[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 26 Feb 2007 06:56:20 -0800

I spoke with Melissa Travers, the MVP Lead for both ISA and Exchange, and
she said the Exchange group's MVP site was really, really good, and that the
Exchange group themselves are quite active.  Being they are the Exchange
group, I can see why they would have a decent portal. ;)

I suggested that if there were a single sourced, Microsoft controlled MVP
site where we could "browse through" other MVP list content, that issues
like this (the perceptions surrounding what Exchange will and won't support
and why) would be much easier to manage, and that "the right people" from
both sides could engage each other in a positive way when two technologies
collide like this.  To me, this is a major shortcoming in the MVP program
overall.  Given the fact that the MVP program was created in order to
provide a collaborative environment for various technologies, it seems like
a horrible waste of a perfect opportunity to expand that environment out to
the MVPs and product teams in other product competencies.   The fate of the
ISA-MVP list is testament to that.

So, in the absence of a coordinated effort on Microsoft's part to wrap its
collective arms around the MVPs and product teams, I'll see if I can get on
the Exchange MVP list and begin a dialog of exactly what is going on here.
But I'll need to get immersed in Ex2007 first, which I've just not had the
time to do.   The promise of true unified messaging in 2007 was a major draw
to me, but given the apparent narrow PBX support and lack of official
functionality documentation, the rush to explore has lost its luster.

t


On 2/26/07 6:02 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> Documentation always follows the product, which is barely on the streets.
> I've seen some regarding WM6, but the basic concepts are the same.
> ..coming soon to a website near you?
>  
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jason Jones
> Sent: Monday, February 26, 2007 3:31 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>  
> Hi All,
>  
> Anyone (Tim?) had chance to look at the least privilege approach with Exchange
> 2007 yet?
>  
> From what I am hearing the "CAS not supported in perimeter" statement is based
> more on "we haven't tested it yet" more than "we don't think it is a good
> idea".
>  
> I have a few customers looking at placing the entire Exchange architecture
> behind ISA (very untrusted LANs) - I have done this with Exch2k3, but has
> anyone looked at this for Exch2k7?
>  
> I am guessing this is not supported either, but documentation is very thin on
> the ground with reference to 2k7 and perimeter networking....
>  
> Cheers
>  
> JJ
> 
>  
> 
>  
> 
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: 15 January 2007 15:27
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> Right you are...  The analogy fits when you use "comparative logic" as opposed
> to just thinking of the zone in singularity... Compared to the areas on either
> side of the DMZ, it should be easy to discern any activity at all in the DMZ
> itself- particularly hostile activities.  There are strict policies about what
> can go on in the Korean DMZ, as there should be in one's network DMZ.
> Internet traffic is chaotic, and I don't even bother trying to determine what
> is going on out on my Internet segment- I can't control it anyway (other than
> my policy of implementing router ACLs to match inbound/outbound traffic
> policies at my border router).  Internal traffic isn't chaotic, but it is
> hard to monitor for "hostile" packets given the sheer volume and type of
> traffic being generated by internal users, servers, services, etc to any
> number of different hosts and clients.  But in the DMZ, you should be able to
> immediately notice when something out of the ordinary is going on.  For
> instance, if I see POP3 logon traffic, I know something is FUBAR, as I don't
> support POP3 in my DMZ at all.  If I see modal enumeration by way of a null
> session, I know something is going on.  And etc, etc.
> 
> So, to me, it fits, and that is the term I choose to use.  I won't be changing
> ;)
> 
> t
> 
> 
> On 1/15/07 6:40 AM, "Gerald G. Young" <g.young@xxxxxxxx> spoketh to all:
> The DMZ in Korea itself isn't crawling with military.  Either side of it is,
> ensuring that the definition of a demilitarized zone is observed and
> maintained.  Before the advent of DMZs in networking, a DMZ meant an area from
> which military forces, operations, and installations were prohibited.
> Essentially, it's a wide empty area that constitutes a border with forces on
> either side pointing guns into it.
>  
> I've always thought the adaptation of the acronym to the world of networking a
> bit strange.  "Oh!  We got activity in our networked DMZ!  Kill it!" :)
> 
> 
> Cordially yours,
> Jerry G. Young II
> Product Engineer - Senior
> Platform Engineering, Enterprise Hosting
> NTT America, an NTT Communications Company
>  
> 22451 Shaw Rd.
> Sterling, VA 20166
>  
> Office: 571-434-1319
> Fax: 703-333-6749
> Email: g.young@xxxxxxxx
>  
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Amy Babinchak
> Sent: Sunday, January 14, 2007 7:08 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: RE: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> 
> That's what it means to me too. Can't see the Korean no man's land as
> qualifying as a DMZ when it's crawling with military.
> 
>  
> 
> In this conversation we have to take into consideration that CAS also includes
> the capability to provide access to folders and files right in OWA. This may
> be the thing that the Exchange team thinks throws a monkey wrench into the
> secure deployment of CAS in a DMZ.
> 
>   
> 
> 
> 
> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
> Sent: Sat 1/13/2007 6:46 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> For me, DMZ means scary place completely untrusted, perimeter network means
> less scary place trusted to a degree, but strongly controlled
> 
> 
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: 12 January 2007 23:51
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> Interesting... Probably a good idea for us to actually articulate what we
> really mean when we say DMZ.
> 
> I guess to some it means "free for all network" but for me, it should be the
> network where you have the most restrictive policies controlling each service
> so that it is obvious when malicious traffic hits the wire.  Thoughts?
> t
> 
> 
> On 1/12/07 3:30 PM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all:
> That's what I thought, now it's what I know....
>  
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jim Harrison
> Sent: Friday, January 12, 2007 6:35 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> Aside from normal router & switch ACLs, ISA is the single line of defense.
> "..we don't need no stinking DMZs"
>  
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Steve Moffat
> Sent: Friday, January 12, 2007 12:12 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> Ahh... just had a thought.
>  
> It's all labeling.
>  
> Jason, and others (not Jason's fault), have been using the term DMZ.
>  
> Historically, is the term DMZ not taken literally as being completely
> firewalled off from the trusted networks, and what Jason is talking about is
> trusted network segmentation.
>  
> I betcha that's why the Exchange team don't support it... they think it's a
> typical run of the mill DMZ?
>  
> Jim, isn't MS's Internal network segmented by using ISA?? Including your mail
> servers?
>  
> S 
> 
> All mail to and from this domain is GFI-scanned.
> 

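The working definition of a DMZ that Thor gives in the 15 January reply above (the segment with the most restrictive per-service policy, so that POP3 logons or null-session enumeration against hosts that never offer those services are immediately out of place) can be turned into a mechanical check. The Python below is an added example, not code from the thread or from ISA Server: it holds a per-host allowlist of the only services each DMZ host is supposed to serve and flags every DMZ-bound connection record that is not on it. The DMZ address range, the allowlist, the record format and the log lines are all constructed for illustration; the format is not the ISA firewall log format.

```python
"""Allowlist check for DMZ-bound connections (added example, constructed data).

Policy idea: a DMZ host may be reached only on the services it is published
for; anything else is reported. Well-known "should never happen here" ports
get a more specific reason so the analyst sees the POP3 / SMB case at once.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Hypothetical DMZ range and per-host allowlist (assumption, not from the thread).
DMZ_NET: IPv4Network = ip_network("192.0.2.0/24")

# host -> set of (protocol, port) that host is permitted to serve.
ALLOWED_SERVICES: Dict[IPv4Address, Set[Tuple[str, int]]] = {
    ip_address("192.0.2.10"): {("tcp", 443)},   # OWA / CAS published via the firewall
    ip_address("192.0.2.20"): {("tcp", 25)},    # inbound SMTP relay
}

# Services that are never offered in this DMZ; a hit is reported by name.
KNOWN_BAD: Dict[Tuple[str, int], str] = {
    ("tcp", 110): "POP3 logon traffic; POP3 is not offered in this DMZ",
    ("tcp", 139): "SMB session; possible null-session enumeration",
    ("tcp", 445): "SMB session; possible null-session enumeration",
}


@dataclass(frozen=True)
class Flow:
    when: str
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<time> <src> <dst> <proto> <dport>'."""
    when, src, dst, proto, dport = line.split()
    return Flow(when, ip_address(src), ip_address(dst), proto.lower(), int(dport))


def classify(flow: Flow) -> Optional[str]:
    """Return a finding for a DMZ-bound flow outside policy, else None."""
    if flow.dst not in DMZ_NET:
        return None  # not DMZ-bound; outside the scope of this check
    allowed = ALLOWED_SERVICES.get(flow.dst, set())
    if (flow.proto, flow.dport) in allowed:
        return None  # exactly what the host is published for
    reason = KNOWN_BAD.get((flow.proto, flow.dport), "service not in DMZ policy")
    return f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}"


def audit(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Run classify() over records; return (line number, finding) pairs."""
    findings: List[Tuple[int, str]] = []
    for number, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        verdict = classify(parse_flow(line))
        if verdict is not None:
            findings.append((number, verdict))
    return findings


# Constructed sample records (not real traffic): time src dst proto dport.
SAMPLE_LOG = """\
# constructed connection records
2007-01-15T10:00:01Z 198.51.100.7 192.0.2.10 tcp 443
2007-01-15T10:00:02Z 198.51.100.7 192.0.2.20 tcp 25
2007-01-15T10:00:03Z 198.51.100.9 192.0.2.10 tcp 110
2007-01-15T10:00:04Z 198.51.100.9 192.0.2.10 tcp 445
2007-01-15T10:00:05Z 198.51.100.9 192.0.2.20 tcp 3389
2007-01-15T10:00:06Z 198.51.100.7 203.0.113.5 tcp 80
""".splitlines()


if __name__ == "__main__":
    # Expected: the POP3, SMB and RDP records (lines 4, 5, 6) are reported;
    # the published HTTPS/SMTP records and the non-DMZ record are not.
    for number, finding in audit(SAMPLE_LOG):
        print(f"line {number}: {finding}")
```

The same shape (a host-keyed allowlist plus a "never here" table) is what the border router ACLs and the ISA publishing rules already encode; running it over the connection log is just a way of checking that what actually reached the DMZ matches what the policy says may reach it. Two records on the same host with the same verdict are reported separately on purpose, since the count of attempts is itself useful during triage.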
