Do I use Forefront TMG or Forefront UAG for reverse proxy publishing for Exchange 2010?

I get asked this quite a quite a bit and I couldn’t find a consistent answer. My colleague, Steve Scholz, provided me this useful feature matrix as when to use UAG for publishing Exchange 2010 and when to use TMG:


To summarize, either UAG or TMG will provide reverse proxy publishing for Exchange 2010.  The only differences are specific features are lit up with TMG and UAG.  For example, if you need client cert based auth go with TMG but if you are worried about OWA leaving residue on public machines you will have to go with UAG.




Both UAG and TMG leverage the same protocols, same certificates, and similar publishing approaches.


Here is a whitepaper explaining UAG vs. TMG options with further details:

Comments (2)

  1. markga says:


    Thanks. I didn't mention Lync in this scenario only Exchange 2010.

  2. says:

    acutally this is not 100% accurate

    Here is the official ms word on this issue…/ee522953.aspx

    In here is spefically states that uag even with tmg installed on top of it will not work as an outbound proxy..

    This breaks federation slide downloads..

    (assumming uag is the only proxy in the enterprise solution)…

    this also breaks the proxy scenario where a user in company a signs into domain B (discovers their proxy using wpad) and then connects over 8080 to the outbound proxy (uag doesnt support this either)..

    I heard from another person i work with that uag also doesnt do ssl termination and port translation like tmg does ssl bridging with port mapping(i need to verify this) of course..

    So i would Never recommend UAG for Lync or Ocs 2007 Gold, Ocs 2007 R2

    Even without verify the ssl part as it breaks 2 of my 3 mainline scenarios

    James D Cila

Skip to main content