This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos TMG replacement

Hi all

Just my thoughts.. Sophos is doing a lot right now selling as a TMG replacement.
We just did that.. Committed to do this migration.

I think IT people "out there" need to know - sophos is NOT close to be able to replace TMG at the moment. No matter what sales people might tell you..

What we have seen;

- we have had to disable all fireall profiles on simple https published sites.
- SSO on waf published sites is not working
- Link translation (if you use TMG you know what this is) is not available on Sophos.
- Remote desktop gateway publishing through waf is not working
- Mail clients of MAC computers not working on published Exchange sites is not working
- pptp vpn is unstable .. Working one day - not the NeXT
- log files size so big that they are hard to open and search in'
- Form based logon (an absolute must replacing TMG) cannot auth in sub-directories.. It will redirect to home directory at logon,
- No AD change password feature - you cannot login if youre account is set to change password at NeXT logon.

This is just what we have seen the first week using Sophos..

So - please do not sell this as a TMG replacement... You are miles away!!!

This thread was automatically locked due to age.

Parents

0 Scott_Klassen over 10 years ago

No matter what sales people might tell you..
See "How the business consultant described it" at Project Cartoon: How Projects Really Work (version 2.0), same as commission salespeople.  It's been more the exception than the rule when I've gotten to deal with honest salespeople at technical vendors who have any kind of understanding what they are actually selling.  Many just regurgitate marketing hype.  I take what they say with a grain of salt, and do my due diligence research before committing to a high dollar purchase.

Sophos is doing a lot right now selling as a TMG replacement
So is every company in this market segment and none of them are even close to a perfect match up with the features of TMG, nor will any of them be at any time in the near future.  TMG was created by Microsoft, for Microsoft.  All the various network appliance/UTM companies out there have to make their products as broad based as possible and not get tied down to vendor specific criteria.  Why has MS retired TMG?  Because it was losing a lot of money due to being somewhat narrow in scope.  Switching from one vendors product to another you will always lose some functionality or settings that you liked, but there should also be things that you gain as well.  It's a trade off.  From my experience here as well as other vendors forums, nobody coming off TMG is especially thrilled with any of the products in the market segment they have been forced to switch to.  Sad, but true.

So - please do not sell this as a TMG replacement... You are miles away!!!
This is a user-to-user forum, so the suggestion will not be seen or acted upon by Sophos.

Oh yes - Sophos support is useless
Mail clients of MAC computers not working on published Exchange sites is not working
Sometimes yes, but other times you must contact them.  Bugs are a good example.  Contacting support is the only means to let Sophos know about bugs, so they can get fixed,  and potentially get a "hotfix" for them.  Their main function is break-fix and to pass information up the chain to development for this purpose.  They won't do "set-up X" issues.  That is the purview of Professional Services and Resellers.

A few things that may help with a couple of your points:

we have had to disable all fireall profiles on simple https published sites
I've not seen this sort of issue where you can't use any firewall profile, BUT I have seen false positives being triggered that cause issues with sites.  The solution is to do some test connections to your site and check the WAF log for rules being triggered.  If you are certain these are false positives, then you can Skip Filter Rules in Firewall Profiles.  You can see the the pre-canned profiles as examples, but many sites will require tweaking/customizing of the settings within a firewall profile due to variations in different hosting or code platforms.

web filtering log files get to 12GB
I haven't seen your logs, so I have no idea what is in there, but if you have some sites or categories that everybody hits very frequently and you don't care to log, you can create an exception rule to skip logging for them.  Take a look at Web Filtering exception rules to see your specific options.  If it's a limited number of sites causing the issue, this would be a way to pare things down.  You also have options to use the reports in Logging and Reporting for a 10,000 foot overview and then if you want more detail on something specific, you can search for just that information (Example:  browsing from a single client system).  There's also the options of exporting the logs via Syslog to a third party log/data management system, like Splunk, which would allow you to be much more granular in displaying the information to your liking.

one of the community members has likely run into it and can give you pointers on how to fix it
Yep, but please create a new thread in the applicable forum for each issue.  This is a user-to-user forum, so nobody here is going to be able to spend hours of their day trying to help you resolve multiple issues with various components in one mega-thread.  As well, some people that assist others here are better with some areas, but know little about others.  Help us to help you.  [:)]

Link translation (if you use TMG you know what this is) is not available on Sophos.

No AD change password feature - you cannot login if youre account is set to change password at NeXT logon

Form based logon (an absolute must replacing TMG) cannot auth in sub-directories.. It will redirect to home directory at logon
predefined profiles and rules like "Sharepoint Firewall Profile" and "OWA firewall Profile" would be clever
If there is a feature you would like to see, make a feature request at http://feature.astaro.com.  Almost every new feature added, for years, to the UTM and its' predecessor has started as a feature request at this site.  Be as specific as possible, cite how the feature would solve business needs, and provide links to external information if needed for understanding.  If it's a good idea, that would be utilized by many customers, and is technically feasible, it might just be added in a future version.
Cancel
Vote Up 0 Vote Down

Cancel
0 Longman over 10 years ago in reply to Scott_Klassen

I started using the Microsoft Firewall product in 1997 - Proxy Server, ISA 200 0 and then TMG. In 2012 when it was obvious that the product was being discontinued I researched several competing products and found that the then Astaro Product had the features that I required. After spending a few months testing and configuring I deployed it in 2012. After 3 years I am pleased with the product. I use Waf for Exchange, Remote Desktop Gateway and a few other non-related MS Products. The Pptp Vpn has been very stable. In addition I use the Web Proxy both in SSO Mode (internal Lan) and Transparent Mode (Guest Network).
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Longman over 10 years ago in reply to Scott_Klassen

I started using the Microsoft Firewall product in 1997 - Proxy Server, ISA 200 0 and then TMG. In 2012 when it was obvious that the product was being discontinued I researched several competing products and found that the then Astaro Product had the features that I required. After spending a few months testing and configuring I deployed it in 2012. After 3 years I am pleased with the product. I use Waf for Exchange, Remote Desktop Gateway and a few other non-related MS Products. The Pptp Vpn has been very stable. In addition I use the Web Proxy both in SSO Mode (internal Lan) and Transparent Mode (Guest Network).
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data