[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Sat, 13 Jan 2007 23:05:36 -0000

Really pleased my post has generated so much discussion, quite
unexpected, but good as it has been a little quiet on here lately...due
to the holidays I guess ;-)

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Jones
Sent: 12 January 2007 17:44
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks


Yeah, been there, event log full of DSaccess errors!

Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile:
+44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx> 

 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Gerald G. Young
Sent: 12 January 2007 14:27
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks



If it's participating in the domain, add the subnet to AD, especially if
you have more than one AD site (I consider this a best practice).  A lot
of funny things can occur with Active Directory aware applications when
they can't tell which site they belong to.  Exchange (2003), for
instance, won't start an information store.

 

Cordially yours,

Jerry G. Young II

Product Engineer - Senior

Platform Engineering, Enterprise Hosting

NTT America, an NTT Communications Company

 

22451 Shaw Rd.

Sterling, VA 20166

 

Office: 571-434-1319

Fax: 703-333-6749

Email: g.young@xxxxxxxx

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Jones
Sent: Friday, January 12, 2007 6:53 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

 

Either way, I think the idea of an intranet CAS and extranet CAS is
probably a good approach - the extranet CAS one would assume could then
go into the auth access perimeter network whilst the intranet one could
stay on the LAN. In this model, each CAS has a different security risk
and hence could be put into different security zones. 

 

Would it be such a bad thing to add the perimeter subnet to the AD site?
It will have domain members in it after all...

Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile:
+44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx> 

 

 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Greg Mulholland
Sent: 12 January 2007 05:35
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

doing a little bit more reading the only thing i can think might be the
reason is that apparently each mailbox server needs to have a CAS server
in its AD site. Therefore they recommend you keep the cas box on the
same lan. Also in multi domain environments this would add more design
considerations. Also in larger environments you might need 2 CAS boxes,
one for internal users and one for external users, for the sake of
keeping outbound lan access out of the dmz or better design.

 

but im not sure about the whole idea of the "swiss cheese" argument.
seems a bit like flogging a dead horse to me..i dont see how or why it
wouldn't work in the dmz environment. 

 

greg

 

 

        ----- Original Message ----- 

        From: Thomas W Shinder <mailto:tshinder@xxxxxxxxxxx>  

        To: isapros@xxxxxxxxxxxxx 

        Sent: Friday, January 12, 2007 3:22 PM

        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

         

        WORD!

         

        I'll gladly joining you in that public nut-kicking when the time
comes. What I want to understand first is what are the protocol
requirements for the CAS to the back-end components, and what their
rationale is for making the statements that have been reported so far.
They might have a good point, and if they have it, I want to hear it.
But if the point is 'it's too hard" or "I don't understand network
security, I just say what my boss tells me to say" or "I'm on the take
with Syphco" then those aren't valid and body parts will deserve some
shaking up in the public square. The least they can do is state "we
don't have the time or inclination to show you have to provide the
highest level of network security, but it is possible to do it right,
we're just not going to show you how to do it" as a disclaimer. With
that, we can then go ahead and help those who want to be helped J

         

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Thursday, January 11, 2007 6:40 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

         

        It may be just this type of "beating it to death" that is
required to get the Exchange group's attention.  I don't really care if
they don't support "perimeter network" deployments as long as ISA is an
exception.  I have every intention to ensure that an ISA authenticated
perimeter network DMZ segment "in front" of the CAS server is fully
supported if the proper protocols are allowed.  I will make sure to
press them into officially stating why it is not supported.  Even so, if
they try that, I will publicly kick them in the nuts. 
        
        t
        
        
        On 1/11/07 4:15 PM, "Jason Jones"
<Jason.Jones@xxxxxxxxxxxxxxxxx> spoketh to all:

        Hi Amy,
        
        I am not really sure for their reasoning, but think it is based
around the "Swiss cheese", don't pass intradomain traffic across a
normal firewall argument.
        
        Sorry, my bad for using the term DMZ, the exact phrase used by
Scholl is "It's true. The Client Access Server (CAS), which among other
things includes the OWA feature, is not supported in a perimeter network
(aka a DMZ).  Instead you'll deploy one or more CASs inside your
organization and put a robust firewall such as ISA 2006 in front of it."
I am guessing from experience of other Exchange team recommendations
that when they say perimeter network they really mean a traditional DMZ
which is created using traditional packet filter firewalls. The
recommended deployment is to put the CAS on the internal network e.g. on
the same network as the Exchange back-end servers. Once the CAS is on
the internal network, it should then be published to the Internet using
ISA.
        
        This design if fine if you want a simple open network where all
servers exist in the same security zone and hence all trust each other,
but many people are now trying to better this design by placing
different types of servers into different security zones based upon
their risk level and internet presence - say hello to the ISA auth
access perimeter network! ;-) 
        
        Basically I think it all harks back to the "don't put domain
members in a DMZ" mantra which is a pretty fair statement when using PF
firewalls like PIX, but things have moved on as least privilege
authenticated access perimeter networks with ISA are now getting
advanced enough to challenge this argument. Maybe the difference between
a PIX firewall and ISA firewall is just too subtle for some people???
        
        Think we have now done this to death now!! - be very surprised
if the Exchange team go back on these type of statements though. I
remember Tom banging his head against a brick wall with Henrik based
upon one of his MSExchange.org articles which said "not in the DMZ" type
statements.
        
        JJ

        
________________________________


        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
        Sent: 11 January 2007 23:15
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        
        Jason,
         
        What's the reasoning behind CAS not in the DMZ? Where to they
want it? Handing nude off the router? Behind a firewall?
         
        If the later, then just drop the out dated DMZ language. Most
firewall admins think that DMZ means nude off the other port on my nat
box. Your least priv design puts CAS safely behind a firewall.
         
        
        Amy Babinchak
        Harbor Computer Services

________________________________

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
        Sent: Thursday, January 11, 2007 5:58 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        
        Thanks Amy - maybe I am being a little oversensitive, just
didn't expect some of the initial responses.
        
        I tend to avoid most of the main mailing lists, probably for
similar reasons as others, and I tend to hang out at isaserver.org 95%
of the time. Hence maybe why only Tom (and Stefan) tend to see my input
and views on stuff.
        
        Tom invited me to this list as he felt it would be a good place
for me to pose all the questions that he can't answer or go unreplied on
isaserver.org
        
        I really do value the combined "ISA brain power" here, but just
think it could be a little more forgiving and friendly at times...having
said that I have found answers here that I just couldn't get elsewhere,
so don't misunderstand me as ungrateful.
        
        Anyhow back to the "core issue", from what I hearing from
Exchange MVP contacts, MS are playing the "CAS in a DMZ is totally
unsupported" tune very strongly. This is a real shame as it looks like I
will never be able to deploy the existing least privilege design with
Exchange 2007 without fear of customers coming back to us after trying
to log PSS calls or getting other non-ISA firewall guys in who slate the
design...oh well, at least ISA will still involved to some degree, just
not as cool as it could be...
        
        JJ  
        
        
          

________________________________

        
        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
        Sent: 11 January 2007 15:09
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        Jason don't get discouraged. The changes in Exchange are
monumental so there are bound to be disagreements and changes of opinion
on how to best secure it. The concept of an authenticated access DMZ in
a separate security zone allowing only a very minimal set of protocols
is a completely foreign concept to 99% of firewall admins out there.
That fact you are even thinking about this stuff put you in an elite
class. The rest are still poking holes and setting up VLANs. 
         
        Tom, Thor and Jim can be a bit clubby and a little overly poky
to new comers. It's a twitch they developed after participating on the
ISA server mailing list. It got worse when they decided to join a
general purpose SBS list. I'm not sure that they'll ever completely
recover.  
         
        
        Amy 
         
        
         
         

________________________________

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
        Sent: Thursday, January 11, 2007 5:47 AM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        
        Wish I had never asked now...sometimes, some of you guys really
don't make it easy for new people to try express their views and pose
questions for comment without being slapped down. One minute I am being
labelled as an "idiot" for my comments/views, the next minute someone
else who says the same thing as me is now right and not challenged. What
gives?  
        
        I know many of you guys don't know me from Adam, but kinda
unfair to just assume I know jack about ISA and secure network design
just because I'm not "part of the club".
        
        
        Anyhow, thanks to Tim and Tom for seeming to share my
disappointment with the decision made by the Exchange 2007 team...I
think I need to try and find out how "official" their lack of support
with 2k7 is going to be before I can continue recommending the least
privilege model I have been using for Exchange 2003.

________________________________

        
        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: 11 January 2007 04:30
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        ..maybe I'm just tired...
        I spent two hours trying to get home tonight and I'm clearly not
in my mind (right or otherwise).
        Forget I wrote and we'll start over tomorrow...
        
        
        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Wednesday, January 10, 2007 8:18 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        
        That's exactly what I'm talking about.  And precisely the
configuration I deploy:
        
        My FE is in the authenticated segment of the DMZ - and a member
of my internal domain; however, the "recommended protocols" the Exchange
group recommends are not necessary- and thus, Steve's contention that
"CIFS and all that other stuff... Might as well just be internal" I
reject.  I only allow Kerberos-Sec, LDAP, LDAP GC, Ping and DNS only
from my FE to the internal DC's.  And only HTTP to the BE's.  
        
        Even if the other prots WERE required, it would still be far
smarter to deploy the FE in the authenticated DMZ with limited access
than to just give full stack access to the ENTIRE internal network.
This is a deployment of a services made available (initially) to a
global, anonymous, untrusted network. 
        
        Maybe I'm not properly articulating my point, but I have to say
I'm really surprised that we are having this conversation...
        
        t
        
        
        On 1/10/07 7:10 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to
all:
        C'mon, Tim; I know what your deployment recommendations are;
this isn't it.
        He wants to extend his domain via "remote membership"; not
create a separate domain.
         
        
        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx]
<mailto:isapros-bounce@xxxxxxxxxxxxx%5d>
<mailto:isapros-bounce@xxxxxxxxxxxxx%5d>   On Behalf Of Thor (Hammer of
God)
        Sent: Wednesday, January 10, 2007 4:26 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
         
        Because it's safer that way, that's why... That's what an
authenticated access DMZ perimeter is for- with a CAS server that
presents logon services to any Internet user, I would (and, in fact,
require) that the server be in a least-privileged authenticated access
perimeter network that limits that servers communications to the minimum
required for required functionality - and only to the hosts it needs to
talk to.
        
        Let's say there is a front-end implementation issue or coding
vulnerability: the CAS on the internal network would allow unfettered,
full-stack access to the internal network.  A CAS in a perimeter DMZ
would mitigate potential exposure in the event of a 0day or
configuration issue. 
        
        "Safer on the internal network" is a complete misnomer when it
comes to servers presenting services to an untrusted network. 
        
        t
        
        
        On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to
all:
        Why would you want to place a member of your internal domain in
your DMZ, fer chrissakes?!?
        Hosting any domain member in the DMZ is a difficult proposition;
especially where NAT is the order of the day.
        You can either use a network shotgun at your firewall or attempt
to use your facvorite VPN tunnel across the firewall to the domain.
        
        Jim 

        
________________________________


        
        
        From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
        Sent: Wed 1/10/2007 2:35 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        
        From what I can gather, the new CAS role now uses RPC to
communicate with the back-end (not sure of new name!) servers so I am
guessing that this is an "RPC isn't safe across firewalls" type stance.
Which I guess for a PIX, is a pretty true statement.
        
        Just think how much safer the world will be when firewalls can
understand dynamic protocols like RPC...maybe one day firewalls will
even be able to understand and filter based upon RPC interface...maybe
one day... :-D ;-)
        
        Shame the Exchange team can't see how much ISA changes the
traditional approach to DMZ thinking...kinda makes you think that both
teams work for a different company :-(
        Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 |
Mobile: +44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx>
<mailto:jason.jones@xxxxxxxxxxxxxxxxx>  
        
          

        
________________________________


        
        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx]
<mailto:isapros-bounce@xxxxxxxxxxxxx%5d>
<mailto:isapros-bounce@xxxxxxxxxxxxx%5d>   On Behalf Of Greg Mulholland
        Sent: 10 January 2007 22:07
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        
        I seriously hope that they have take different paths and these
are not limitations on the software or it is going to mean a nice little
redesign and break from custom..
        
        Greg
        ----- Original Message ----- 
        From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>
<mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>   
        To: isapros@xxxxxxxxxxxxx 
        Sent: Thursday, January 11, 2007 8:25 AM
        Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks
        
        
        Hi All, 
        
        I heard today from an Exchange MVP colleague that members of the
Exchange team (Scott Schnoll) are saying that they (Microsoft) do not
support placing the new Exchange 2007 Client Access Server (like the old
Exch2k3 FE role) role into a perimeter network. Has anyone else heard
the same? This sounds very similar to Exchange admins of old when they
didn't really understand modern application firewalls like ISA could do
- RPC filter anyone???
http://groups.google.co.uk/group/microsoft.public.exchange.design/browse
_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rn
um=2&hl=en#4db165c21599cf9b
<http://groups.google.co.uk/group/microsoft.public.exchange.design/brows
e_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&amp;q=cas+dmz+i
sa&amp;rnum=2&amp;hl=en#4db165c21599cf9b>
<http://groups.google.co.uk/group/microsoft.public.exchange.design/brows
e_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&r
num=2&hl=en#4db165c21599cf9b>
<http://groups.google.co.uk/group/microsoft.public.exchange.design/brows
e_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&amp;q=cas+dmz+i
sa&amp;rnum=2&amp;hl=en#4db165c21599cf9b>
<http://groups.google.co.uk/group/microsoft.public.exchange.design/brows
e_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&r
num=2&hl=en#4db165c21599cf9b>
<http://groups.google.co.uk/group/microsoft.public.exchange.design/brows
e_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&amp;q=cas+dmz+i
sa&amp;rnum=2&amp;hl=en#4db165c21599cf9b>
<http://groups.google.co.uk/group/microsoft.public.exchange.design/brows
e_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&r
num=2&hl=en#4db165c21599cf9b>  
        
        I have just about managed to convince Exchange colleagues (and
customers) of the value of placing Exchange FE servers in a separate
security zone from BE servers, DC's etc and now I here this...
        
        Are the Exchange team confusing the old traditional DMZ's with
what ISA can achieve with perimeter networks? 
        
        From what I believe, it is good perimeter security practice to
place servers which are Internet accessible into different security
zones than servers that are purely internal. Therefore, the idea of
placing Exchange 2003 FE servers in an ISA auth access perimeter network
with Exchange 2003 BE servers on the internal network has always seemed
like a good approach. It also follows a good least privilege model. 
        
        Is this another example of the Exchange and ISA teams following
different paths???? 
        
        Please tell me that I am wrong and that I am not going to have
to start putting all Exchange roles, irrespective of security risk, on
the same network again!!!!
        
        Comments? 
        
        Cheers 
        
        JJ 

        All mail to and from this domain is GFI-scanned. 

        
        
         
        
          

        All mail to and from this domain is GFI-scanned. 

         

        All mail to and from this domain is GFI-scanned.

Other related posts:

  1. Home
  2. isapros
  3. Archive
  4. 01-2007