[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 26 Feb 2007 12:56:06 -0500

And yet other teams and you somehow manage. I'm told not all teams
communicate with MVPs. But I'm on 4 MVP lists and it's impossible for me
to participate in all of the opportunities I'm offered. Between events,
live meetings, chats, betas, taps, surveys, etc. it's overwhelming. So
far as I can tell it's only the ISA team that has this communication
problem. You are of course the exception and a beloved one at that.

Amy Babinchak
Harbor Computer Services
ISA MVP, Small Business Specialist, MCP
 
ISA: http://isainsbs.blogspot.com
for Clients: http://smalltechnotes.blogspot.com
Website: http://www.harborcomputerservices.net
 
 
 
 
 
 
-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Monday, February 26, 2007 12:35 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

In fact, ISA product team members are strongly encouraged to participate
in lists, NG, blogs and all other manner of public communication
efforts.
The sad fact is, the time available for such endeavors is woefully
small.
MS, like many profit-making businesses, operates with the smallest teams
required to produce product "X".
Unfortunately, with software engineering being what it is, and the
pressures of the marketing "old boy club", the teams are too small to
cover all the "nice to do" bases and still leave folks time for
themselves.


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Monday, February 26, 2007 9:07 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

I never really saw much from the PMs over there- just that one stint
about SQL logging, and to be honest, there wasn't much valuable content
sourced from the MSFT side... In fact, as I understand it, the PM and
product support people (other than Jim) are apparently not pushed to
participate (and may be asked not to) because of the fact that it is NOT
an official MSFT site, and that NDA and product liability may be an
issue.

I'm going to draft up a "suggestions for the MVP program" and submit
them to the powers that be, just so that things like this can be
addressed.

t


On 2/26/07 8:50 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
all:



        It's been a real problem for the ISA PG to work with the ISA
MVPs, because they think that the ISA MVPs are still involved with the
ISA MVP mailing list. I explained to them that because of "issues" with
that list that there was less than optimal participation and that they
needed to get a MS managed solution. At the very least, they could
create their own DL and send mail to people on that list. I hate missing
out on the ISA PGs communications on that "other" list, but my life is
so much better not having to listen to the ****** that happens over
there.
        
        Thomas W Shinder, M.D.
        Site: www.isaserver.org <http://www.isaserver.org/>
        Blog: http://blogs.isaserver.org/shinder/
        Book: http://tinyurl.com/3xqb7
        MVP -- Microsoft Firewalls (ISA)
        
         
        
        

                
                 
                
________________________________

                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of  God)
                Sent: Monday, February 26, 2007 8:56 AM
                To:  isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and  Perimeter
Networks
                
                 
                I spoke with Melissa Travers, the MVP Lead for both ISA
and Exchange, and she said the Exchange group's MVP site was really,
really good, and that the Exchange group themselves is quite active.
Being they are the Exchange group, I can see why they would have a
decent portal. ;)
                
                I suggested that if there were a single sourced,
Microsoft controlled MVP site where we could "browse through" other MVP
list content, that issues like this (the perceptions surrounding what
Exchange will and won't support and why) would be much easier to
manage, and that "the right people" from both sides could engage each
other in a positive way when two technologies collide like this. To
me, this is a major shortcoming in the MVP program overall. Given the
fact that the MVP program was created in order to provide a
collaborative environment for various technologies, it seems like a
horrible waste of a perfect opportunity to expand that environment out
to the MVPs and product teams in other product competencies. The
fate of the ISA-MVP list is testament to that.
                
                So, in the absence of a coordinated effort on
Microsoft's part to wrap its collective arms around the MVPs and
product teams, I'll see if I can get on the Exchange MVP list and begin
a dialog of exactly what is going on here. But I'll need to get
immersed in Ex2007 first, which I've just not had the time to do. The
promise of true unified messaging in 2007 was a major draw to me, but
given the apparent narrow PBX support and lack of official
functionality documentation, the rush to explore has lost its luster.
                
                t
                
                
                On 2/26/07 6:02 AM, "Jim Harrison"  <Jim@xxxxxxxxxxxx>
spoketh to all:
                
                 
                

                        Documentation always follows the product, which
is barely on the streets.
                        I've seen some regarding WM6, but the basic
concepts are the same.
                        ..coming soon to a website near you...
                         
                        
                        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx]  On Behalf Of Jason Jones
                        Sent: Monday, February 26, 2007  3:31 AM
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re:  ISA, Exchange 2007 and
Perimeter Networks
                        
                        Hi All,
                        
                        Anyone (Tim?) had chance to look at the least
privilege approach with Exchange 2007 yet?
                        
                        From what I am hearing the "CAS not supported in
perimeter" statement is based more on "we haven't tested it yet" more
than "we don't think it is a good idea".
                        
                        I have a few customers looking at placing the
entire Exchange architecture behind ISA (very untrusted LANs) - I have
done this with Exch2k3, but has anyone looked at this for Exch2k7?
                        
                        I am guessing this is not supported either, but
documentation is very thin on the ground with reference to 2k7 and
perimeter networking....
                        
                        Cheers
                        
                        JJ
                        
                        
                        
                         
                          

                        
                        
________________________________

                          

                        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx]  On Behalf Of Thor (Hammer of God)
                        Sent: 15 January 2007  15:27
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re:  ISA, Exchange 2007 and
Perimeter Networks
                        Right you are... The analogy fits when you use
"comparative logic" as opposed to just thinking of the zone in
singularity... Compared to the areas on either side of the DMZ, it
should be easy to discern any activity at all in the DMZ itself-
particularly hostile activities. There are strict policies about what
can go on in the Korean DMZ, as there should be in one's network DMZ.
Internet traffic is chaotic, and I don't even bother trying to
determine what is going on out on my Internet segment- I can't control
it anyway (other than my policy of implementing router ACLs to match
inbound/outbound traffic policies at my border router). Internal
traffic isn't chaotic, but it is hard to monitor for "hostile" packets
given the sheer volume and type of traffic being generated by internal
users, servers, services, etc to any number of different hosts and
clients. But in the DMZ, you should be able to immediately notice when
something out of the ordinary is going on. For instance, if I see POP3
logon traffic, I know something is FUBAR, as I don't support POP3 in my
DMZ at all. If I see modal enumeration by way of a null session, I
know something is going on. And etc, etc.
                        
                        So, to me, it fits, and that is the term I
choose to use.  I won't be changing ;)
                        
                        t
                        
                        
                        On 1/15/07  6:40 AM, "Gerald G. Young"
<g.young@xxxxxxxx> spoketh to  all:
                        The DMZ in Korea itself isn't crawling with
military.  Either side of it is, ensuring that the definition of a
demilitarized zone is observed and maintained.  Before the advent of
DMZs in networking, a DMZ meant an area from which military forces,
operations, and installations were prohibited.  Essentially, it's a
wide empty area that constitutes a border with forces on either side
pointing guns into it.
                         
                        I've always thought the adaptation of the
acronym to the world of networking a bit strange. "Oh! We got
activity in our networked DMZ! Kill it!" :-)
                        
                        
                        Cordially  yours,
                        Jerry G. Young  II
                        Product  Engineer - Senior
                        Platform Engineering, Enterprise Hosting
                        NTT  America, an NTT Communications Company
                         
                        22451 Shaw  Rd.
                        Sterling, VA 20166
                         
                        Office: 571-434-1319
                        Fax:  703-333-6749
                        Email:  g.young@xxxxxxxx
                         
                        
                        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx]  On Behalf Of Amy Babinchak
                        Sent: Sunday, January 14, 2007  7:08 PM
                        To: isapros@xxxxxxxxxxxxx
                        Subject: RE: [isapros]  Re: ISA, Exchange 2007
and Perimeter Networks
                        
                        
                        That's what it means to me too. Can't see the
Korean no man's land as qualifying as a DMZ when it's crawling with
military.
                        
                        In this conversation we have to take into
consideration that CAS also includes the capability to provide access to
folders and files right in OWA. This may be the thing that the Exchange
team thinks throws a monkey wrench into the secure deployment of CAS in
a DMZ.
                        
                              

                        
                        
________________________________

                          

                        
                        
                        From: isapros-bounce@xxxxxxxxxxxxx on behalf  of
Jason Jones
                        Sent: Sat 1/13/2007 6:46 PM
                        To:  isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: ISA, Exchange 2007  and
Perimeter Networks
                        
                        For me, DMZ means scary place completely
untrusted, perimeter network means less scary place trusted to a
degree, but strongly controlled
                        

                        
                        
________________________________

                          

                        
                        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx]  On Behalf Of Thor (Hammer of God)
                        Sent: 12 January 2007  23:51
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re:  ISA, Exchange 2007 and
Perimeter Networks
                        Interesting... Probably a good idea for us to
actually articulate what we really mean when we say DMZ.
                        
                        I guess to some it means "free for all network"
but for me, it should be the network where you have the most
restrictive policies controlling each service so that it is obvious
when malicious traffic hits the wire. Thoughts?
                        t
                        
                        
                        On 1/12/07 3:30 PM, "Steve Moffat"
<steve@xxxxxxxxxx> spoketh to all:
                        That's what I thought, now it's what I  know....
                         
                        
                        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx]  On Behalf Of Jim Harrison
                        Sent: Friday, January 12, 2007  6:35 PM
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re:  ISA, Exchange 2007 and
Perimeter Networks
                        
                        Aside from normal router & switch ACLs, ISA is
the single line of defense.
                        "..we don't need no stinking  DMZs"
                         
                        
                        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx]  On Behalf Of Steve Moffat
                        Sent: Friday, January 12, 2007  12:12 PM
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros]  Re: ISA, Exchange 2007 and
Perimeter Networks
                        
                        Ahh...just had a thought.
                         
                        It's all  labeling.
                         
                        Jason, and others (not Jason's fault), have been
using the term DMZ.
                         
                        Historically, is the term DMZ not taken
literally as being completely firewalled off from the trusted networks,
and what Jason is talking about is trusted network segmentation.
                         
                        I betcha that's why the Exchange team don't
support it...they think it's a typical run of the mill DMZ...
                         
                        Jim, isn't MS's Internal network segmented by
using ISA?? Including your mail servers?
                         
                        S  
                        

                        All mail to and  from this domain is
GFI-scanned. 

                        
                        
                         
                        
                         
                        
                             



                        
                        

                
                

        
        






