Forum Discussion

Piotr_Lewandows
Feb 22, 2016

TMG Firewall client and F5 forward-proxy

Hi,

Sorry if it's a stupid question, I am not by any means an expert in TMG and forward-proxy on F5. I have a basic understanding but not in-depth knowledge.

I wonder if there is a way to implement the functionality provided by TMG Firewall Client using F5. Based on the info in this article, Firewall Client Features and Benefits, my understanding is that TMG with TMG Firewall Client enables automatic takeover of any application and protocol and redirects it to TMG working as a forward-proxy (I guess in SOCKS mode). Additionally it seems that all that traffic can be authenticated and probably controlled by some kind of policy.

I am a bit lost where to begin investigating and if it's at all possible.

Piotr


1 Reply

Hi Piotr,

the Forefront TMG Firewall Proxy is not a classic SOCKS4/5 proxy, but rather a WinSock proxy.

Whenever a Win32 application asks for network access, the WinSock stack of the client (replaced by a TMG client component) will compare the DNS_NAME and the resolved DST_ADDR with two tables called the Local Address Table (LAT) and Local Domain Table (LDT). If the DNS_NAME and DST_ADDR are not contained in the LAT or LDT, then WinSock would forward raw WinSock calls (on OSI Layer 5) directly to the TMG to finalize the OSI Layer 4, 3, 2 and 1 communication.

In the end the client application can also use WinSock to allow secondary inbound/outbound connections without application-aware fixups in place to parse the control channels. Some sort of UPnP for enterprises. And another cool feature is that TMG was always aware which username has executed which application (even on multiuser terminal servers) and use that information within firewall access policies or transparent HTTP proxy rules.

Good luck coding this in an iRule.... ;-)

Cheers, Kai
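Added example, not part of this thread and not TMG's or F5's code: a small Python model of the LAT/LDT lookup Kai describes, i.e. compare the requested name against the Local Domain Table, compare the resolved address against the Local Address Table, and only when neither matches hand the call to the proxy. The table contents, the fake resolver, the function names and the rule that unresolvable names go to the proxy are all assumptions made for the example.

```python
"""
Model of the LAT/LDT "go direct or send to the proxy" decision described above.
Added example: not TMG's or F5's code. Tables, resolver data and the
handling of unresolvable names are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed Local Address Table: destination ranges treated as local.
LAT = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed Local Domain Table: names (and their subdomains) treated as local.
LDT = ("corp.example", "intranet.example")

# Constructed stand-in for the client's DNS resolver, so the example runs offline.
FAKE_DNS = {
    "fileserver.corp.example": "10.20.30.40",
    "www.example.net": "203.0.113.7",
    "partner.example.org": "192.168.5.9",
}


@dataclass
class Decision:
    route: str                      # "direct" or "proxy"
    reason: str
    dst_addr: Optional[str] = None  # resolved address, when one was obtained


def in_ldt(dns_name: str) -> bool:
    """True when the name equals, or is a subdomain of, an LDT entry.
    The dot boundary matters: 'notcorp.example' must not match 'corp.example'."""
    name = dns_name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in LDT)


def in_lat(dst_addr: str) -> bool:
    """True when the resolved destination address lies inside a LAT range."""
    try:
        addr = ipaddress.ip_address(dst_addr)
    except ValueError:
        return False
    return any(addr in net for net in LAT)


def resolve(dns_name: str) -> Optional[str]:
    """Offline resolver stand-in (assumption). IP literals resolve to themselves."""
    try:
        ipaddress.ip_address(dns_name)
        return dns_name
    except ValueError:
        return FAKE_DNS.get(dns_name.rstrip(".").lower())


def decide(dns_name: str) -> Decision:
    """Apply the described rule: LDT match or LAT match means the client talks
    directly; otherwise the WinSock call is handed to the proxy. Names the local
    resolver cannot answer are also sent to the proxy (assumption: the proxy
    resolves them on the client's behalf)."""
    if in_ldt(dns_name):
        return Decision("direct", "name is in LDT", resolve(dns_name))
    dst = resolve(dns_name)
    if dst is None:
        return Decision("proxy", "name not resolvable locally")
    if in_lat(dst):
        return Decision("direct", "destination address is in LAT", dst)
    return Decision("proxy", "neither LDT nor LAT match", dst)


if __name__ == "__main__":
    for target in ("fileserver.corp.example", "www.example.net",
                   "partner.example.org", "10.1.2.3", "8.8.8.8",
                   "unknown.example.net"):
        d = decide(target)
        print(f"{target:28} -> {d.route:6} ({d.reason}, dst={d.dst_addr})")
```

Note the `partner.example.org` case: the LAT check is made on the resolved address, so a name outside the LDT that happens to resolve into a LAT range still goes direct and never reaches the proxy's policy. That is why LAT ranges are best kept to networks that are genuinely local, and why the LDT suffix match has to respect the dot boundary.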