[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 26 Feb 2007 10:50:46 -0600

It's been a real problem for the ISA PG to work with the ISA MVPs,
because they think that the ISA MVPs are still involved with the ISA MVP
mailing list. I explained to them that because of "issues" with that
list that there was less than optimal participation and that they needed
to get a MS managed solution. At the very least, they could create their
own DL and send mail to people on that list. I hate missing out on the
ISA PG's communications on that "other" list, but my life is so much
better not having to listen to the ****** that happens over there.
 
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 


________________________________

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Monday, February 26, 2007 8:56 AM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        
        
        I spoke with Melissa Travers, the MVP Lead for both ISA and
Exchange, and she said the Exchange group's MVP site was really, really
good, and that the Exchange group themselves is quite active.  Being
they are the Exchange group, I can see why they would have a decent
portal. ;)
        
        I suggested that if there were a single sourced, Microsoft
controlled MVP site where we could "browse through" other MVP list
content, that issues like this (the perceptions surrounding what
Exchange will and won't support and why) would be much easier to manage,
and that "the right people" from both sides could engage each other in a
positive way when two technologies collide like this.  To me, this is a
major shortcoming in the MVP program overall.  Given the fact that the
MVP program was created in order to provide a collaborative environment
for various technologies, it seems like a horrible waste of a perfect
opportunity to expand that environment out to the MVPs and product
teams in other product competencies.   The fate of the ISA-MVP list is
testament to that. 
        
        So, in the absence of a coordinated effort on Microsoft's part
to wrap its collective arms around the MVPs and product teams, I'll
see if I can get on the Exchange MVP list and begin a dialog of exactly
what is going on here.  But I'll need to get immersed in Ex2007 first,
which I've just not had the time to do.   The promise of true unified
messaging in 2007 was a major draw to me, but given the apparent narrow
PBX support and lack of official functionality documentation, the rush
to explore has lost its luster. 
        
        t
        
        
        On 2/26/07 6:02 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to
all:
        
        

                Documentation always follows the product, which is
barely on the streets.
                I've seen some regarding WM6, but the basic concepts are
the same.
                ..coming soon to a website near you...
                 
                
                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
                Sent: Monday, February 26, 2007 3:31 AM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks
                
                Hi All,
                
                Anyone (Tim?) had chance to look at the least privilege
approach with Exchange 2007 yet?
                
                From what I am hearing the "CAS not supported in
perimeter" statement is based more on "we haven't tested it yet" more
than "we don't think it is a good idea".
                
                I have a few customers looking at placing the entire
Exchange architecture behind ISA (very untrusted LANs) - I have done
this with Exch2k3, but has anyone looked at this for Exch2k7?
                
                I am guessing this is not supported either, but
documentation is very thin on the ground with reference to 2k7 and
perimeter networking....
                
                Cheers
                
                JJ
                
                
                
                 
                

                
________________________________


                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
                Sent: 15 January 2007 15:27
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks
                Right you are...  The analogy fits when you use
"comparative logic" as opposed to just thinking of the zone in
singularity... Compared to the areas on either side of the DMZ, it
should be easy to discern any activity at all in the DMZ itself-
particularly hostile activities.  There are strict policies about what
can go on in the Korean DMZ, as there should be in one's network DMZ.
Internet traffic is chaotic, and I don't even bother trying to determine
what is going on out on my Internet segment- I can't control it anyway
(other than my policy of implementing router ACL's to match
inbound/outbound traffic policies at my border router).  Internal
traffic isn't chaotic, but it is  hard to monitor for "hostile" packets
given the sheer volume and type of traffic being generated by internal
users, servers, services, etc to any number of different hosts and
clients.  But in the DMZ, you should be able to immediately notice when
something out of the ordinary is going on.  For instance, if I see POP3
logon traffic, I know something is FUBAR, as I don't support POP3 in my
DMZ at all.  If I see modal enumeration by way of a null session, I know
something is going on.  And etc, etc. 
                
                So, to me, it fits, and that is the term I choose to
use.  I won't be changing ;)
                
                t
                
                
                On 1/15/07 6:40 AM, "Gerald G. Young" <g.young@xxxxxxxx>
spoketh to all:
                The DMZ in Korea itself isn't crawling with military.
Either side of it is, ensuring that the definition of a demilitarized
zone is observed and maintained.  Before the advent of DMZs in
networking, a DMZ meant an area from which military forces, operations,
and installations were prohibited.  Essentially, it's a wide empty area
that constitutes a border with forces on either side pointing guns into
it.
                 
                I've always thought the adaptation of the acronym to the
world of networking a bit strange.  "Oh!  We got activity in our
networked DMZ!  Kill it!" :-)
                
                
                Cordially yours,
                Jerry G. Young II
                Product Engineer - Senior
                Platform Engineering, Enterprise Hosting
                NTT America, an NTT Communications Company
                 
                22451 Shaw Rd.
                Sterling, VA 20166
                 
                Office: 571-434-1319
                Fax: 703-333-6749
                Email: g.young@xxxxxxxx
                 
                
                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
                Sent: Sunday, January 14, 2007 7:08 PM
                To: isapros@xxxxxxxxxxxxx
                Subject: RE: [isapros] Re: ISA, Exchange 2007 and
Perimeter Networks
                
                
                That's what it means to me too. Can't see the Korean no
man's land as qualifying as a DMZ when it's crawling with military. 
                
                 
                
                In this conversation we have to take into consideration
that CAS also includes the capability to provide access to folders and
files right in OWA. This may be the thing that the Exchange team thinks
throws a monkey wrench into the secure deployment of CAS in a DMZ. 
                
                   

                
________________________________


                
                
                From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason
Jones
                Sent: Sat 1/13/2007 6:46 PM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks
                
                For me, DMZ means scary place completely untrusted,
perimeter network means less scary place trusted to a degree, but
strongly controlled
                

                
________________________________


                
                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
                Sent: 12 January 2007 23:51
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks
                Interesting... Probably a good idea for us to actually
articulate what we really mean when we say DMZ.
                
                I guess to some it means "free for all network" but for
me, it should be the network where you have the most restrictive
policies controlling each service so that it is obvious when malicious
traffic hits the wire.  Thoughts?
                t
                
                
                On 1/12/07 3:30 PM, "Steve Moffat" <steve@xxxxxxxxxx>
spoketh to all:
                That's what I thought, now it's what I know....
                 
                
                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
                Sent: Friday, January 12, 2007 6:35 PM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks
                
                Aside from normal router & switch ACLs, ISA is the
single line of defense.
                "..we don't need no stinking DMZs"
                 
                
                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
                Sent: Friday, January 12, 2007 12:12 PM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks
                
                Ahh...just had a thought.
                 
                It's all labeling.
                 
                Jason, and others (not Jason's fault), have been using
the term DMZ.
                 
                Historically, is the term DMZ not taken literally as
being completely firewalled off from the trusted networks, and what
Jason is talking about is trusted network segmentation.
                 
                I betcha that's why the Exchange team don't support
it...they think it's a typical run of the mill DMZ...
                 
                Jim, isn't MS's Internal network segmented by using ISA??
Including your mail servers?
                 
                S 
                

                All mail to and from this domain is GFI-scanned. 


        
        

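Thor's point in the quoted Jan 15 message (a DMZ with the most restrictive per-service policy makes any unexpected flow, such as a POP3 logon or a null session, immediately stand out) is illustrated below with a small allowlist check run over constructed firewall log lines. This is an added example, not code from the thread or from ISA Server; the log layout, host addresses and policy table are hypothetical and are not ISA's own log format.

```python
"""DMZ allowlist anomaly check: with a tight per-host service policy, any
flow outside the policy is worth an alert. Log format, addresses and policy
are constructed for this example (hypothetical), not ISA's real format."""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto port user")

# Constructed DMZ policy: the only (proto, dport) each DMZ host is meant to serve.
DMZ_POLICY = {
    "10.0.2.10": {("tcp", 443)},   # OWA front end: HTTPS only
    "10.0.2.20": {("tcp", 25)},    # SMTP relay: SMTP only
}
DMZ_NET = "10.0.2."                # hypothetical DMZ address prefix

# Constructed log lines in a simple "ts src dst proto dport user" layout.
SAMPLE_LOG = """\
2007-01-15T06:40:01 198.51.100.7 10.0.2.10 tcp 443 -
2007-01-15T06:40:05 198.51.100.9 10.0.2.20 tcp 25 -
2007-01-15T06:41:10 198.51.100.7 10.0.2.10 tcp 110 bob
2007-01-15T06:42:00 198.51.100.22 10.0.2.20 tcp 445 anonymous
"""

def parse(line):
    ts, src, dst, proto, port, user = line.split()
    return Flow(ts, src, dst, proto, int(port), user)

def classify(flow):
    """Return None if the flow is on the DMZ allowlist, else a reason string."""
    if not flow.dst.startswith(DMZ_NET):
        return None  # not destined to the DMZ; out of scope for this check
    if (flow.proto, flow.port) in DMZ_POLICY.get(flow.dst, set()):
        return None
    # Off-policy flows: name the well-known cases from the thread, else generic.
    if flow.port == 110:
        return "POP3 logon in DMZ (POP3 is not offered there)"
    if flow.port == 445 and flow.user == "anonymous":
        return "SMB null session to DMZ host (enumeration attempt)"
    return f"{flow.proto}/{flow.port} not in policy for {flow.dst}"

def find_anomalies(log_text):
    """Return (ts, src, dst, reason) for every off-policy flow into the DMZ."""
    return [(f.ts, f.src, f.dst, reason)
            for f in map(parse, log_text.splitlines())
            if (reason := classify(f))]

if __name__ == "__main__":
    for hit in find_anomalies(SAMPLE_LOG):
        print(*hit)
```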