Assuming TMG doesn't block whatever URL is in this hypothetical 0-day, then it's added no value really as it gets passed right through.
Thanks,
Brian Desmond
[email protected]
w - 312.625.1438 | c - 312.731.3132

From: Derrenbacker, L. Jonathan [mailto:[email protected]]
Sent: Tuesday, March 22, 2011 8:17 AM
To: NT System Admin Issues
Subject: re: Forefront TMG -- Reverse Proxy OWA

As far as the security benefit, with just NAT, if a new IIS 0-day comes out and someone turns it into a worm before MS can patch it, your internal core network (everything) is potentially compromised. If you have forefront in a DMZ, only your DMZ boxes are compromised.

My only skepticism is if your CAS/HUB have to still have port 80/443 open to forefront, it would seem to me any exploit used to get into forefront could also be used to pivot from forefront to the CAS/HUB.

Jon

On Mon, Mar 21, 2011 at 9:19 PM, Harry Singh <[email protected]> wrote:
> Out of curiosity, what are the added security advantages over a NAT'd
> connection through a FW ?
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected] with the body: unsubscribe ntsysadmin
