http://www.ISAserver.org
-------------------------------------------------------

I understand what you are telling, I perfectly understand your point.
However to people who don't follow this list things probably are not so
clear. So I would suggest that here and there some documentation needs to
be updated/added. All docs/books/articles on E2k7 that I've read state
that this role should be installed in a workgroup server in a perimeter
network. The words chosen in these documents i.m.h.o. suggest that this
is THE only correct method. With the arrival of TMG this changes...

Han.

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Monday, August 17, 2009 15:59
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
>
> You have it.
> When deployed alone, the Exch team recommends deploying in a WG.
> When deployed concurrent with TMG, we generally recommend deploying as a
> DM.
>
> ..of course, this will also depend on whether you deploy TMG strictly
> for publishing or for publishing & protected Internet access.
> You _can_ publish Exch services without TMG being a DM, and you _can_
> provide protected Internet access with TMG as a WG, and you can even
> deploy TMG for Exch web publishing as a WG, but if you want strong
> authentication for either case, you should deploy TMG as a DM.
> If you decide to deploy TMG as a DM and you want Exch Edge on the same
> machine, then you have by extension decided to deploy Exch Edge as a DM.
> If you can't tolerate that, separate them to different machines.
> ..and we haven't even begun to discuss the fun that compliance
> requirements incur.
>
> Recommendations are exactly that - recommendations.
> You still have to perform your own threat modeling and business needs
> analysis to arrive at a reasonable solution for your own needs.
>
> Jim
>
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Han Valk
> Sent: Sunday, August 16, 2009 10:37 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
>
> Ok I understand, that still leaves the point that some 'official'
> guidance from Microsoft would be nice.
>
> Han.
>
> ________________________________
> From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jim Harrison [Jim@xxxxxxxxxxxx]
> Sent: Sunday, August 16, 2009 4:32 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
>
> There is no "always" or "never" to either of them. It's situational and
> requires that the deployment team perform their own threat modeling.
> Exchange supports placing the edge role on a WG server to appease the
> "no domain members at the edge" tinfoil hat crowd, but when you combine
> it with TMG, the attack surface and thus the perceived threat of having
> the Exch edge role as a domain member is greatly reduced; even over that
> offered by Windows Firewall policies.
>
> Jim
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Han Valk
> Sent: Saturday, August 15, 2009 11:54 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
>
> As far as I know Exchange Edge is to be installed on a workgroup server
> while TMG does its best job when domain joined. So this is a bit of a
> contradiction to me. I would love to see guidance from Microsoft on
> that. Maybe this can be added to the Q&A in Understanding Email
> Protection on TMG.
>
> Han.
>
>
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: Sunday, August 16, 2009 00:35
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] New Articles on Tales
> >
> > http://blogs.technet.com/isablog/archive/2009/08/15/new-tales-from-the-edge-articles.aspx
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx