[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Steve Moffat" <steve@xxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 10 Jan 2007 18:48:46 -0400

Well, if it's behind ISA, then where's the security risk whether it's in
the domain, or in a DMZ?

I would say it's more secure in the domain.

S

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Jones
Sent: Wednesday, January 10, 2007 5:25 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks

 

Hi All, 

I heard today from an Exchange MVP colleague that members of the
Exchange team (Scott Schnoll) are saying that they (Microsoft) do not
support placing the new Exchange 2007 Client Access Server role (like the
old Exch2k3 FE role) into a perimeter network. Has anyone else heard
the same? This sounds very similar to Exchange admins of old when they
didn't really understand what modern application firewalls like ISA could
do - RPC filter anyone???
http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b

I have just about managed to convince Exchange colleagues (and
customers) of the value of placing Exchange FE servers in a separate
security zone from BE servers, DCs etc. and now I hear this...

Are the Exchange team confusing the old traditional DMZs with what ISA
can achieve with perimeter networks?

From what I believe, it is good perimeter security practice to place
servers which are Internet accessible into different security zones than
servers that are purely internal. Therefore, the idea of placing
Exchange 2003 FE servers in an ISA auth access perimeter network with
Exchange 2003 BE servers on the internal network has always seemed like
a good approach. It also follows a good least privilege model. 

Is this another example of the Exchange and ISA teams following
different paths???? 

Please tell me that I am wrong and that I am not going to have to start
putting all Exchange roles, irrespective of security risk, on the same
network again!!!!

Comments? 

Cheers 

JJ 

 
