Further details and guidance regarding discontinuation of TMG Web Protection Services

As discussed in the following blog, the Forefront Threat Management Gateway (TMG) Web Protection Services will be discontinued on December 31st, 2015:-

http://blogs.technet.com/b/applicationproxyblog/archive/2015/11/02/important-reminder-for-forefront-threat-management-gateway-tmg-web-protection-services-customers.aspx

We wanted to provide some additional details on what this will affect and recommendations on actions you should be taking.

The services that will be affected by this are:-

- URL Categorization
- Malware Inspection

Importantly, the Microsoft Reputation Services (MRS), which supports URL Filtering, will be turned off on or shortly after 31st December 2015.

To avoid service-impacting issues due to these services no longer being available, or incorrect rule processing where rules rely on URL Categorization categories, we would strongly advise customers to review and amend their TMG configurations as follows:-

- Review and amend any rules based on URL Categorization categories in your TMG policy

Any Allow and Deny rules that currently use URL Categories or URL Category Sets must be changed to remove the usage of URL filtering categories.

Using URL Sets or Domain Name Sets may provide limited replacement functionality. You may also want to consider a third-party URL filtering plug-in or an upstream proxy service to provide replacement URL filtering functionality.

Note - If you have rules that use URL Filtering to allow traffic, HTTP traffic can be totally blocked after the service shutdown. Equally, if you use URL Filtering to block access to certain categories, these may be allowed after the change. There is also a possibility that performance issues will be seen if URL Filtering is left enabled after the MRS service is taken offline.

- Disable URL Filtering

After amending your TMG policy, ensure that you then disable URL Filtering. This can be done in the TMG Management Console, in the Web Access Policy node, by selecting URL Filtering and unchecking the “Enable URL Filtering” check-box. This is essential to avoid TMG trying to contact the MRS services after they go offline.

- Malware Inspection may continue to work but would not receive updated signatures

We would recommend implementing an alternative Anti-Virus solution and disabling Malware Inspection once this is in place.

As noted in the previous blog, Forefront Threat Management Gateway 2010 remains under extended support until April 14, 2020.

For details on moving from TMG to our new web publishing solutions please visit this URL:

http://blogs.technet.com/b/applicationproxyblog/archive/2015/07/02/transitioning-to-application-proxy-from-uag-and-tmg.aspx

Some Frequently Asked Questions we’ve had regarding the change are:-

Q1. Is it possible to use the MRS Cache to continue to benefit from URL Filtering after 31st December 2015?

A1. No, the MRS cache is a temporary in-memory cache of the latest lookups intended to provide internal efficiency optimizations. It does not provide a full offline cache and cannot be used for this purpose. There is no mechanism to have an offline database.

Q2. Is it possible to extend our usage of Forefront Threat Management Gateway (TMG) Web Protection Services past 31st December 2015?

A2. No, this is not possible. These dates were announced in September 2012 in order to provide sufficient time for alternative solutions to be deployed.

For the original announcement of the Forefront product roadmap changes please refer to the following URL:

http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx

Comments

  • Anonymous
    January 04, 2016
    Malware Inspection definition updates are still being updated on 05/01/2016?