[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Fri, 12 Jan 2007 10:30:33 -0800

If your FE doesn't have a store, it's not a problem.  Not that I have seen,
anyway.

t


On 1/12/07 6:27 AM, "Gerald G. Young" <g.young@xxxxxxxx> spoketh to all:

> If it's participating in the domain, add the subnet to AD, especially if you
> have more than one AD site (I consider this a best practice).  A lot of funny
> things can occur with Active Directory aware applications when they can't tell
> which site they belong to.  Exchange (2003), for instance, won't start an
> information store.
>  
> 
> Cordially yours,
> Jerry G. Young II
> Product Engineer - Senior
> Platform Engineering, Enterprise Hosting
> NTT America, an NTT Communications Company
>  
> 22451 Shaw Rd.
> Sterling, VA 20166
>  
> Office: 571-434-1319
> Fax: 703-333-6749
> Email: g.young@xxxxxxxx
>  
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jason Jones
> Sent: Friday, January 12, 2007 6:53 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>  
> Either way, I think the idea of an intranet CAS and extranet CAS is probably a
> good approach - the extranet CAS one would assume could then go into the auth
> access perimeter network whilst the intranet one could stay on the LAN. In
> this model, each CAS has a different security risk and hence could be put into
> different security zones.
> 
>  
> 
> Would it be such a bad thing to add the perimeter subnet to the AD site? It
> will have domain members in it after all...
> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
> jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx>
> 
>  
>  
> 
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Greg Mulholland
> Sent: 12 January 2007 05:35
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> Doing a little bit more reading, the only thing I can think might be the reason
> is that apparently each mailbox server needs to have a CAS server in its AD
> site. Therefore they recommend you keep the CAS box on the same LAN. Also in
> multi-domain environments this would add more design considerations. Also in
> larger environments you might need 2 CAS boxes, one for internal users and one
> for external users, for the sake of keeping outbound LAN access out of the DMZ
> or better design.
> 
>  
> 
> But I'm not sure about the whole idea of the "swiss cheese" argument. Seems a
> bit like flogging a dead horse to me..I don't see how or why it wouldn't work
> in the DMZ environment.
> 
>  
> 
> greg
> 
>  
> 
>  
>> 
>> ----- Original Message -----
>> 
>> From: Thomas W Shinder <mailto:tshinder@xxxxxxxxxxx>
>> 
>> To: isapros@xxxxxxxxxxxxx
>> 
>> Sent: Friday, January 12, 2007 3:22 PM
>> 
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>>  
>> WORD!
>>  
>> I'll gladly join you in that public nut-kicking when the time comes. What
>> I want to understand first is what are the protocol requirements for the CAS
>> to the back-end components, and what their rationale is for making the
>> statements that have been reported so far. They might have a good point, and
>> if they have it, I want to hear it. But if the point is "it's too hard" or "I
>> don't understand network security, I just say what my boss tells me to say"
>> or "I'm on the take with Syphco" then those aren't valid and body parts will
>> deserve some shaking up in the public square. The least they can do is state
>> "we don't have the time or inclination to show you how to provide the
>> highest level of network security, but it is possible to do it right, we're
>> just not going to show you how to do it" as a disclaimer. With that, we can
>> then go ahead and help those who want to be helped :)
>>  
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Thor (Hammer of God)
>> Sent: Thursday, January 11, 2007 6:40 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>  
>> It may be just this type of "beating it to death" that is required to get the
>> Exchange group's attention.  I don't really care if they don't support
>> "perimeter network" deployments as long as ISA is an exception.  I have every
>> intention to ensure that an ISA authenticated perimeter network DMZ segment
>> "in front" of the CAS server is fully supported if the proper protocols are
>> allowed.  I will make sure to press them into officially stating why it is
>> not supported.  Even so, if they try that, I will publicly kick them in the
>> nuts. 
>> 
>> t
>> 
>> 
>> On 1/11/07 4:15 PM, "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx> spoketh to
>> all:
>> Hi Amy,
>> 
>> I am not really sure for their reasoning, but think it is based around the
>> "Swiss cheese", don't pass intradomain traffic across a normal firewall
>> argument.
>> 
>> Sorry, my bad for using the term DMZ, the exact phrase used by Scholl is
>> "It's true. The Client Access Server (CAS), which among other things includes
>> the OWA feature, is not supported in a perimeter network (aka a DMZ).
>> Instead you'll deploy one or more CASs inside your organization and put a
>> robust firewall such as ISA 2006 in front of it." I am guessing from
>> experience of other Exchange team recommendations that when they say
>> perimeter network they really mean a traditional DMZ which is created using
>> traditional packet filter firewalls. The recommended deployment is to put the
>> CAS on the internal network e.g. on the same network as the Exchange back-end
>> servers. Once the CAS is on the internal network, it should then be published
>> to the Internet using ISA.
>> 
>> This design is fine if you want a simple open network where all servers exist
>> in the same security zone and hence all trust each other, but many people are
>> now trying to better this design by placing different types of servers into
>> different security zones based upon their risk level and internet presence -
>> say hello to the ISA auth access perimeter network! ;-)
>> 
>> Basically I think it all harks back to the "don't put domain members in a
>> DMZ" mantra which is a pretty fair statement when using PF firewalls like
>> PIX, but things have moved on as least privilege authenticated access
>> perimeter networks with ISA are now getting advanced enough to challenge this
>> argument. Maybe the difference between a PIX firewall and ISA firewall is
>> just too subtle for some people???
>> 
>> Think we have done this to death now!! - be very surprised if the
>> Exchange team go back on these type of statements though. I remember Tom
>> banging his head against a brick wall with Henrik based upon one of his
>> MSExchange.org articles which said "not in the DMZ" type statements.
>> 
>> JJ 
>> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Amy Babinchak
>> Sent: 11 January 2007 23:15
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> Jason,
>>  
>> What's the reasoning behind CAS not in the DMZ? Where do they want it?
>> Hanging nude off the router? Behind a firewall?
>>  
>> If the latter, then just drop the outdated DMZ language. Most firewall admins
>> think that DMZ means nude off the other port on my NAT box. Your least priv
>> design puts CAS safely behind a firewall.
>>  
>> 
>> Amy Babinchak
>> Harbor Computer Services
>> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Jason Jones
>> Sent: Thursday, January 11, 2007 5:58 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> Thanks Amy - maybe I am being a little oversensitive, just didn't expect some
>> of the initial responses.
>> 
>> I tend to avoid most of the main mailing lists, probably for similar reasons
>> as others, and I tend to hang out at isaserver.org 95% of the time. Hence
>> maybe why only Tom (and Stefan) tend to see my input and views on stuff.
>> 
>> Tom invited me to this list as he felt it would be a good place for me to
>> pose all the questions that he can't answer or go unreplied on isaserver.org
>> 
>> I really do value the combined "ISA brain power" here, but just think it
>> could be a little more forgiving and friendly at times...having said that I
>> have found answers here that I just couldn't get elsewhere, so don't
>> misunderstand me as ungrateful.
>> 
>> Anyhow back to the "core issue", from what I am hearing from Exchange MVP
>> contacts, MS are playing the "CAS in a DMZ is totally unsupported" tune very
>> strongly. This is a real shame as it looks like I will never be able to
>> deploy the existing least privilege design with Exchange 2007 without fear of
>> customers coming back to us after trying to log PSS calls or getting other
>> non-ISA firewall guys in who slate the design...oh well, at least ISA will
>> still be involved to some degree, just not as cool as it could be...
>> 
>> JJ  
>> 
>> 
>>   
>> 
>> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Amy Babinchak
>> Sent: 11 January 2007 15:09
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> Jason don't get discouraged. The changes in Exchange are monumental so there
>> are bound to be disagreements and changes of opinion on how to best secure
>> it. The concept of an authenticated access DMZ in a separate security zone
>> allowing only a very minimal set of protocols is a completely foreign concept
>> to 99% of firewall admins out there. The fact that you are even thinking about
>> this stuff puts you in an elite class. The rest are still poking holes and
>> setting up VLANs.
>>  
>> Tom, Thor and Jim can be a bit clubby and a little overly poky to newcomers.
>> It's a twitch they developed after participating on the ISA server mailing
>> list. It got worse when they decided to join a general purpose SBS list. I'm
>> not sure that they'll ever completely recover.
>>  
>> 
>> Amy 
>>  
>> 
>>  
>>  
>> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Jason Jones
>> Sent: Thursday, January 11, 2007 5:47 AM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> Wish I had never asked now...sometimes, some of you guys really don't make it
>> easy for new people to try to express their views and pose questions for comment
>> without being slapped down. One minute I am being labelled as an "idiot" for
>> my comments/views, the next minute someone else who says the same thing as me
>> is now right and not challenged. What gives?
>> 
>> I know many of you guys don't know me from Adam, but kinda unfair to just
>> assume I know jack about ISA and secure network design just because I'm not
>> "part of the club".
>> 
>> 
>> Anyhow, thanks to Tim and Tom for seeming to share my disappointment with the
>> decision made by the Exchange 2007 team...I think I need to try and find out
>> how "official" their lack of support with 2k7 is going to be before I can
>> continue recommending the least privilege model I have been using for
>> Exchange 2003.
>> 
>> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Jim Harrison
>> Sent: 11 January 2007 04:30
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> ..maybe I'm just tired?
>> I spent two hours trying to get home tonight and I'm clearly not in my mind
>> (right or otherwise).
>> Forget I wrote and we'll start over tomorrow?
>> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Thor (Hammer of God)
>> Sent: Wednesday, January 10, 2007 8:18 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> That's exactly what I'm talking about.  And precisely the configuration I
>> deploy:
>> 
>> My FE is in the authenticated segment of the DMZ - and a member of my
>> internal domain; however, the "recommended protocols" the Exchange group
>> recommends are not necessary- and thus, Steve's contention that "CIFS and all
>> that other stuff... Might as well just be internal" I reject.  I only allow
>> Kerberos-Sec, LDAP, LDAP GC, Ping and DNS only from my FE to the internal
>> DCs.  And only HTTP to the BEs.
>> 
>> Even if the other prots WERE required, it would still be far smarter to
>> deploy the FE in the authenticated DMZ with limited access than to just give
>> full stack access to the ENTIRE internal network.   This is a deployment of a
>> services made available (initially) to a global, anonymous, untrusted
>> network. 
>> 
>> Maybe I'm not properly articulating my point, but I have to say I'm really
>> surprised that we are having this conversation...
>> 
>> t
>> 
>> 
>> On 1/10/07 7:10 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>> C'mon, Tim; I know what your deployment recommendations are; this isn't it.
>> He wants to extend his domain via "remote membership"; not create a separate
>> domain.
>>  
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Thor (Hammer of God)
>> Sent: Wednesday, January 10, 2007 4:26 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>  
>> Because it's safer that way, that's why... That's what an authenticated
>> access DMZ perimeter is for - with a CAS server that presents logon services
>> to any Internet user, I would (and, in fact, require) that the server be in a
>> least-privileged authenticated access perimeter network that limits that
>> server's communications to the minimum required for required functionality -
>> and only to the hosts it needs to talk to.
>> 
>> Let's say there is a front-end implementation issue or coding vulnerability:
>> the CAS on the internal network would allow unfettered, full-stack access to
>> the internal network.  A CAS in a perimeter DMZ would mitigate potential
>> exposure in the event of a 0day or configuration issue.
>> 
>> "Safer on the internal network" is a complete misnomer when it comes to
>> servers presenting services to an untrusted network.
>> 
>> t
>> 
>> 
>> On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>> Why would you want to place a member of your internal domain in your DMZ, fer
>> chrissakes?!?
>> Hosting any domain member in the DMZ is a difficult proposition; especially
>> where NAT is the order of the day.
>> You can either use a network shotgun at your firewall or attempt to use your
>> favorite VPN tunnel across the firewall to the domain.
>> 
>> Jim 
>> 
>> 
>> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
>> Sent: Wed 1/10/2007 2:35 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> From what I can gather, the new CAS role now uses RPC to communicate with the
>> back-end (not sure of new name!) servers so I am guessing that this is an
>> "RPC isn't safe across firewalls" type stance. Which I guess for a PIX, is a
>> pretty true statement.
>> 
>> Just think how much safer the world will be when firewalls can understand
>> dynamic protocols like RPC...maybe one day firewalls will even be able to
>> understand and filter based upon RPC interface...maybe one day... :-D ;-)
>> 
>> Shame the Exchange team can't see how much ISA changes the traditional
>> approach to DMZ thinking...kinda makes you think that both teams work for a
>> different company :-(
>> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
>> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
>> jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx>
>> 
>>   
>> 
>> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Greg Mulholland
>> Sent: 10 January 2007 22:07
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> I seriously hope that they have taken different paths and these are not
>> limitations on the software or it is going to mean a nice little redesign and
>> break from custom..
>> 
>> Greg
>> ----- Original Message -----
>> From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>
>> To: isapros@xxxxxxxxxxxxx
>> Sent: Thursday, January 11, 2007 8:25 AM
>> Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks
>> 
>> 
>> Hi All, 
>> 
>> I heard today from an Exchange MVP colleague that members of the Exchange
>> team (Scott Schnoll) are saying that they (Microsoft) do not support placing
>> the new Exchange 2007 Client Access Server (like the old Exch2k3 FE role)
>> role into a perimeter network. Has anyone else heard the same? This sounds
>> very similar to Exchange admins of old when they didn't really understand
>> modern application firewalls like ISA could do - RPC filter anyone???
>> http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b
>> 
>> I have just about managed to convince Exchange colleagues (and customers) of
>> the value of placing Exchange FE servers in a separate security zone from BE
>> servers, DCs etc and now I hear this?
>> 
>> Are the Exchange team confusing the old traditional DMZ's with what ISA can
>> achieve with perimeter networks?
>> 
>> From what I believe, it is good perimeter security practice to place servers
>> which are Internet accessible into different security zones than servers that
>> are purely internal. Therefore, the idea of placing Exchange 2003 FE servers
>> in an ISA auth access perimeter network with Exchange 2003 BE servers on the
>> internal network has always seemed like a good approach. It also follows a
>> good least privilege model.
>> 
>> Is this another example of the Exchange and ISA teams following different
>> paths???? 
>> 
>> Please tell me that I am wrong and that I am not going to have to start
>> putting all Exchange roles, irrespective of security risk, on the same
>> network again!!!!
>> 
>> Comments? 
>> 
>> Cheers 
>> 
>> JJ 
>> 
>> All mail to and from this domain is GFI-scanned.
>> 
>> 
> 
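The allow list argued for in the thread (FE in an authenticated perimeter segment, permitted to reach the internal DCs only for Kerberos, LDAP, LDAP GC, ping and DNS, and the back-end servers only for HTTP, with everything else denied) can be written down and checked rather than argued about. The following is an added example and not code from the thread, from ISA Server or from Microsoft: it models that policy as a default-deny rule table and evaluates sample flows against it, so that a reviewer can see which observed connections from the front-end segment fall outside the design. The addresses, host roles and sample flow records are constructed for the example, and the port numbers are the well-known assignments for each protocol (the thread names protocols, not ports). It does not reproduce what the ISA firewall itself does (RPC interface filtering, authenticated access), only the reachability policy the posts describe.

```python
"""Least-privilege flow check for an Exchange front-end (FE/CAS) placed in an
authenticated perimeter segment.

Added example, not code from the isapros thread, ISA Server or Microsoft.
Topology, addresses and sample flows are constructed; ports are the
well-known assignments for each protocol (assumed, the thread names only
protocols).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for ICMP


# Constructed topology for the example
FE_SEGMENT = ip_network("10.1.0.0/24")          # authenticated perimeter segment
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}  # internal DCs
BACK_END_SERVERS = {"10.0.1.20", "10.0.1.21"}    # internal BE/mailbox servers

# Protocol definitions keyed by the names used in the thread.
# Port numbers are the well-known assignments (assumption, not from the thread).
SERVICES: Dict[str, Set[Tuple[str, Optional[int]]]] = {
    "kerberos": {("tcp", 88), ("udp", 88)},
    "ldap":     {("tcp", 389), ("udp", 389)},
    "ldap-gc":  {("tcp", 3268)},
    "dns":      {("tcp", 53), ("udp", 53)},
    "ping":     {("icmp", None)},
    "http":     {("tcp", 80)},
}

# Allow list: (source network, destination hosts, permitted services).
# Anything not matched is denied, including connections initiated from the
# internal network towards the perimeter segment.
ALLOW_RULES = [
    (FE_SEGMENT, DOMAIN_CONTROLLERS, {"kerberos", "ldap", "ldap-gc", "dns", "ping"}),
    (FE_SEGMENT, BACK_END_SERVERS, {"http"}),
]


def is_allowed(flow: Flow) -> bool:
    """Return True only if a rule explicitly permits the flow (default deny)."""
    src = ip_address(flow.src)
    for src_net, dst_hosts, services in ALLOW_RULES:
        if src in src_net and flow.dst in dst_hosts:
            for svc in services:
                if (flow.proto, flow.dport) in SERVICES[svc]:
                    return True
    return False


def denied_flows(flows: List[Flow]) -> List[Flow]:
    """Flows the policy blocks. Run over traffic observed from the FE segment,
    each entry is either a misconfiguration or traffic the design says a
    compromised front-end must not be able to send."""
    return [f for f in flows if not is_allowed(f)]


# Constructed sample of flows observed from a front-end at 10.1.0.5
SAMPLE_FLOWS = [
    Flow("10.1.0.5", "10.0.0.10", "tcp", 88),     # Kerberos to DC
    Flow("10.1.0.5", "10.0.0.10", "tcp", 3268),   # Global Catalog lookup
    Flow("10.1.0.5", "10.0.0.11", "udp", 53),     # DNS
    Flow("10.1.0.5", "10.0.0.10", "icmp", None),  # ping
    Flow("10.1.0.5", "10.0.1.20", "tcp", 80),     # HTTP to back-end
    Flow("10.1.0.5", "10.0.1.20", "tcp", 445),    # CIFS to back-end: not in the design
    Flow("10.1.0.5", "10.0.0.10", "tcp", 135),    # RPC endpoint mapper to DC: not in the design
    Flow("10.0.1.20", "10.1.0.5", "tcp", 80),     # back-end initiating to FE: wrong direction
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict = "ALLOW" if is_allowed(f) else "DENY"
        print(f"{verdict:5} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Three of the eight sample flows are denied: CIFS and RPC from the front-end into the internal network, and the back-end opening a connection towards the perimeter. Those are exactly the paths a full-stack "put the CAS on the internal network" deployment leaves open, and the ones the authenticated perimeter design is meant to close.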

