Project TMG to pfSense?

  • Hello,

I am a Windows admin for a 24/7 production environment with about 1200 users, currently with very little knowledge of other operating systems.

    Currently we are using a 2 node TMG cluster that does 'everything'.

    Since TMG is phased out by Microsoft we are looking for an alternative and I would like to gather some information if pfSense can be a valid alternative.

    The TMG servers are Virtual servers on ESX with 10Gbit connection to 6 VLans and gigabit internet connection.

    The TMG does:
    -All the routing between the Vlans (TMG is DGW for all the Vlans) with ACLs
    -ACLs are supporting protocols with dynamic ports like RPC
    -Firewalling between the Vlans
    -NAT to the internet IPv4
    -Publishing / reverse proxy of http as well as https (RDP over https, RPC over https, ..)
    -Publishing of secure websites that requires client certificate
    -Very easy real time connection troubleshooting.

    It does all of the above very well, but TMG is phased out by Microsoft and it will never have IPv6 support.

    We are looking for a new solution that can do all/some of the above:
    -Running as a VM on Hyper-V (we are phasing out ESX),
    -High Availability set-up.
    -Routing between 6 Vlans at 10Gbit speed with ACLs.
    -Internet connection with support for IPv6.
    -Publishing / reverse proxy of http as well as https
    -Publishing of secure websites that requires client certificate
    -Strong authentication solution for published websites (other than the mandatory client certificates)
    -Real time connection troubleshooting.

    Before I start doing a set-up in our lab environment, (and maybe seek for some extra support during set-up) I need to know if this can be accomplished using pfSense in a stable supported configuration?
    If we choose to go with pfSense can (paid) support be guaranteed to solve issues in a timely matter?

  • I did parts of it recently in my home/testenvironment.

    I don't have the same requirements as you do but I can help you with two of your questions

    It runs well on hyper-V (2012R2 in my case)
    It will publish HTTP/HTTPS even over NAT. (I do multiple URLs on one IP with Squid as reverse proxy.)

    The logging isn't as good as TMG. I do have logs but there is more to be done there before it reaches TMG levels.
    Another thing that is missing is TMG's External network object, resulting in more complex firewall rule sets.

    For you that ain't used to TMG this is MS definition of the External network object:
    The default External network is a dynamic network that includes all IP addresses not explicitly included in any other network. The network definition changes dynamically when other networks are defined and modified. It cannot be directly modified or deleted. The External network generally represents the Internet. By default, it has a NAT relationship with all other networks.

    The nice thing with this is that you can do an allow rule with Internal as source and external as destination without having to create block rules for any other interface/network in the machine.

    In TMG the best way to do this is to create a deny rule for the traffic going to all other internal/opt networks to filter out the traffic to those networks, and then create an Allow rule going anywhere. Since pfSense will use the first matching rule, it will only allow the correct traffic to pass.
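    To make the rule-ordering point above concrete, here is a small added simulation (not code from the thread or from pfSense) of first-match evaluation with constructed VLAN addresses. It compares a naive "pass LAN to any" rule, which silently also passes traffic into the other internal VLANs, with the deny-then-allow rule set the post describes, and with an emulated dynamic External object computed as "any address not in a defined network". The network names and addresses are assumptions for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample networks standing in for the VLANs discussed in the thread.
INTERNAL_NETS = {
    "LAN":    ip_network("10.10.0.0/24"),
    "VLAN20": ip_network("10.20.0.0/24"),
    "VLAN30": ip_network("10.30.0.0/24"),
    "DMZ":    ip_network("192.168.100.0/24"),
}


def is_external(dst: str) -> bool:
    """Emulate TMG's dynamic External object: every address that is not part of
    any explicitly defined network. Adding a network shrinks 'external' automatically."""
    return not any(ip_address(dst) in net for net in INTERNAL_NETS.values())


def matches(rule, src: str, dst: str) -> bool:
    """A rule is (action, source network name or 'any', destination spec).
    Destination spec is a network name, 'any', or the emulated 'external' object."""
    _action, rsrc, rdst = rule
    if rsrc != "any" and ip_address(src) not in INTERNAL_NETS[rsrc]:
        return False
    if rdst == "any":
        return True
    if rdst == "external":
        return is_external(dst)
    return ip_address(dst) in INTERNAL_NETS[rdst]


def evaluate(rules, src: str, dst: str) -> str:
    """First matching rule wins (pfSense evaluates top-down on the ingress interface);
    anything that matches no rule falls through to the implicit default deny."""
    for rule in rules:
        if matches(rule, src, dst):
            return rule[0]
    return "block"


# 1) Naive rule set: looks like "LAN to Internet" but also opens every other VLAN.
NAIVE = [("pass", "LAN", "any")]

# 2) The deny-then-allow pattern from the post: one explicit block per other
#    internal network, followed by the catch-all pass. Forgetting one block
#    rule here is exactly the mistake the External object prevents.
CORRECT = [("block", "LAN", name) for name in INTERNAL_NETS if name != "LAN"]
CORRECT.append(("pass", "LAN", "any"))

# 3) Same intent expressed with the emulated dynamic External object.
WITH_EXTERNAL = [("pass", "LAN", "external")]


def compare(src: str, dst: str) -> dict:
    """Return the verdict of each rule set for one constructed flow."""
    return {
        "naive": evaluate(NAIVE, src, dst),
        "deny_then_allow": evaluate(CORRECT, src, dst),
        "external_object": evaluate(WITH_EXTERNAL, src, dst),
    }


if __name__ == "__main__":
    for dst in ("192.168.100.10", "10.30.0.7", "203.0.113.7"):
        print(f"LAN host 10.10.0.5 -> {dst}: {compare('10.10.0.5', dst)}")
```

    Running it shows the naive set passing LAN traffic into the DMZ and VLAN30, while both the deny-then-allow set and the External-object set block those flows and still pass the Internet-bound one. The practical check on a real box is the same: after writing an allow-to-any rule, test a flow from that source to each other internal network, not just to the Internet.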

  • Can it do everything? Yes. As stated before, the backend reporting is a bit light IMO (it gets better with every rev). Paid support is state-side; there are no 6 levels of support… if it's more involved, you talk with the developers half the time.

  • I am eager to know how it goes (with pfSense or some other solution, as at some time I may have to do some work on our TMG).

  • Been busy lately so haven't checked forum for a while.

    Thank you for your replies.

    I am currently running in test in lab on 2012r2 and this seems to work if I install it as a Gen1.

    The interfaces I still need to get used to a bit, but I'm starting to get the hang of it.

    Inbound NAT rule wasn't difficult. Assigning the inbound NAT rule to another IP address than the default one was a bit more tricky.

    Regarding reverse proxy I am a bit confused with the versioning. In the pfSense packages I see there is a Squid version 4.3.10 and Squid3 beta 0.4.4 >> So Squid3 is a newer version of Squid 4.3?

    Squid (4.3.10) seems to lack the reverse proxy feature which is mandatory for us. (At least I cannot find it in the interface)
    The Squid3 version included seems to be still beta (0.4.4), and I don't know if it is wise to use a beta version in a production environment.

    Links of both packages are pointing to the exact same webpage:

    To make my confusion complete:
    In the Squid website I see latest stable release version 3.5 and 4.0 in Beta.  :-\

    If someone could clarify this that would be great ;)

    I'm playing around with the reverse proxying in Squid3 and currently fighting with certificates for https and host headers for http, but I think I'll be able to get it running.

    Also still looking for where I can see the detected (virtual) NIC speed pfSense is using on the interfaces.

  • I'm using pound as a very simple, yet really effective reverse proxy in pfSense. It doesn't have any pfSense-specific package, it can be installed as FreeBSD package (even on NanoBSD), and it's got one single config file to edit, which can be done with pfSense's web based file editor.

  • @robi:

    I'm using pound as a very simple, yet really effective reverse proxy in pfSense. It doesn't have any pfSense-specific package, it can be installed as FreeBSD package (even on NanoBSD), and it's got one single config file to edit, which can be done with pfSense's web based file editor.

    Thank you for the suggestion.

    I checked the website of Pound and it does seem to suit our needs. The only thing I cannot find is how to publish a website that requires a client certificate for strong authentication.

    The problem is that we really don't know anything about BSD / Linux itself. I would prefer to use everything as standard as possible, because when it comes to troubleshooting we need to be able to support it or have someone available who knows the product very well. (Internally we would like to build knowledge to administrator level, not expert level.)
    As soon as we add a third-party application it would make troubleshooting more complex, and finding someone with knowledge of pfSense in combination with additional products will be difficult (maybe something doesn't work anymore after a version update or a config change, ..).

    If you have the in-house knowledge it is probably a great solution.

    May I ask why you started to use Pound? What were the limitations of the built-in Squid reverse proxy that made you decide to go with Pound?

  • It's never too late to start learning.
    Looking at Windows 10 these days, I'd advise everyone to start considering open source alternatives for desktop. But that's another story.

    I never tried squid on pfsense, I played with it once on a Linux box, and I had two problems with it:

    • overcomplicated for my needs
    • fuzzy documentation

    As far as I can see in pfSense forums, most of the issues people have with squid here arise from these two problems, and it also seems to make the whole system less stable, and harder to keep up to date.

    Pound is a very easy and straightforward piece of software. It just does what it should and that's it - and that's exactly what I need, nothing more. I really wonder how come nobody made a package for it yet, I even considered once I should make one, but you know, making pfSense packages these days is a real pain in the ass.

    As for websites requiring client certificates for strong authentication - look for Apache, and forward them with Pound directly. I didn't do things like this yet, so I'm not aware of the details, but I guess it shouldn't be too difficult.
