Microsoft Discontinues Some Forefront Security Products used by Lync

We knew this was coming for a while and had discussed this on The UC Architects Podcast recently, but Microsoft have finally made it official. The application most Lync Pros use to publish Lync’s web services externally, Forefront TMG 2010, is going the way of the ghost along with Microsoft’s OCS/Lync hygiene application – Forefront Security for OCS (FSOCS).

Forefront Security for Office Communications Server (FSOCS)

In my opinion, FSOCS didn’t achieve much anyway. In a nutshell it provides anti-virus/anti-spam for IM and allows you to specify keywords to block within IMs in OCS and (only recently) Lync Server 2010. It’s good for companies that want to rule the way their staff use IM with an iron fist by blocking things like profanity, but I found most companies had no real requirement for this.

And in the years I’ve been using the RTC product set ranging back to LCS days, I’ve never seen malware or viruses spread via IM. In my opinion, this product being discontinued isn’t a big deal. There are other existing solutions from 3rd party vendors on the market that provide this functionality if a hygiene requirement exists in organisations.

Forefront Threat Management Gateway (TMG)

I’m a big fan of Forefront TMG and have been using the product in various iterations since the ISA 2004 days to do proxying and other web-related functions. It gets the job done so easily and provides packet inspection and intrusion detection/prevention to really provide a secure solution for a key part of Lync’s external access story. Seeing this product discontinued is disappointing and definitely leaves a gap in the market.

How Else Can I Publish Lync Web Services?

There are a few other options still around fortunately. One that big enterprises typically use because they already have them is F5’s BIG-IP LTM load balancers. BIG-IP has a web publishing capability built in and it’s pretty simple to set up, with a deployment guide readily available already. But, if you’re not a big org, you’ll be looking for cheaper and less complex solutions.

Microsoft will undoubtedly be encouraging people to use their Forefront Unified Access Gateway (UAG) product to publish not only Lync’s URLs but also Exchange Web Services. My opinion when it comes to publishing Lync through UAG is to run away, fast, because all I’ve heard and read about getting it to work are nightmare stories of some things working, others not, authentication prompts and other weird behaviour. Evidently it looks like I won’t have any choice anymore and I’ll need to start getting my head around using UAG to publish Lync – watch this space.

Additionally, UAG is apparently quite expensive and buying it just to do reverse proxying for Lync is going to be a hard pill to swallow.


You’ll still be able to use these products obviously, but you won’t be able to purchase either of them after December 1st 2012 and they won’t receive any love in terms of new service packs. Support-wise, vulnerabilities will still get patched and you’ll still be able to call up Microsoft and get help for TMG and FSOCS until 2015. After that, only TMG will go into extended support until 2020.

My advice if you currently have TMG deployed is to not sweat it too much right now as you’ll be covered for support and security patches for what will probably be the lifecycle of your Lync deployment anyway. If however you are planning a new Lync implementation (or waiting for Lync 2013 perhaps), you will want to factor in deploying Forefront UAG or leveraging your load balancers (you are using load balancers right? ;)) to provide the reverse proxy component.

As always, any questions or contributions, comment below.
