With most Forefront tools now dead, what’s an Exchange admin to do?

In September, Microsoft abruptly announced it was discontinuing nearly the entire set of Forefront security tools, including the following:

• Forefront Protection 2010 for Exchange Server (FPE)
• Forefront Protection 2010 for SharePoint (FPSP)
• Forefront Security for Office Communications Server (FSOCS)
• Forefront Threat Management Gateway 2010 (TMG)
• Forefront Threat Management Gateway Web Protection Services (TMG WPS)

Not killed were Forefront Identity Manager and Unified Access Gateway (UAG), both of which Microsoft says it will continue to actively develop.

[ Get ready for Windows Server 2012 with the Windows Server 2012 Deep Dive PDF special report. | Stay atop key Microsoft technologies in our Technology: Microsoft newsletter. ]

What will take the place of these security tools? It’s a big question for many IT organizations, which put a good amount of money and time into deploying Forefront tools based on Microsoft’s strong sales efforts. Suddenly, they were orphaned products. One comment on a Microsoft forum encapsulates that frustration: “Microsoft invested a lot of time selling us on this product, and we have invested a lot of time implementing and supporting it. To have end of sale announced with little warning and no alternatives just isn’t good business practice.”

If there’s any consolation, it’s that Microsoft will provide mainstream support the current Forefront tools until 2016 and extended support until 2020. But that’s a small relief.

There’s also some comfort if you’re using Forefront TMG — the tool whose discontinuance has caused the most anguish, based on the posts in Microsoft’s comments boards — to protect your Exchange environment: Although there is no TMG upgrade for Exchange 2013, you can still use TMG 2010 with a clean installation of Exchange 2013 via a few tweaks of the TMG 2010 wizard. In fact, the Exchange Team provided a post this week to assist you in doing that. If you have Exchange 2010 now with TMG 2010, you’ll also be fine — especially considering that you won’t be able to migrate to Exchange 2013 from Exchange 2010 until some time next year. (If you haven’t already purchased TMG 2010, you have only a couple of weeks to do so.)

Why did Microsoft kill the Forefront tools? In a nutshell, they weren’t successful products. They failed because the market had moved on to other security approaches, such as the use of network appliances, instead of the server software approach employed in Forefront. That’s the explanation from Hal Berenson. Now president of the consultancy True Mountain Group, Berenson had been Microsoft’s general manager for Forefront UAG, Forefront TMG, and other security products.

“TMG was victim to a changing landscape in which the vast majority of the network-edge security business had moved to network appliance,” he wrote in his blog. He notes that the traditional network boundaries that Forefront tools were designed for have largely disappeared, thanks to the migrations to BYOD, IPv6, and IPsec. In fact, Berenson says that TMG lost its “strategic value before TMG 2010 even shipped.” (You never heard Microsoft say that while it was selling TMG 2010, of course!)

At the end of the day, killing off the Forefront products designed to protect a disappearing network perimeter makes perfect business sense. Microsoft is doing the honorable thing by providing mainstream support for three more years. But the sudden discontinuation of the Forefront product jolted customers.

At this point, my best advice is to move off Forefront TMG and the other tools. Although Microsoft doesn’t have alternatives, you can look at adopting hardware firewall devices, which should also reduce complexity in the long run if you also use Microsoft security tools like DirectAccess. Some of these appliances also provide load balancing and authentication services, which are critical in a BYOD world.

In the end, Berenson says, you may be better off with the death of Forefront TMG and its brethren tools. You just won’t feel that way for a while.

This story, “With most Forefront tools now dead, what’s an Exchange admin to do?,” was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.