Hi Experts/Members,

I am Newbie in linux world and trying to learn linux , i am searching in the process of REPLACMENT OF MICROSOFT THREAT MANAGEMENT GATEWAY 2010 (Previously known as ISA Server).

Some my friends told me to learn about SQUID server and told me that SQUID Can full fill my all requirements.Please confirm me are all the requirement available in SQUId.

Most important are point 1 , 2 and 3.

Following are my requirements.

1. Protocol Filtering (e.g http/s, telnet, DNS etc) w.r.t destination IP Addresses
2. Web Filtering (allow/block websites like Google, Facebook w.r.t category)
3. Integration with MS AD (this helps us to allow Internet based on groups in AD)
4. Detailed Reporting of Users Activity (to keep track of user activity)
5. Logging (to keep track of user activity)
6. Web Caching (to cache web traffic to offload the main internet link)
7. Customized rules to block different software’s like Skype, MSN Messenger

Short answer: Yes. Long answer follows.

TMG can do the following:

1. Perform stateful packet filtering
2. Perform NAT/NAT Overloading of IPv4 traffic
3. Filter and NAT a few problematic protocols via ALGs
4. Function as an IPsec/PPTP/L2TP endpoint/VPN concentrator for site-to-site connections
5. Be a PPTP, L2TP and/or SSTP VPN endpoint for clients
6. Perform HTTP and FTP content filtering (antivirus/anti-malware)
7. Be a caching proxy with HTTP URL filtering, including category filtering (for as long as Microsoft bothers to maintain the category lists; TMG is a discontinued product)
8. Be part of a hierachy of proxy servers
9. Act as a reverse proxy for internal web servers, including being an SSL/TLS endpoint
10. Perform authentication of VPN clients and proxy users against a local user database, Active Directory or RADIUS
11. Generate fake certificates on the fly in order to act as a man-in-the-middle for outgoing HTTPS connections, which means it can scan data transmitted via HTTPS (only works if you can convince the client computers that the TMG server is a trusted root Certificate Authority)

I think that's pretty much it. I've worked extensively with TMG for many years, and the product would have been kind of OK back in 2010, had it not been for the fact that compared to just about any other firewall on the market, it's horribly unstable.

Squid is a proxy server. It can act as a forward and/or reverse proxy, and it's slightly more flexible than the TMG proxy in many areas. It can be configured to authenticate clients against several types of services, including all those supported by TMG. Squid lacks the "content download job" function that TMG has, but that can easily be simulated by a script. It does not have a built-in URL category list, but there are third party add-ons for that.

In other words, Squid can do 7, 8, 9 and the proxy bit in 10. If you add one of the many filtering plugins that exist, you can get it to do 6 as well.

If you run Squid on Linux or BSD, the OS and its built-in firewall will take care of points 1-3. In fact, Linux is a vastly better firewall than TMG ever was, and has superior ALG support. Also, Linux and BSD has proper IPv6 support as well.

For IPsec, PPTP, L2TP or SSTP you'll need additional software, which is freely available. That takes care of 4, 5 and the remaining parts of 10.

As for point 11, I've never seen a Linux/BSD firewall do SSL certificate spoofing, but even that may be possible. Not that you'd want to do it, though, as it only works in centrally managed environments and may in fact be illegal in some states/countries (the proxy is actively impersonating HTTPS servers on the Internet).

Thanks for detailed answer one more question.

I have some that some choices are avaiable on linux based operating system like PF Sense , OpenDNS and Squid.

What you think is most applicable on my envioroment to replace TMG Server.