[isalist] Re: New Articles on Tales

  • From: Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 17 Aug 2009 12:41:30 -0400

http://www.ISAserver.org
-------------------------------------------------------

Not sure if this totally relates, but we don't use Edge on our 2007.  However, 
we do contract with Google Security (formerly Postini) for SPAM/Virus filtering.  
All email must pass through them (redirected MX records) and we do a dir-sync 
automatically at night (or manually if needed instantly).  If an email address 
doesn't exist, it doesn't get through to us if Google doesn't have it in their 
database for us.  Saves us bandwidth, disk space, and crunching w/much less 
SPAM.  ISA is not on the domain and configured only to pass SMTP coming from 
Google's IPs.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Monday, August 17, 2009 12:30 PM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

While I know of no way to "bypass" the edge functionality of the Edge role and 
directly validate email addresses from an AD connection as opposed to the local 
ADAM, I'm not sure why you would want to, or why you would bother configuring 
Edge if you do so.  Part of the purpose of edge is to provide the functionality 
of validating organization email addresses in an isolated environment before 
forwarding to your Exchange (or other) SMTP server, both from a traffic and 
performance standpoint.  That being said, I'm sure that there is some hork 
option in POSH built in to "appease" the user as the Exchange team is 
apparently known to provide. 

t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Andrew Hodgson
Sent: Monday, August 17, 2009 9:12 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

Hi,

One thing I can't work out with this is that in Exchange 2007 with the edge in 
a workgroup, ADLDS and edge sync subscriptions are used to populate the edge 
server with AD specific information.  If the edge server is domain joined (as 
part of the TMG system), will that still be required?

Thanks.
Andrew (who is counting the days until I can get my edge servers on TMG).

Andrew Hodgson
Senior Systems Administrator/Projects Engineer

Direct Line Tel: 01432 852332
Email: andrew.hodgson@xxxxxxxxxx


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Han Valk
Sent: 17 August 2009 17:04
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: New Articles on Tales


I understand what you are saying; I perfectly understand your point. However, 
to people who don't follow this list, things probably are not so clear. So I 
would suggest that here and there some documentation needs to be updated/added. 
All docs/books/articles on E2k7 that I've read state that this role should be 
installed on a workgroup server in a perimeter network. The words chosen in 
these documents i.m.h.o. suggest that this is THE only correct method. With the 
arrival of TMG this changes...

Han.



> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Monday, August 17, 2009 15:59
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
> 
> 
> You have it.
> When deployed alone, the Exch team recommends deploying in a WG.
> When deployed concurrent with TMG, we generally recommend deploying as a
> DM.
> 
> ..of course, this will also depend on whether you deploy TMG strictly
> for publishing or for publishing & protected Internet access.
> You _can_ publish Exch services without TMG being a DM, and you _can_
> provide protected Internet access with TMG as a WG, and you can even
> deploy TMG for Exch web publishing as a WG, but if you want strong
> authentication for either case, you should deploy TMG as a DM.
> If you decide to deploy TMG as a DM and you want Exch Edge on the same
> machine, then you have by extension decided to deploy Exch Edge as a DM.
> If you can't tolerate that, separate them to different machines.
> ..and we haven't even begun to discuss the fun that compliance
> requirements incur.
> 
> Recommendations are exactly that - recommendations.
> You still have to perform your own threat modeling and business needs
> analysis to arrive at a reasonable solution for your own needs.
> 
> Jim
> 
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Han Valk
> Sent: Sunday, August 16, 2009 10:37 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
> 
> 
> Ok I understand, that still leaves the point that some 'official'
> guidance from Microsoft would be nice.
> 
> Han.
> 
> ________________________________
> From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jim Harrison [Jim@xxxxxxxxxxxx]
> Sent: Sunday, August 16, 2009 4:32 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
> 
> 
> There is no "always" or "never" to either of them. It's situational and
> requires that the deployment team perform their own threat modeling.
> Exchange supports placing the edge role on a WG server to appease the
> "no domain members at the edge" tinfoil hat crowd, but when you combine
> it with TMG, the attack surface and thus the perceived threat of having
> the Exch edge role as a domain member is greatly reduced; even over that
> offered by Windows Firewall policies.
> 
> Jim
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Han Valk
> Sent: Saturday, August 15, 2009 11:54 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
> 
> 
> As far as I know Exchange Edge is to be installed on a workgroup server
> while TMG does its best job when domain joined. So this is a bit of a
> contradiction to me. I would love to see guidance from Microsoft on
> that. Maybe this can be added to the Q&A in Understanding Email
> Protection on TMG.
> 
> Han.
> 
> 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: Sunday, August 16, 2009 00:35
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] New Articles on Tales
> >
> > http://blogs.technet.com/isablog/archive/2009/08/15/new-tales-from-the-edge-articles.aspx
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com<http://www.techgenix.com/>
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
