
Author Topic: Alternative for MS TMG 2010 = pfSense ???  (Read 24391 times)


canefield
Alternative for MS TMG 2010 = pfSense ???
« on: March 08, 2012, 05:24:49 am »
Dear all,

I read several articles and tutorials, but none of them answered my question. I am looking for an alternative to Microsoft TMG 2010, formerly MS ISA 2006. I read such good comments about pfSense that I wanted to give it a try. I am struggling with the overview and configuration of pfSense.

Situation:
 - one external IP;
 - multiple servers
    - 2x MS TMG 2010 (FO & LB (Fail-over & Load-balanced))
    - 2x MS Exchange Edge (FO & LB); port 25
    - 2x Postfix (FO & LB) if Edge are offline; port 25
    - 3x MS RDP (FO & LB); port 3389
    - 3x MS IIS (FO & LB); port 80, 443
    - 2x MS SharePoint (FO & LB); port 80, 443, 987
    - 2x FTP (FO & LB); port 21
 - Wireless (multiple SSIDs)

Future request:
 - VoIP

With MS TMG 2010 it is easy to configure the above setup; everything works as it should. Can the above configuration be applied to pfSense? Furthermore I want to install/configure an HTTP and HTTPS accelerator (in- and outbound) and/or load balancer, a proxy (with AV functionality), a backup MX and a robust firewall with logging. Then I have a corporate wireless network and a guest network. I want to split those by some kind of mechanism, authority-based.

Is all of this possible? Can multiple pfSense boxes be configured for FO & LB? Can pfSense read the host header? Can it handle the above situation? What kind of system requirements are needed?

I have seen so many kinds of packages, I really do not know which to choose in what matter.

Regarding the future request: can anybody advise me about which system to choose for VoIP? Asterisk?

I know it is a lot, but perhaps you can help me out here. It would be great if you have some 'step-by-step' tutorials available.


Thanks in advance,
Canefield

canefield
Re: Alternative for MS TMG 2010 = pfSense ???
« Reply #1 on: March 08, 2012, 05:48:36 am »
In addition to the above: I already installed and configured pfSense successfully and played with several packages like Snort, Varnish, squid, squidGuard, squid-reverse, Dansguardian, HAVP, Postfix Forwarder and more, but I do not know what to choose, what to install, or how to configure it for my situation.

canefield
Re: Alternative for MS TMG 2010 = pfSense ???
« Reply #2 on: March 10, 2012, 02:11:05 pm »
Anybody? Please help me out here... I want to use this free/open source solution instead of commercial software.

Thanks for your time and effort; I appreciate it,
Canefield

dhatz
Re: Alternative for MS TMG 2010 = pfSense ???
« Reply #3 on: March 10, 2012, 02:29:20 pm »
pfsense in its base configuration is first and foremost a firewall/router with advanced functionality such as traffic shaping.

From a quick look at your requirements, much of what you want can be achieved using a combination of 3rd party reverse-proxy software (namely varnish & haproxy), which can also be installed on pfsense itself, and are available as separate packages.

As a starting point, I would suggest that you get another external IP, setup a pfsense box in front of TMG and start moving certain services (e.g. http, then https etc)

canefield
Re: Alternative for MS TMG 2010 = pfSense ???
« Reply #4 on: March 11, 2012, 10:49:47 am »
Hi there,

I do not have the possibility to add/purchase another external IP. I had hoped to in my case, but unfortunately not.

I thought of using the following packages:
 - Snort as (additional) Firewall (IDS/IPS)
 - Squid-Reverse + SquidGuard (reverse-proxy; web performance HTTP/HTTPS)
 - HAVP (mean proxy for antivirus)
What (reverse) proxy should I use? Are you suggesting others? Why?

Moreover I want to:
 - accelerate/boost my in- and outbound web requests
 - servicing multiple servers behind NAT
These issues are still very vague for me.

So you are indicating that my wishes are possible with pfSense? Could you give me more advice about the packages I should use? I really do not have a clue which package to use. Which system requirements?
Is there some kind of tutorial out there?

Honestly, it disappoints me how few comments I get in this discussion. Would it not be great if pfSense could do the job instead of other commercial software? This should enthuse all the people on this forum, shouldn't it? Let pfSense rule the world (especially in what it can do).


Thanks in advance,
Canefield
« Last Edit: March 11, 2012, 11:01:05 am by canefield »

Supermule
Re: Alternative for MS TMG 2010 = pfSense ???
« Reply #5 on: March 11, 2012, 01:34:08 pm »
I have TMG with a PFSense router/firewall in front.

TMG has L7 and is much easier to set up than all the 3rd party software in pfSense. If anything doesn't work, it's difficult to see what the reason for it is.

Furthermore the logging in TMG is much nicer. Keep the TMG.

I am running 1.2.3 since performance has deteriorated and NAT reflection is broken in all the 2.0 releases I have tried.
Kind regards Brian


canefield
Re: Alternative for MS TMG 2010 = pfSense ???
« Reply #6 on: March 11, 2012, 03:12:56 pm »
Hi,

Thanks for your reply... but really I only want to use pfSense.
Does anybody have any other ideas? How to set up and configure this scenario with pfSense only?

KR,
Canefield

dhatz
Re: Alternative for MS TMG 2010 = pfSense ???
« Reply #7 on: March 12, 2012, 08:57:03 am »
> I am running 1.2.3 since performance has deteriorated and NAT reflection is broken in all the 2.0 releases I have tried.

Strange that you say that you find 1.2.3 better than 2.x, which is based on a newer FreeBSD version, with updated kernel, NIC drivers etc.

Also, while pfsense's NAT reflection may have problems (in fact it doesn't work at all with UDP), there are very few situations where one really has to resort to using NAT Reflection instead of some alternative like split-DNS.

marcelloc
Re: Alternative for MS TMG 2010 = pfSense ???
« Reply #8 on: March 12, 2012, 10:32:45 am »
> I have TMG with a PFSense router/firewall in front.
>
> TMG has L7 and is much easier to setup than all the 3rd party software in PFSense. If anything doesnt work, its difficult to see what is the reason for it.
>
> Furthermore the logging in TMG is much nicer. Keep the TMG.
>
> I am running 1.2.3 since performance has deteriorated and NAT reflection is broken in all the 2.0 releases I have tried.

Supermule,

Not trying to be offensive, and sorry if it sounds like it, but why do you keep trying pfSense when you prefer and recommend TMG to every user on this forum?


canefield,

This setup can be done with pfSense; it will need some extra packages to reach the best config and performance.

The TCP services you want to balance can be done using the built-in load balancer in the Services menu.

squid + squidguard + havp, as well as squid + dansguardian, can do proxy with antivirus for internet access.

haproxy will be almost as easy to configure as the built-in load balance service and will do TCP, HTTP and HTTPS balancing/failover.

The hardware will depend on the throughput you need, but with all these features I suggest at least a Core 2 Duo + 4 GB RAM + fast disk + the amd64 version.

The Postfix forwarder + mailscanner packages can do a really good job of protecting your Exchange server from the internet and can also be configured to relay outbound messages from Exchange.

Another suggestion:
Use the custom install setup to create /usr and /var filesystems with softupdates; this will increase your disk performance (important for cache and spam filtering).


att,
Marcello Coutinho
« Last Edit: March 12, 2012, 10:35:07 am by marcelloc »
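To make the haproxy part of the answer concrete, here is an added example configuration that is not from this thread or from the pfSense haproxy package itself. It maps the original poster's list (one public IP, 3x IIS and 2x SharePoint on 80/443, 2x Exchange Edge with 2x Postfix as backup MX on 25, 3x RDP on 3389) onto HAProxy sections, and answers the host-header question: in HTTP mode HAProxy routes on the Host header, and for HTTPS without terminating TLS it can route on the SNI name instead. It assumes HAProxy 1.5 or newer syntax (the SNI matching is not available in the 1.4-based package of 2012); the hostnames, the 192.0.2.x addresses and the health-check hello name are placeholders.

```haproxy
global
    log /dev/log local0
    maxconn 4096

defaults
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# HTTP on the single public IP: pick the backend from the Host header,
# which is what "can pfSense read host-header?" comes down to.
frontend fe_http
    bind *:80
    mode http
    option httplog
    option forwardfor                     # X-Forwarded-For carries the real client IP
    acl host_sharepoint hdr(host) -i sharepoint.example.com
    use_backend be_sharepoint if host_sharepoint
    default_backend be_iis

backend be_iis
    mode http
    balance roundrobin
    option httpchk GET / HTTP/1.0
    server iis1 192.0.2.11:80 check
    server iis2 192.0.2.12:80 check
    server iis3 192.0.2.13:80 check

backend be_sharepoint
    mode http
    balance roundrobin
    cookie SRV insert indirect nocache    # sticky sessions for SharePoint
    option httpchk GET / HTTP/1.0
    server sp1 192.0.2.21:80 check cookie sp1
    server sp2 192.0.2.22:80 check cookie sp2

# HTTPS: no TLS termination on the firewall, so the Host header is not visible.
# Peek at the TLS ClientHello and route on the SNI name instead (HAProxy 1.5+).
frontend fe_https
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend be_sharepoint_tls if { req.ssl_sni -i sharepoint.example.com }
    default_backend be_iis_tls

backend be_iis_tls
    mode tcp
    balance source                        # same client -> same node, without decrypting
    server iis1 192.0.2.11:443 check
    server iis2 192.0.2.12:443 check
    server iis3 192.0.2.13:443 check

backend be_sharepoint_tls
    mode tcp
    balance source
    server sp1 192.0.2.21:443 check
    server sp2 192.0.2.22:443 check

# SMTP: both Edge nodes share the load; Postfix is marked "backup", so it is
# only used when every Edge server fails its health check (the backup-MX case).
listen smtp
    bind *:25
    mode tcp
    balance roundrobin
    option smtpchk HELO fw.example.com
    server edge1 192.0.2.31:25 check
    server edge2 192.0.2.32:25 check
    server pf1   192.0.2.41:25 check backup
    server pf2   192.0.2.42:25 check backup

# RDP: plain TCP balancing; stick on source address so a reconnect
# returns to the host that still holds the user's session.
listen rdp
    bind *:3389
    mode tcp
    balance source
    server rdp1 192.0.2.51:3389 check
    server rdp2 192.0.2.52:3389 check
    server rdp3 192.0.2.53:3389 check
```

Two things this example deliberately leaves out. Everything proxied through HAProxy reaches the backend with the firewall's address as the source; for HTTP the X-Forwarded-For header compensates (if IIS is configured to log it), but on port 25 the Edge and Postfix anti-spam checks (RBL lookups, rate limits, IP allow lists) then see only the firewall, so the built-in load balancer mentioned above, which redirects at the packet level and keeps the client address, is the better fit for SMTP. FTP is absent because its data channel negotiates separate ports that a TCP proxy cannot follow; a plain port forward, or replacing it with SFTP, avoids that.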

Supermule
Re: Alternative for MS TMG 2010 = pfSense ???
« Reply #9 on: March 12, 2012, 10:48:06 am »
Hey Marcello :) I like TMG for the things it does....

It's all about user friendliness, and I love pfSense. Have been using it since it broke off from m0n0wall.

I don't like the 2.01 release since it needs a lot of moving around in the tabs to configure very simple tasks.

TMG has a very useful, intuitive user interface, and if you set it up as a proxy then you won't have to dig around to configure things... it is right there in the tabs when publishing a server. It changes depending on what you want to publish, but you don't have to change anything in the basic setup every time. It is very easy to see if the thing you are doing is working. It has a test rule button that gives you detailed information about what could be wrong, and you don't have to search 3 different packages to watch the logs.

I only use pfSense as a frontend, since the only thing it does is NAT to ISA. The 2.01 release was not stable enough and basic things were broken, so for me 1.2.3 was the best option available.
Kind regards Brian


dhatz
Re: Alternative for MS TMG 2010 = pfSense ???
« Reply #10 on: March 12, 2012, 11:32:18 am »
> the 2.01 was not stable enough and basic things were broken

I'm sure the developers would appreciate receiving detailed bug reports.

Supermule
Re: Alternative for MS TMG 2010 = pfSense ???
« Reply #11 on: March 12, 2012, 11:40:49 am »
I posted most of the finds on redmine....
Kind regards Brian


marcelloc
Re: Alternative for MS TMG 2010 = pfSense ???
« Reply #12 on: March 12, 2012, 02:11:25 pm »
> I only use PFSense as a frontend since the only thing it does, is NAT to ISA. the 2.01 was not stable enough and basic things were broken so for me 1.2.3 was the best option available.

ISA/TMG is easy but not good enough to stay on the internet? Just like the old M$ Proxy 2.0? Good to know. :)

I've never trusted microsoft with real ip, this is just one more example.

Supermule
Re: Alternative for MS TMG 2010 = pfSense ???
« Reply #13 on: March 12, 2012, 02:31:00 pm »
HAHAHAHA, it depends on how you configure it. It can easily act as a frontend. I chose pfSense instead because of the minimal footprint and because it ran on bare metal at the time.

Since ISA resides on Windows Server, I didn't want to use it because of Windows and its complexity.

It is bloody good as a proxy/L7 firewall and that is what I use it for.
Kind regards Brian


dhatz
Re: Alternative for MS TMG 2010 = pfSense ???
« Reply #14 on: March 12, 2012, 02:35:00 pm »
I think TMG's main advantage is its tight integration with AD.