[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 11 Jan 2007 16:42:15 +1100

A pinch of both, I'd say. Congrats!
  ----- Original Message ----- 
  From: Jim Harrison 
  To: isapros@xxxxxxxxxxxxx 
  Sent: Thursday, January 11, 2007 4:40 PM
  Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks


  Not all bad; I celebrated 4 years on the ISA SE team today.

  ..yes, Tom; it's really been that long.

  That doesn't count the two years I spent supporting ISA 2000 out of the 
kindness of my heart (or the emptiness of my brains; not sure which).



  From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Greg Mulholland
  Sent: Wednesday, January 10, 2007 9:14 PM
  To: isapros@xxxxxxxxxxxxx
  Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks



  Now that is a bad day :) don't ya hate that when ya leave stuff at work..

    ----- Original Message ----- 

    From: Jim Harrison 

    To: isapros@xxxxxxxxxxxxx 

    Sent: Thursday, January 11, 2007 4:09 PM

    Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks



    I hear ya - I'm supposed to oversee our lab move tomorrow, but I don't see 
that happening.

    To top it off, I left work in such a hurry that I left the PS for *my* 
laptop on my desk and my work laptop is beside it in the dock.

    ..and I just finished rebuilding *my* laptop with Vista Ultimate & all the 
toys I wanted.

    Now I can't even use it for more than an hour (it's a beast).

    <sigh>



    From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Greg Mulholland
    Sent: Wednesday, January 10, 2007 9:00 PM
    To: isapros@xxxxxxxxxxxxx
    Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks



    lol, I'll keep an eye out for you tonight on the news.. :)

      ----- Original Message ----- 

      From: Thomas W Shinder 

      To: isapros@xxxxxxxxxxxxx 

      Sent: Thursday, January 11, 2007 3:55 PM

      Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks



      I know what you're saying. Been fighting the CES crowd here in Vegas all 
week and feel like it's close to Texas Chain Saw Massacre time.



      Thomas W Shinder, M.D.
      Site: www.isaserver.org
      Blog: http://blogs.isaserver.org/shinder
      Book: http://tinyurl.com/3xqb7
      MVP -- ISA Firewalls






------------------------------------------------------------------------

        From: isapros-bounce@xxxxxxxxxxxxx 
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Wednesday, January 10, 2007 8:43 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

        Crap.  I totally forgot about your issues up there today.  I'm sorry I 
was such a prick.  Didn't mean to be - hard day myself.  We'll pick it up in 
the morning.
        t


        On 1/10/07 8:30 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

        ..maybe I'm just tired.
        I spent two hours trying to get home tonight and I'm clearly not in my 
mind (right or otherwise).
        Forget I wrote and we'll start over tomorrow.
         

        From: isapros-bounce@xxxxxxxxxxxxx 
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Wednesday, January 10, 2007 8:18 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
         
        That's exactly what I'm talking about.  And precisely the configuration 
I deploy:

        My FE is in the authenticated segment of the DMZ - and a member of my 
internal domain; however, the "recommended protocols" the Exchange group 
recommends are not necessary - and thus, Steve's contention that "CIFS and all 
that other stuff... might as well just be internal" I reject.  I only allow 
Kerberos-Sec, LDAP, LDAP GC, Ping and DNS from my FE to the internal DCs, 
and only HTTP to the BEs.  

        Even if the other protocols WERE required, it would still be far smarter 
to deploy the FE in the authenticated DMZ with limited access than to just give 
full stack access to the ENTIRE internal network.   This is a deployment of 
services made available (initially) to a global, anonymous, untrusted network. 

        Maybe I'm not properly articulating my point, but I have to say I'm 
really surprised that we are having this conversation...

        t


        On 1/10/07 7:10 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
        C'mon, Tim; I know what your deployment recommendations are; this isn't 
it.
        He wants to extend his domain via "remote membership"; not create a 
separate domain.
         

        From: isapros-bounce@xxxxxxxxxxxxx 
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Wednesday, January 10, 2007 4:26 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
         
        Because it's safer that way, that's why... That's what an authenticated 
access DMZ perimeter is for. With a CAS server that presents logon services to 
any Internet user, I would (and, in fact, do) require that the server be in a 
least-privileged authenticated access perimeter network that limits that 
server's communications to the minimum required for its functionality - and 
only to the hosts it needs to talk to.

        Let's say there is a front-end implementation issue or coding 
vulnerability: the CAS on the internal network would allow unfettered, 
full-stack access to the internal network.  A CAS in a perimeter DMZ would 
mitigate potential exposure in the event of a 0day or configuration issue. 

        "Safer on the internal network" is a complete misnomer when it comes to 
servers presenting services to an untrusted network. 

        t


        On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
        Why would you want to place a member of your internal domain in your 
DMZ, fer chrissakes?!?
        Hosting any domain member in the DMZ is a difficult proposition; 
especially where NAT is the order of the day.
        You can either use a network shotgun at your firewall or attempt to use 
your favorite VPN tunnel across the firewall to the domain.

        Jim 


------------------------------------------------------------------------



        From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
        Sent: Wed 1/10/2007 2:35 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

        From what I can gather, the new CAS role now uses RPC to communicate 
with the back-end (not sure of new name!) servers so I am guessing that this is 
an "RPC isn't safe across firewalls" type stance. Which I guess for a PIX, is a 
pretty true statement.

        Just think how much safer the world will be when firewalls can 
understand dynamic protocols like RPC...maybe one day firewalls will even be 
able to understand and filter based upon RPC interface...maybe one day... :-D 
;-)

        Shame the Exchange team can't see how much ISA changes the traditional 
approach to DMZ thinking...kinda makes you think that both teams work for a 
different company :-(
        Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: 
+44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email: 
jason.jones@xxxxxxxxxxxxxxxxx 

          


------------------------------------------------------------------------


        From: isapros-bounce@xxxxxxxxxxxxx 
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
        Sent: 10 January 2007 22:07
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

        I seriously hope that they have taken different paths and these are not 
limitations on the software, or it is going to mean a nice little redesign and 
break from custom..

        Greg
        ----- Original Message ----- 
        From: Jason Jones 
        To: isapros@xxxxxxxxxxxxx 
        Sent: Thursday, January 11, 2007 8:25 AM
        Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks


        Hi All, 

        I heard today from an Exchange MVP colleague that members of the 
Exchange team (Scott Schnoll) are saying that they (Microsoft) do not support 
placing the new Exchange 2007 Client Access Server role (like the old Exch2k3 
FE role) into a perimeter network. Has anyone else heard the same? This 
sounds very similar to Exchange admins of old when they didn't really 
understand what modern application firewalls like ISA could do - RPC filter 
anyone??? 
http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b

        I have just about managed to convince Exchange colleagues (and 
customers) of the value of placing Exchange FE servers in a separate security 
zone from BE servers, DCs etc. and now I hear this.

        Are the Exchange team confusing the old traditional DMZ's with what ISA 
can achieve with perimeter networks? 

        From what I believe, it is good perimeter security practice to place 
servers which are Internet accessible into different security zones than 
servers that are purely internal. Therefore, the idea of placing Exchange 2003 
FE servers in an ISA auth access perimeter network with Exchange 2003 BE 
servers on the internal network has always seemed like a good approach. It also 
follows a good least privilege model. 

        Is this another example of the Exchange and ISA teams following 
different paths???? 

        Please tell me that I am wrong and that I am not going to have to start 
putting all Exchange roles, irrespective of security risk, on the same network 
again!!!!

        Comments? 

        Cheers 

        JJ 

        All mail to and from this domain is GFI-scanned. 



         

          



         

          






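The least-privilege allow-list Thor describes for a domain-joined front-end in the authenticated DMZ (Kerberos, LDAP, LDAP GC, ping and DNS to the DCs; HTTP only to the back-ends) is the kind of policy that is easy to state and easy to drift from once "recommended protocol" lists get applied. The following is an added example, not code from the thread or from any of the participants: it models that allow-list and audits a proposed rule set against it, flagging any allow rule from the front-end that exceeds the minimum, including the CIFS and RPC rules an over-broad recommendation would add. The hostnames and the rule set are constructed for the example; the port numbers are the standard well-known ones (ISA's Kerberos-Sec protocol definitions are TCP and UDP 88).

```python
"""Audit a perimeter firewall policy for a DMZ-hosted Exchange front-end.

Added example (not from the thread). Models the allow-list described in
the discussion and reports every allow rule from the FE that goes beyond
it. Hostnames and sample rules are constructed; ports are well-known.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    port: int    # 0 for icmp
    action: str  # "allow" or "deny"

FE = "fe01.dmz.example"                            # constructed hostnames
DCS = {"dc01.corp.example", "dc02.corp.example"}
BES = {"mbx01.corp.example"}

# Service name -> (proto, port) pairs. Kerberos and DNS start on UDP and
# fall back to TCP (large tickets, large responses), so both are needed.
SERVICES = {
    "kerberos": {("tcp", 88), ("udp", 88)},   # ISA "Kerberos-Sec" definitions
    "ldap":     {("tcp", 389)},
    "ldap-gc":  {("tcp", 3268)},
    "dns":      {("tcp", 53), ("udp", 53)},
    "ping":     {("icmp", 0)},
    "http":     {("tcp", 80)},
}

# Minimum the front-end needs, per destination class (as stated in the thread).
MINIMUM = {
    "dc": {"kerberos", "ldap", "ldap-gc", "dns", "ping"},
    "be": {"http"},
}

def allowed_tuples(dst_class: str) -> Set[Tuple[str, int]]:
    out: Set[Tuple[str, int]] = set()
    for svc in MINIMUM[dst_class]:
        out |= SERVICES[svc]
    return out

def classify(host: str) -> str:
    if host in DCS:
        return "dc"
    if host in BES:
        return "be"
    return "other-internal"

def audit(rules: Iterable[Rule]) -> List[Tuple[Rule, str]]:
    """Return (rule, reason) for each allow rule from the FE beyond the minimum."""
    findings: List[Tuple[Rule, str]] = []
    for r in rules:
        if r.action != "allow" or r.src != FE:
            continue                       # only outbound allows from the FE matter here
        cls = classify(r.dst)
        if cls == "other-internal":
            findings.append((r, "FE may only reach DCs and BEs, not arbitrary internal hosts"))
        elif (r.proto, r.port) not in allowed_tuples(cls):
            findings.append((r, f"{r.proto}/{r.port} is not in the minimum set for a {cls}"))
    return findings

# Constructed rule set: the minimum, plus the kind of rules a "recommended
# protocols" list would add on top of it.
SAMPLE_RULES = [
    Rule(FE, "dc01.corp.example", "tcp", 88, "allow"),
    Rule(FE, "dc01.corp.example", "udp", 88, "allow"),
    Rule(FE, "dc01.corp.example", "tcp", 389, "allow"),
    Rule(FE, "dc01.corp.example", "tcp", 3268, "allow"),
    Rule(FE, "dc01.corp.example", "udp", 53, "allow"),
    Rule(FE, "dc01.corp.example", "icmp", 0, "allow"),
    Rule(FE, "mbx01.corp.example", "tcp", 80, "allow"),
    Rule(FE, "dc01.corp.example", "tcp", 445, "allow"),        # CIFS/SMB to a DC
    Rule(FE, "mbx01.corp.example", "tcp", 135, "allow"),       # RPC endpoint mapper to a BE
    Rule(FE, "fileserver.corp.example", "tcp", 445, "allow"),  # arbitrary internal host
    Rule("mbx01.corp.example", FE, "tcp", 445, "deny"),        # deny rules are not findings
]

if __name__ == "__main__":
    for rule, why in audit(SAMPLE_RULES):
        print(f"{rule.src} -> {rule.dst} {rule.proto}/{rule.port}: {why}")
```

Run as-is, the script reports the three over-broad rules (SMB to the DC, RPC to the back-end, and anything to a host that is neither). It only checks the FE's outbound allows against the named services; traffic initiated from the internal side toward the FE, and any reverse-direction rule, would need its own minimum set.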
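Jason's aside about firewalls that "understand and filter based upon RPC interface" is what an application-layer RPC filter actually does: it parses the DCE/RPC bind, reads the interface UUIDs the client asks for, and only lets through binds to interfaces on an allow-list. The following is an added example, not from the thread and not ISA's own filter: it builds a minimal little-endian DCE/RPC v5 bind PDU, parses the presentation context list back out, and applies a hypothetical allow-list that permits only the endpoint mapper interface. The two interface UUIDs (endpoint mapper and srvsvc) and the NDR transfer syntax are the standard published values; the sample PDUs are constructed inline.

```python
"""Interface-level filtering of a DCE/RPC bind (added example).

Builds and parses a v5 bind PDU, extracts the abstract syntax (interface)
UUIDs from the presentation context list, and allows or denies the bind
against an interface allow-list. Only little-endian data representation
is handled; anything unparseable is denied.
"""
import struct
import uuid
from typing import Iterable, List, Set, Tuple

PTYPE_BIND = 11
NDR32  = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
EPM    = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")  # endpoint mapper
SRVSVC = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")  # server service

def build_bind(interfaces: Iterable[Tuple[uuid.UUID, int]], call_id: int = 1) -> bytes:
    """Construct a minimal bind PDU requesting the given (interface, major version) pairs."""
    ctx = b""
    for cid, (iface, major) in enumerate(interfaces):
        ctx += struct.pack("<HBB", cid, 1, 0)             # p_cont_id, n_transfer_syn, reserved
        ctx += iface.bytes_le + struct.pack("<HH", major, 0)  # abstract syntax: uuid + version
        ctx += NDR32.bytes_le + struct.pack("<I", 2)      # one transfer syntax: NDR v2
    body = struct.pack("<HHI", 5840, 5840, 0)             # max_xmit, max_recv, assoc_group
    body += struct.pack("<BBH", len(ctx) and ctx.count(NDR32.bytes_le), 0, 0) + ctx
    hdr = struct.pack("<BBBB", 5, 0, PTYPE_BIND, 0x03)    # rpc_vers 5.0, bind, first+last frag
    hdr += b"\x10\x00\x00\x00"                            # drep: little-endian, ASCII, IEEE
    hdr += struct.pack("<HHI", 16 + len(body), 0, call_id)  # frag_len, auth_len, call_id
    return hdr + body

def parse_bind(pdu: bytes) -> List[Tuple[uuid.UUID, int]]:
    """Return the (interface uuid, major version) list from a bind PDU, or raise ValueError."""
    if len(pdu) < 28:
        raise ValueError("short PDU")
    vers, _minor, ptype, _flags = struct.unpack_from("<BBBB", pdu, 0)
    drep = pdu[4:8]
    frag_len, _auth_len, _call_id = struct.unpack_from("<HHI", pdu, 8)
    if vers != 5 or ptype != PTYPE_BIND:
        raise ValueError("not an rpc v5 bind")
    if not drep[0] & 0x10:
        raise ValueError("big-endian drep not supported")
    if frag_len != len(pdu):
        raise ValueError("frag_len does not match PDU length")
    off = 16 + 8                                   # skip max_xmit, max_recv, assoc_group
    n_ctx = pdu[off]
    off += 4                                       # n_context_elem + reserved bytes
    out: List[Tuple[uuid.UUID, int]] = []
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            raise ValueError("truncated context element")
        _cid, n_ts, _r = struct.unpack_from("<HBB", pdu, off)
        off += 4
        iface = uuid.UUID(bytes_le=pdu[off:off + 16])
        off += 16
        major, _minor = struct.unpack_from("<HH", pdu, off)
        off += 4
        if off + 20 * n_ts > len(pdu):
            raise ValueError("truncated transfer syntax list")
        off += 20 * n_ts                           # skip transfer syntaxes (uuid + version each)
        out.append((iface, major))
    return out

def filter_bind(pdu: bytes, allowed: Set[uuid.UUID]) -> Tuple[str, List[str]]:
    """Allow the bind only if every requested interface is on the allow-list."""
    try:
        ifaces = parse_bind(pdu)
    except (ValueError, struct.error) as e:
        return ("deny", [f"malformed: {e}"])     # fail closed on anything unparseable
    denied = [str(u) for u, _ in ifaces if u not in allowed]
    return ("allow" if not denied else "deny", denied)

ALLOWED_FROM_DMZ = {EPM}   # hypothetical allow-list for this example

if __name__ == "__main__":
    print(filter_bind(build_bind([(EPM, 3)]), ALLOWED_FROM_DMZ))
    print(filter_bind(build_bind([(EPM, 3), (SRVSVC, 3)]), ALLOWED_FROM_DMZ))
```

A bind that asks for the endpoint mapper alone is allowed; one that also asks for srvsvc is denied and the offending UUID is reported, and a truncated or otherwise malformed PDU is denied outright rather than passed on. A real filter also has to track the bind_ack and follow the dynamic port the endpoint mapper hands back, which this example does not attempt.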