[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 26 Feb 2007 17:05:03 -0500

Pinholes? We don't need no stinkin' pinholes.

Amy 
 
 

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Jones
Sent: Monday, February 26, 2007 4:15 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

I caught a CARP, this big! (extends arms)

 
-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: 26 February 2007 20:41
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Go Ahead, It's Filtered
 
 
 

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Monday, February 26, 2007 3:27 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Ok - it's official - let's get an "ISABlog motto" contest going.
Basic rules:
- no derogatory comments about CheckPix or similar (makes the lawyers
tremble)
- no marketing spew
- keep it short (10 words max)
- must use ISA behavior or feature (like "wpad")
- should abuse a common phrase (like "does a nautical pimp keep his
'oars' in the water?")

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Monday, February 26, 2007 12:23 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

You had me at WPAD? :)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Monday, February 26, 2007 12:26 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> NDA is a completely different point and Amy has it right - non-MS
> lists are verboten to NDA material.
> I'm an "odd duck" in this context (for more than one reason - ha! -
> beat ya to it!), because it's actually a large part of my job to "keep
> my finger on the pulse", as it were.  This is why you see me doing
> trips like tech Ready & Black Hat.  Unfortunately, fiscal limitations
> curtail any further involvement, but such is corporate life.
> 
> I agree that the ISA team hasn't exactly kept pace with teams like
> Exchange (we don't even have a silly motto like "you had me at ehlo"),
> but it still comes back to the "effort priorities".  I've been working
> with the right folks to make this a better experience all around
> (especially for the MVPs), but these things tend to move slowly...
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thor (Hammer of God)
> Sent: Monday, February 26, 2007 9:54 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> Conflicting info, then.  I was told by a source that non-MSFT lists 
> were poo-poo'ed on for liability and NDA reasons.
> 
> And while I totally understand the "bottom line" thinking, it seems
> like a huge waste to initiate something like the MVP program and to go
> through all the motions only to do it half-assed.
> 
> t
> 
> 
> On 2/26/07 9:35 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> 
> > In fact, ISA product team members are strongly encouraged to
> > participate in lists, NG, blogs and all other manner of public
> > communication efforts.
> > The sad fact is: the time available for such endeavors is woefully
> > small.
> > MS, like many profit-making businesses, operates with the smallest
> > teams required to produce product "X".
> > Unfortunately, with software engineering being what it is, and the
> > pressures of the marketing "old boy club", the teams are too small to
> > cover all the "nice to do" bases and still leave folks time for
> > themselves.
> > 
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thor (Hammer of God)
> > Sent: Monday, February 26, 2007 9:07 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > I never really saw much from the PM's over there- just that one stint
> > about SQL logging, and to be honest, there wasn't much valuable content
> > sourced from the MSFT side... In fact, as I understand it, the PM and
> > product support people (other than Jim) are apparently not pushed to
> > participate (and may be asked not to) because of the fact that it is
> > NOT an official MSFT site, and that NDA and product liability may be an
> > issue.
> > 
> > I'm going to draft up a "suggestions for the MVP program" and submit
> > them to the powers that be, just so that things like this can be
> > addressed.
> > 
> > t
> > 
> > 
> > On 2/26/07 8:50 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh
> > to all:
> > 
> > It's been a real problem for the ISA PG to work with the ISA MVPs,
> > because they think that the ISA MVPs are still involved with the
> > ISA MVP mailing list. I explained to them that because of "issues"
> > with that list there was less than optimal participation and that
> > they needed to get an MS managed solution. At the very least, they could
> > create their own DL and send mail to people on that list. I hate
> > missing out on the ISA PG's communications on that "other" list, but
> > my life is so much better not having to listen to the ****** that
> > happens over there.
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> > 
> > ________________________________
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Monday, February 26, 2007 8:56 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > I spoke with Melissa Travers, the MVP Lead for both ISA and
> > Exchange, and she said the Exchange group's MVP site was really,
> > really good, and that the Exchange group themselves is quite active.
> > Being they are the Exchange group, I can see why they would have a
> > decent portal. ;)
> > 
> > I suggested that if there were a single sourced, Microsoft
> > controlled MVP site where we could "browse through" other MVP
> > list content, that issues like this (the perceptions surrounding what
> > Exchange will and won't support and why) would be much easier to
> > manage, and that "the right people" from both sides could engage each
> > other in a positive way when two technologies collide like this.  To
> > me, this is a major shortcoming in the MVP program overall.  Given
> > the fact that the MVP program was created in order to provide a
> > collaborative environment for various technologies, it seems like a
> > horrible waste of a perfect opportunity to expand that environment
> > out to the MVPs and product teams in other product competencies.  The
> > fate of the ISA-MVP list is testament to that.
> > 
> > So, in the absence of a coordinated effort on Microsoft's part to
> > wrap its collective arms around the MVPs and product teams, I'll
> > see if I can get on the Exchange MVP list and begin
> > a dialog of exactly what is going on here.  But I'll need to get
> > immersed in Ex2007 first, which I've just not had the time to do.  The
> > promise of true unified messaging in 2007 was a major draw to me, but
> > given the apparent narrow PBX support and lack of official
> > functionality documentation, the rush to explore has lost its
> > luster.
> > 
> > t
> > 
> > 
> > On 2/26/07 6:02 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to
> > all:
> > 
> > 
> > 
> > 
> > Documentation always follows the product, which is barely on the
> > streets.
> > I've seen some regarding WM6, but the basic concepts are the same.
> > ..coming soon to a website near you...
> > 
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Monday, February 26, 2007 3:31 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > Hi All,
> > 
> > Anyone (Tim?) had chance to look at the least privilege approach
> > with Exchange 2007 yet?
> > 
> > From what I am hearing the "CAS not supported in perimeter"
> > statement is based more on "we haven't tested it yet" more
> > than "we don't think it is a good idea".
> > 
> > I have a few customers looking at placing the entire Exchange
> > architecture behind ISA (very untrusted LANs) - I have
> > done this with Exch2k3, but has anyone looked at this for Exch2k7?
> > 
> > I am guessing this is not supported either, but documentation is
> > very thin on the ground with reference to 2k7 and perimeter
> > networking....
> > 
> > Cheers
> > 
> > JJ
> > 
> > ________________________________
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: 15 January 2007 15:27
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > Right you are...  The analogy fits when you use "comparative logic"
> > as opposed to just thinking of the zone in singularity... Compared
> > to the areas on either side of the DMZ, it should be easy to
> > discern any activity at all in the DMZ itself- particularly hostile
> > activities.  There are strict policies about what
> > can go on in the Korean DMZ, as there should be in one's network DMZ.
> > Internet traffic is chaotic, and I don't even bother trying to
> > determine what is going on out on my Internet segment- I can't
> > control it anyway (other than my policy of implementing router
> > ACLs to match inbound/outbound traffic policies at my border router).
> > Internal traffic isn't chaotic, but it is hard to monitor for
> > "hostile" packets given the sheer volume and type of traffic being
> > generated by internal users, servers, services, etc to any number of
> > different hosts and clients.  But in the DMZ, you should be able to
> > immediately notice when something out of the ordinary is going on.
> > For instance, if I see POP3 logon traffic, I know something is FUBAR,
> > as I don't support POP3 in my DMZ at all.  If I see modal enumeration
> > by way of a null session, I know something is going on.  And etc, etc.
> > 
> > So, to me, it fits, and that is the term I choose to use.  I won't
> > be changing ;)
> > 
> > t
> > 
> > 
> > On 1/15/07 6:40 AM, "Gerald G. Young"
> > <g.young@xxxxxxxx> spoketh to all:
> > 
> > The DMZ in Korea itself isn't crawling with military.  Either side
> > of it is, ensuring that the definition of a demilitarized zone is
> > observed and maintained.  Before the advent of DMZs in networking, a
> > DMZ meant an area from which military forces, operations, and
> > installations were prohibited.  Essentially, it's a wide empty area
> > that constitutes a border with forces on either side pointing guns
> > into it.
> > 
> > I've always thought the adaptation of the acronym to the world of
> > networking a bit strange.  "Oh!  We got activity in our networked
> > DMZ!  Kill it!"  :-)
> > 
> > 
> > Cordially yours,
> > Jerry G. Young II
> > Product Engineer - Senior
> > Platform Engineering, Enterprise Hosting
> > NTT America, an NTT Communications Company
> > 
> > 22451 Shaw Rd.
> > Sterling, VA 20166
> > 
> > Office: 571-434-1319
> > Fax: 703-333-6749
> > Email: g.young@xxxxxxxx
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > Sent: Sunday, January 14, 2007 7:08 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: RE: [isapros] Re: ISA, Exchange 2007 and Perimeter
> > Networks
> > 
> > That's what it means to me too. Can't see the Korean no man's land
> > as qualifying as a DMZ when it's crawling with military.
> > 
> > In this conversation we have to take into consideration that CAS also
> > includes the capability to provide access to folders and files right
> > in OWA. This may be the thing that the Exchange team thinks throws a
> > monkey wrench into the secure deployment of CAS in a DMZ.
> > 
> > ________________________________
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
> > Sent: Sat 1/13/2007 6:46 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > For me, DMZ means scary place completely untrusted, perimeter network
> > means less scary place trusted to a degree, but strongly controlled
> > 
> > ________________________________
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: 12 January 2007 23:51
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > Interesting... Probably a good idea for us to actually articulate what
> > we really mean when we say DMZ.
> > 
> > I guess to some it means "free for all network" but for me, it should
> > be the network where you have the most restrictive policies controlling
> > each service so that it is obvious when malicious traffic hits the
> > wire.  Thoughts?
> > t
> > 
> > 
> > On 1/12/07 3:30 PM, "Steve Moffat"
> > <steve@xxxxxxxxxx> spoketh to all:
> > 
> > That's what I thought, now it's what I know....
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Friday, January 12, 2007 6:35 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > Aside from normal router & switch ACLs, ISA is the single line of
> > defense.
> > "..we don't need no stinking DMZs"
> > 
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> > Sent: Friday, January 12, 2007 12:12 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > Ahh...just had a thought.
> > 
> > It's all labeling.
> > 
> > Jason, and others (not Jason's fault), have been using the term DMZ.
> > 
> > Historically, is the term DMZ not taken literally as being completely
> > firewalled off from the trusted networks, and what Jason is talking
> > about is trusted network segmentation.
> > 
> > I betcha that's why the Exchange team don't support it...they think
> > it's a typical run of the mill DMZ...
> > 
> > Jim, isn't MS's Internal network segmented by using ISA?? Including
> > your mail servers?
> > 
> > S
All mail to and from this domain is GFI-scanned.
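
Thor's point earlier in this thread is that a DMZ earns its name by having the most restrictive policy of any segment, so that anything off-policy (his example: POP3 logon traffic where POP3 is not published) stands out immediately. The script below is an added example, not code from anyone on this list, that turns that idea into a check: it reads firewall log lines and reports every connection to a DMZ host that is not on an explicit allowlist. The log format, the 192.0.2.0/24 segment, the host roles and the allowlist are all constructed for the example; substitute your own export format and policy.

```python
"""Added example, not code from anyone on this list: audit firewall log lines
for traffic reaching a DMZ segment that the published policy does not expect.
The log format, addresses, host roles and policy are all constructed here."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed DMZ segment (documentation range) and its explicit allowlist of
# (destination host, protocol, port).  The point of a tightly policed segment
# is that this list is short, so anything outside it is worth a look.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
ALLOWED = {
    ("192.0.2.10", "tcp", 443),   # published OWA front end (constructed)
    ("192.0.2.10", "tcp", 25),    # inbound SMTP to the same host (constructed)
    ("192.0.2.20", "tcp", 53),    # external DNS (constructed)
    ("192.0.2.20", "udp", 53),
}

# Constructed log format: "<ts> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def audit_dmz(lines: Iterable[str]) -> List[Finding]:
    """Flag every connection to a DMZ host that is not on the allowlist.

    An ALLOW outside the list means the firewall policy is looser than the
    documented one (a policy gap); a DENY outside the list is a probe of a
    service the DMZ does not publish.  Both are anomalies in Thor's sense.
    """
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line: skip, do not guess
        if ipaddress.ip_address(rec["dst"]) not in DMZ_NET:
            continue                      # only the DMZ segment is policed here
        if (rec["dst"], rec["proto"], rec["dport"]) in ALLOWED:
            continue
        reason = ("unexpected service reached (policy gap)"
                  if rec["action"] == "ALLOW"
                  else "probe of unpublished service")
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"],
                                rec["proto"], rec["dport"], reason))
    return findings


# Constructed sample log: one POP3 logon that the firewall let through (the
# case Thor describes), one denied SMB probe, two legitimate hits, one
# non-DMZ flow and one garbage line.
SAMPLE_LOG = [
    "2007-02-26T20:41:00Z ALLOW tcp 198.51.100.7:51234 -> 192.0.2.10:443",
    "2007-02-26T20:41:05Z ALLOW tcp 198.51.100.7:51240 -> 192.0.2.10:110",
    "2007-02-26T20:41:09Z DENY tcp 198.51.100.9:40001 -> 192.0.2.10:445",
    "2007-02-26T20:41:12Z ALLOW udp 203.0.113.5:3321 -> 192.0.2.20:53",
    "2007-02-26T20:41:15Z ALLOW tcp 198.51.100.7:51250 -> 203.0.113.80:80",
    "this line is not a firewall record",
]

if __name__ == "__main__":
    for f in audit_dmz(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}/{f.proto}: {f.reason}")
```

Run against the constructed sample it reports two findings: the allowed POP3 connection (the firewall rule set is wider than the documented policy) and the denied connection to port 445 (a probe of a service the segment does not publish). The design choice worth noting is that the allowlist is the policy document itself: if the list is short enough to review by eye, the segment is restrictive enough that off-policy traffic is visible, which is exactly the property Thor argues a DMZ should have.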