A viable alternative to TMG / UAG
Web Application security, acceleration and authentication with DenyAll's DA-WAF
Whitepaper 08/17/2015
Summary
1. Introduction
1.1 What is TMG / UAG?
2. How can DenyAll DA-WAF Help
2.1 Based on reverse proxy technology
2.2 Security
2.2.1 Workflows
2.3 Pre-Authentication and Single Sign On (SSO)
2.4 Load Balancing
2.5 End-to-end Application Security
3. Conclusion
1. Introduction

1.1 What is TMG / UAG?

Microsoft recently announced the retirement of all its Forefront products, including the Threat Management Gateway (TMG) and the Unified Access Gateway (UAG). TMG is Windows-based software combining routing, firewall, antivirus, reverse-proxy and SSL-VPN features. The Unified Access Gateway (UAG) provides access to internal applications, for example via a portal page.

In many cases TMG is deployed as a reverse proxy and provides access to internal web assets like company websites, collaboration services such as SharePoint, or webmail such as Outlook Web Access. Besides simple reverse proxy functions, few application security features are available in TMG.

TMG Replacement v1 08/17/2015 3/7
2. How can DenyAll DA-WAF Help

A reverse proxy provides a central point of administration for access to multiple applications. Without such an approach, access must be configured and managed separately for each internal resource, such as Exchange or SharePoint.

DenyAll's proven web application firewall (WAF) solution is built on top of reverse proxy technology and can provide all of TMG's reverse proxy functions and more. It adds a lot of application security and acceleration features, offering a strategic point of control for deploying corporate applications across an organization.

2.1 Based on reverse proxy technology

All requests are terminated at the WAF level. SSL encryption is handled there and, if needed, traffic can also be encrypted towards the backends so that all traffic inside the network is encrypted.
2.2 Security

A lot of innovation has taken place in web application security since the early days, due to the very evolution of web application development languages and protocols and the fact that attackers have switched their attention to the application layer. Most WAF vendors only provide black and white listing functions, while DenyAll has invested a lot in alternative and complementary techniques.

2.2.1 Workflows

The workflow introduces a completely different way of configuring web application security. Instead of starting from a technical topic, as everyone does, the workflow configures a logical path through the application flow. The configuration is as easy as moving some bricks, decision bricks and flow arrows into the right position in a workflow. Using this easy-to-understand module, even administrators inexperienced in web security are able to configure a web application firewall to a high security standard.

2.3 Pre-Authentication and Single Sign On (SSO)

In order to move all administration from the application towards the application gateway or reverse proxy, it is mandatory to also move the authentication in front of the application. DenyAll's WAM Module offers a wide range of authentication mechanisms (X.509, LDAP, RADIUS, PostgreSQL / MySQL, Kerberos (intranet), OTP / SMS, Elcard, HTTP Basic, HTTP Form) to pre-authenticate clients. To replace a TMG / UAG, the built-in SSO solution using SAML 2.0 tokens is best practice for providing seamless access to other corporate applications.
2.4 Load Balancing

Microsoft's TMG was able to provide load balancing features. DenyAll's DA-WAF is also able to provide this functionality. Best-of-breed technology is integrated in a convenient graphical user interface that also enables non-security experts to implement load balancing mechanisms.

2.5 End-to-end Application Security

While a reverse proxy is normally deployed inside the internal network (or DMZ), DenyAll Connect can also extend the security to connecting endpoints. Its Client Shield technology can be seamlessly integrated into the client's response and provides browser security without the need for administrative rights.

3. Conclusion

DenyAll's DA-WAF fills the gap left by Microsoft's solutions and is a compelling alternative to the TMG / UAG that delivers a reverse proxy architecture, modern security engines, high availability and scalability. DA-WAF offers all mandatory features to grant secure access to internal applications.
Headquarters
6 avenue de la Cristallerie
92310 Sèvres - FRANCE
Tel: +33 (0)1 46 20 96 00
Fax: +33 (0)1 46 20 96 02
Email: info@denyall.com
www.denyall.com