At the end of last year, I started looking for a replacement for Forefront TMG and found some very interesting solutions:
- Part 1: KEMP Edge Security Pack
- Part 2: Sophos UTM 9.1
- Part 3: Windows Server 2012 R2 + ARR 2.5
- Part 4: Windows Server 2012 R2 + web application proxy
- Part 5: Debian 7 + HAProxy
Forefront TMG was/is of course more than a reverse proxy for Exchange. However, TMG was probably often used to publish Exchange web services on the Internet. I came up with the following evaluation criteria in advance:
- Upstream identification possible?
- Outlook Anywhere Support?
- Exchange 2013 support?
- Load balancing possible?
- How complex is the solution to implement?
There are not many evaluation criteria, but some of the solutions differ considerably. Here is a small table to give you an overview:
| KEMP ESP | Sophos UTM | IIS+AAR | ADFS web proxy | Debian HAProxy | |
| Expenditure | low | low | low | high | low |
| Authentication | Supports | not supported | not supported | Supports | possible |
| Outlook Anywhere | Supports | Supports | Supports | Supports | possible |
| Exchange 2013 Support | Possible, but unattractive | Supports | Supports | Partly | possible |
| Load balancing | Supports | not supported | Supports | not available | Supports |
The implementation effort is of course somewhat subjective, if one of the solutions is already in use, for example UTM as a firewall or KEMP as a load balancer, then the implementation effort is low, otherwise it can of course be "somewhat" more complicated.
The evaluation in detail and the impressions:
KEMP Edge Security Pack
The Kemp ESP is easy to set up and meets all the criteria. In fact, I have also chosen Kemp as my favorite. Unfortunately, there is one small flaw: Kemp provides its own web form for requesting authentication information. Unfortunately, at the time of my test, this was only available in the Exchange 2010 look. Unfortunately, this does not fit Exchange 2013 at all, but I think it will, or perhaps already has, been changed. Otherwise there is nothing wrong with Kemp.
Sophos UTM 9.1
I expected more from the Sophos UTM. Unfortunately, the UTM 9.1 doesn't really score well in any of the evaluation criteria. Although the WAF is configured quickly and it works, the configuration options are unfortunately very limited. Sophos does not live up to its advertising as a TMG replacement in terms of Exchange. Load balancing and upstream authentication do not work, but apparently Sophos wants to stay on the ball and deliver such features in UTM 9.2. So I'll give it another try. The beta version is already available, and authentication should also work.
IIS+AAR
IIS and AAR are an easy way to publish Exchange on the Internet. If it were now possible to do the authentication directly on the IIS/AAR, then it would have become my favorite. Unfortunately, the possibilities here are also very limited, TMG cannot be replaced. AAR is certainly sufficient for small environments and can be "drilled down" a little, but to enable a secure and highly available configuration with AAR, the effort is too high.
Web application proxy
To be honest, the web application proxy almost drove me crazy. So many components involved, so much configuration and then something doesn't work again. Just thinking about where to look for everything in the event of an error... No thanks. Really... No...! Anyone who has read the KnowTo will probably make a similar decision, there are simply better and simpler solutions.
Debian and HAProxy
HAProxy works, does exactly what it is supposed to do and is lean and reliable to boot. I'm not a Linux pro, but I was still able to achieve my goal quickly. Big advantage: You can expand it as much as you like. Big disadvantage: Who do I call in the middle of the night if something doesn't work? But if you have Linux know-how, you should invest some time here.
The real breakthrough is still missing. That's why the conclusion is a little shorter than expected. I hope that I can still get my hands on F5 with the APM, because it looks very promising. I will test KEMP and Sophos again at the beginning of March and see what has changed by then.
Comments are welcome 
Hallo Frank,
auch mich würde intersssieren, ob Du Deine Tests fortgesetzt hast und wie Deine heutige Einschätzung aussieht. Ich betreibe aktuell noch einen TMG2010 zur Exchange-Veröffentlichung (very small home office :-)) und denke nun doch intensiver an eine Ablösung.
Viele Grüße,
Christian
Hallo Frank,
ist ja ein bisschen Zeit vergangen und die Produkte haben sich ja weiter entwickelt.
Wer ist Dein Favorit geworden ?
Guten Tag,
genialer Artikel! Genau das was ich suchte.
Gibt es schon Erfahrungswerte mit der F5 bzw dem Update der Sophos?
Gruß Alexander Wild
Hi Frank,
ich hab gerade die Sophos UTM getestet und würde mich darüber gerne kurz mit dir austauschen da ich in meiner kurzen Tests zu etwas anderen Ergebnissen bekommen bin :-)
Hi Frank,
vielen Dank für deine Tests. Ich habe mir erhofft, dass der Webanwendungsproxy ein Volltreffer wird. Leider kann ich deine Erfahrung teilen. Wir haben gerade als dein Beitrag erschien, ein bisschen getestet und zufrieden war keiner.
Du könntest du dir noch Squid anschauen. Wir fangen nächste Woche mit ein paar Tests an.