration been applied to pfSense? Furthermore I want to install/configure a HTTP and HTTPS accelerator (in- and outbound) and/or load-balancer, proxy (with AV-functionality), backup MX and a robust firewall and logging. Then I have got a corporate wireless network and a guest network. I want to split those by some kind of mechanism and authority-based.

    Is all of this possible? Can multiple pfSense configured to FO & LB? Can pfSense read host-header? Can it handle the above situation? What kind of system requirements is needed?

    I have seen so many kinds of packages, I really do not know which to choose in what matter.

    Regarding the future request; can anybody advise my about which system to choose referring to VoIP? Asterisk?

    I know it is a lot, but perhaps you can help me out here. It would be great when you have some ‘step-by-step’ tutorials available.

    Thanks in advance,
    Canefield


  • Banned

    @marcelloc:

    @Supermule:

    I dont understand what you mean by wildcard….?

    Thc for the kind words.

    Ask microsoft support.

    You are looking like a troll.



  • I use both pfSense and TMG since I have many requirements. Use pfSense for all your network level configuration (multiple interfaces, routing, NAT & port forwarding, VPN termination etc.).

    TMG is hands down superior for your publishing requirements. Your servers such as Exchange and IIS should have an application layer firewall such as TMG performing intrusion detection and Active Directory integrated access control. Without experience you will most likely fail to setup an equivalent linux protection layer since it requires complex configuration of several separate components. TMG can also provide authenticated internet access to LAN users using the TMG client and their internet rights are assigned according to their Windows login. This is far superior to an insecure by design captive portal.


Locked
 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy