[isalist] Re: New Articles on Tales

http://www.ISAserver.org
-------------------------------------------------------

You have it.
When deployed alone, the Exch team recommends deploying in a WG.
When deployed concurrent with TMG, we generally recommend deploying as a DM.

..of course, this will also depend on whether you deploy TMG strictly for 
publishing or for publishing & protected Internet access.
You _can_ publish Exch services without TMG being a DM, and you _can_ provide 
protected Internet access with TMG as a WG, and you can even deploy TMG for 
Exch web publishing as a WG, but if you want strong authentication for either 
case, you should deploy TMG as a DM.
If you decide to deploy TMG as a DM and you want Exch Edge on the same machine, 
then you have by extension decided to deploy Exch Edge as a DM. If you can't 
tolerate that, separate them to different machines.
..and we haven't even begun to discuss the fun that compliance requirements 
incur.

Recommendations are exactly that - recommendations.
You still have to perform your own threat modeling and business needs analysis 
to arrive at a reasonable solution for your own needs.

Jim


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Han Valk
Sent: Sunday, August 16, 2009 10:37 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: New Articles on Tales

http://www.ISAserver.org
-------------------------------------------------------
  
Ok I understand, that still leaves the point that some 'official' guidance from 
Microsoft would be nice.

Han.

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of 
Jim Harrison [Jim@xxxxxxxxxxxx]
Sent: Sunday, August 16, 2009 4:32 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: New Articles on Tales

http://www.ISAserver.org<http://www.isaserver.org/>
-------------------------------------------------------

There is no "always" or "never" to either of them. It's situational and 
requires that the deployment team perform their own threat modeling.
Exchange supports placing the edge role on a WG server to appease the "no 
domain members at the edge" tinfoil hat crowd, but when you combine it with 
TMG, the attack surface and thus the perceived threat of having the Exch edge 
role as a domain member is greatly reduced; even over that offered by Windows 
Firewall policies.

Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Han Valk
Sent: Saturday, August 15, 2009 11:54 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: New Articles on Tales

http://www.ISAserver.org<http://www.isaserver.org/>
-------------------------------------------------------

As far as I know Exchange Edge is to be installed on a workgroup server while 
TMG does its best job when domain joined. So this is a bit of a contradiction 
to me. I would love to see guidance from Microsoft on that. Maybe this can be 
added to the Q&A in Understanding Email Protection on TMG.

Han.


> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Sunday, August 16, 2009 00:35
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] New Articles on Tales
>
> http://blogs.technet.com/isablog/archive/2009/08/15/new-tales-from-the-
> edge-articles.aspx

------------------------------------------------------
List Archives: http://www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com<http://www.techgenix.com/>
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx


------------------------------------------------------
List Archives: http://www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com<http://www.techgenix.com/>
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.freelists.org/archives/isalist/  
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ 
ISA Server Blogs: http://blogs.isaserver.org/ 
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com 
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
Report abuse to listadmin@xxxxxxxxxxxxx 


------------------------------------------------------
List Archives: http://www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx

Other related posts: