To the "core question" here, note that I'll be testing the CAS DMZ deployment and analyzing what "modes" require what minimum protocols and publishing my results. The 64 bit requirement kinda puts a dent in my virtualization capabilities, but I'll get it done.

Regarding PSS, I'm with you on that. I'm not sure who it is in the background that gets to set the criteria for what is "supported" or not, but after what happened again this morning for the 3rd time, I swear I would strangle them in their office chair. Yet again, a "security update" has broken the functionality of an extensively used "Kodak" image control when instantiated via Access. The Kodak control was originally shipped with Office, but now, for whatever reason, some ass hole has said "oh, that's not on our list of supported controls." This only happens with Access, and it is an absolute bug on Microsoft's end, yet they won't take responsibility for it. Instantiating the object via VB works just fine after the OS update. So I am left having to uninstall a critical security update on *all* of my users' systems, then mark it for bypass on WSUS, and leave the damn thing uninstalled until I now re-convert 250,000 document images to PDF so that I can get out from under the very control that I got (and paid for) from Microsoft that they now won't support on their own product (that I bought and paid for). It is ludicrous, and as Tom said, when these recommendations are made out of some department's ignorance, an extremely frustrating thing indeed. I guess the best to hope for is to push the PSS rep that says "It's not supported" into answering "Why not?"

t

On 1/11/07 2:46 AM, "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx> spoketh to all:

> Wish I had never asked now...sometimes, some of you guys really don't make it easy for new people to try to express their views and pose questions for comment without being slapped down.
> One minute I am being labelled as an "idiot" for my comments/views, the next minute someone else who says the same thing as me is now right and not challenged. What gives?
>
> I know many of you guys don't know me from Adam, but kinda unfair to just assume I know jack about ISA and secure network design just because I'm not "part of the club".
>
> Anyhow, thanks to Tim and Tom for seeming to share my disappointment with the decision made by the Exchange 2007 team...I think I need to try and find out how "official" their lack of support with 2k7 is going to be before I can continue recommending the least privilege model I have been using for Exchange 2003.
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: 11 January 2007 04:30
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> ..maybe I'm just tired?
> I spent two hours trying to get home tonight and I'm clearly not in my mind (right or otherwise).
> Forget I wrote and we'll start over tomorrow?
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Wednesday, January 10, 2007 8:18 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> That's exactly what I'm talking about. And precisely the configuration I deploy:
>
> My FE is in the authenticated segment of the DMZ and a member of my internal domain; however, the "recommended protocols" the Exchange group recommends are not necessary, and thus Steve's contention that "CIFS and all that other stuff... Might as well just be internal" I reject. I only allow Kerberos-Sec, LDAP, LDAP GC, Ping and DNS only from my FE to the internal DC's. And only HTTP to the BE's.
>
> Even if the other prots WERE required, it would still be far smarter to deploy the FE in the authenticated DMZ with limited access than to just give full stack access to the ENTIRE internal network. This is a deployment of services made available (initially) to a global, anonymous, untrusted network.
>
> Maybe I'm not properly articulating my point, but I have to say I'm really surprised that we are having this conversation...
>
> t
>
> On 1/10/07 7:10 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>
> C'mon, Tim; I know what your deployment recommendations are; this isn't it.
> He wants to extend his domain via "remote membership"; not create a separate domain.
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Wednesday, January 10, 2007 4:26 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> Because it's safer that way, that's why... That's what an authenticated access DMZ perimeter is for; with a CAS server that presents logon services to any Internet user, I would (and, in fact, require) that the server be in a least-privileged authenticated access perimeter network that limits that server's communications to the minimum required for required functionality and only to the hosts it needs to talk to.
>
> Let's say there is a front-end implementation issue or coding vulnerability: the CAS on the internal network would allow unfettered, full-stack access to the internal network. A CAS in a perimeter DMZ would mitigate potential exposure in the event of a 0day or configuration issue.
>
> "Safer on the internal network" is a complete misnomer when it comes to servers presenting services to an untrusted network.
>
> t
>
> On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>
> Why would you want to place a member of your internal domain in your DMZ, fer chrissakes?!?
> Hosting any domain member in the DMZ is a difficult proposition; especially where NAT is the order of the day.
> You can either use a network shotgun at your firewall or attempt to use your favorite VPN tunnel across the firewall to the domain.
>
> Jim
>
> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
> Sent: Wed 1/10/2007 2:35 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> From what I can gather, the new CAS role now uses RPC to communicate with the back-end (not sure of new name!) servers so I am guessing that this is an "RPC isn't safe across firewalls" type stance. Which I guess for a PIX, is a pretty true statement.
>
> Just think how much safer the world will be when firewalls can understand dynamic protocols like RPC...maybe one day firewalls will even be able to understand and filter based upon RPC interface...maybe one day... :-D ;-)
>
> Shame the Exchange team can't see how much ISA changes the traditional approach to DMZ thinking...kinda makes you think that both teams work for a different company :-(
>
> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email: jason.jones@xxxxxxxxxxxxxxxxx
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
> Sent: 10 January 2007 22:07
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> I seriously hope that they have taken different paths and these are not limitations on the software or it is going to mean a nice little redesign and break from custom..
>
> Greg
>
> ----- Original Message -----
> From: Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx>
> To: isapros@xxxxxxxxxxxxx
> Sent: Thursday, January 11, 2007 8:25 AM
> Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks
>
> Hi All,
>
> I heard today from an Exchange MVP colleague that members of the Exchange team (Scott Schnoll) are saying that they (Microsoft) do not support placing the new Exchange 2007 Client Access Server (like the old Exch2k3 FE role) role into a perimeter network. Has anyone else heard the same? This sounds very similar to Exchange admins of old when they didn't really understand what modern application firewalls like ISA could do - RPC filter anyone???
> http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b
>
> I have just about managed to convince Exchange colleagues (and customers) of the value of placing Exchange FE servers in a separate security zone from BE servers, DC's etc and now I hear this?
>
> Are the Exchange team confusing the old traditional DMZ's with what ISA can achieve with perimeter networks?
>
> From what I believe, it is good perimeter security practice to place servers which are Internet accessible into different security zones than servers that are purely internal.
> Therefore, the idea of placing Exchange 2003 FE servers in an ISA auth access perimeter network with Exchange 2003 BE servers on the internal network has always seemed like a good approach. It also follows a good least privilege model.
>
> Is this another example of the Exchange and ISA teams following different paths????
>
> Please tell me that I am wrong and that I am not going to have to start putting all Exchange roles, irrespective of security risk, on the same network again!!!!
>
> Comments?
>
> Cheers
>
> JJ
>
> All mail to and from this domain is GFI-scanned.
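The least-privilege rule set Thor describes earlier in the thread (Kerberos-Sec, LDAP, LDAP GC, DNS and ping from the FE to the internal DCs, HTTP only to the BEs), modelled beside the full-stack access an internally placed CAS would have, as an added example that is not part of the thread. The host names (cas-fe, dc1, be1, fs1), the port numbers and the sample flows are assumptions for illustration.

```python
from dataclasses import dataclass

ANY = None  # wildcard in a rule field


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    port: "int | None"   # None for icmp


# Rule = (src host, dst host, proto, dst port); ANY matches everything.
# Assumed standard ports: Kerberos 88, LDAP 389, LDAP GC 3268, DNS 53, HTTP 80.
DMZ_RULES = [
    ("cas-fe", "dc1", "tcp", 88), ("cas-fe", "dc1", "udp", 88),  # Kerberos-Sec
    ("cas-fe", "dc1", "tcp", 389),                                # LDAP
    ("cas-fe", "dc1", "tcp", 3268),                               # LDAP GC
    ("cas-fe", "dc1", "tcp", 53), ("cas-fe", "dc1", "udp", 53),  # DNS
    ("cas-fe", "dc1", "icmp", ANY),                               # Ping
    ("cas-fe", "be1", "tcp", 80),                                 # HTTP to the BE
]
# An internally placed CAS: nothing sits between it and the rest of the network.
INTERNAL_RULES = [("cas-fe", ANY, ANY, ANY)]


def allowed(rules, f):
    """First-match allow list; anything not matched by a rule is denied."""
    for src, dst, proto, port in rules:
        if ((src is ANY or src == f.src) and (dst is ANY or dst == f.dst)
                and (proto is ANY or proto == f.proto)
                and (port is ANY or port == f.port)):
            return True
    return False


def overly_broad(rules):
    """Least-privilege check: rules whose destination or protocol is a wildcard."""
    return [r for r in rules if r[1] is ANY or r[2] is ANY]


# Constructed sample: what the CAS needs, plus traffic it has no business sending.
SAMPLE_FLOWS = [
    Flow("cas-fe", "dc1", "tcp", 88),    # Kerberos to a DC: required
    Flow("cas-fe", "be1", "tcp", 80),    # HTTP to the BE: required
    Flow("cas-fe", "be1", "tcp", 445),   # CIFS to the BE: not needed
    Flow("cas-fe", "be1", "tcp", 389),   # LDAP to the BE: not needed
    Flow("cas-fe", "fs1", "tcp", 445),   # CIFS to a file server: not needed
]


def reachable(rules, flows=SAMPLE_FLOWS):
    """Flows a compromised CAS could complete under the given rule set."""
    return [f for f in flows if allowed(rules, f)]
```

Under DMZ_RULES only the two required flows complete, while INTERNAL_RULES lets every sample flow through and is flagged by overly_broad(); that difference is the exposure the thread argues about.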