[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 26 Feb 2007 09:54:18 -0800

Conflicting info, then.  I was told by a source that non-MSFT lists were
poo-poo'ed on for liability and NDA reasons.

And while I totally understand the "bottom line" thinking, it seems like a
huge waste to initiate something like the MVP program and to go through all
the motions only to do it half-assed.

t


On 2/26/07 9:35 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> In fact, ISA product team members are strongly encouraged to participate
> in lists, NG, blogs and all other manner of public communication
> efforts.
> The sad fact is; the time available for such endeavors is woefully
> small.
> MS, like many profit-making businesses, operates with the smallest teams
> required to produce product "X".
> Unfortunately, with software engineering being what it is, and the
> pressures of the marketing "old boy club", the teams are too small to
> cover all the "nice to do" bases and still leave folks time for
> themselves.
> 
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thor (Hammer of God)
> Sent: Monday, February 26, 2007 9:07 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> I never really saw much from the PM's over there- just that one stint
> about SQL logging, and to be honest, there wasn't much valuable content
> sourced from the MSFT side... In fact, as I understand it, the PM and
> product support people (other than Jim) are apparently not pushed to
> participate (and may be asked not to) because of the fact that it is NOT
> an official MSFT site, and that NDA and product liability may be an
> issue.
> 
> I'm going to draft up a "suggestions for the MVP program" and submit
> them to the powers that be, just so that things like this can be
> addressed.
> 
> t
> 
> 
> On 2/26/07 8:50 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
> all:
> 
> It's been a real problem for the ISA PG to work with the ISA
> MVPs, because they think that the ISA MVPs are still involved with the
> ISA MVP mailing list. I explained to them that because of "issues" with
> that list that there was less than optimal participation and that they
> needed to get a MS managed solution. At the very least, they could
> create their own DL and send mail to people on that list. I hate missing
> out on the ISA PGs communications on that "other" list, but my life is
> so much better not having to listen to the ****** that happens over
> there.
> 
> Thomas W Shinder, M.D.
> Site: http://www.isaserver.org/
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
> ________________________________
> 
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Monday, February 26, 2007 8:56 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
> Networks
> 
> 
> I spoke with Melissa Travers, the MVP Lead for both ISA
> and Exchange, and she said the Exchange group's MVP site was really,
> really good, and that the Exchange group themselves is quite active.
> Being they are the Exchange group, I can see why they would have a
> decent portal. ;)
> 
> I suggested that if there were a single sourced,
> Microsoft controlled MVP site where we could "browse through" other MVP
> list content, that issues like this (the perceptions surrounding what
> Exchange will and won't support and why) would be much easier to
> manage, and that "the right people" from both sides could engage each
> other in a positive way when two technologies collide like this. To
> me, this is a major shortcoming in the MVP program overall. Given the
> fact that the MVP program was created in order to provide a
> collaborative environment for various technologies, it seems like a
> horrible waste of a perfect opportunity to expand that environment out
> to the MVPs and product teams in other product competencies. The
> fate of the ISA-MVP list is testament to that.
> 
> So, in the absence of a coordinated effort on
> Microsoft's part to wrap its collective arms around the MVPs and
> product teams, I'll see if I can get on the Exchange MVP list and begin
> a dialog of exactly what is going on here. But I'll need to get
> immersed in Ex2007 first, which I've just not had the time to do. The
> promise of true unified messaging in 2007 was a major draw to me, but
> given the apparent narrow PBX support and lack of official
> functionality documentation, the rush to explore has lost its luster.
> 
> t
> 
> 
> On 2/26/07 6:02 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx>
> spoketh to all:
> 
> Documentation always follows the product, which
> is barely on the streets.
> I've seen some regarding WM6, but the basic
> concepts are the same.
> ..coming soon to a website near you...
> 
> 
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Monday, February 26, 2007 3:31 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and
> Perimeter Networks
> 
> Hi All,
> 
> Anyone (Tim?) had chance to look at the least
> privilege approach with Exchange 2007 yet?
> 
> From what I am hearing the "CAS not supported in
> perimeter" statement is based more on "we haven't tested it yet" more
> than "we don't think it is a good idea".
> 
> I have a few customers looking at placing the
> entire Exchange architecture behind ISA (very untrusted LANs) - I have
> done this with Exch2k3, but has anyone looked at this for Exch2k7?
> 
> I am guessing this is not supported either, but
> documentation is very thin on the ground with reference to 2k7 and
> perimeter networking....
> 
> Cheers
> 
> JJ
> 
> ________________________________
> 
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: 15 January 2007 15:27
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and
> Perimeter Networks
> 
> Right you are... The analogy fits when you use
> "comparative logic" as opposed to just thinking of the zone in
> singularity... Compared to the areas on either side of the DMZ, it
> should be easy to discern any activity at all in the DMZ itself-
> particularly hostile activities. There are strict policies about what
> can go on in the Korean DMZ, as there should be in one's network DMZ.
> Internet traffic is chaotic, and I don't even bother trying to
> determine what is going on out on my Internet segment- I can't control
> it anyway (other than my policy of implementing router ACLs to match
> inbound/outbound traffic policies at my border router). Internal
> traffic isn't chaotic, but it is hard to monitor for "hostile" packets
> given the sheer volume and type of traffic being generated by internal
> users, servers, services, etc to any number of different hosts and
> clients. But in the DMZ, you should be able to immediately notice when
> something out of the ordinary is going on. For instance, if I see POP3
> logon traffic, I know something is FUBAR, as I don't support POP3 in my
> DMZ at all. If I see modal enumeration by way of a null session, I
> know something is going on. And etc, etc.
> 
> So, to me, it fits, and that is the term I
> choose to use.  I won't be changing ;)
> 
> t
> 
> 
> On 1/15/07 6:40 AM, "Gerald G. Young"
> <g.young@xxxxxxxx> spoketh to all:
> 
> The DMZ in Korea itself isn't crawling with
> military. Either side of it is, ensuring that the definition of a
> demilitarized zone is observed and maintained. Before the advent of
> DMZs in networking, a DMZ meant an area from which military forces,
> operations, and installations were prohibited. Essentially, it's a
> wide empty area that constitutes a border with forces on either side
> pointing guns into it.
> 
> I've always thought the adaptation of the
> acronym to the world of networking a bit strange. "Oh! We got
> activity in our networked DMZ! Kill it!" :-)
> 
> 
> Cordially yours,
> Jerry G. Young II
> Product Engineer - Senior
> Platform Engineering, Enterprise Hosting
> NTT America, an NTT Communications Company
> 
> 22451 Shaw Rd.
> Sterling, VA 20166
> 
> Office: 571-434-1319
> Fax: 703-333-6749
> Email: g.young@xxxxxxxx
> 
> 
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> Sent: Sunday, January 14, 2007 7:08 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: RE: [isapros] Re: ISA, Exchange 2007
> and Perimeter Networks
> 
> That's what it means to me too. Can't see the
> Korean no man's land as qualifying as a DMZ when it's crawling with
> military.
> 
> In this conversation we have to take into
> consideration that CAS also includes the capability to provide access to
> folders and files right in OWA. This may be the thing that the Exchange
> team thinks throws a monkey wrench into the secure deployment of CAS in
> a DMZ.
> 
> ________________________________
> 
> From: isapros-bounce@xxxxxxxxxxxxx on behalf of
> Jason Jones
> Sent: Sat 1/13/2007 6:46 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and
> Perimeter Networks
> 
> For me, DMZ means scary place completely
> untrusted, perimeter network means less scary place trusted to a
> degree, but strongly controlled
> 
> ________________________________
> 
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: 12 January 2007 23:51
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and
> Perimeter Networks
> 
> Interesting... Probably a good idea for us to
> actually articulate what we really mean when we say DMZ.
> 
> I guess to some it means "free for all network"
> but for me, it should be the network where you have the most
> restrictive policies controlling each service so that it is obvious
> when malicious traffic hits the wire. Thoughts?
> 
> t
> 
> 
> On 1/12/07 3:30 PM, "Steve Moffat"
> <steve@xxxxxxxxxx> spoketh to all:
> 
> That's what I thought, now it's what I know....
> 
> 
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Friday, January 12, 2007 6:35 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and
> Perimeter Networks
> 
> Aside from normal router & switch ACLs, ISA is
> the single line of defense.
> "..we don't need no stinking DMZs"
> 
> 
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> Sent: Friday, January 12, 2007 12:12 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and
> Perimeter Networks
> 
> Ahh...just had a thought.
> 
> It's all labeling.
> 
> Jason, and others (not Jason's fault), have been
> using the term DMZ.
> 
> Historically, is the term DMZ not taken
> literally as being completely firewalled off from the trusted networks,
> and what Jason is talking about is trusted network segmentation.
> 
> I betcha that's why the Exchange team don't
> support it...they think it's a typical run of the mill DMZ...
> 
> Jim, isn't MS's Internal network segmented by
> using ISA?? Including your mail servers?
> 
> S
> 
> 
> All mail to and from this domain is
> GFI-scanned.
> 
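Thor's 15 January message in the quoted thread defines the network DMZ as the segment with the most restrictive per-service policy, so that anything off-policy (POP3 logon traffic where POP3 is not offered, a null-session enumeration attempt) is obvious the moment it hits the wire. The script below is an added example, not part of this thread and not code from ISA Server, Exchange or any other product named here: it applies that idea to constructed firewall log lines, checking every flow the firewall reported as allowed against an explicit DMZ allow-list and flagging a short list of sentinel ports with the reason. The segment ranges, the permitted ports and the log format are all assumptions made for the example.

```python
"""Policy-driven anomaly detection for a perimeter (DMZ) segment.

Added example, not from the isapros thread. The log format
"timestamp src dst proto dport action" and every address, port and
policy entry below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Segment definitions (assumed; RFC 5737 and RFC 1918 ranges).
DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.0.0.0/8")

# The DMZ policy: the only flows that should ever be allowed. Anything
# else the firewall reports as allowed contradicts the policy and is
# worth a look, whether or not the traffic itself is hostile.
ALLOWED_INBOUND_TO_DMZ = {("tcp", 443), ("tcp", 25)}    # published HTTPS and SMTP (assumed)
ALLOWED_DMZ_TO_INTERNAL = {("tcp", 443), ("tcp", 25)}   # back-end HTTPS and SMTP (assumed)

# Services the thread names as an immediate red flag inside a DMZ.
SENTINELS = {
    ("tcp", 110): "POP3 logon traffic (POP3 is not offered in the DMZ)",
    ("tcp", 139): "NetBIOS session (possible null-session enumeration)",
    ("tcp", 445): "SMB session (possible null-session enumeration)",
}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    proto: str
    dport: int
    reason: str


def parse_line(line: str) -> Optional[Tuple]:
    """Split one constructed log line into typed fields; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, action = parts
    try:
        return ts, ip_address(src), ip_address(dst), proto.lower(), int(dport), action.lower()
    except ValueError:
        return None


def classify(ts, src, dst, proto, dport, action) -> Optional[str]:
    """Return why an allowed flow violates DMZ expectations, or None."""
    if action != "allow":
        return None  # a deny is the policy doing its job, not an anomaly
    key = (proto, dport)
    if dst in DMZ:
        if key in SENTINELS:
            return SENTINELS[key]
        if key not in ALLOWED_INBOUND_TO_DMZ:
            return f"{proto}/{dport} into the DMZ is not in policy"
    elif src in DMZ and dst in INTERNAL:
        if key in SENTINELS:
            return SENTINELS[key] + ", initiated from the DMZ toward internal"
        if key not in ALLOWED_DMZ_TO_INTERNAL:
            return f"{proto}/{dport} from the DMZ toward internal is not in policy"
    return None


def audit(lines: List[str]) -> List[Finding]:
    """Run every log line through the policy and collect the anomalies."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(*rec)
        if reason:
            ts, src, dst, proto, dport, _ = rec
            findings.append(Finding(ts, str(src), str(dst), proto, dport, reason))
    return findings


# Constructed sample: one normal HTTPS hit, a POP3 logon into the DMZ, a
# denied SSH probe, an SMB session from a DMZ host into the internal network,
# a legitimate SMTP hand-off, an off-policy port, and one malformed line.
SAMPLE_LOG = [
    "2007-01-15T06:40:01 198.51.100.7 192.0.2.10 tcp 443 allow",
    "2007-01-15T06:40:02 198.51.100.7 192.0.2.10 tcp 110 allow",
    "2007-01-15T06:40:03 198.51.100.9 192.0.2.10 tcp 22 deny",
    "2007-01-15T06:40:04 192.0.2.10 10.1.2.3 tcp 445 allow",
    "2007-01-15T06:40:05 192.0.2.10 10.1.2.3 tcp 25 allow",
    "2007-01-15T06:40:06 198.51.100.7 192.0.2.10 tcp 8080 allow",
    "this line is deliberately malformed",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst} {f.proto}/{f.dport}: {f.reason}")
```

The point of keying on "allow" rather than "deny" is the one the thread makes: denied packets are the policy working, while an allowed flow that the allow-list does not explain means either the firewall rules and the written policy have drifted apart or something has bypassed them, and both deserve attention. Run against the constructed sample it reports three findings: the POP3 logon, the SMB session leaving the DMZ, and the off-policy port 8080.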


