[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 26 Feb 2007 09:06:40 -0800

I never really saw much from the PMs over there... just that one stint about
SQL logging, and to be honest, there wasn't much valuable content sourced
from the MSFT side... In fact, as I understand it, the PM and product
support people (other than Jim) are apparently not pushed to participate
(and may be asked not to) because of the fact that it is NOT an official
MSFT site, and that NDA and product liability may be an issue.

I'm going to draft up a "suggestions for the MVP program" and submit them to
the powers that be, just so that things like this can be addressed.

t


On 2/26/07 8:50 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
all:

> It's been a real problem for the ISA PG to work with the ISA MVPs, because
> they think that the ISA MVPs are still involved with the ISA MVP mailing list.
> I explained to them that because of "issues" with that list that there was
> less than optimal participation and that they needed to get a MS managed
> solution. At the very least, they could create their own DL and send mail to
> people on that list. I hate missing out on the ISA PGs communications on that
> "other" list, but my life is so much better not having to listen to the ******
> that happens over there.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- Microsoft Firewalls (ISA)
> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Thor (Hammer of God)
>> Sent: Monday, February 26, 2007 8:56 AM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> I spoke with Melissa Travers, the MVP Lead for both ISA and Exchange, and
>> she said the Exchange group's MVP site was really, really good, and that the
>> Exchange group themselves is quite active. Being they are the Exchange
>> group, I can see why they would have a decent portal. ;)
>> 
>> I suggested that if there were a single sourced, Microsoft controlled MVP
>> site where we could "browse through" other MVP list content, that issues
>> like this (the perceptions surrounding what Exchange will and won't support
>> and why) would be much easier to manage, and that "the right people" from
>> both sides could engage each other in a positive way when two technologies
>> collide like this. To me, this is a major shortcoming in the MVP program
>> overall. Given the fact that the MVP program was created in order to
>> provide a collaborative environment for various technologies, it seems like
>> a horrible waste of a perfect opportunity to expand that environment out to
>> the MVPs and product teams in other product competencies. The fate of the
>> ISA-MVP list is testament to that.
>> 
>> So, in the absence of a coordinated effort on Microsoft's part to wrap its
>> collective arms around the MVPs and product teams, I'll see if I can get on
>> the Exchange MVP list and begin a dialog of exactly what is going on here.
>> But I'll need to get immersed in Ex2007 first, which I've just not had the
>> time to do. The promise of true unified messaging in 2007 was a major draw
>> to me, but given the apparent narrow PBX support and lack of official
>> functionality documentation, the rush to explore has lost its luster.
>> 
>> t
>> 
>> 
>> On 2/26/07 6:02 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>> 
>>> Documentation always follows the product, which is barely on the streets.
>>> I've seen some regarding WM6, but the basic concepts are the same.
>>> ...coming soon to a website near you?
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Jason Jones
>>> Sent: Monday, February 26, 2007 3:31 AM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>> 
>>> Hi All,
>>> 
>>> Anyone (Tim?) had chance to look at the least privilege approach with
>>> Exchange 2007 yet?
>>> 
>>> From what I am hearing the "CAS not supported in perimeter" statement is
>>> based more on "we haven't tested it yet" more than "we don't think it is a
>>> good idea".
>>> 
>>> I have a few customers looking at placing the entire Exchange architecture
>>> behind ISA (very untrusted LANs) - I have done this with Exch2k3, but has
>>> anyone looked at this for Exch2k7?
>>> 
>>> I am guessing this is not supported either, but documentation is very thin
>>> on the ground with reference to 2k7 and perimeter networking....
>>> 
>>> Cheers
>>> 
>>> JJ
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Thor (Hammer of God)
>>> Sent: 15 January 2007 15:27
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>> 
>>> Right you are... The analogy fits when you use "comparative logic" as
>>> opposed to just thinking of the zone in singularity... Compared to the
>>> areas on either side of the DMZ, it should be easy to discern any activity
>>> at all in the DMZ itself- particularly hostile activities. There are
>>> strict policies about what can go on in the Korean DMZ, as there should be
>>> in one's network DMZ. Internet traffic is chaotic, and I don't even
>>> bother trying to determine what is going on out on my Internet segment- I
>>> can't control it anyway (other than my policy of implementing router ACLs
>>> to match inbound/outbound traffic policies at my border router). Internal
>>> traffic isn't chaotic, but it is hard to monitor for "hostile" packets
>>> given the sheer volume and type of traffic being generated by internal
>>> users, servers, services, etc to any number of different hosts and clients.
>>> But in the DMZ, you should be able to immediately notice when something out
>>> of the ordinary is going on. For instance, if I see POP3 logon traffic, I
>>> know something is FUBAR, as I don't support POP3 in my DMZ at all. If I
>>> see modal enumeration by way of a null session, I know something is going
>>> on. And etc, etc.
>>> 
>>> So, to me, it fits, and that is the term I choose to use. I won't be
>>> changing ;)
>>> 
>>> t
>>> 
>>> 
>>> On 1/15/07 6:40 AM, "Gerald G. Young" <g.young@xxxxxxxx> spoketh to all:
>>> 
>>> The DMZ in Korea itself isn't crawling with military. Either side of it
>>> is, ensuring that the definition of a demilitarized zone is observed and
>>> maintained. Before the advent of DMZs in networking, a DMZ meant an area
>>> from which military forces, operations, and installations were prohibited.
>>> Essentially, it's a wide empty area that constitutes a border with forces
>>> on either side pointing guns into it.
>>> 
>>> I've always thought the adaptation of the acronym to the world of
>>> networking a bit strange. "Oh! We got activity in our networked DMZ!
>>> Kill it!" :)
>>> 
>>> 
>>> Cordially yours,
>>> Jerry G. Young II
>>> Product Engineer - Senior
>>> Platform Engineering, Enterprise Hosting
>>> NTT America, an NTT Communications Company
>>> 
>>> 22451 Shaw Rd.
>>> Sterling, VA 20166
>>> 
>>> Office: 571-434-1319
>>> Fax: 703-333-6749
>>> Email: g.young@xxxxxxxx
>>> 
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Amy Babinchak
>>> Sent: Sunday, January 14, 2007 7:08 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: RE: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>> 
>>> 
>>> That's what it means to me too. Can't see the Korean no mans' land as
>>> qualifying as a DMZ when it's crawling with military.
>>> 
>>> 
>>> In this conversation we have to take into consideration that CAS also
>>> includes the capability to provide access to folders and files right in
>>> OWA. This may be the thing that the Exchange team thinks throws a monkey
>>> wrench into the secure deployment of CAS in a DMZ.
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
>>> Sent: Sat 1/13/2007 6:46 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>> 
>>> For me, DMZ means scary place completely untrusted, perimeter network means
>>> less scary place trusted to a degree, but strongly controlled
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Thor (Hammer of God)
>>> Sent: 12 January 2007 23:51
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>> 
>>> Interesting... Probably a good idea for us to actually articulate what we
>>> really mean when we say DMZ.
>>> 
>>> I guess to some it means "free for all network" but for me, it should be
>>> the network where you have the most restrictive policies controlling each
>>> service so that it is obvious when malicious traffic hits the wire.
>>> Thoughts?
>>> 
>>> t
>>> 
>>> 
>>> On 1/12/07 3:30 PM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all:
>>> 
>>> That's what I thought, now it's what I know...
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Jim Harrison
>>> Sent: Friday, January 12, 2007 6:35 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>> 
>>> Aside from normal router & switch ACLs, ISA is the single line of defense.
>>> "..we don't need no stinking DMZs"
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Steve Moffat
>>> Sent: Friday, January 12, 2007 12:12 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>> 
>>> Ahh... just had a thought.
>>> 
>>> It's all labeling.
>>> 
>>> Jason, and others (not Jason's fault), have been using the term DMZ.
>>> 
>>> Historically, is the term DMZ not taken literally as being completely
>>> firewalled off from the trusted networks, and what Jason is talking about
>>> is trusted network segmentation.
>>> 
>>> I betcha that's why the Exchange team don't support it... they think it's a
>>> typical run of the mill DMZ?
>>> 
>>> Jim, isn't MS's Internal network segmented by using ISA?? Including your
>>> mail servers?
>>> 
>>> S
>>> 
>>> All mail to and from this domain is GFI-scanned.
>>> 
>> 
> 
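The working definition of a DMZ that the thread settles on (the segment with the most restrictive per-service policy, so that anything else on the wire is immediately suspicious) is easy to turn into a check. The following is an added example, not code from the list or any of its participants: a small Python script that holds a constructed allow list of the services a DMZ is supposed to publish and runs constructed firewall log lines against it, flagging unpublished services (such as the POP3 logons Thor describes), DMZ host-to-host traffic, and DMZ hosts initiating connections toward the internal network. The subnets, addresses, log format and log lines are all made up for the example.

```python
"""Added example: flag DMZ traffic that falls outside an explicit allow list.

Everything here (subnets, hosts, log format, log lines) is constructed for
illustration; it is not the log format of ISA or any real firewall.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

DMZ_NET = "10.0.10."       # constructed DMZ subnet prefix
INTERNAL_NET = "10.0.20."  # constructed internal subnet prefix

# The only services the DMZ is supposed to expose: (dst ip, dst port, proto).
# Both hosts are hypothetical.
DMZ_POLICY: Set[Tuple[str, int, str]] = {
    ("10.0.10.20", 443, "TCP"),  # hypothetical OWA/CAS front end published by ISA
    ("10.0.10.21", 25, "TCP"),   # hypothetical inbound SMTP relay
}

PORT_NAMES = {25: "SMTP", 53: "DNS", 110: "POP3", 139: "NetBIOS",
              443: "HTTPS", 445: "SMB"}

# Constructed log format: "<date> <time> <proto> <src>:<sport> -> <dst>:<dport> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ALLOW|DENY)$"
)

# Constructed sample: two lines that match policy, four that should stand out.
SAMPLE_LOG = """\
2007-01-15 10:00:01 TCP 203.0.113.5:51234 -> 10.0.10.20:443 ALLOW
2007-01-15 10:00:02 TCP 198.51.100.7:40001 -> 10.0.10.21:25 ALLOW
2007-01-15 10:00:03 TCP 203.0.113.9:50022 -> 10.0.10.20:110 ALLOW
2007-01-15 10:00:04 TCP 10.0.10.20:49152 -> 10.0.10.21:445 ALLOW
2007-01-15 10:00:05 TCP 10.0.10.21:49153 -> 10.0.20.5:139 DENY
2007-01-15 10:00:06 UDP 203.0.113.9:53 -> 10.0.10.20:53 DENY
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    reason: str
    line: str


def _in_net(net: str, ip: str) -> bool:
    return ip.startswith(net)


def classify(line: str, policy: Set[Tuple[str, int, str]] = DMZ_POLICY) -> Optional[Finding]:
    """Return a Finding for a line that violates the DMZ policy, else None.

    The order of checks matters: lateral and outbound-from-DMZ traffic is
    reported as such even if the destination port happens to be a published
    service, because a DMZ host should never be the one initiating it.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return Finding("?", "unparseable log line", line)
    src, dst = m["src"], m["dst"]
    proto, dport = m["proto"], int(m["dport"])
    svc = PORT_NAMES.get(dport, f"port {dport}")
    if _in_net(DMZ_NET, src) and _in_net(DMZ_NET, dst):
        return Finding(m["ts"], f"DMZ host-to-host {svc}/{proto} traffic", line)
    if _in_net(DMZ_NET, src) and _in_net(INTERNAL_NET, dst):
        return Finding(m["ts"], f"DMZ host initiating {svc}/{proto} toward internal network", line)
    if _in_net(DMZ_NET, dst) and (dst, dport, proto) not in policy:
        return Finding(m["ts"], f"{svc}/{proto} is not a published DMZ service", line)
    return None


def check_dmz_traffic(log_text: str, policy: Set[Tuple[str, int, str]] = DMZ_POLICY) -> List[Finding]:
    """Run every non-empty log line through classify() and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        finding = classify(raw, policy)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in check_dmz_traffic(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.reason}\n    {f.line}")
```

The point of the allow-list shape is the one made in the thread: the check does not need signatures for "hostile" traffic, because on a segment whose policy is this narrow, anything not in the list is by definition worth looking at, whether the firewall allowed it or not (the `action` field is carried along only so that an ALLOW of an unpublished service shows up as policy drift rather than being filtered out).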

