SWG - Adding the Last Piece to the TMG Replacement Puzzle

Yep, it’s another blog post on TMG replacement. However, until now we’ve neglected the last piece of the TMG replacement puzzle: the forward web proxy. In addition to remote access and application publishing, a large number of organizations have relied on Forefront Threat Management Gateway to secure their outbound web traffic. A typical TMG web proxy array (shown below) resides in the DMZ and utilizes various features such as URL and content filtering to control outbound user access. Organizations that don’t provide outbound web security are at significant risk. Data loss, or the liability or loss of employee productivity due to inappropriate use of the Internet, can be very costly.



Features and Functionality

An effective solution will include various features that work in concert to ensure secure and managed access.

Forward web proxy -

Providing a level of anonymity between corporate systems and resources on the Internet is a key requirement to providing secure web access. A solution should include a full forward proxy where outbound connections are terminated at the proxy and reestablished on behalf of the client. The client system (whether located on premises or remotely) should be obscured from the Internet resource.

URL/content filtering -

To prevent malicious or inappropriate traffic from entering the corporate environment, a web proxy needs to have visibility into a given site/content and respond accordingly. This includes both encrypted (SSL) and unencrypted traffic.

User access control -

Enterprises often need to control different users’ access to Internet resources according to a number of factors such as position, work hours, and general business need. For a web proxy to provide real value to the enterprise, it must incorporate a variety of features and functionality that control access based upon users’ attributes and behavior.

Auditing and compliance -

Ensuring acceptable use policies are appropriately configured and adhered to is a critical function of both HR and IT departments. A web proxy solution must include the ability to monitor and report on end-user activity.


“So what’s an IT admin supposed to do?  Hmmm…. Let’s see…. If only there was a device strategically located in the enterprise infrastructure that could act as a point of control for outbound web access; maybe one with a glowing red ball.”


F5 Secure Web Gateway

Secure Web Gateway (SWG) delivers a comprehensive forward-proxy solution. The SWG solution (shown below) incorporates BIG-IP® Access Policy Manager™, BIG-IP® Local Traffic Manager™, and BIG-IP® Advanced Firewall Manager™, significantly streamlining web proxy deployments while providing enhanced functionality and security.



Forward Web Proxy - SWG provides full, forward web proxy functionality, including the ability to evaluate and proxy encrypted, SSL-based traffic. The solution can be configured to secure web access for a variety of clients, both internal and remote.

URL and Content Filtering -  The threat intelligence behind SWG analyzes more than 5 billion web requests every day to produce a comprehensive categorization database of 40 million website URLs.

User Access Control - SWG uses Access Policy Manager to give administrators the flexibility to evaluate and assign policy at an extremely granular level.  For example, an administrator might apply a specific set of URL filters to a particular user within a certain Active Directory group for a specific period of time.


Compliance - Ensuring acceptable and secure web access is more than just good business; more often than not, it’s corporate policy—with the potential for very real consequences if not appropriately managed. Secure Web Gateway Services provide IT administrators and HR professionals with the tools they need to ensure acceptable use policies are both effective and appropriate. The solution includes several dynamically generated and exportable reports that provide a clear picture of the enterprise’s web activity. Additionally, the F5 solution can be integrated with many remote central logging systems.


F5’s Secure Web Gateway is a great alternative to TMG. The solution combines granular access control, robust compliance reporting, and a comprehensive categorization database to provide the single point of control enterprises need to ensure safe and appropriate web access.



Published Mar 07, 2014
Version 1.0
