Excellent feedback and arguments. Love it.
@ Peter (and others) – I Bing’d for “account lockout policies strong passphrase DoS”. The top link has a bunch of advice in this area. In fact, that Bing search turns up a lot of useful related links. Well worth a read.
@ Michel – if the attacker is smart enough to break into the DMZ, and if all your reverse proxy is doing is poking a hole back to the LAN, and delegating (re-using creds), you will have an attacker inside your LAN very soon thereafter…
@ Mike – yes, IIS is core. Not sure I agree it’s the most hacked web service on the planet, but let’s agree to disagree.
@ Jabagi – Get him to use Hello123! instead. Much stronger. I’m KIDDING.
@ Pmeijden – Good reason for having something in front of Exchange. If those are your absolute requirements, then you might find UAG or some other solution can help. You could also consider using IPsec, and authenticating the machine as well as the user… http://www.microsoft.com/en-us/download/details.aspx?id=23708
@ Freg – TMG was not discontinued because Exchange didn’t need it any more. The reasoning is discussed here - http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx . No evolving code is bug free; I discussed the need for keeping security patches and updates installed too. It’s a complete package, this security thing, not one single measure. Your other comments are fair, and are considerations one must take into account when deciding where the company sits on the sliding scale of skills/insurance I drew. Some are at one end, some at the other. One size does not fit all.
@ zumarek – Putting a domain-joined CAS in a DMZ is not at all the same as allowing TCP 443 all the way through. If the only window open from outside, through your router and load balancer, is TCP 443, that’s where your attacker is coming from (assuming he’s coming from outside… which, likely, he isn’t). So you can watch for him. Great news that some VPNs can provide granular access. It’s good to know it was acknowledged as a risk by at least one VPN vendor.
Appreciating the feedback, and the discussion.