[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 11 Jan 2007 09:51:44 +1100

ISA, Exchange 2007 and Perimeter Networksone day.. :p
  ----- Original Message ----- 
  From: Jason Jones 
  To: isapros@xxxxxxxxxxxxx 
  Sent: Thursday, January 11, 2007 9:35 AM
  Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks


  From what I can gather, the new CAS role now uses RPC to communicate with the 
back-end (not sure of new name!) servers so I am guessing that this is an "RPC 
isn't safe across firewalls" type stance. Which I guess for a PIX, is a pretty 
true statement.

  Just think how much safer the world will be when firewalls can understand 
dynamic protocols like RPC...maybe one day firewalls will even be able to 
understand and filter based upon RPC interface...maybe one day... :-D ;-)

  Shame the Exchange team can't see how much ISA changes the traditional 
approach to DMZ thinking...kinda makes you think that both teams work for a 
different company :-(
  Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 
(0)7971 500312 | Fax: +44 (0)1202 360900 | Email: jason.jones@xxxxxxxxxxxxxxxxx





------------------------------------------------------------------------------
  From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Greg Mulholland
  Sent: 10 January 2007 22:07
  To: isapros@xxxxxxxxxxxxx
  Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks


  I seriously hope that they have take different paths and these are not 
limitations on the software or it is going to mean a nice little redesign and 
break from custom..

  Greg
    ----- Original Message ----- 
    From: Jason Jones 
    To: isapros@xxxxxxxxxxxxx 
    Sent: Thursday, January 11, 2007 8:25 AM
    Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks


    Hi All, 

    I heard today from an Exchange MVP colleague that members of the Exchange 
team (Scott Schnoll) are saying that they (Microsoft) do not support placing 
the new Exchange 2007 Client Access Server (like the old Exch2k3 FE role) role 
into a perimeter network. Has anyone else heard the same? This sounds very 
similar to Exchange admins of old when they didn't really understand modern 
application firewalls like ISA could do - RPC filter anyone??? 
http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b

    I have just about managed to convince Exchange colleagues (and customers) 
of the value of placing Exchange FE servers in a separate security zone from BE 
servers, DC's etc and now I here this.

    Are the Exchange team confusing the old traditional DMZ's with what ISA can 
achieve with perimeter networks? 

    From what I believe, it is good perimeter security practice to place 
servers which are Internet accessible into different security zones than 
servers that are purely internal. Therefore, the idea of placing Exchange 2003 
FE servers in an ISA auth access perimeter network with Exchange 2003 BE 
servers on the internal network has always seemed like a good approach. It also 
follows a good least privilege model. 

    Is this another example of the Exchange and ISA teams following different 
paths???? 

    Please tell me that I am wrong and that I am not going to have to start 
putting all Exchange roles, irrespective of security risk, on the same network 
again!!!!

    Comments? 

    Cheers 

    JJ

Other related posts:

  1. Home
  2. isapros
  3. Archive
  4. 01-2007