[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Gerald G. Young" <g.young@xxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Fri, 12 Jan 2007 14:41:08 -0500

Yeah, but I thought Jason was asking Tim which ports were required in ISA for  
an RPC proxy sitting in a DMZ to chat with a BE server in the internal network.

 

Cordially yours,

Jerry G. Young II

Product Engineer - Senior

Platform Engineering, Enterprise Hosting

NTT America, an NTT Communications Company

 

22451 Shaw Rd.

Sterling, VA 20166

 

Office: 571-434-1319

Fax: 703-333-6749

Email: g.young@xxxxxxxx

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Friday, January 12, 2007 2:29 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

 

“publish an internal RPC proxy through ISA” is exactly what RPC/HTTP 
publishing is.

The Exch FE (CAS) is running the RPC Proxy dll in IIS.

“the ports” are dependent on the resources being “proxied”. In the case 
of Exch, all that’s required is 6001, 6004.

Fortunately, Exch RPC/HTTP weirdzards handle this for the uninitiated.

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Gerald G. Young
Sent: Friday, January 12, 2007 10:38 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

 

For RPC/HTTP(S) traffic, is there real concern that there will be an in-protocol 
vulnerability discovered and then an exploit written for it?  If there’s not, 
why not just publish an internal RPC proxy through ISA sitting in the DMZ and 
be done with it?  When dealing with RPC proxies, it’s important to leave the 
System Attendant service running so that when new RPC back-ends are stood up, 
it will know about them.  I don’t think I’ve ever seen the ports used for 
that communication documented and trying to figure it out doesn’t sound like 
fun.

 

Cordially yours,

Jerry G. Young II

Product Engineer - Senior

Platform Engineering, Enterprise Hosting

NTT America, an NTT Communications Company

 

22451 Shaw Rd.

Sterling, VA 20166

 

Office: 571-434-1319

Fax: 703-333-6749

Email: g.young@xxxxxxxx

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jason Jones
Sent: Friday, January 12, 2007 12:40 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

 

Tim,

 

Does this "limited intradomain traffic" approach work for other FE services 
like RPC/HTTP, POP, IMAP etc or is it an OWA-only thing? 

 

I am guessing that RPC/HTTP should be ok as it uses the 6001, 6002 and 6004 
ports but just wondered if the RPC proxy threw a spanner in the works without 
CIFS or RPC???

 

Are you guys also aware that in addition to FE=>BE & DC rules you also need to 
create BE=>FE rules to allow for Direct Push? Guess this is still needed for 
the CAS roles???

 

Definitely time for a lab exercise! 

 

JJ

Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 
(0)7971 500312 | Fax: +44 (0)1202 360900 | Email: jason.jones@xxxxxxxxxxxxxxxxx 
<mailto:jason.jones@xxxxxxxxxxxxxxxxx> 

 

 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: 12 January 2007 17:22
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

I can’t yet comment on what protocols will be necessary for CAS to perform 
particular functions as I have not yet analyzed the required traffic, but even 
with Ex2k3, “full time” intradomain protocol support is totally unnecessary 
for the FE to act as the OWA front end once it has been properly initiated into 
the Exchange organization – I mentioned this in a past post, but as part of 
my “least privileged” configuration, CIFS and RPC (All interfaces) are 
disabled, and only Kerberos-UDP, LDAP, LDAP GC, Ping and DNS are enabled from 
the FE to my DC’s object, and only HTTP from the FE to the BE.  This works 
perfectly.  But, if I need to log on to the FE perimeter box or use System 
Manager from that box, then I enable the CIFS/RPC rule to the DC’s, get ‘er 
done, and disable again.  This is completely different than the “official” 
Exchange documentation, but it is about as secure as you could hope for in such 
an easily maintained configuration.  This is because I think the Exchange group 
is not necessarily explicitly aware of the authentication negotiation process, 
and just assumes that CIFS is required for authentication – but, if the 
client can’t establish a standard SMB channel, it will fall back to Kerberos 
UDP.  Given what one can do with an established authenticated CIFS connection, 
I choose to disable it for security reasons.  

My guess (again, I’m not sure) is that different operations will require 
different protocol support.  For standard OWA access, I’m sure we can get 
away with similar limited protocols.  If you want to be able to map drives via 
the OWA interface (which CAS will let you do) you’ll most probably need to 
allow CIFS to the host (but ONLY to that host).  Even so, it’s a far better 
configuration considering the “universal access” to the FE. 

When I deploy this, I’ll know better.  And even if PSS gives me crap about it 
not being supported, I just won’t tell them.  I’ll put the CAS “behind 
ISA” like they say and keep my perimeter DMZ configuration to myself. 

t


On 1/12/07 3:56 AM, "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx> spoketh to 
all:

From what I have read, the CAS is similar to the FE but with the addition of some 
new features - I would *imagine* it would use very similar protocols, and if 
anything hopefully it will use fewer protocols for more efficient 
communications. I am sure it will still need the core intradomain protocols as 
it will be a domain member, but I think they have moved away from the FE>BE 
HTTP, POP3, IMAP model.

Need to lab it really to get a good idea.
Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 
(0)7971 500312 | Fax: +44 (0)1202 360900 | Email: jason.jones@xxxxxxxxxxxxxxxxx 
<mailto:jason.jones@xxxxxxxxxxxxxxxxx> 

 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: 12 January 2007 04:23
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

WORD!
 
I’ll gladly join you in that public nut-kicking when the time comes. What 
I want to understand first is what are the protocol requirements for the CAS to 
the back-end components, and what their rationale is for making the statements 
that have been reported so far. They might have a good point, and if they have 
it, I want to hear it. But if the point is “it’s too hard” or “I 
don’t understand network security, I just say what my boss tells me to say” 
or “I’m on the take with Syphco” then those aren’t valid and body parts 
will deserve some shaking up in the public square. The least they can do is 
state “we don’t have the time or inclination to show you how to provide 
the highest level of network security, but it is possible to do it right, 
we’re just not going to show you how to do it” as a disclaimer. With that, 
we can then go ahead and help those who want to be helped :-)
 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Thursday, January 11, 2007 6:40 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

It may be just this type of “beating it to death” that is required to get 
the Exchange group’s attention.  I don’t really care if they don’t 
support “perimeter network” deployments as long as ISA is an exception.  I 
have every intention to ensure that an ISA authenticated perimeter network DMZ 
segment “in front” of the CAS server is fully supported if the proper 
protocols are allowed.  I will make sure to press them into officially stating 
why it is not supported.  Even so, if they try that, I will publicly kick them 
in the nuts. 

t


On 1/11/07 4:15 PM, "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx> spoketh to 
all:
Hi Amy,

I am not really sure of their reasoning, but think it is based around the 
"Swiss cheese", don't pass intradomain traffic across a normal firewall 
argument.

Sorry, my bad for using the term DMZ, the exact phrase used by Scholl is "It's 
true. The Client Access Server (CAS), which among other things includes the OWA 
feature, is not supported in a perimeter network (aka a DMZ).  Instead you'll 
deploy one or more CASs inside your organization and put a robust firewall such 
as ISA 2006 in front of it." I am guessing from experience of other Exchange 
team recommendations that when they say perimeter network they really mean a 
traditional DMZ which is created using traditional packet filter firewalls. The 
recommended deployment is to put the CAS on the internal network e.g. on the 
same network as the Exchange back-end servers. Once the CAS is on the internal 
network, it should then be published to the Internet using ISA.

This design is fine if you want a simple open network where all servers exist 
in the same security zone and hence all trust each other, but many people are 
now trying to better this design by placing different types of servers into 
different security zones based upon their risk level and internet presence - 
say hello to the ISA auth access perimeter network! ;-) 

Basically I think it all harks back to the "don't put domain members in a DMZ" 
mantra which is a pretty fair statement when using PF firewalls like PIX, but 
things have moved on as least privilege authenticated access perimeter networks 
with ISA are now getting advanced enough to challenge this argument. Maybe the 
difference between a PIX firewall and ISA firewall is just too subtle for some 
people???

Think we have now done this to death!! - be very surprised if the Exchange 
team go back on these type of statements though. I remember Tom banging his 
head against a brick wall with Henrik based upon one of his MSExchange.org 
articles which said "not in the DMZ" type statements.

JJ 

________________________________


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Amy Babinchak
Sent: 11 January 2007 23:15
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Jason,
 
What’s the reasoning behind CAS not in the DMZ? Where do they want it? 
Hanging nude off the router? Behind a firewall?
 
If the latter, then just drop the outdated DMZ language. Most firewall admins 
think that DMZ means nude off the other port on my nat box. Your least priv 
design puts CAS safely behind a firewall.
 

Amy Babinchak
Harbor Computer Services 

________________________________


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jason Jones
Sent: Thursday, January 11, 2007 5:58 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Thanks Amy - maybe I am being a little oversensitive, just didn't expect some 
of the initial responses.

I tend to avoid most of the main mailing lists, probably for similar reasons as 
others, and I tend to hang out at isaserver.org 95% of the time. Hence maybe 
why only Tom (and Stefan) tend to see my input and views on stuff.

Tom invited me to this list as he felt it would be a good place for me to pose 
all the questions that he can't answer or go unreplied on isaserver.org

I really do value the combined "ISA brain power" here, but just think it could 
be a little more forgiving and friendly at times...having said that I have 
found answers here that I just couldn't get elsewhere, so don't misunderstand 
me as ungrateful.

Anyhow back to the "core issue", from what I'm hearing from Exchange MVP 
contacts, MS are playing the "CAS in a DMZ is totally unsupported" tune very 
strongly. This is a real shame as it looks like I will never be able to deploy 
the existing least privilege design with Exchange 2007 without fear of 
customers coming back to us after trying to log PSS calls or getting other 
non-ISA firewall guys in who slate the design...oh well, at least ISA will 
still be involved to some degree, just not as cool as it could be...

JJ  


  

________________________________


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Amy Babinchak
Sent: 11 January 2007 15:09
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
Jason don’t get discouraged. The changes in Exchange are monumental so there 
are bound to be disagreements and changes of opinion on how to best secure it. 
The concept of an authenticated access DMZ in a separate security zone allowing 
only a very minimal set of protocols is a completely foreign concept to 99% of 
firewall admins out there. The fact you are even thinking about this stuff puts 
you in an elite class. The rest are still poking holes and setting up VLANs. 
 
Tom, Thor and Jim can be a bit clubby and a little overly poky to newcomers. 
It’s a twitch they developed after participating on the ISA server mailing 
list. It got worse when they decided to join a general purpose SBS list. I’m 
not sure that they’ll ever completely recover.  
 

Amy 
 

 
 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jason Jones
Sent: Thursday, January 11, 2007 5:47 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Wish I had never asked now...sometimes, some of you guys really don't make it 
easy for new people to try to express their views and pose questions for comment 
without being slapped down. One minute I am being labelled as an "idiot" for my 
comments/views, the next minute someone else who says the same thing as me is 
now right and not challenged. What gives?  

I know many of you guys don't know me from Adam, but kinda unfair to just 
assume I know jack about ISA and secure network design just because I'm not 
"part of the club".


Anyhow, thanks to Tim and Tom for seeming to share my disappointment with the 
decision made by the Exchange 2007 team...I think I need to try and find out 
how "official" their lack of support with 2k7 is going to be before I can 
continue recommending the least privilege model I have been using for Exchange 
2003.

________________________________


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: 11 January 2007 04:30
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
..maybe I’m just tired…
I spent two hours trying to get home tonight and I’m clearly not in my mind 
(right or otherwise).
Forget I wrote and we’ll start over tomorrow…


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Wednesday, January 10, 2007 8:18 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

That’s exactly what I’m talking about.  And precisely the configuration I 
deploy:

My FE is in the authenticated segment of the DMZ – and a member of my 
internal domain; however, the “recommended protocols” the Exchange group 
recommends are not necessary- and thus, Steve’s contention that “CIFS and 
all that other stuff... Might as well just be internal” I reject.  I only 
allow Kerberos-Sec, LDAP, LDAP GC, Ping and DNS only from my FE to the internal 
DC’s.  And only HTTP to the BE’s.  

Even if the other prots WERE required, it would still be far smarter to deploy 
the FE in the authenticated DMZ with limited access than to just give full 
stack access to the ENTIRE internal network.   This is a deployment of a 
service made available (initially) to a global, anonymous, untrusted network. 

Maybe I’m not properly articulating my point, but I have to say I’m really 
surprised that we are having this conversation...

t


On 1/10/07 7:10 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
C’mon, Tim; I know what your deployment recommendations are; this isn’t it.
He wants to extend his domain via “remote membership”; not create a 
separate domain.
 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Wednesday, January 10, 2007 4:26 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
 
Because it’s safer that way, that’s why... That’s what an authenticated 
access DMZ perimeter is for— with a CAS server that presents logon services 
to any Internet user, I would (and, in fact, require) that the server be in a 
least-privileged authenticated access perimeter network that limits that 
servers communications to the minimum required for required functionality – 
and only to the hosts it needs to talk to.

Let’s say there is a front-end implementation issue or coding vulnerability: 
the CAS on the internal network would allow unfettered, full-stack access to 
the internal network.  A CAS in a perimeter DMZ would mitigate potential 
exposure in the event of a 0day or configuration issue. 

“Safer on the internal network” is a complete misnomer when it comes to 
servers presenting services to an untrusted network. 

t


On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
Why would you want to place a member of your internal domain in your DMZ, fer 
chrissakes?!?
Hosting any domain member in the DMZ is a difficult proposition; especially 
where NAT is the order of the day.
You can either use a network shotgun at your firewall or attempt to use your 
favorite VPN tunnel across the firewall to the domain.

Jim 

________________________________



From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
Sent: Wed 1/10/2007 2:35 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

From what I can gather, the new CAS role now uses RPC to communicate with the 
back-end (not sure of new name!) servers so I am guessing that this is an "RPC 
isn't safe across firewalls" type stance. Which I guess for a PIX, is a pretty 
true statement.

Just think how much safer the world will be when firewalls can understand 
dynamic protocols like RPC...maybe one day firewalls will even be able to 
understand and filter based upon RPC interface...maybe one day... :-D ;-)

Shame the Exchange team can't see how much ISA changes the traditional approach 
to DMZ thinking...kinda makes you think that both teams work for a different 
company :-(
Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 
(0)7971 500312 | Fax: +44 (0)1202 360900 | Email: jason.jones@xxxxxxxxxxxxxxxxx 
<mailto:jason.jones@xxxxxxxxxxxxxxxxx> 

  

________________________________


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Greg Mulholland
Sent: 10 January 2007 22:07
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

I seriously hope that they have taken different paths and these are not 
limitations on the software or it is going to mean a nice little redesign and 
break from custom..

Greg
----- Original Message ----- 
From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx> 
To: isapros@xxxxxxxxxxxxx 
Sent: Thursday, January 11, 2007 8:25 AM
Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks


Hi All, 

I heard today from an Exchange MVP colleague that members of the Exchange team 
(Scott Schnoll) are saying that they (Microsoft) do not support placing the new 
Exchange 2007 Client Access Server (like the old Exch2k3 FE role) role into a 
perimeter network. Has anyone else heard the same? This sounds very similar to 
Exchange admins of old when they didn't really understand what modern application 
firewalls like ISA could do - RPC filter anyone??? 
http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b

I have just about managed to convince Exchange colleagues (and customers) of 
the value of placing Exchange FE servers in a separate security zone from BE 
servers, DC's etc and now I hear this…

Are the Exchange team confusing the old traditional DMZ's with what ISA can 
achieve with perimeter networks? 

From what I believe, it is good perimeter security practice to place servers 
which are Internet accessible into different security zones than servers that 
are purely internal. Therefore, the idea of placing Exchange 2003 FE servers in 
an ISA auth access perimeter network with Exchange 2003 BE servers on the 
internal network has always seemed like a good approach. It also follows a good 
least privilege model. 

Is this another example of the Exchange and ISA teams following different 
paths???? 

Please tell me that I am wrong and that I am not going to have to start putting 
all Exchange roles, irrespective of security risk, on the same network again!!!!

Comments? 

Cheers 

JJ 

All mail to and from this domain is GFI-scanned. 
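The rule set Thor describes earlier in the thread (Kerberos-UDP, LDAP, LDAP GC, Ping and DNS from the FE to the DCs, HTTP only from the FE to the BE, CIFS and RPC disabled except during a maintenance window), together with the RPC/HTTP proxy ports 6001, 6002 and 6004 that Jim and Jason mention, can be checked offline against a set of probe flows. The script below is an added example and is not code from this thread or from ISA Server: it models an ISA-style ordered rule set (first enabled match wins, implicit default deny) and compares the "give the FE the whole internal network" approach with the least-privilege set. The host addresses, the rule names and the probe flows are assumptions constructed for the example; the port numbers are the standard assignments for those protocols.

```python
"""Least-privilege rule-set check for an Exchange front end in an
authenticated-access perimeter network (added example, not ISA code)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed addresses (not from the thread): FE in the perimeter segment,
# DC and BE on the internal network, plus an unrelated internal host.
FE = "192.168.10.10"      # Exchange front end / CAS in the ISA perimeter network
DC = "10.0.0.5"           # domain controller
BE = "10.0.0.20"          # Exchange back end / mailbox server
OTHER = "10.0.0.77"       # an internal host the FE has no business reaching
INTERNAL = "10.0.0.0/24"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: str                     # source host or CIDR
    dst: str                     # destination host or CIDR
    proto: str                   # "tcp", "udp", "icmp" or "any"
    port: Optional[int] = None   # destination port; None matches any port
    enabled: bool = True


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: Optional[int] = None


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First enabled matching rule wins; no match falls through to the
    implicit default deny (the behaviour of ISA's last 'Default rule')."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    for r in rules:
        if not r.enabled:
            continue
        if s not in ip_network(r.src) or d not in ip_network(r.dst):
            continue
        if r.proto != "any" and r.proto != flow.proto:
            continue
        if r.port is not None and r.port != flow.port:
            continue
        return r.action, r.name
    return "deny", "default"


# The "full intradomain" approach the thread argues against: the FE gets
# the whole internal network (CIFS, RPC endpoint mapper, everything).
BROAD = [Rule("FE->Internal all", "allow", FE, INTERNAL, "any")]

# Least-privilege set: only the DC protocols that carry authentication and
# directory lookups, only HTTP and the RPC/HTTP proxy ports to the BE.
# 88/389/3268/53 are the standard Kerberos/LDAP/GC/DNS ports; 6001, 6002
# and 6004 are the RPC/HTTP ports named in the thread.
LEAST_PRIVILEGE = [
    Rule("FE->DC Kerberos-UDP",  "allow", FE, DC, "udp", 88),
    Rule("FE->DC LDAP",          "allow", FE, DC, "tcp", 389),
    Rule("FE->DC LDAP GC",       "allow", FE, DC, "tcp", 3268),
    Rule("FE->DC DNS-UDP",       "allow", FE, DC, "udp", 53),
    Rule("FE->DC DNS-TCP",       "allow", FE, DC, "tcp", 53),
    Rule("FE->DC Ping",          "allow", FE, DC, "icmp"),
    Rule("FE->BE HTTP",          "allow", FE, BE, "tcp", 80),
    Rule("FE->BE RPC/HTTP 6001", "allow", FE, BE, "tcp", 6001),
    Rule("FE->BE RPC/HTTP 6002", "allow", FE, BE, "tcp", 6002),
    Rule("FE->BE RPC/HTTP 6004", "allow", FE, BE, "tcp", 6004),
    # The "log on / run System Manager" rules: present but disabled, switched
    # on for the maintenance window and off again afterwards.
    Rule("FE->DC CIFS (maintenance)", "allow", FE, DC, "tcp", 445, enabled=False),
    Rule("FE->DC RPC (maintenance)",  "allow", FE, DC, "tcp", 135, enabled=False),
]


def with_maintenance(rules: List[Rule], on: bool) -> List[Rule]:
    """Return a copy of the rule set with the maintenance rules toggled."""
    return [replace(r, enabled=on) if "(maintenance)" in r.name else r
            for r in rules]


# Probe flows (constructed): what the FE legitimately needs, plus what an
# attacker who has compromised the FE would want.
PROBE_FLOWS = [
    Flow(FE, DC, "udp", 88),      # Kerberos
    Flow(FE, DC, "tcp", 445),     # CIFS/SMB to the DC
    Flow(FE, DC, "tcp", 135),     # RPC endpoint mapper
    Flow(FE, BE, "tcp", 80),      # OWA proxying to the BE
    Flow(FE, BE, "tcp", 445),     # CIFS to the mailbox server
    Flow(FE, OTHER, "tcp", 80),   # lateral movement to an unrelated host
]


def audit(rules: List[Rule], flows=PROBE_FLOWS):
    """Map each probe flow to (action, name of the rule that decided it)."""
    return {(f.dst, f.proto, f.port): evaluate(rules, f) for f in flows}


def allowed_count(rules: List[Rule], flows=PROBE_FLOWS) -> int:
    return sum(1 for f in flows if evaluate(rules, f)[0] == "allow")


if __name__ == "__main__":
    for label, rs in (("broad", BROAD),
                      ("least-privilege", LEAST_PRIVILEGE),
                      ("least-privilege + maintenance",
                       with_maintenance(LEAST_PRIVILEGE, True))):
        print(f"== {label}: {allowed_count(rs)} of {len(PROBE_FLOWS)} probe flows allowed")
        for key, (action, name) in audit(rs).items():
            print(f"  {key}: {action:5} via {name}")
```

Run as a script it prints, for each rule set, which probe flows are permitted and by which rule: the broad set lets all six through (including CIFS and the RPC endpoint mapper to the DC and an arbitrary internal host), the least-privilege set only Kerberos to the DC and HTTP to the BE, and the maintenance toggle adds exactly the two CIFS/RPC flows to the DC, which is what you would expect to see go away again once the window closes.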
