At the end of last year, I started looking for a replacement for Forefront TMG and found some very interesting solutions:
- Part 1: KEMP Edge Security Pack
- Part 2: Sophos UTM 9.1
- Part 3: Windows Server 2012 R2 + ARR 2.5
- Part 4: Windows Server 2012 R2 + web application proxy
- Part 5: Debian 7 + HAProxy
Forefront TMG was/is of course more than a reverse proxy for Exchange. However, TMG was probably often used to publish Exchange web services on the Internet. I came up with the following evaluation criteria in advance:
- Upstream identification possible?
- Outlook Anywhere Support?
- Exchange 2013 support?
- Load balancing possible?
- How complex is the solution to implement?
There are not many evaluation criteria, but some of the solutions differ considerably. Here is a small table to give you an overview:
| | KEMP ESP | Sophos UTM | IIS+ARR | ADFS web proxy | Debian HAProxy |
|---|---|---|---|---|---|
| Implementation effort | low | low | low | high | low |
| Authentication | supported | not supported | not supported | supported | possible |
| Outlook Anywhere | supported | supported | supported | supported | possible |
| Exchange 2013 support | possible, but unattractive | supported | supported | partly | possible |
| Load balancing | supported | not supported | supported | not available | supported |
The implementation effort is of course somewhat subjective: if one of the solutions is already in use, for example UTM as a firewall or KEMP as a load balancer, then the implementation effort is low; otherwise things can of course become "somewhat" more complicated.
The evaluation in detail and the impressions:
KEMP Edge Security Pack
The KEMP ESP is easy to set up and meets all the criteria. In fact, I have also chosen KEMP as my favorite. Unfortunately, there is one small flaw: KEMP provides its own web form for requesting authentication information, and at the time of my test this was only available in the Exchange 2010 look, which does not fit Exchange 2013 at all. I think this will be, or perhaps already has been, changed. Otherwise there is nothing wrong with KEMP.
Sophos UTM 9.1
I expected more from the Sophos UTM. Unfortunately, UTM 9.1 doesn't really score well in any of the evaluation criteria. Although the WAF is quickly configured and works, the configuration options are very limited. As far as Exchange is concerned, Sophos does not live up to its advertising as a TMG replacement. Load balancing and upstream authentication do not work, but apparently Sophos wants to stay on the ball and deliver such features in UTM 9.2. So I'll give it another try. The beta version is already available, and authentication should also work there.
IIS+ARR
IIS and ARR are a simple way to publish Exchange on the Internet. If it were also possible to handle authentication directly at IIS/ARR, this would have become my favorite. Unfortunately, the options here are also severely limited; you do not replace TMG with it. For small environments ARR is certainly sufficient, and you can "beef it up" a bit, but the effort required to achieve a secure and highly available configuration with ARR is simply too high.
Web application proxy
To be honest, the web application proxy almost drove me crazy. So many components involved, so much configuration, and then something else doesn't work. Just thinking about where to look for everything in the event of an error... No thanks. Really... No...! Anyone who has read the HowTo will probably come to a similar decision; there are simply better and simpler solutions.
Debian and HAProxy
HAProxy works, does exactly what it is supposed to do and is lean and reliable to boot. I'm not a Linux pro, but I was still able to achieve my goal quickly. Big advantage: You can expand it as much as you like. Big disadvantage: Who do I call in the middle of the night if something doesn't work? But if you have Linux know-how, you should invest some time here.
The real breakthrough is still missing. That's why the conclusion is a little shorter than expected. I hope I can still get my hands on an F5 with APM, because it looks very promising. I will test KEMP and Sophos again at the beginning of March and see what has changed by then.
Comments are welcome.