Although Microsoft ended development of its widely used Forefront Threat Management Gateway (TMG) 2010 tools in April, many organisations are still grappling with the migration of a core security service that had become so irretrievably interwoven with network security that it has proved extremely difficult to remove.
Despite having more than two years' warning, the end of support for TMG – which, like Microsoft Windows Server 2003, reached end of life this year – created mass “confusion” amongst customers and partners of application-security firm KEMP Technologies, company director Benjamin Hodge told CSO Australia.
“It was a very well understood and implemented solution, and now that it's gone a lot of people don't really know how to design their application solutions,” Hodge explained.
“They have a lot of security policy built around these types of appliances, all of which depends on these capabilities. So, changing that one piece of infrastructure has a huge impact on other parts of the infrastructure. That's why it has been such a slow migration process.”
The degree of reliance on TMG had become a significant issue for organisations seeking not only to update their threat-management environment, but to expand its scope to handle ever-changing IT infrastructure requirements – driven by the extension of corporate networks beyond conventional boundaries through cloud and mobile investments – that directly challenge established policies and procedures.
Although Microsoft provided an upgrade path and plenty of advance notice about the discontinuation of the platform, Hodge said “quite a few distractions” throughout 2014 – including SSL-related issues due to vulnerabilities such as the Heartbleed bug – had delayed the necessary changes being made.
Although attention had returned to the migration in the lead-up to the transition, the magnitude of the task had become clear as IT teams worked to unravel the interdependencies that had evolved during years of TMG usage.
“A lot of people didn't realise what parts of TMG they were using,” Hodge explained, “so when they would say that they wanted to replace TMG it didn't really have any meaning until you found out exactly what they were using it for.”
“Many were using it in ways that it wasn't intended to be used,” he added, noting that “it had been coded for internal use, for example, and now they were trying to publish it externally. That's where a lot of people were struggling, and it seems to have hit a crisis point where it is now a major focus for a lot of organisations.”
Many organisations moving away from TMG were finding viable alternatives in cloud-based solutions, which are increasingly supported by a new breed of applications that deliver capabilities such as single sign-on and reverse proxying in different ways.
Organisations needed to be realistic about how long they could continue holding onto their old environments, Hodge advised – particularly as organisations pushed towards cloud applications through executive mandate but found that their underlying security infrastructure could no longer keep up.
“These kinds of business decisions are happening, but they're trying to be done in isolation without upgrading the underlying client system or infrastructure delivering it,” he explained. “That's really becoming a limiting factor in their ability to make decisions because they're creating a lot of maintenance overhead.”
“Mobile devices and client devices are changing rapidly – and if you've got this legacy infrastructure in between trying to connect the two, fairly soon you're going to hit the wall. From a stability or functionality perspective, it just won't work. It's really hit that crucial point where people just can't ignore it anymore.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.