LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 04-07-2016, 01:29 PM   #1
osama.mansoor
Member
 
Registered: Oct 2015
Posts: 43

Rep: Reputation: Disabled
TMG Replacement with SQUID


Hi Experts/Members,

I am Newbie in linux world and trying to learn linux , i am searching in the process of REPLACMENT OF MICROSOFT THREAT MANAGEMENT GATEWAY 2010 (Previously known as ISA Server).

Some my friends told me to learn about SQUID server and told me that SQUID Can full fill my all requirements.Please confirm me are all the requirement available in SQUId.

Most important are point 1 , 2 and 3.

Following are my requirements.

1. Protocol Filtering (e.g http/s, telnet, DNS etc) w.r.t destination IP Addresses
2. Web Filtering (allow/block websites like Google, Facebook w.r.t category)
3. Integration with MS AD (this helps us to allow Internet based on groups in AD)
4. Detailed Reporting of Users Activity (to keep track of user activity)
5. Logging (to keep track of user activity)
6. Web Caching (to cache web traffic to offload the main internet link)
7. Customized rules to block different software’s like Skype, MSN Messenger
 
Old 04-07-2016, 10:26 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,680

Rep: Reputation: Disabled
Short answer: Yes. Long answer follows.

TMG can do the following:
  1. Perform stateful packet filtering
  2. Perform NAT/NAT Overloading of IPv4 traffic
  3. Filter and NAT a few problematic protocols via ALGs
  4. Function as an IPsec/PPTP/L2TP endpoint/VPN concentrator for site-to-site connections
  5. Be a PPTP, L2TP and/or SSTP VPN endpoint for clients
  6. Perform HTTP and FTP content filtering (antivirus/anti-malware)
  7. Be a caching proxy with HTTP URL filtering, including category filtering (for as long as Microsoft bothers to maintain the category lists; TMG is a discontinued product)
  8. Be part of a hierachy of proxy servers
  9. Act as a reverse proxy for internal web servers, including being an SSL/TLS endpoint
  10. Perform authentication of VPN clients and proxy users against a local user database, Active Directory or RADIUS
  11. Generate fake certificates on the fly in order to act as a man-in-the-middle for outgoing HTTPS connections, which means it can scan data transmitted via HTTPS (only works if you can convince the client computers that the TMG server is a trusted root Certificate Authority)
I think that's pretty much it. I've worked extensively with TMG for many years, and the product would have been kind of OK back in 2010, had it not been for the fact that compared to just about any other firewall on the market, it's horribly unstable.

Squid is a proxy server. It can act as a forward and/or reverse proxy, and it's slightly more flexible than the TMG proxy in many areas. It can be configured to authenticate clients against several types of services, including all those supported by TMG. Squid lacks the "content download job" function that TMG has, but that can easily be simulated by a script. It does not have a built-in URL category list, but there are third party add-ons for that.

In other words, Squid can do 7, 8, 9 and the proxy bit in 10. If you add one of the many filtering plugins that exist, you can get it to do 6 as well.

If you run Squid on Linux or BSD, the OS and its built-in firewall will take care of points 1-3. In fact, Linux is a vastly better firewall than TMG ever was, and has superior ALG support. Also, Linux and BSD has proper IPv6 support as well.

For IPsec, PPTP, L2TP or SSTP you'll need additional software, which is freely available. That takes care of 4, 5 and the remaining parts of 10.

As for point 11, I've never seen a Linux/BSD firewall do SSL certificate spoofing, but even that may be possible. Not that you'd want to do it, though, as it only works in centrally managed environments and may in fact be illegal in some states/countries (the proxy is actively impersonating HTTPS servers on the Internet).
 
Old 04-08-2016, 11:13 AM   #3
osama.mansoor
Member
 
Registered: Oct 2015
Posts: 43

Original Poster
Rep: Reputation: Disabled
Thanks for detailed answer one more question.

I have some that some choices are avaiable on linux based operating system like PF Sense , OpenDNS and Squid.

What you think is most applicable on my envioroment to replace TMG Server.
 
  


Reply

Tags
squid3


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Behind TMG proxy using laptop as router as a hotspot for wifi, routing traffic from wlan0 to localhost:1234 Flyboy007 Linux - Networking 2 03-30-2016 11:51 AM
Squid Newbie RH2.5 Squid 2.5, 4 ethernet question, default gw not an option Bindairdundat Linux - Newbie 5 05-14-2014 03:34 PM
Squid Redirect specific domain to an Secondary (External) Squid Proxy Zxarr Linux - Server 2 04-20-2010 01:50 PM
squid conf: squid failed when I type insert redirect_program /usr/bin/squidguard Niceman2005 Linux - Software 1 11-24-2004 03:29 PM
Squid Cache Manager Replacement Suggestions... kemplej Linux - Software 0 03-15-2004 12:30 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 10:39 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration