[isalist] Re: New Articles on Tales
- From: Andrew Hodgson <Andrew.Hodgson@xxxxxxxxxx>
- To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 17 Aug 2009 19:28:23 +0100
http://www.ISAserver.org
-------------------------------------------------------
Hi,
If the Hub Transport server has the anti-spam agents installed, then it can
validate email addresses against the AD in realtime when users send messages
via SMTP.
I understand why the sync process is there in the edge workgroup configuration,
but not if deployed on a DM joined TMG box, where it would be more efficient to
look up records from the AD to which the machine was already a member :).
I am an Exchange guy rather than ISA, just use ISA to get the Exchange and a
couple of other web publishing scenarios working, so am waring my flame proof
gear :).
Andrew.
________________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of
Thor (Hammer of God) [thor@xxxxxxxxxxxxxxx]
Sent: 17 August 2009 17:29
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales
http://www.ISAserver.org
-------------------------------------------------------
While I know of no way to "bypass" the edge functionality of the Edge role and
directly validate email addresses from an AD connection as opposed to the local
ADAM, I'm not sure why you would want to, or why you would bother configuring
Edge if you do so. Part of the purpose of edge is to provide the functionality
of validating organization email addresses in an isolated environment before
forwarding to your Exchange (or other) SMTP server, both from a traffic and
performance standpoint. That being said, I'm sure that there is some hork
option in POSH built in to "appease" the user as the Exchange team is
apparently known to provide.
t
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Andrew Hodgson
Sent: Monday, August 17, 2009 9:12 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales
http://www.ISAserver.org
-------------------------------------------------------
Hi,
One thing I can't work out with this is that in Exchange 2007 with the edge in
a workgroup, ADLDS and edge sync subscriptions are used to populate the edge
server with AD specific information. If the edge server is domain joined (as
part of the TMG system), will that still be required?
Thanks.
Andrew (who is counting the days until I can get my edge servers on TMG).
Andrew Hodgson
Senior Systems Administrator/Projects Engineer
Direct Line Tel: 01432 852332
Email: andrew.hodgson@xxxxxxxxxx
Please do not print this email unless absolutely necessary.
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Han Valk
Sent: 17 August 2009 17:04
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: New Articles on Tales
http://www.ISAserver.org
-------------------------------------------------------
I understand what you are telling, I perfectly understand your point. However
to people who don't follow this list things probably are not so clear. So I
would suggest that here and there some documentation needs to be updated/added.
All docs/books/articles on E2k7 that I've read state that this role should be
installed in a workgroup server in a perimeter network. The words chosen in
these documents i.m.h.o. suggest that this is THE only correct method. With the
arrival of TMG this changes...
Han.
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Monday, August 17, 2009 15:59
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> You have it.
> When deployed alone, the Exch team recommends deploying in a WG.
> When deployed concurrent with TMG, we generally recommend deploying as a
> DM.
>
> ..of course, this will also depend on whether you deploy TMG strictly
> for publishing or for publishing & protected Internet access.
> You _can_ publish Exch services without TMG being a DM, and you _can_
> provide protected Internet access with TMG as a WG, and you can even
> deploy TMG for Exch web publishing as a WG, but if you want strong
> authentication for either case, you should deploy TMG as a DM.
> If you decide to deploy TMG as a DM and you want Exch Edge on the same
> machine, then you have by extension decided to deploy Exch Edge as a DM.
> If you can't tolerate that, separate them to different machines.
> ..and we haven't even begun to discuss the fun that compliance
> requirements incur.
>
> Recommendations are exactly that - recommendations.
> You still have to perform your own threat modeling and business needs
> analysis to arrive at a reasonable solution for your own needs.
>
> Jim
>
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Han Valk
> Sent: Sunday, August 16, 2009 10:37 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> Ok I understand, that still leaves the point that some 'official'
> guidance from Microsoft would be nice.
>
> Han.
>
> ________________________________
> From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jim Harrison [Jim@xxxxxxxxxxxx]
> Sent: Sunday, August 16, 2009 4:32 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
>
> http://www.ISAserver.org<http://www.isaserver.org/>
> -------------------------------------------------------
>
> There is no "always" or "never" to either of them. It's situational and
> requires that the deployment team perform their own threat modeling.
> Exchange supports placing the edge role on a WG server to appease the
> "no domain members at the edge" tinfoil hat crowd, but when you combine
> it with TMG, the attack surface and thus the perceived threat of having
> the Exch edge role as a domain member is greatly reduced; even over that
> offered by Windows Firewall policies.
>
> Jim
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Han Valk
> Sent: Saturday, August 15, 2009 11:54 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
>
> http://www.ISAserver.org<http://www.isaserver.org/>
> -------------------------------------------------------
>
> As far as I know Exchange Edge is to be installed on a workgroup server
> while TMG does its best job when domain joined. So this is a bit of a
> contradiction to me. I would love to see guidance from Microsoft on
> that. Maybe this can be added to the Q&A in Understanding Email
> Protection on TMG.
>
> Han.
>
>
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: Sunday, August 16, 2009 00:35
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] New Articles on Tales
> >
> > http://blogs.technet.com/isablog/archive/2009/08/15/new-tales-from-
> the-
> > edge-articles.aspx
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com<http://www.techgenix.com/>
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com<http://www.techgenix.com/>
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
--
allpay achieved PCI DSS and ISO 27001 certification in 2008
Registered in England No. 02933191. UK VAT Reg. No. 666 9148 88.
Telephone: 0844 225 5729, Fax: 0844 557 8350.
Website: www.allpay.net Email: enquiries@xxxxxxxxxx
This email, and any files transmitted with it, is confidential and intended
solely for the use of the individual or entity
to whom it is addressed. If you have received this email in error please notify
the allpay Information Security
Manager at the number above.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
