Call a Specialist Today! 844-960-3902

Celestix MSA 3400 Threat Management Gateway
Comprehensive protection against web-based threats, integrated into a unified gateway solution

Celestix MSA 3400 Threat Management Gateway

Celestix Products
Celestix MSA 3400 Series
Celestix MSA 3400 Threat Management Gateway
Including CAT6 Ethernet Cable, Power Cable, RJ45 Connector Cable, and Mounting Brackets
Get a Quote!

Click here to jump to more pricing!


Celestix is committed to continue servicing the market for Microsoft TMG 2010 until 2023, enabling businesses to continue deploying this market leading perimeter security platform.Celestix MSA security appliances deliver Microsoft’s Forefront Threat Management Gateway 2010 for unmatched multi-threat protection with industry-leading ease of use and value. Performance, reliability, and ease of management backed by expert Celestix customer support have made MSA the world’s best-selling Microsoft security appliances.

Celestix MSA delivers multiple layers of network security through Microsoft Forefront Threat Management Gateway (TMG) 2010. MSA enables organizations of all sizes to safely use the internet by providing continuously updated protection for the network edge, the web gateway, and email through Exchange. It is a comprehensive solution that will reduce exposure to web-based threats, increase productivity, and improve any organization’s overall security posture.

Microsoft Forefront Threat Management GatewayHighlights

  • Simplifies the complexity of web security
  • Network and application firewall
  • Internet access protection (proxy)
  • IPSec VPN gateway
  • HTTP and HTTPS inspection
  • Supports Windows Server 2008 (x64)
  • Web anti-virus and anti-malware
  • URL filtering (optional)
  • Email anti-malware and anti-spam
  • Network intrusion prevention
  • HTTPs Inspection
  • ISP redundancy
  • Enhanced UI, management, reporting
  • Includes OS license and TMG 2010 processor license

Collaboratively administrate empowered markets via plug-and-play networks. Dynamically procrastinate B2C users after installed base benefits. Dramatically visualize customer directed convergence without revolutionary ROI.

Celestix MSA appliance range is the world’s most deployed platform for Microsoft TMG 2010. MSA appliances are built for rapid deployment, simplified management and high performance. The Comet software engine provides an intuitive and feature rich web UI that allows for advanced configuration for both TMG and the appliance.

Celestix provides numerous additional features that complement and enhance the use of TMG. Automated update services provide pre-screened alerts and patches through the web UI, and multiple back-up and restore options provide solutions for disaster recovery.

Because of Celestix’ purpose-built appliance hardware and Comet appliance engine software, MSA appliances have earned an international reputation for great performance and reliability. We engineered our 6th generation hardware platforms to optimize the performance of TMG using the latest high-speed components and architecture optimized for 64-bit operations. We harden our appliance hardware platforms by eliminating all hardware components not needed to run TMG. Eliminating extraneous hardware and drivers removes security vulnerabilities and potential points of failure. Simplified hardware also reduces power and cooling requirements for cost savings on energy.

MSA powered by Microsoft TMG, web based protection from Celestix business anywhere solutions.

Network Edge Protection Secure Web Gateway Email Protection for Exchange
  • Enterprise class firewall
  • Application-layer inspection
  • VPN
  • Intrusion detection/prevention
  • URL filtering
  • Web anti-virus/malware
  • Proxy (forward/reverse)
  • Content cache
  • Network Inspection System (NIS)
  • HTTPS inspection
  • Anti-malware
  • Anti-spam
  • Anti-phishing


Celestix provides numerous additional features that complement and enhance the use of TMG. Automated update services provide pre-screened alerts and patches through the COMET web UI, and multiple back-up and restore options provide solutions for disaster recovery. Celestix appliances are the de facto platform for the secure and risk free deployment of TMG 2010, just ask the readers of who have voted MSA the reader’s choice award winner consistently for the last three years.

Superior security gateway functionality

  • EAL4+ certified application firewall secures your network with layer 2-7 traffic inspection
  • Market leading proxy and caching engine includes reverse proxy for application publishing and forward proxy for secure web browsing
  • IPSec VPN delivers secure remote user access and site-to-site connectivity
  • Web (URL) filtering blocks users from visiting infected websites and lets administrators control users’ access to enforce corporate web policies.
  • Web anti-virus/anti-malware security functions inspect files, scripts and all other forms of portable code to block sophisticated Web-based attacks
  • HTTPS inspection examines encrypted traffic to detect and stop encrypted malware
  • Network Inspection (intrusion detection/prevention) thwarts suspicious activity inside the firewall
  • Windows Server 2008 R2 (64-bit) operating system

Built-for-purpose appliance platform

Celestix MSA appliances provide an award winning, hardened turnkey platform for the deployment of TMG 2010. Celestix optimizes both the hardware and software on the MSA appliance to ensure a risk free “right first time” deployment. Celestix helps to lower the cost of ownership through reduced deployment timescales and increased hardware reliability.

  • Rapid deployment with jog dial, LCD display and intuitive interface
  • Simplified administration with COMET user interface
  • Automated patching and updates for application, OS and firmware
  • Out of Band management
  • A range of appliance form factors for Enterprises of all sizes


Unlike competing products that provide web proxy services only, the Celestix MSA featuring Microsoft ForeFront TMG 2010 is an enterprise-class firewall that also supports proxy services (forward and reverse). Because the firewall performs stateful packet inspection and deep application layer inspection, deploying the Celestix MSA as a forward proxy is inherently more secure.

Deploying the Celestix MSA as a forward proxy server improves your organization’s overall security posture in several ways. The first positive benefit is that a proxy provides network isolation. Internal clients are completely segregated from the public Internet and are not allowed to make direct socket connections to remote hosts. Requests from internal clients to external resources are terminated at the proxy, and the proxy creates a new connection to the remote host to retrieve the requested content on behalf of the internal user.

As a forward proxy server, the Celestix MSA also has the ability to authenticate user traffic; it enforces access policies based not only on source, destination, protocol, and port, but on Active Directory user account and group membership as well. This is compelling because it allows security administrators to accurately identify individual users and the sites they visit. When combined with the ISA Firewall Client, the Celestix MSA can also proxy all TCP and UDP based communication. It is not limited to web-based protocols or a small subset of TCP and UDP protocols like other competing products.

You can add additional enhanced security features such as content filtering, anti-virus and anti-malware detection and prevention, and Data Loss Prevention (DLP) utilities when using the MSA as a forward proxy. You can even employ forward SSL inspection utilities that allow the ISA firewall to inspect SSL encrypted communication. Integrating these technologies with the Celestix MSA is an effective way to defend against emerging threats and to provide regulatory compliance.


Forefront Threat Management Gateway (TMG) 2010 is an integrated edge security gateway that functions as an enterprise-class firewall, caching proxy (forward and reverse), and VPN (remote access and site-to-site) server.

URL filtering, malware inspection, intrusion detection/prevention, and HTTPS inspection can enhance and complement your existing endpoint protection strategy.

URL Filtering

With integrated URL filtering capabilities, TMG firewall administrators now have the ability to apply reputation-based access controls to web-based traffic. URL filtering is the first line of defense in a modern secure web gateway, and by assessing the reputation of web sites being accessed the administrator can prevent users from accessing known malicious sites.

Malware Inspection

Since no URL filtering solution is 100% effective (it is impossible to categorize every web site on the Internet) it is inevitable that users will visit a site that contains malicious software. To address this, TMG includes a gateway-integrated scanning engine to prevent virus and malicious software downloads

Network Inspection System

Malicious software authors will often attempt to exploit vulnerabilities that might exist in Microsoft operating systems, applications, or networking protocols. To address this, the TMG firewall includes the Network Inspection System (NIS). NIS is a new vulnerability-based intrusion detection and prevention system that performs low-level protocol inspection to detect and prevent attacks against these vulnerabilities.

HTTPS Inspection

HTTPS communication presents a special challenge to many firewalls. Often referred to as the “universal firewall bypass protocol”, HTTPS encrypts application layer data which prevents even the most advanced application layer firewalls from inspecting this communication. For many years, virus and malware authors have used HTTPS as a way to move malicious or infected payloads through secure web gateways without being detected. Malicious users have been using HTTPS as a channel to circumvent access control with proxy avoidance software.

HTTPS inspection closes this loophole. With HTTPS inspection enabled, the TMG firewall copies the originally requested SSL certificate and issues the user a duplicate. The TMG firewall can now terminate the SSL session at the Internal network interface and decrypt and inspect all outbound HTTPS communication. With HTTPS inspection enabled the TMG firewall has access to unencrypted application layer data which has many positive effects. The TMG firewall now has access to the full request path, not just the IP address of the site. With this additional information it can more accurately enforce URL filtering. The TMG firewall can now also enforce HTTP policy and inspect content for viruses and malicious software.


MSA has multiple network interfaces in addition to a flexible networking model that allows it to be deployed in diverse scenarios, including:

  • UTM gateway – MSA can be deployed as a UTM solution providing enterprise class network edge protection, secure web gateway access and email protection for Exchange, all in a single appliance.
  • Back-end firewall – MSA can complement any existing edge security solution such as Cisco, Juniper, Checkpoint, and others. When deployed as a back-end firewall, the existing edge security device handles the low level traffic filtering responsibilities leaving the MSA dedicated to perform authentication and conduct deep application layer traffic inspection, providing an advanced level of web protection.
  • Dedicated proxy – MSA can be configured as a standalone dedicated proxy server. In this configuration, the system is limited to providing proxy service for web-based protocols only. It can function as a transparent or explicit proxy.

Deployment Scenarios

Reverse Proxy Deployment

Reverse Proxy Deployment
Reverse Proxy Deployment

Connecting and Secure Your Branch Offices

Businesses need to connect remote-site branch offices to their corporate headquarters, provide security-enhanced Internet access from branch offices and utilize limited bandwidth more efficiently.

Organizations can use MSA appliance (TMG 2010) as a Branch Office Gateway to connect to and secure their branch offices, while efficiently utilizing network bandwidth. By providing HTTP compression -- caching of content, including software updates and site-to-site virtual private network (VPN) capabilities integrated with application-layer filtering -- MSA appliance (TMG 2010) makes it easier to securely expand corporate networks.

Branch Office Deployment
Branch Office Deployment

Defending Your Environment Against External and Internal Web-Based Threats

Businesses need to connect remote-site branch offices to their corporate headquarters, provide security-enhanced Internet access from branch offices and utilize limited bandwidth more efficiently.

Businesses need to eliminate the damaging effects of malware and attackers through comprehensive tools for scanning and blocking harmful content, files, and Web sites.

Web access protection with MSA appliance (TMG 2010) can help organizations protect their environments from internally- and externally-originating Internet-based threats. With a hybrid proxy-firewall architecture, deep content inspection, granular policies, and comprehensive alerting and monitoring capabilities, MSA appliance (TMG 2010) makes it easier to manage and protect your network.

External Threat Deployment
External Threat Deployment

Product Details:

Firewall protection

  • Multi-layer firewall
  • Application-layer filtering
  • Granular HTTP controls
  • DoS protection
  • Extensive protocol support

Application security

  • Highly secure email access from Outlook client
  • Single sign-on
  • Delegation of basic authentication
  • Link translation to internal servers
  • SSL bridging support

TMG 2010 license editions

  • Workgroup
  • Branch
  • Standard
  • Enterprise

Remote access

  • Site-to-site and remote access VPN
  • VPN traffic inspection, and quarantine
  • Secure NAT for VPN clients
  • Publish VPN servers
  • DirectAccess
  • NAP integration

Networking and performance

  • Leverages network load balancing to provide fail over and scaling of performance
  • Network-based configuration
  • Caching
  • Background Intelligent Transfer Service (BITS) caching
  • HTTP compression


  • Celestix COMET management console
  • Web UI and wizards
  • Enterprise policy that can be assigned to gateways, arrays, or enterprise-wide
  • Real-time monitoring and reporting
  • Query building
  • Report creation and publishing
  • External logging
  • Delegated permissions

Advanced features

  • Windows Server 64-bit support
  • Enhanced Voice over IP (VoIP) support
  • Enhanced Network Address Translation (NAT)
  • Network Inspection System (NIS)
  • ISP redundancy


MSA 3400 Front and Rear Views

  MSA 3400 MSA 6400 MSA 8400
MSA Series Model MSA 3400 MSA 6400 MSA 8400
Type of Business Designed for small to mid-sized enterprises Designed for large and multinational enterprises Designed for large and multinational enterprises
Recommended Users Up to 500 500 - 5,000 5,000 - 10,000
Microsoft TMG 2010 Edition Workgroup Edition
Branch Edition
Branch Edition
Enterprise Edition
Branch Edition
Enterprise Edition
Form Factor 1U 1U 2U
CPU Intel i5 Intel E3 2 x Intel E5
Number of Processors 4 Cores 4 Cores 12 Cores (hyperthreading)
Memory 8 GB 16 GB 16 GB
Cache 6 MB 6 MB 15 MB
Hard drive SATA-II 120 GB available storage SATA-II 120 GB available storage
2 x 160 GB hot-swappable hard drive
SATA-II 300 GB available storage
4 x 160 GB hot-swappable hard drive
Hot-Swappable Fans
Power Supply 220W auto-switching universal 110/220V AC power supply Redundant hot-swappable power supply 2 x 250W Redundant hot-swappable power supply 2 x 500W
Disk Mirror RAID - RAID 1 RAID 6
Gigabit Ethernet Ports 6 6 8
Dimensions (H x W x L) 1.75” x 17.3” x 13.0” inches 1.75” x 17.3” x 21.5” inches 3.5” x 17.4” x 23.25” inches

Options & Upgrades:

Web Security Subscriptions

Your Celestix MSA appliance can be enhanced with higher security via Microsoft ForeFront TMG Web Protection Services. It provides continuous updates for malware filtering and access to cloud-based URL filtering to protect against the latest Web threats. Please contact us to purchase Microsoft ForeFront services.

Celestix MSA Upgrade Program

Introduction -By participating in the Celestix Upgrade Program, you ensure your network is protected by the very latest in security, reliability, and performance available without hurting your bottom line. The Celestix Upgrade program is available to current Celestix customers with earlier generation products wishing to upgrade to our latest line of threat management solutions.

Details -Celestix customer is able to upgrade an earlier generation Celestix appliance, to eligible new Celestix solutions at 25% off the standard purchase price. To activate Upgrade products one must simply retire the eligible earlier generation Celestix appliance already on their account with 8x5 or 24x7 support contract. Not all devices are eligible for all Upgrade appliances. Specific eligibility details are outlined in the “Eligibility Chart”.

How to Purchase Celestix Upgrade Products - If you have an eligible product you would like to upgrade, simply purchase the Upgrade part number that corresponds to the desired available Upgrade product. Celestix products with unique Trade Up part numbers are available through this website. The discount is built into the price so you see the savings instantly.

Activating Upgrade Products - During activation of the Upgrade product you will be required to identify an eligible product on your account to be replaced. The specific device must be active in order to complete the activation of the Upgrade product. (To verify that the device you wish to replace is active and please contact us) Once the eligible device has been identified, it will be retired and the new box will become active.

  • Retired product will be removed from the customer's Support contract account
  • Retired product will not be eligible for upgrades, support, or software updates

Further Action Required - To complete the process, a certificate of retirement (CORE) must be completed and returned to Celestix within sixty (60) days of activation. Please contact us to get started!

Terms and Conditions:

  1. Celestix Networks reserves the right to deactivate an Upgrade product at any time if found to be in violation of program guidelines.
  2. Distributors or resellers found to be abusing the Celestix Upgrade Program may face penalties from Celestix, which may include but are not limited to: termination of partnership status, loss of specific partnership benefits as deemed appropriate by Celestix, and/or exemption from participating in any or all Celestix promotions and/or programs that benefit partners and/or end users.
  3. Celestix reserves the right to change or cancel any aspect of this program at any time.
  4. Upgrade offer valid for Celestix MSA Series products only.
  5. For certain products Upgrade is restricted, review "Eligibility Chart" for qualifications.
  6. In order to be eligible for the Upgrade Program, the device being upgraded must be activated in the same Support contract account that the new Upgrade product will be activated in.
  7. Device being upgraded must not have been previously retired or otherwise deactivated prior to activation of new Upgrade product.


Download the Celestix MSA Series Datasheet (.PDF)


Celestix Products
Celestix MSA 3400 Series
Celestix MSA 3400 Threat Management Gateway
Including CAT6 Ethernet Cable, Power Cable, RJ45 Connector Cable, and Mounting Brackets
Get a Quote!
Celestix MSA 3400 Series 8x5 Support & Maintenance
Celestix MSA 3400 8x5 Support, 1 Year
Get a Quote!
Celestix MSA 3400 8x5 Support, 3 Year
Get a Quote!
Celestix MSA 3400 Series 24x7 Support & Maintenance
Celestix MSA 3400 24x7 Support, 1 Year
Get a Quote!