[isalist] Re: New Articles on Tales

  • From: Han Valk <han.valk@xxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 17 Aug 2009 18:03:52 +0200

http://www.ISAserver.org
-------------------------------------------------------

I understand what you are telling, I perfectly understand your point. However 
to people who don't follow this list things probably are not so clear. So I 
would suggest that here and there some documentation needs to be updated/added. 
All docs/books/articles on E2k7 that I've read state that this role should be 
installed in a workgroup server in a perimeter network. The words chosen in 
these documents i.m.h.o. suggest that this is THE only correct method. With the 
arrival of TMG this changes...

Han.



> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Monday, August 17, 2009 15:59
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
> 
> http://www.ISAserver.org
> -------------------------------------------------------
> 
> You have it.
> When deployed alone, the Exch team recommends deploying in a WG.
> When deployed concurrent with TMG, we generally recommend deploying as a
> DM.
> 
> ..of course, this will also depend on whether you deploy TMG strictly
> for publishing or for publishing & protected Internet access.
> You _can_ publish Exch services without TMG being a DM, and you _can_
> provide protected Internet access with TMG as a WG, and you can even
> deploy TMG for Exch web publishing as a WG, but if you want strong
> authentication for either case, you should deploy TMG as a DM.
> If you decide to deploy TMG as a DM and you want Exch Edge on the same
> machine, then you have by extension decided to deploy Exch Edge as a DM.
> If you can't tolerate that, separate them to different machines.
> ..and we haven't even begun to discuss the fun that compliance
> requirements incur.
> 
> Recommendations are exactly that - recommendations.
> You still have to perform your own threat modeling and business needs
> analysis to arrive at a reasonable solution for your own needs.
> 
> Jim
> 
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Han Valk
> Sent: Sunday, August 16, 2009 10:37 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
> 
> http://www.ISAserver.org
> -------------------------------------------------------
> 
> Ok I understand, that still leaves the point that some 'official'
> guidance from Microsoft would be nice.
> 
> Han.
> 
> ________________________________
> From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jim Harrison [Jim@xxxxxxxxxxxx]
> Sent: Sunday, August 16, 2009 4:32 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
> 
> http://www.ISAserver.org<http://www.isaserver.org/>
> -------------------------------------------------------
> 
> There is no "always" or "never" to either of them. It's situational and
> requires that the deployment team perform their own threat modeling.
> Exchange supports placing the edge role on a WG server to appease the
> "no domain members at the edge" tinfoil hat crowd, but when you combine
> it with TMG, the attack surface and thus the perceived threat of having
> the Exch edge role as a domain member is greatly reduced; even over that
> offered by Windows Firewall policies.
> 
> Jim
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Han Valk
> Sent: Saturday, August 15, 2009 11:54 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
> 
> http://www.ISAserver.org<http://www.isaserver.org/>
> -------------------------------------------------------
> 
> As far as I know Exchange Edge is to be installed on a workgroup server
> while TMG does its best job when domain joined. So this is a bit of a
> contradiction to me. I would love to see guidance from Microsoft on
> that. Maybe this can be added to the Q&A in Understanding Email
> Protection on TMG.
> 
> Han.
> 
> 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: Sunday, August 16, 2009 00:35
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] New Articles on Tales
> >
> > http://blogs.technet.com/isablog/archive/2009/08/15/new-tales-from-
> the-
> > edge-articles.aspx
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com<http://www.techgenix.com/>
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com<http://www.techgenix.com/>
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx

Other related posts:

  1. Home
  2. isalist
  3. Archive
  4. 08-2009