We currently run pfSense with no problems, however we are looking at TMG as it is included in our partner subscription to MS and allows Windows 7 DirectConnect features to our domain for off-site users.
I have had a google, but there don't seem to be any comparisons of TMG to pfSense.
Anyone have experience/knowledge of this?
Our infrastructure is Windows Server 2008 R2 behind pfSense at the moment.
There's no comparison because they're really two totally seperate products that are aimed at two different markets. Kind of how you'll probably never see a comparison of a Ferrari 599 against a Bugatti Veryon. Both crazy fast expensive cars, but aimed at two different markets.
I've used both. In fact our internal office uses TMG, and our remote site uses PFSense, and it really comes down to what you're after in a firewall appliance and your ability to maintain.
I find PFSense a breeze to maintain. Setting up failover links, IPSec tunnels, VPNs, etc very very simple. All of this is much more complicated in TMG, but that's because TMG is very tightly integrated into your Active Directory environment.
TMG can also do host-based HTTP routing, whereas PFSense can't, so you can use one IP address across multiple internal web servers without needing a specific reverse proxy.
One of the best things about TMG is that you can effectively turn off just one person's internet access by disabling their AD account in the firewall. No need to set up any Squid authentication with RADIUS against your AD and then setting up ACLs.
I'd say the TMG is more difficult to learn then PFSense if you're starting from a blank plate.
Exactly as Mark said, they're very much two entirely different products. If you're looking for a proxy server that's tightly integrated with Active Directory and provides a slew of nice functionality in that area, you want TMG. If you need advanced NAT, routing, multi-WAN, flexible cross-platform VPN options, etc. you're somewhere between some, minimal and non-existent functionality with TMG, but pfSense offers a lot in those areas and is widely deployed for those things.
Maybe the best option? Use both. TMG inside the network, pfSense at the edge, and you get the best of both worlds.
Just like both Mark and Chris said, the products differ too much to be compared with eachother, and now, I will make it more "unfair" because I will compare some differences between TMG SP1 + Software update 1 vs BETA version of pfSense 2.
pfSense is an incredible firewall with many nice and advanced features, and extremely low hardware requirements compared to TMG. It´s free and is updated rapidly. It is easy to use and responds very quickly to your settings.
pfSence seems to handle enormous blocking rules FASTER than TMG and you can notice that in traffic flow in both ends of the firewall (after the packets have been processed) and you will also notice the GUI-response to be pretty fast on pfSense compared to the very slow TMG. Have not tried load balancing for this test.
When it comes to stability and reliability, pfSense does not seem to have any chance at all. We made a stress test with a setup of 10-machines with 8-torrents each plus 2-ftp servers and a SharePoint farm with 2-nodes behind a firewall connected to the Internet via 1 Gbit fibre. Additionally, we had 6 other machines connected to Internet via separate 100 Mbit lines (different locations with 4-different ISPs) to disturb the traffic which was flowing through the firewall. Undisturbed, the traffic flow through the TMG firewall was pending somewhere between 60-120 MB/s (upstream and downstream) and with full attack from all 6 "disturbers", the throughput speed went down to 30-70 MB/s. The webpages on the SharePoint server were responding pretty fair during the attacks. The same test with pfSense as firewall was horrible :-( The throughput went down to 2-30 MB/s and most of the clickings (from an external network) on the SharePoint webpage timed out. We even changed the hardware to another manufacturer to be sure that it was no compatibility issues with pfSense and the server(s), but it was hard to tell if it got better or worse.
I do not agree that TMG has minimal functionality for use as advanced NAT, routing, multiple WANs etc; pfSense offers more, but absolutely not MUCH more.
For use with Windows clients on the inside, TMG offers a lot more functionality, especially if combined with the rest of the ForeFront family.
Reports and monitoring in TMG is much better than pfSense.
If you really want to compare TMG with another firewall, try Cisco. I like the combination of ASA and TMG.
If you intend to stay partner with MS for a long time, I suggest that you use your partner benefits to its limits! ;-)
+1 for stability / management issues with PfSense. I think the team created an outstanding product when compared to other free/open source projects. With that said: things like disappearing Webconfigurator and inability to manage the system quickly reduces its usability in an enterprise environment. here is one link, but the Internet is littered with them: http://forum.pfsense.org/index.php?topic=38965.0
This is a typical case of inability to compare commercial product with open source, the quality is simply not there. I'm not going to go into a debate on this, so in defense of open source, so far I have seen exactly 1 product: x264 video encoder that beats any commercial version hands down. The rest looks more like a science project than something you'd want to use where stability matters.