Forefront TMG has now been discontinued and a replacement will have to be found sooner or later. There are now several manufacturers who are filling the gap left by Forefront TMG. I will test some promising solutions and publish a howto for each of them. Finally, there will be an article comparing the solutions and listing the pros and cons from my point of view. So much for the plan.
I have therefore created a standard test environment that I will use for all solutions. The test environment has a relatively simple structure:
There is a Windows Server 2012 R2 with the name DC1 on which the Domain Controller role and Outlook 2013 are installed. Exchange 2013 is also installed on Windows Server 2012 R2; the Exchange servers have the names EX1 and EX2. This is always the starting point for all solutions.
I defined a few evaluation criteria in advance in order to be able to draw a conclusion later. Mind you, these are my own criteria, which probably say little about the quality of the individual products. But more on that later.
This article is about Sophos UTM 9.1, which Sophos sells as a complete firewall solution. However, since this article is only about a TMG replacement with regard to Exchange, I am not interested in VPN, firewall, routing, etc. Sophos calls the interesting feature "Web Application Firewall (WAF)". Here too, the manufacturer advertises it as a replacement for TMG:
http://www.sophos.com/de-de/products/unified/utm/tmg-replacement.aspx
So I have the Home version of the UTM and have expanded my test environment again.
Once the UTM is up and running, you can start configuring the WAF. The WAF can be found under "Webserver Protection" -> "Web Application Firewall".
First, the "real servers" must be created, i.e. EX1 and EX2, both in the same way:
As soon as this is done, it should look like this:
Next, a new "Firewall Profile" is required. (Addendum: at least that's how it works for now; as soon as I select additional options, OWA stops working in my test environment. I still need to clarify how this works...)
Now a "Virtual Webserver" is required. At this point I have to mention that I don't care much about certificates, at least in my test environment, so I select the WebAdmin certificate. Of course, this causes an infinite number of warnings, but it has the advantage that I can easily distinguish between Sophos UTM certificates and Exchange certificates. In my test environment, I have deliberately opted for this.
The virtual web server must also be activated.
The web application firewall can now be activated on the "Global" tab.
So far so good, the test with OWA works:
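Once the virtual web server is active, the OWA test in the post is a browser check by eye. The following script is an added example, not from the original post and not Sophos or Exchange tooling, that repeats that check in a reproducible way: it fetches the certificate the UTM presents on the published host name and compares its SHA-256 fingerprint against the certificates you expect (the UTM WebAdmin certificate chosen in the post versus the Exchange certificate), and it sends one request to /owa and classifies the answer. The host name and both fingerprints are placeholders you have to replace with values from your own environment.

```python
"""Added example: verify an OWA publishing rule on a Sophos UTM WAF.

Assumptions (not from the original post): PUBLISHED_HOST is the name the
"Virtual Webserver" listens on, and EXPECTED_FINGERPRINTS holds the SHA-256
fingerprints of the UTM WebAdmin certificate and the Exchange certificate.
All three values below are constructed placeholders.
"""
import hashlib
import socket
import ssl
import sys
import urllib.error
import urllib.request
from typing import Optional

PUBLISHED_HOST = "mail.example.test"            # placeholder
EXPECTED_FINGERPRINTS = {
    "utm-webadmin": "00" * 32,                  # placeholder fingerprint
    "exchange": "11" * 32,                      # placeholder fingerprint
}


def fingerprint_der(der_bytes: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def classify_fingerprint(fp: str, expected=EXPECTED_FINGERPRINTS) -> str:
    """Name the component whose certificate matches fp, or 'unknown'."""
    for name, known in expected.items():
        if fp.lower() == known.lower():
            return name
    return "unknown"


def fetch_edge_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER certificate presented by the TLS endpoint.

    Verification is disabled on purpose: a self-signed WebAdmin certificate
    would otherwise abort the handshake before it can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def evaluate_owa_response(status: int, location: Optional[str]) -> str:
    """Map the HTTP answer for /owa onto a test verdict."""
    if status == 200:
        return "ok"
    if 300 <= status < 400 and location and "/owa" in location.lower():
        return "ok"                 # unauthenticated client sent to the logon form
    if status in (401, 403):
        return "blocked"            # WAF rule or authentication refused the request
    if status >= 500:
        return "backend-error"      # real server unreachable or failing
    return "unexpected"


def probe_owa(host: str, timeout: float = 5.0) -> str:
    """Send one GET to https://host/owa without following redirects."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None             # turn 3xx into an HTTPError we can inspect

    opener = urllib.request.build_opener(NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(f"https://{host}/owa", timeout=timeout) as resp:
            return evaluate_owa_response(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        return evaluate_owa_response(err.code, err.headers.get("Location"))
    except (urllib.error.URLError, OSError):
        return "unreachable"


def main(host: str) -> None:
    try:
        fp = fingerprint_der(fetch_edge_certificate(host))
        print(f"edge certificate {fp} -> {classify_fingerprint(fp)}")
    except OSError as err:
        print(f"TLS handshake failed: {err}")
    print(f"/owa -> {probe_owa(host)}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else PUBLISHED_HOST)
```

Run it as `python check_owa_waf.py mail.example.test`. A verdict of "ok" with the certificate classified as "utm-webadmin" is exactly the state the post describes; "exchange" at the edge would mean the request is not being terminated by the UTM at all, and "blocked" is the symptom to look for when the addendum's extra firewall-profile options break OWA.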
I'm surprised that was easy, at least up to here, but there are still some questions that I need to clarify with a specialist. I may have to revise this article again. Until then, I'll maintain my table and experiment a bit.