My last job at Microsoft was as the “Chief Architect” of the Identity and Security Division (and briefly its successor organization, DAIP) and General Manager for Forefront UAG, Forefront TMG, Rights Management Services, Certificate Services, Windows NAP, and some other odds and ends. The odds and ends are always amusing. Project Sydney reported to me for a short time. And after RMS started working for me I was shocked to discover I was now responsible for the aging software and infrastructure used for Microsoft Reader DRM. Funny how no one mentioned that before I took the job! There has been a lot of news about all these items over the last year, but this posting is specifically about Forefront.
As you may know this week Microsoft killed off the Forefront brand, killed some of the Forefront products, and renamed others to reflect their real strategic alignment. This is the natural outcome of a process that started about four years ago, and most specifically two and half years ago, as the economic downturn and resulting budget cuts at Microsoft collided with its ambitions in the security products space.
In the early years of the last decade (2000-2002) two factors came together at Microsoft that would lead it into the security products business. The first was the recognition that the Internet had changed the game in terms of the security required of Microsoft’s software and ecosystem (and that Microsoft was failing miserably at it), and second was a search for new revenue streams to complement the maturing Windows business. The former people are quite familiar with as Microsoft pursued Trustworthy Computing, took a hiatus from development on many of its products to do a security cleanup, created the security development life-cycle, replaced manual updates with automatic updates across its product lines, etc. But what of its ambitions for a new revenue stream?
Step back to the 2000-2002 period and look at the really strong IT growth businesses and you find Storage Management and Security at the top of the list. In 2004 Symantec would go as far as to combine these two by acquiring Veritas for $13.5 Billion (which is what Symantec’s market cap is today, hmmmm)! Microsoft created two new businesses pursue these markets, a Storage Management business under Bob Muglia and a Security Business under Mike Nash. Neither worked out as expected, though the Security Business came close.
The problem for Microsoft in the early days of its security products business was where to prioritize protecting the Windows ecosystem from malicious activity and where to seek revenue. In one of the earliest moves they made (and I was not an employee at the time, so only have second or third-hand knowledge of what was happening) they introduced a free Anti-Spyware offering called Windows Defender. At the time the Anti-Virus business was well established but mainstream vendors such as Symantec had not yet addressed the growing category of Spyware. A complicating factor for Microsoft was its (then very active) anti-trust issues, where introducing anything free (or worse, packaged with Windows,) was a lightning rod for regulators. So while to those of us on the outside it seems like introducing a free anti-virus product would have made sense, Microsoft instead chose to introduce the paid OneCare service (of which anti-virus was one component). I don’t know how much of this decision was due to its revenue ambitions and how much was due to its anti-trust concerns, but nonetheless the Windows ecosystem did not gain the protection it really deserved. Later, as third parties such as Avast! had success with free anti-virus offerings, Microsoft would introduce the free Microsoft Security Essentials. And with Windows 8 it would (finally!) upgrade the built-in Windows Defender to have full anti-malware capability.
But the real story here is, of course, products for enterprises. Enterprise security products is where the real money is. There is also less conflict with the notion of ecosystem protection versus selling products because enterprises want far more than the basic protection capabilities. No medium to large enterprise is likely to rely on Windows Defender (or Microsoft Security Essentials), not because of any perceived lack of protection but because they don’t offer the centralized reporting and control that enterprises require. Likewise edge protection, that is protecting the corporate network, is something that enterprises have extensive control and reporting requirements on. So this is where Microsoft’s product business focus went, leading to the Forefront brand and products.
Creating Forefront initially is a typical story of pulling together unrelated, even competing, products and acquisitions. For example, Microsoft made three attempts at addressing the SPAM problem. First, the Exchange team took the Microsoft Research developed SmartScreen technology and incorporated it into Exchange as the Intelligent Message Filter. This was a very basic capability that was heavily used by smaller Exchange installations, but was inadequate for larger enterprises. Meanwhile the Exchange team was looking for a solution to high availability and archival requirements and acquired Frontbridge. Frontbridge also offered anti-SPAM as part of its service. At the same time the security business acquired Sybari so that it could offer an anti-SPAM product. This became Forefront Protection for Exchange (FPE). Eventually Frontbridge would be split in two, with the archival offering moving to the storage management business and the anti-SPAM service moving to the security business and becoming Forefront Online Protection for Exchange (FOPE).
Anyway, Microsoft ends up with a bunch of security products for the enterprise. Its ambition is to be a full-line security products vendor and build another $Billion business. A major project is initiated to re-engineer the entire product family and integrate it under a truly unified management umbrella. The group, at this point the Identity and Security Division (ISD), hires a lot of people and embarks on this major undertaking. It turns out to be an over-reach that is very late and is perceived by some to be both lost in the woods and to have made some poor technology choices. A new management team is brought in to get ISD on track.
At the same time this is happening Microsoft’s first set of budget cuts and large-scale layoffs hits, and ISD is hit hard. Two more rounds of cuts would occur over the following 18 months. The first round didn’t really change ISD’s ambitions, it just added to the need to do a reset on the Forefront product plans and re-think tactics and priorities for addressing the market. The second round lead to a re-think about competing across the security product space and to a few areas being declared non-strategic with dramatically pared investment levels. The third round put back into play the question of what’s important, having a security products business per se or having security products that support the needs of other strategic Microsoft initiatives.
External observers saw the first results of our decision in a reorganization about two and half years ago. ISD was dissolved with some products moved to the groups they aligned with and the remained becoming a new Directory, Access, and Information Protection (DAIP) division. In particular end-point security, as well as the general protection technology responsibility, was moved into the management division and the email (and related) filtering technologies were moved to the Office Server organization. Forefront retained a business organization and umbrella, but with the products split over three Microsoft divisions and two Presidents it is no wonder that the other shoe dropped this week.
Forefront as a business is gone. The offerings within Forefront have either been absorbed into the Microsoft offerings they were aligned with, into the businesses they were aligned with, or where neither made sense been declared end-of-life.
Forefront TMG (previously known as ISA) was one of the casualties. This one strikes close to home because it was one of “mine”. TMG was victim to a changing landscape in which the vast majority of the network edge security business had moved to network appliances. And so TMG was the leading product in the software-only category, but it had become an insignificant factor in the overall market. In addition, the general view was that the network boundary was going to disappear as the trends toward BYOD, IPv6, and IPsec accelerated. As such TMG had lost its strategic value before TMG 2010 (which was the major revamp and rename from ISA) even shipped. It’s demise was inevitable, and I knew it couldn’t be far off when I saw an article in which Microsoft made available a SNORT rule that Microsoft IT had created. That meant Microsoft IT had abandoned TMG in favor of a SNORT-based solution.
While Microsoft’s moves with Forefront over the last few years will no doubt cause many customers pain, one has to ask if in the end customers will be better off for them. I think so. Security is being better built into Microsoft’s products and management of security is more fully integrated into Microsoft’s overall management tool set. The focus is on “your email is protected”, “your computer is protected”, “you can centrally manage the security of all your systems” and less on “how do we compete with security vendor X”. I’m actually quite pleased with where things are ending up.
There is a lot more that can be said about why an effort like Forefront was so difficult to pursue inside Microsoft. Comments I’ve made in other blog postings about Microsoft’s sales model apply, for example. But I’ll stop here. Forefront is gone. Hopefully it won’t be missed.
Hal's (Im)Perfect Vision 
Excellent Post – nice to get a thorough insider view of the why’s and wherefores. Obviously Microsoft is willing to sacrifice TMG to a hardware vendor. Doesn’t help us people “in the real” who are currently using it! Any idea of a timeframe for End Of Life?
Dates are in the announcement at http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx
How can MS continue support for UAG but not TMG – UAG installs and uses TMG at the moment! There is a very good comparison article here; http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-UAG-feature-comparison.html
Describing what is “supported”.
It will be interesting to see what MS do here!
Pingback: Goodbye Forefront, it was nice knowing you | Hal's (Im)Perfect Vision | libytimugaro
if MS where more engineering U would know that U would end-up
” The focus is on “your email is protected”, “your computer is protected”, “you can centrally manage the security of all your systems” and less on “how do we compete with security vendor X”. I’m actually quite pleased with where things are ending up.”
All business people don’t have the know how to think about it causing then to do stupid things,
Nice lecture, loved it!
I was always interested in why did Windows do so bad in virus / spyware protection.
I’m a very lazy user, as most windows users are 😀 So I never cared about viruses. I always just installed some crappy free anti-virus once windows was (re)installed (usually after a serious case of viral infection 🙂 ) and made sure I always put a copy of my important data on some email server or external hard drive.
Because of the lack of transparency from Microsoft, I always thought that bad virus protection was was pure ignorance, indolence and end-user abuse from the “only” OS provider for the lazy masses… and maybe a marketing strategy to make some partner anti-virus software sell more. Norton was incredibly slow at some point in its evolution, so it was only natural that a follower of the conspiracy theory, I simply assumed MS may have just blocked one anti-virus and made a new partnership with someone else. (the closed source code could only enforce this belief at that time).
It never hit me it was simply bad management and MS’s cross-eyed perspective of virus protection. However, this does not surprise me, as I eventually came to hate multinational companies exactly because of their lack of transparency, and the idiotic penalties applied to the ordinary programmers instead of their bosses, who usually have no f******* idea what the project has to cover, and are keeping their positions because the company sent them to time-wasting workshops where to learn agile, scrum or time management skills. The dumbest paradox in managing management positions, don;t you think?
I like it
An interesting but worrying post.
It points to a lack of corporate integrity, misunderstandings and absolutely no strategic thinking.
Goalposts seem to be changed almost daily, no properly instituted distinction between the “company’s profile” as seen by the public and what they (Microsoft) see as their profile.
Looks like marketing statistics are ruling the roost, a dangerous model indeed.
This all stems from lack of leadership, focus and understanding… at the very top.
Actually quite the opposite.
Malestrom
You are wonderful writer.
Suicide ideas are ending like this…
Why would’nt be improveved internal safety of MS products ?
I don’t understand why creator of IE, are not itegrated security into IE ?
Why external “antivirus” when I am “The big Creator” ?????
That same think depends to Windows .
A said before long long long long long time ago , that application should have rights like user .
This is now a reality. But in “small” system Android . And Android aplications are runing in virtual Java machine .
Android is safer than Windows????? 😯
Where is “MS virtual machine” .net Silverlight ????
This and .net self was eat from bad C++ programers ????
:oD
The last sentence of your post leave me puzzled…
TMG will be miss, if not by all probably by many. I’d like to know what you think we should replace TMG to kkep the same level of efficency (Reverse Proxy, Publication, Malware detection,..) but with the support of IPv6,…
TMG specifically has had a very loyal customer base and I suspect that out of all the Forefront products being discontinued it will be missed the most.
I would start with Gartner’s Magic Quadrant in terms of investigating alternatives. I don’t know if this is the latest version, but there is one at http://www.websense.com/assets/reports/report-gartner-magic-quadrant-for-security-web-gateway-2011-en.pdf
My workplace was planning to use Forefront TMG as a key component of an upcoming project, but then we just got an email from one of our software suppliers saying Microsoft had announced in a blog post that it was being discontinued. There doesn’t seem to be any direct replacement for TMG either, so are there any suggestions or recommendations for a product which can do web filtering, RRAS and network-level antivirus on a Windows server system? For this particular project endpoint security software will not be possible which is why we need to do this stuff at the network level, but now TMG is gone there is a big hole in our plans!
You may need to use more than one product
You can still use Forefront TMG 2010. It will be on the pricelists until December 1st 2012. It will be supported for 8 more years. Currently, there is no product like Forefront TMG 2010 that you can put on the edge of your network and do the job you want to. My advice is to use TMG 2010 like everything is normal – in the years that come, we will have a clearer picture on the secure web gateway market and you will have plenty of time to do the migration to a new product once you decide which one is best for you.
Regards,
Srđan
Pingback: HP: Once more into the smartphone breach? | Thoughtsofanidlemind's Blog
Great post, thank you for sharing this information. Pardon my ignorance, what does SNORT stands for?
I have no idea :-). It is an open source alternative to TMG.
snort-solution I think he is talking about the IDS technology from UNIX
Hal, do you think today’s MS would be more prepared to venture into building and selling appliances? Secondly, is MS’s approach to investment wrong? Would MS be better off committing these type of projects to a 3 year committed funding plan, more like venture capital rather than year-on-year review? Are there any examples of recent MS acquisitions that has achieved some measure of success post-integration?
Yes, I do think an appliance proposal would get a more favorable reception these days.
I don’t think the 3 year model works because no business could become material in that timeframe. Microsoft gives things it believes in much more time.
Skype is already a huge success for them
RIP
Great review and alternatives at SC Magazine group test:
http://www.scmagazine.com/email-security–content-filtering/grouptest/273/
So, in easy English (pls. pardon my language as English is my 5th language), free essential seucirty tools built for critical products i.e. Operating Systems (Windows) are replacing the expensive and usually cumbersome antivirus/anti-malware products i.e. Forefront? If that was the case, Norton, McAfee or other huge antivirus companies would be out of business already. At the bottom of every system (whether a corporate user or an individual user), they all need basic anti-virus, anti-spam and anti-malware protection. How would you make your case (of Forefront) in front of an IT Manager about their corporate needs for security in presence of free security tools i.e. Microsoft Security Essentials?
Free security tools have not impacted IT yet because they do not include the monitoring and control capabilities that IT desires AND because licensing prohibits use of the free tools in enterprises.
“Free security tools have not impacted IT yet”
As both an open source evangelist and a fan of TMG, having some knowledge in this area, may I offer a few counter-factuals (and possible alternative to TMG when used in some combination):
Mod Security
Snort (not an acronym, as far as I know)
Nessus
Dans Guardian
pfsense
Untangle
Pound
HAProxy
Squid
Endian
Zeroshell
Smoothwall
Vyatta
Many of these have commercial support offerings if required, while making available free enterprise-grade solutions. I’m leaning towards Squid+Dans Guardian+Snort.
If monitoring/management is required, there are a few dedicated open source products for that.
I should have been more precise about this referring to endpoint security.
What tics me off about this decision is the absolute lack of MS supported alternatives. Yes, I have the ability to implement an apache reverse proxy but is that supported by MS in any way? What semi-affordable alternative is supported? And UAG is far from affordable for the general cost-conscious business. TMG (or UAG) are the staple recommendations for implementing a secure Exchange environment. It is actually a requirement for a Lync environment as well. The Forefront brand was far more than anti-spam after all. You are tooting this decision as some sort of over all awesome MS directional change instead of what it actually is, obtuse and greedy.
Putting TMG on the chopping block but leaving UAG kills the per-proc licensing which made maintaining a company internal infrastructure (while also following best practices) affordable. Forcing MS partners to push UAG also forces cloud based deployments on the table as they become far more desirable due to cost factor alone.
Some general math for you; 1 TMG Std. server costs about $1500 per cpu socket, 1 UAG server costs about $15 per user. So I can implement 2 TMG virtual machines with external DNS round-robin load balancing (not the best solution, but a fully supported one) for an infrastructure of a thousand users with TMG for 3K. That same infrastructure with just one UAG server costs 15k for just the licensing alone.
Lets just call it as it is instead of making a bunch of lofty fan-boy statements, Cutting TMG is very clearly a concerted decision to force businesses into the cloud as MS has heavily invested themselves into the cloud market. There is nothing wrong with that as a business decision, but say it is anything else is really silly and almost misleading. Now clients across the board are forced to question sound infrastructure designs which include TMG in their implementation. I literally just had a client the other day with the most insecure edge I’d ever seen question me on implementing TMG because of this announcement. And because of this they are opting to still directly publish Exchange 2010 cas servers on the internet.
I didn’t write it as a “fan-boy”, I wrote it as one of the participants in making the decisions that lead to this.
Greedy? No. Microsoft will take a revenue hit by dropping TMG. Any resulting increase in UAG revenue will be immaterial.
Is the cloud influencing these decisions? Definitely. But in TMG’s case I can say with absolute certainty that the strategic decisions occurred while the cloud was still a side-show at Microsoft. The tactical decisions (i.e., drop it now) are no doubt influenced by the cloud. For example, most people were probably licensing UAG CALs as part of one of the CAL suites. But the page for the eCal suite, where UAG CALs were present, now redirects to Office 365.
Can’t reply to your “endpoint security” comment above for some reason (nested too deep, perhaps?). I have to concede that point, absolutely – I don’t know of any commercial grade options. That’s not to say that you’re completely out of options: http://www.utoronto.ca/security/UTORprotect/ESP/index.htm
But for my business, we will almost certainly be deploying McAfee Endpoint Security (heaven help up).
*us
Cloud. Feh! The trends at Microsoft to enter into new markets at the expense of old ones doesn’t allow them the option of maintaining revenue streams in the event that the new expedition is a fad or a flash in the pan. Seems everything they are doing these days isn’t expanding their offerings to customers, only changing them. The Start Menu is a good example. Rather than present the modern UI in the OS as a better method of using a computer than the Start Menu, they FORCED you into it. Now Stardock comes in and makes a program to keep people using what they used to use. Server 2012, Hyper-V, VHD compaction. This process has new steps FOR NO REASON. I grew up on Microsoft software but the trends these days leave me looking elsewhere. TMG was one of the best products MS ever made and it was by a very large margin the leading product in its market. Killing it makes no sense and never will.
Killing TMG and going all-in on “cloud” software is a mistake.
Spot on!
3x!!
Completely agreed!!!
This is why I NEVER use Microsoft for strategic software projects. Flip a coin, heads you will be overcharged for increasingly granulated CALS, tails your product is orphaned by the latest Microsoft brain fart that is labeled “New Strategic Vision”. I have used the same boundary device for ten years. It does VPN, authentication, traffic and application security. The architecture has changed, the quality varied, but the features have always been supported, never orphaned. I am in a small shop and cannot afford the time for these shenanagins. Sorry, Microsoft. File and print services, yes; security, vpn, or cloud stuff, no. Wait, make that Hell no.
So, what should we get instead of this product