Microsoft axes many of its Forefront enterprise security products

Microsoft axes many of its Forefront enterprise security products

Summary: Microsoft is ceasing development of many of its Forefront products, choosing, instead to integrate more security capabilities into a number of its other products and services.


It's been rumored for a while that Microsoft planned to drop its Forefront Threat Management Gateway product. But it turns out that's not the only member of the Forefront family that is on its way out.

Microsoft announced on September 12 via a post to the Server & Cloud blog that it is discontinuing quite a number of its Forefront products:

  • Forefront Protection 2010 for Exchange Server (FPE)
  • Forefront Protection 2010 for SharePoint (FPSP)
  • Forefront Security for Office Communications Server (FSOCS)
  • Forefront Threat Management Gateway 2010 (TMG)
  • Forefront Threat Management Gateway Web Protection Services (TMG WPS)

These products will no longer be available for purchase as of December 1, 2012.

Microsoft also announced it is renaming Forefront Online Protection for Exchange -- an unsung part of the Office 365 bundle of cloud services -- is being renamed to "Exchange Online Protection."

Microsoft will provide support for these discontinued products for a number of years, as indicated in this chart the company provided:


A couple Forefront products survived the purge: Forefront Unified Access Gateway (UAG) and Forefront Identity Manager. The product formerly known as Forefront Endpoint Security lives on as part of the System Center 2012 product (System Center 2012 Endpoint Protection).

Microsoft reason for dropping so many of its Forefront enterprise-security products seems to be that other products are integrating some of the same functionality. Microsoft is integrating "basic antimalware protection" into Exchange Server 2013. SharePoint and Lync Servers include built-in security. DirectAccess and Routing and Remote Access Server VPN in Windows Server 2012 provide secure remote access for those customers.

It's also worth noting Microsoft has been struggling with shipping promised Forefront products and undergone various management changes in its identity/security unit over the past couple of years.

If you're going to do a big product-family discontinuation that needs some air cover, there's no day better than an iPhone launch day....

Update (September 17): Former Microsoft Distinguished Engineer Hal Berenson, who was charged with overseeing a number of the Forefront products while still at Microsoft, has a good post on the changes leading up to last week's announcement of the phase-out of most of the Forefront family.

Topics: Security, Enterprise Software, Microsoft, Windows


Mary Jo has covered the tech industry for 30 years for a variety of publications and Web sites, and is a frequent guest on radio, TV and podcasts, speaking about all things Microsoft-related. She is the author of Microsoft 2.0: How Microsoft plans to stay relevant in the post-Gates era (John Wiley & Sons, 2008).

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Disappointing...

    I actively use Forefront Protection for Exchange 2010 in my enterprise, and it's a great product. I appreciate that it's built into 2013, but I probably won't upgrade to it right away.

    Maybe it really is time to take a serious look at the Office 365 options going forward.
    • Licensing between UAG and TMG are very different

      TMG was licensed by the CPU and while UAG can mostly do what TMG did for reverse proxy it's licensed by CAL. This would be a significant cost increase over TMG. Any word on changes to licensing for UAG?
  • Alternatives?

    Does anyone have strong suggestions for a good enterprise software gateway alternative to replace these with? We've been using these since the ISA Server days for various clients and have been pleased with the security and flexibility they offered. Disappointing indeed.
    • Trend

      You could look at Trend Micro, they have a cloud solution as well as a gateway solution.
    • Clearswift products are very good alternatives

      Have you looked at the Clearswift Email and Web Gateways? They are excellent products and they normally get very good reviews:
    • Another Alternative

      We are using Sophos and Websense. Seems to be a solid combination.
  • disappointing doesn't quite cut it for me..

    its more like frustrating .. spent last three years planning to move to O365, debunked the myths internally over what TMG and FPE in 365 does vs various other cloud based service providers and on site systems .. and now this... Who is runing this division in MS? Looks like the same guy who ran server range products in Apple couple years ago.. This will do much flare to argument that 'MS cant do security properly' and I hope MS comes up with some really clear strategic indications and product guidance to customers/consumers/subscribers or whatever we are called these days..
    • Beta Testers... That is what we are called these days.

      Not customers/consumers/subscriber, they prefer to call us Beta Testers... MS wants everyone rushing out to buy the very latest and greatest MS products and to motivate us to do so, they decided to integrate Forefront into the very latest products... So if you want to be semi-protected, you have to be an early adopter... Oh Gee!!! Thanks MS!!!
      • Consumers...

        Is more appropriate from two perspectives:
        1) "consumer previews"
        2) EVERY IT software/hardware related producer animates us to consume more and more from his latest products.
        I wonder why there is no term like "IT obesity"...
  • That's very disappointing

    So basically they're retiring a whole line of Enterprise Edge protection products. UAG and TMG has been a very important part for integrating other vendors authentication protocols as well. This is certainly a very unfortunate development.
  • Provides Support????

    That's a laugh! So what edition do you have to buy to get support? ...Since I'm guessing that in true Microsoft style, they are still selling the products.

    Sorry, renting them.
  • With great power comes great responsibili

    Not the first vendor to change its approach in the cloud already without considering the impact on channels and as cloud continues to develop rapidly I expect we will see more vendors making changes that are easy from a backend cloud delivery end, but not so easy fro the channel and clients to palate.

    With great power comes great responsibility and in the cloud decisions and changes can be made quickly, but the ease of these changes has a consequence on customers and partners far quicker than product based changes have in the past.

    Ian Moyse
  • Made me laugh...

    "If you're going to do a big product-family discontinuation that needs some air cover, there's no day better than an iPhone launch day...."

    might as well been written

    "If you're going to do a big product-family discontinuation that needs some air cover, there's no day better than a Micro-who? day...."
  • Security is NOT job #1

    Integrated security is the wise decision. Visibility of security installation and components to customers should be minimized.

    From the perspective of the all important User Management executive, delivering computers services is job #1 and security is an unfortunate necessity. They see separate security as a resource cost center which periodical interferes with operation, development, and deployment of productive software. User management has long asked why the true experts on the functional vulnerabilities of particular products are not providing the security protection as part of the total package. Too often User Management perceives recurring and long term security integration issues as causing more annual productivity loss and corporate embarrassment than several brief outages due to malware and hacks.

    Indeed security should be integrated with productive software as invisibly and perfectly as possible -- and avoid asking wasting user technician time learning additional installations and imperfect integration of additional security only products.

    Yes separate security installation allows administrators and technicians iron control and fine detail. But the REAL job is providing the best security possible within limited time and budget --> without interfering with operations of essential production software.
    • Simplify network management and focusing on software service

      Basically integrated security should provide the best possible security for that specific product with any reduction in functionality being explicitly known when features are configured.

      Any additional security can be focused on external firewalls and possibly internal firewalls. Internal firewalls can be greatly simplified as internal servers will have only two states -- compromised or fully functional. Blocking compromised servers can be a manual software switch or simple signal from server itself detecting compromise. No more complex internal "firewalls" or proxies examining the content of email, office documents looking for viruses or spam.
  • Now what?

    So... uhh... what can I replace TMG with? It seems to be the best solution for enterprise gateways that easily and reliably integrate well into AD... particularly with how cheaply we can get it in the educational sector...
  • Pro TMG petition

    Because good editors should listen to their clients :