Np ;) I totally agree with you. I'm even deploying an "internal" least-privilege ISA box between my internal clients and servers. And to Steve's post, do you mean "on the domain" or "on the internal network?" The CAS box has to be a domain member, but it does not have to be (and should not be) on the internal network.

t

On 1/10/07 4:35 PM, "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx> spoketh to all:

> Sorry t - the quote in my last post should have been from you, and not Steve.
> Thought I was going mad until you posted!
>
> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
> jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx>
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: 11 January 2007 00:26
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> Because it's safer that way, that's why... That's what an authenticated access
> DMZ perimeter is for - with a CAS server that presents logon services to any
> Internet user, I would (and, in fact, require) that the server be in a
> least-privileged authenticated access perimeter network that limits that
> server's communications to the minimum required for required functionality
> and only to the hosts it needs to talk to.
>
> Let's say there is a front-end implementation issue or coding vulnerability:
> the CAS on the internal network would allow unfettered, full-stack access to
> the internal network. A CAS in a perimeter DMZ would mitigate potential
> exposure in the event of a 0day or configuration issue.
>
> "Safer on the internal network" is a complete misnomer when it comes to
> servers presenting services to an untrusted network.
>
> t
>
> On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>
>> Why would you want to place a member of your internal domain in your DMZ,
>> fer chrissakes?!?
>> Hosting any domain member in the DMZ is a difficult proposition; especially
>> where NAT is the order of the day.
>> You can either use a network shotgun at your firewall or attempt to use your
>> favorite VPN tunnel across the firewall to the domain.
>>
>> Jim
>>
>> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
>> Sent: Wed 1/10/2007 2:35 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> From what I can gather, the new CAS role now uses RPC to communicate with
>> the back-end (not sure of new name!) servers so I am guessing that this is
>> an "RPC isn't safe across firewalls" type stance. Which I guess for a PIX,
>> is a pretty true statement.
>>
>> Just think how much safer the world will be when firewalls can understand
>> dynamic protocols like RPC...maybe one day firewalls will even be able to
>> understand and filter based upon RPC interface...maybe one day... :-D ;-)
>>
>> Shame the Exchange team can't see how much ISA changes the traditional
>> approach to DMZ thinking...kinda makes you think that both teams work for a
>> different company :-(
>>
>> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
>> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
>> jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx>
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Greg Mulholland
>> Sent: 10 January 2007 22:07
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> I seriously hope that they have taken different paths and these are not
>> limitations on the software or it is going to mean a nice little redesign
>> and break from custom..
>>
>> Greg
>>
>>> ----- Original Message -----
>>> From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>
>>> To: isapros@xxxxxxxxxxxxx
>>> Sent: Thursday, January 11, 2007 8:25 AM
>>> Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks
>>>
>>> Hi All,
>>>
>>> I heard today from an Exchange MVP colleague that members of the Exchange
>>> team (Scott Schnoll) are saying that they (Microsoft) do not support
>>> placing the new Exchange 2007 Client Access Server (like the old Exch2k3 FE
>>> role) role into a perimeter network. Has anyone else heard the same? This
>>> sounds very similar to Exchange admins of old when they didn't really
>>> understand what modern application firewalls like ISA could do - RPC filter
>>> anyone???
>>> http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b
>>>
>>> I have just about managed to convince Exchange colleagues (and customers)
>>> of the value of placing Exchange FE servers in a separate security zone
>>> from BE servers, DCs etc and now I hear this?
>>>
>>> Are the Exchange team confusing the old traditional DMZs with what ISA can
>>> achieve with perimeter networks?
>>>
>>> From what I believe, it is good perimeter security practice to place
>>> servers which are Internet accessible into different security zones than
>>> servers that are purely internal. Therefore, the idea of placing Exchange
>>> 2003 FE servers in an ISA auth access perimeter network with Exchange 2003
>>> BE servers on the internal network has always seemed like a good approach.
>>> It also follows a good least privilege model.
>>>
>>> Is this another example of the Exchange and ISA teams following different
>>> paths????
>>>
>>> Please tell me that I am wrong and that I am not going to have to start
>>> putting all Exchange roles, irrespective of security risk, on the same
>>> network again!!!!
>>>
>>> Comments?
>>>
>>> Cheers
>>>
>>> JJ
>>>
>>
>> All mail to and from this domain is GFI-scanned.