[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>,<isapros@xxxxxxxxxxxxx>
  • Date: Wed, 10 Jan 2007 15:04:16 -0800

Why would you want to place a member of your internal domain in your DMZ, fer 
chrissakes?!?
Hosting any domain member in the DMZ is a difficult proposition; especially 
where NAT is the order of the day.
You can either use a network shotgun at your firewall or attempt to use your 
facvorite VPN tunnel across the firewall to the domain.
 
Jim

________________________________

From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
Sent: Wed 1/10/2007 2:35 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks


From what I can gather, the new CAS role now uses RPC to communicate with the 
back-end (not sure of new name!) servers so I am guessing that this is an "RPC 
isn't safe across firewalls" type stance. Which I guess for a PIX, is a pretty 
true statement.
 
Just think how much safer the world will be when firewalls can understand 
dynamic protocols like RPC...maybe one day firewalls will even be able to 
understand and filter based upon RPC interface...maybe one day... :-D ;-)
 
Shame the Exchange team can't see how much ISA changes the traditional approach 
to DMZ thinking...kinda makes you think that both teams work for a different 
company :-(

Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 
(0)7971 500312 | Fax: +44 (0)1202 360900 | Email: jason.jones@xxxxxxxxxxxxxxxxx 
<mailto:jason.jones@xxxxxxxxxxxxxxxxx> 

 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Greg Mulholland
Sent: 10 January 2007 22:07
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks


I seriously hope that they have take different paths and these are not 
limitations on the software or it is going to mean a nice little redesign and 
break from custom..
 
Greg

        ----- Original Message ----- 
        From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>  
        To: isapros@xxxxxxxxxxxxx 
        Sent: Thursday, January 11, 2007 8:25 AM
        Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks


        Hi All, 

        I heard today from an Exchange MVP colleague that members of the 
Exchange team (Scott Schnoll) are saying that they (Microsoft) do not support 
placing the new Exchange 2007 Client Access Server (like the old Exch2k3 FE 
role) role into a perimeter network. Has anyone else heard the same? This 
sounds very similar to Exchange admins of old when they didn't really 
understand modern application firewalls like ISA could do - RPC filter 
anyone??? 
http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b
 
<http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b>
 

        I have just about managed to convince Exchange colleagues (and 
customers) of the value of placing Exchange FE servers in a separate security 
zone from BE servers, DC's etc and now I here this...

        Are the Exchange team confusing the old traditional DMZ's with what ISA 
can achieve with perimeter networks? 

        From what I believe, it is good perimeter security practice to place 
servers which are Internet accessible into different security zones than 
servers that are purely internal. Therefore, the idea of placing Exchange 2003 
FE servers in an ISA auth access perimeter network with Exchange 2003 BE 
servers on the internal network has always seemed like a good approach. It also 
follows a good least privilege model. 

        Is this another example of the Exchange and ISA teams following 
different paths???? 

        Please tell me that I am wrong and that I am not going to have to start 
putting all Exchange roles, irrespective of security risk, on the same network 
again!!!!

        Comments? 

        Cheers 

        JJ 



All mail to and from this domain is GFI-scanned.

Other related posts:

  1. Home
  2. isapros
  3. Archive
  4. 01-2007