Seeing that we are under a yearly educational license, and are soon to be completely unlicensed for TMG because we are unable to relicense, what do we do now? Surely you cannot tell us to go to the UAG model at many times the cost? Besides, we are implementing IPv6 and UAG (and TMG) has no support for IPv6.
We have just tried using a third party product that is supposed to be best in its class, but it fails miserably because the many of the services we reverse proxy use propriatary protocols such as RPC over HTTPS. I have just watched in horror as Outlook Anywhere connects to Outlook.domain and then, after establishing a connection, switching its headers to autodiscover.domain and then <servername>.domain in the same connection. RPC_DATA_IN will not work because outlook only sends a handful of bytes and most 3rd Party Proxy products will not accept that non-RFC behaviour as it is exploitable.
Even worse, EWS is mangled. This is scaring the doolies out of me. Of course that is not Microsoft's fault other products can not handle Microsoft customizations, but Microsoft is throwing its loyal customers to the wolves. We now have a choice - struggle on until Microsoft comes to its senses, or ditch Microsoft products because we cannot ensure best practice and security?
Anthony Sheehy - MCP, MCITP