http://www.ISAserver.org ------------------------------------------------------- Ah, but just because idgets work in the enterprise and enforce their ill-informed opinion doensn't make it "right" or "better". From what I've seen, they have a checkbox in which to place a checkmark, and that's about it. If you try to enter a discussion about how domain members at the edge aren't the security issue their collective incubi scared them about, you get a blank face. There are lots of things I see in the "real world" that don't qualify was thoughtful, best practices or otherwise outright thoughtless. Sure, if there's no reason to make something a domain member don't. But if you improve your *overall* security posture by doing so, then do it. It's just a matter of looking at all the pieces, not just the checkbox. In spite of all this, you're still kind of a big deal ;) ____________________________________________ TOM SHINDER | Sr. Consultant/Technical Writer 206.443.1117 | SHINDER@xxxxxxxxxxxxxxx 5701 Sixth Avenue South | Seattle, WA 98108 PROWESS | WWW.PROWESSCORP.COM ____________________________________________ > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On > Behalf Of > Thor (Hammer of God) > Sent: Sunday, August 16, 2009 10:14 AM > To: ISA Mailing List > Subject: [isalist] Re: New Articles on Tales > > http://www.ISAserver.org > ------------------------------------------------------- > > It is *hardly* a tinfoil hat crowd. It's called "security in depth" and > "least privilege." > The local ADAM instance provides the necessary functionality to the edge role > server, > thus reducing some of the REAL threats and the perceived benefit of making it > a > domain member. Exchange Edge doesn't "support" WG membership, it is > specifically > designed to provide that functionality based on "real word" issues that are > present in > true enterprise topologies. > > Do whatever you want to do to suit your needs, but don't call people who have > to > consider the security ramifications of infrastructure designs beyond "mom and > pop" > as "tinfoil hat crowd." It's insulting. > > t > > > > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On > Behalf Of > Jim Harrison > Sent: Sunday, August 16, 2009 7:32 AM > To: ISA Mailing List > Subject: [isalist] Re: New Articles on Tales > > http://www.ISAserver.org > ------------------------------------------------------- > > There is no "always" or "never" to either of them. It's situational and > requires that the > deployment team perform their own threat modeling. > Exchange supports placing the edge role on a WG server to appease the "no > domain > members at the edge" tinfoil hat crowd, but when you combine it with TMG, the > attack > surface and thus the perceived threat of having the Exch edge role as a domain > member is greatly reduced; even over that offered by Windows Firewall > policies. > > Jim > > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On > Behalf Of > Han Valk > Sent: Saturday, August 15, 2009 11:54 PM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: New Articles on Tales > > http://www.ISAserver.org > ------------------------------------------------------- > > As far as I know Exchange Edge is to be installed on a workgroup server while > TMG > does its best job when domain joined. So this is a bit of a contradiction to > me. I would > love to see guidance from Microsoft on that. Maybe this can be added to the > Q&A in > Understanding Email Protection on TMG. > > Han. > > > > -----Original Message----- > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] > > On Behalf Of Jim Harrison > > Sent: Sunday, August 16, 2009 00:35 > > To: isalist@xxxxxxxxxxxxx > > Subject: [isalist] New Articles on Tales > > > > http://blogs.technet.com/isablog/archive/2009/08/15/new-tales-from-the- > > edge-articles.aspx > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx