Transitioning to Application Proxy from UAG and TMG

Many customers are asking us how to move from Forefront UAG and TMG to the new Application Proxies. We have written a whitepaper to describe this move. You can download this whitepaper from here.

Here is an excerpt from this whitepaper:

| TMG/UAG Functionality | Web Application Proxy (WAP) / Azure AD Application Proxy (AADAP) |
|---|---|
| Selective HTTP Publishing for Browser Apps | Available in WAP in Windows Server 2012 R2; available in AADAP today |
| ADFS Integration | Available in WAP in Windows Server 2012 R2; available in AADAP today via Azure AD |
| Rich Protocols Publishing (e.g., Citrix, Lync, RDG) | Available in WAP in Windows Server 2012 R2; partially available in AADAP today – will be enhanced |
| Preauthentication for ActiveSync (HTTP Basic) and RDG | Will be available in WAP in Windows Server vNext; will be coming to AADAP |
| | Use Intune / System Center for WAP; use AAD Access Panel or Office 365 App Launcher available for AADAP |
| Endpoint Health Detection | Use Intune / System Center |
| SSL Tunneling | Use Windows SSL-VPN capability |
| Layer 2/3 Firewall | Use Windows Server capabilities |
| Web Application Firewall | No current solution from Microsoft |
| Secure Web Gateway (Forward Proxy) | No current solution from Microsoft |

Comments (15)

  1. Shawn Harry says:

    Are there really that many customers making the switch from TMG/UAG to WAP? WAP is super basic in comparison to UAG & TMG with only a minuscule subset of the features of either. Granted it works very well with ADFS and is super light and easy to configure as a reverse proxy for Lync or Exchange. But if you need anything more than basic RP functionality WAP doesn’t really cut the mustard in my opinion.

  2. MeirM says:

    Shawn, we see many customers that move to our new solutions. TMG had a feature set that developed since the 1990s. Most of them are not relevant for today’s clients and servers. The question is not whether there are more features but if the business scenarios that you are looking for are available. We get lots of positive feedback on that. We see many customers publishing SharePoint, OWA and CRM via the new application proxy solutions.

  3. Anonymous says:

    Back in September 2012, we communicated broadly on Forefront product roadmap changes.

    At this

  4. Anonymous says:

    Just a quick FYI in case you missed it. The information below was posted to the Microsoft Application

  5. soder says:

    @ShawnHarry: did you seriously expect a proper answer from an MSFT employee?

    "developed since the ’90s" –> oh my god MeirM, sorry but I have to say that’s a BS excuse! TMG is one of the very few products (especially in the security arena) that meets the expectations, and considered quite stable. Why? Surprise: because it had at least 10 years to mature, and not re-written every 2nd year into a new product, that’s why!

    Guess what, Active Directory was developed since 1999, so following your logic do you want to obsolete that also? TCP/IP is in use since the ’70s, do you have something better than that? You guys in Redmond should be ordered to leave the fences of your campus every 2-3 months, and look around in the outside (real) world, because you guys locked in that company seem to be living in a parallel universe, gone far from the reality your consumers are living in.

  6. Anonymous says:

    As discussed in the following blog, the Forefront Threat Management Gateway (TMG) Web Protection Services

  7. Keith Alabaster says:

    @soder … many a word said in jest…. AD as we know it now has already been looked at and there are several comments starting to come out that a move from the traditional AD is on the cards. Whether that is just a move to Azure AD-type services or something more I don’t know.

  8. Alex C1 says:

    Who is the idiot at Microsoft that decided that TMG and UAG were worthy of the chopping block? All the organizations that I have deployed SharePoint and Exchange into required either TMG or UAG without exception. To not provide a suitable replacement is irresponsible and is causing many issues within the community that I work. To my knowledge, no TMG server when deployed within the community that I work was ever compromised. Why is Microsoft putting its customers at risk?

  9. Alex C1 says:

    I might add. We do Pre-Authentication, Two form-factor Authentication, Rely on Deep Application Inspection for securing SharePoint, Exchange and Web Applications. Not sure what exists out there that is comparable to TMG/UAG. Many of the deployments that we do are in remote parts of the world with small footprints use the majority of features of TMG and to a lesser extent UAG. TMG/UAG provides us with the most secure, feature rich solutions for accomplishing our mission.

  10. C M says:

    "TMG had a feature set that developed since the 1990s. Most of them are not relevant for today’s clients and servers". I am not sure what world this guy lives in. The one I live in has tons of clients and IT mad at Microsoft for dropping the ball on still the best Enterprise firewall out there (Even after Microsoft stopped adding new features years ago).

    I have seen people saying that Sophos UTM is TMG’s replacement. That thing doesn’t even run on Windows!

  11. Michael H says:

    For a TMG replacement try a pair of Kemp Technologies Load Master load balancers with the Edge Security pack.

  12. A lot of the companies we see are running into roadblocks piecing together UAG replacement solutions, involving multiple functional IT areas, and having to do custom development. Plus a lot of the new needs around global app delivery (optimization, CDN) and security (MFA) are add-ons that complicate deployment. Having all of this functionality rolled into a simple to deploy service like what delivers takes the pain out of the transition away from UAG/TMG.

  13. This has been discontinued, in my opinion, because they wanted everyone to move to 365 Azure in the Cloud. Why use a TMG on your network when you will authenticate through their presenter server and cloud. They would host all applications like Office 365. They were always moving in this direction. If they kept going with the TMG, many companies would still stay with the TMG host their own office applications and not move to the Cloud or at the least, the move to the cloud would take longer if everyone continued to use the TMG.

  14. Aaron Robison says:

    I’ve just stumbled upon the TAC gateway from PortSys. Anyone checked this out?

  15. Jean-Luc says:

    Will Microsoft provide a complete guide to publish Exchange/Sharepoint/Skype4B? WAP is a very interesting solution, when you can publish without “pass-through” rules…
    Best regards
