What’s the Difference Between Unified Access Gateway (UAG) and Threat Management Gateway (TMG)?

There are some major differences between Microsoft Threat Management Gateway (TMG) and Microsoft Unified Access Gateway (UAG). The two products are completely distinct and do not share any code. However, if you install UAG, it will automatically install TMG and if you remove UAG it will automatically uninstall TMG. So they are definitely linked in certain ways. TMG can be installed on Standard, Enterprise or Datacenter editions of Windows Server 2008 SP2 or R2. UAG can be installed on Windows Server 2008 R2 (Standard or Enterprise).

TMG is a software firewall. Unfortunately, it will go away in future as Microsoft doesn’t seem to have any plans for its renewal. However, it will be supported until April 14, 2015 and won’t completely disappear from the scene until April 14, 2020. UAG is also going to be a dead duck. I would love to see Microsoft sell these Forefront products to another company that can turn them into a more useful solution, rather than making them disappear altogether.

The following are some highlights to give you some insight on both these products. This is not a comprehensive list by any means. It’s just something to help you figure out which product might be the right choice for you.

TMG (Threat Management Gateway)

UAG (Unified Access Gateway)

Replacement for ISA (Internet Security and Acceleration) Server 2006 that serves as a firewall Replacement for IAG (Intelligent Application Gateway) that serves as a remote access solution for applications
Primarily meant to be a firewall solution for internal network Does not offer a firewall solution but installs TMG, which is used as a firewall for UAG local host (not for internal network) and allows you to only publish SMTP server
Supports inbound and outbound access (firewall or forward proxy) Does not support outbound access
Supports forward-proxy Does not support forward-proxy
Supports reverse-proxy Supports reverse-proxy but because of some limitations TMG is considered a better reverse-proxy solution for certain situations
Can be used to publish internal resources to the outside world Better for publishing internal resources than TMG because it can publish multiple applications on a single IP address using the UAG portal, which is essentially one URL that gives users access to all published applications on internal network
Can be used for VPN connections Can be used for VPN connections
Supports PPTP and L2TP VPNs Does not support PPTP and L2TP VPNs
Much simpler to configure than UAG (keep in mind they serve different purposes), especially if upgrading from ISA Server 2006 because it may take just a few minutes to configure by simply exporting ISA Server 2006 configuration and importing it in TMG Complicated to configure than TMG (keep in mind they serve different purposes) because it can possibly take months to configure UAG properly
Does not include an advanced end-point mechanism similar to Network Access Protection (NAP) Includes an advanced end-point mechanism which is similar to Network Access Protection (NAP) where you can control access to your network by setting rules, such as restricting connections only to clients that have a certain operating system and anti-virus software installed
Licensing is per processor Licensing is per Client Access License (CAL)

For more information check out this article on TechNet.

Copyright ©2012 Zubair Alexander. All rights reserved.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comment spam protected by SpamBam

Spam Protection by WP-SpamFree