[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 26 Feb 2007 09:52:01 -0800

Yes, I recall it well- but with ISAPro's around, there's no need to go
back, particularly if you are saying that no one participates.

I was told that since the list is NOT controlled by MS, though we are all
under NDA, we cannot discuss anything that may be considered NDA on that
list at all. The "treat it as NDA" meant "do not discuss anything on the
list" as MSFT does not control, own, or moderate anything on the list.

And even if the PM's for ISA don't participate, the entire thing should
still roll up under MSFT in a single-point-of-contact portal where one can
easily navigate through the different areas of competency.

t


On 2/26/07 9:25 AM, "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> spoketh
to all:

> You do recall that Susan is no longer involved with that list and that I am
> now the moderator? All members of the list are under signed NDA with
> Microsoft. 
>  
> Microsoft's stance is that product groups can post but should not post NDA
> information to any non-Microsoft owned list. Even so, neither the ISA nor IAG
> groups post to the Microsoft private MVP newsgroups. They are a quiet bunch.
> Other MVP lists that I'm on get lots of posts, questions, and response from
> the PM's and from PSS. The communication from this team is seriously lacking.
> I brought this up with several people and the response I get is essentially
> that communicating with the community isn't in their job description and they
> see no reason to change it. After all MVP's are customers. We're just
> champions; whatever that means.
>  
> 
> Amy Babinchak
> Harbor Computer Services
> ISA MVP, Small Business Specialist, MCP
>  
> ISA: http://isainsbs.blogspot.com
> for Clients: http://smalltechnotes.blogspot.com
> Website: http://www.harborcomputerservices.net
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thomas W Shinder
> Sent: Monday, February 26, 2007 11:51 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>  
> It's been a real problem for the ISA PG to work with the ISA MVPs, because
> they think that the ISA MVPs are still involved with the ISA MVP mailing list.
> I explained to them that because of "issues" with that list that there was
> less than optimal participation and that they needed to get a MS managed
> solution. At the very least, they could create their own DL and send mail to
> people on that list. I hate missing out on the ISA PGs communications on that
> "other" list, but my life is so much better not having to listen to the ******
> that happens over there.
> 
>  
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
>  
>>  
>> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Thor (Hammer of God)
>> Sent: Monday, February 26, 2007 8:56 AM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> I spoke with Melissa Travers, the MVP Lead for both ISA and Exchange, and she
>> said the Exchange group's MVP site was really, really good, and that the
>> Exchange group themselves is quite active.  Being they are the Exchange
>> group, I can see why they would have a decent portal. ;)
>> 
>> I suggested that if there were a single sourced, Microsoft controlled MVP
>> site where we could "browse through" other MVP list content, that issues like
>> this (the perceptions surrounding what Exchange will and won't support and
>> why) would be much easier to manage, and that "the right people" from both
>> sides could engage each other in a positive way when two technologies collide
>> like this.  To me, this is a major shortcoming in the MVP program overall.
>> Given the fact that the MVP program was created in order to provide a
>> collaborative environment for various technologies, it seems like a horrible
>> waste of a perfect opportunity to expand that environment out to the MVP's
>> and product teams in other product competencies.   The fate of the ISA-MVP
>> list is testament to that.
>> 
>> So, in the absence of a coordinated effort on Microsoft's part to wrap its
>> collective arms around the MVP's and product teams, I'll see if I can get on
>> the Exchange MVP list and begin a dialog of exactly what is going on here.
>> But I'll need to get immersed in Ex2007 first, which I've just not had the
>> time to do.   The promise of true unified messaging in 2007 was a major draw
>> to me, but given the apparent narrow PBX support and lack of official
>> functionality documentation, the rush to explore has lost its luster.
>> 
>> t
>> 
>> 
>> On 2/26/07 6:02 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>> Documentation always follows the product, which is barely on the streets.
>> I've seen some regarding WM6, but the basic concepts are the same.
>> ..coming soon to a website near you?
>>  
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Jason Jones
>> Sent: Monday, February 26, 2007 3:31 AM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> Hi All,
>> 
>> Anyone (Tim?) had chance to look at the least privilege approach with
>> Exchange 2007 yet?
>> 
>> From what I am hearing the "CAS not supported in perimeter" statement is
>> based more on "we haven't tested it yet" more than "we don't think it is a
>> good idea".
>> 
>> I have a few customers looking at placing the entire Exchange architecture
>> behind ISA (very untrusted LANs) - I have done this with Exch2k3, but has
>> anyone looked at this for Exch2k7?
>> 
>> I am guessing this is not supported either, but documentation is very thin on
>> the ground with reference to 2k7 and perimeter networking....
>> 
>> Cheers
>> 
>> JJ
>> 
>> 
>> 
>>  
>> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Thor (Hammer of God)
>> Sent: 15 January 2007 15:27
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> Right you are...  The analogy fits when you use "comparative logic" as
>> opposed to just thinking of the zone in singularity... Compared to the areas
>> on either side of the DMZ, it should be easy to discern any activity at all
>> in the DMZ itself- particularly hostile activities.  There are strict
>> policies about what can go on in the Korean DMZ, as there should be in one's
>> network DMZ.   Internet traffic is chaotic, and I don't even bother trying to
>> determine what is going on out on my Internet segment- I can't control it
>> anyway (other than my policy of implementing router ACL's to match
>> inbound/outbound traffic policies at my border router).  Internal traffic
>> isn't chaotic, but it is hard to monitor for "hostile" packets given the
>> sheer volume and type of traffic being generated by internal users, servers,
>> services, etc to any number of different hosts and clients.  But in the DMZ,
>> you should be able to immediately notice when something out of the ordinary
>> is going on.  For instance, if I see POP3 logon traffic, I know something is
>> FUBAR, as I don't support POP3 in my DMZ at all.  If I see modal enumeration
>> by way of a null session, I know something is going on.  And etc, etc.
>> 
>> So, to me, it fits, and that is the term I choose to use.  I won't be
>> changing ;)
>> 
>> t
>> 
>> 
>> On 1/15/07 6:40 AM, "Gerald G. Young" <g.young@xxxxxxxx> spoketh to all:
>> The DMZ in Korea itself isn't crawling with military.  Either side of it is,
>> ensuring that the definition of a demilitarized zone is observed and
>> maintained.  Before the advent of DMZs in networking, a DMZ meant an area
>> from which military forces, operations, and installations were prohibited.
>> Essentially, it's a wide empty area that constitutes a border with forces on
>> either side pointing guns into it.
>>  
>> I've always thought the adaptation of the acronym to the world of networking
>> a bit strange.  "Oh!  We got activity in our networked DMZ!  Kill it!" :)
>> 
>> 
>> Cordially yours,
>> Jerry G. Young II
>> Product Engineer - Senior
>> Platform Engineering, Enterprise Hosting
>> NTT America, an NTT Communications Company
>>  
>> 22451 Shaw Rd.
>> Sterling, VA 20166
>>  
>> Office: 571-434-1319
>> Fax: 703-333-6749
>> Email: g.young@xxxxxxxx
>>  
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Amy Babinchak
>> Sent: Sunday, January 14, 2007 7:08 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: RE: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> 
>> That's what it means to me too. Can't see the Korean no man's land as
>> qualifying as a DMZ when it's crawling with military.
>> 
>>  
>> 
>> In this conversation we have to take into consideration that CAS also
>> includes the capability to provide access to folders and files right in OWA.
>> This may be the thing that the Exchange team thinks throws a monkey wrench
>> into the secure deployment of CAS in a DMZ.
>> 
>>    
>> 
>> 
>> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
>> Sent: Sat 1/13/2007 6:46 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> For me, DMZ means scary place completely untrusted, perimeter network means
>> less scary place trusted to a degree, but strongly controlled
>> 
>> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Thor (Hammer of God)
>> Sent: 12 January 2007 23:51
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> Interesting... Probably a good idea for us to actually articulate what we
>> really mean when we say DMZ.
>> 
>> I guess to some it means "free for all network" but for me, it should be the
>> network where you have the most restrictive policies controlling each service
>> so that it is obvious when malicious traffic hits the wire.  Thoughts?
>> t
>> 
>> 
>> On 1/12/07 3:30 PM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all:
>> That's what I thought, now it's what I know?.
>>  
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Jim Harrison
>> Sent: Friday, January 12, 2007 6:35 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> Aside from normal router & switch ACLs, ISA is the single line of defense.
>> "..we don't need no stinking DMZs"
>>  
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Steve Moffat
>> Sent: Friday, January 12, 2007 12:12 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> Ahh...just had a thought.
>>  
>> It's all labeling.
>>  
>> Jason, and others (not Jason's fault), have been using the term DMZ.
>>  
>> Historically, is the term DMZ not taken literally as being completely
>> firewalled off from the trusted networks, and what Jason is talking about is
>> trusted network segmentation.
>>  
>> I betcha that's why the Exchange team don't support it...they think it's a
>> typical run of the mill DMZ?
>>  
>> Jim, isn't MS's Internal network segmented by using ISA?? Including your mail
>> servers?
>>  
>> S 
>> 
>> All mail to and from this domain is GFI-scanned.
> 
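
Added example, not part of the thread and not any poster's code: the DMZ policy described in the quoted messages (restrict each service so that anything else is obvious on the wire) written as an allowlist check over flow records. The addresses, policy entries, log format and log lines are all constructed assumptions; tcp/110 stands for the unsupported POP3 case and tcp/445 for SMB, the transport a null session rides on.

```python
import ipaddress
from collections import Counter

DMZ_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed documentation range
# Assumed policy: every (dst_ip, proto, dst_port) the DMZ is meant to carry.
ALLOWED = {
    ("192.0.2.10", "tcp", 443),    # published HTTPS front end
    ("192.0.2.20", "tcp", 25),     # inbound SMTP relay
    ("198.51.100.53", "udp", 53),  # DMZ hosts querying their resolver
}
# Constructed flow records: timestamp src_ip dst_ip proto dst_port
SAMPLE_LOG = """\
2007-01-15T15:01:02 203.0.113.7 192.0.2.10 tcp 443
2007-01-15T15:01:05 203.0.113.9 192.0.2.20 tcp 25
2007-01-15T15:01:09 192.0.2.20 198.51.100.53 udp 53
2007-01-15T15:02:11 203.0.113.44 192.0.2.20 tcp 110
2007-01-15T15:02:31 192.0.2.10 192.0.2.20 tcp 445
2007-01-15T15:03:00 10.0.0.5 10.0.0.9 tcp 445
2007-01-15T15:03:10 garbage line
"""

def parse(line):
    """Return (ts, src, dst, proto, port) or None if the record is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, port = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(port)
    except ValueError:
        return None

def dmz_violations(log_text):
    """Flows touching the DMZ that the policy does not list, plus unparsed lines."""
    flagged, unparsed = [], []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = parse(line)
        if rec is None:
            unparsed.append(line)   # never silently drop what cannot be read
            continue
        ts, src, dst, proto, port = rec
        if src not in DMZ_NET and dst not in DMZ_NET:
            continue                # internal or Internet traffic, out of scope here
        if (str(dst), proto, port) not in ALLOWED:
            flagged.append((ts, str(src), str(dst), proto, port))
    return flagged, unparsed

def by_service(flagged):
    """Count flagged flows per (proto, port) so the unexpected service stands out."""
    return Counter((proto, port) for _, _, _, proto, port in flagged)
```

Calling `dmz_violations(SAMPLE_LOG)` flags the POP3 and SMB flows inside the DMZ and returns the malformed record separately; the internal-only SMB flow is ignored because it never touches the DMZ range.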

