Microsoft TMG EOL – Replace with Citrix NetScaler

As you may already know, Microsoft has decided to mark its Forefront Threat Management Gateway (TMG – formerly ISA Server) product as end of life. Primary development on it stopped back in September of 2012 and mainstream support ended in April of 2015.

The Microsoft TMG product has been around since 1997 under a few different names – Microsoft Proxy Server, Microsoft ISA Server, and currently Forefront Threat Management Gateway. It provides multiple protections using forward\reverse proxy, filtering, inspection, firewall, virtual private network (VPN) endpoint, antivirus scanning, and caching technologies. It ran on a familiar Windows Server and was managed with an MMC console that was easy to use and looked similar to the System Center Consoles.

Forefront TMG was purpose-built to protect Microsoft applications – Exchange, SharePoint, Lync and Office – with built-in templates for the 2010 versions of these applications; protecting newer applications was possible, but required some manual configuration.

TMG End of Life – what now?

I once had a discussion (argument) with a customer about just how secure a Windows server in the demilitarized zone could really be – but that is neither here nor there – the point is that support has ended for the TMG product, and you really need to start thinking about replacing it in your environment. Unfortunately, Microsoft does not have a replacement product for TMG\ISA in its portfolio, so you will need to change vendors for this solution.

Citrix NetScaler

Citrix NetScaler is a purpose-built, hardened appliance that can replace all of the functionality of your existing ISA\TMG servers while also providing better security, more features and higher reliability.

Why NetScaler?

The NetScaler is commonly thought of as just a simple load balancer – and rightfully so – it started life as a TCP proxy and then a load balancer…so while it is really good at load balancing, it has come a long way in overall functionality. Some core features include:

  • URL Filtering – advanced policy and responder engine
  • Network and Malware Inspection – Application Firewall protects web applications with a hybrid model of signatures and learned behaviors
  • Caching – AppCache provides static and dynamic caching for web applications as well as databases
  • Routing and Remote Access – Static and dynamic routing; full SSL and clientless VPN functionality
  • Authentication – Robust AAA engine provides basic (401), forms, certificate, and SAML authentication
  • Traffic Management – Extensive TM engine for advanced, scalable and health-aware traffic management; dynamic content switching also available
  • Optimization and Acceleration – Features include SSL offload and acceleration via SoC, TCP multiplexing, HTTP caching and compression
  • Forward\Reverse Proxy – Native functionality including layer 7 processing with robust rewrite and responder engines
  • Ease of Management – Configure via web GUI or command line; configuration file is human readable; no complex scripting

Are you looking to deploy a specific application or technology behind a NetScaler? There are several “AppExpert Templates” that automatically configure the NetScaler using a guided wizard. Citrix also provides numerous deployment guides for several scenarios found here.

Is your ISA\TMG server part of an ‘array’ for high availability and centralized management? No problem! In fact, it’s vastly easier to configure high availability with NetScalers – and you don’t need an “Enterprise Management Server”. All configuration changes are made on the primary node and then automatically replicated to the HA partner – with the health of both nodes constantly being monitored.

A Word on Scalability – Citrix TriScale technology

With TMG, the only option for scaling the performance and availability of the solution was to use a Forefront TMG array – this was complex and costly as it required enterprise licensing and an additional EMS server. With NetScaler, you have some options – Scale Up, Scale Out and Scale In, better known as TriScale technology.

Scale Up – NetScaler uses “Pay-as-You-Grow” licensing, meaning that you can pay less now for an appliance that can accommodate more throughput and performance in the future without needing to buy any new hardware or reconfigure it

Scale Out – The NetScaler appliances can be clustered to work together – up to 32 appliances can work in concert to scale out beyond 3 Tbps in total capacity

Scale In – This technology allows multiple NetScaler and 3rd party network appliances to be virtualized on a secured multi-tenant platform

Where to go From Here

Now that you are ready to replace your TMG servers with NetScaler appliances, let’s discuss how to get started. You can try or demo the NetScaler right now without spending a single dollar. Next, decide on your deployment strategy – there are several NetScaler models available to suit your environment needs with total system throughput upwards of 140Gbps+. The “pay-as-you-grow” licensing model allows you to add additional throughput and performance at a later date due to expanding network requirements – all without replacing hardware. Contact your preferred Citrix Partner for further details.


NetScaler all Models Data Sheet –

NetScaler Deployment guides –

A comprehensive replacement for Microsoft Forefront Threat Management Gateway –

Exchange 2013 on NetScaler –

Sharepoint 2013 on NetScaler –

Lync 2013 on NetScaler –
