[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 26 Feb 2007 13:04:22 -0500

That would be nice. Right now Susan owns all of the MVP lists, as
Microsoft didn't want to do it. (and she pays for it out of her own
pocket, for some reason) MS has the MVP newsgroups and that's it. I
asked Melissa when we might see something and she told me the problem is
no one at Microsoft wants to own it.

 

Amy Babinchak
Harbor Computer Services
ISA MVP, Small Business Specialist, MCP

ISA: http://isainsbs.blogspot.com
for Clients: http://smalltechnotes.blogspot.com
Website: http://www.harborcomputerservices.net

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Monday, February 26, 2007 12:52 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

 

Yes, I recall it well- but with ISAPro's around, there's no need to go
back, particularly if you are saying that no one participates.

I was told that since the list is NOT controlled by MS, though we are
all under NDA, we cannot discuss anything that may be considered NDA on
that list at all. The "treat it as NDA" meant "do not discuss anything
on the list" as MSFT does not control, own, or moderate anything on the
list.

And even if the PM's for ISA don't participate, the entire thing should
still roll up under MSFT in a single-point-of-contact portal where one
can easily navigate through the different areas of competency. 

t


On 2/26/07 9:25 AM, "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
spoketh to all:

You do recall that Susan is no longer involved with that list and that I
am now the moderator? All members of the list are under signed NDA with
Microsoft. 
 
Microsoft's stance is that product groups can post but should not post
NDA information to any non-Microsoft owned list. Even so, neither the
ISA nor IAG groups post to the Microsoft private MVP newsgroups. They are
a quiet bunch. Other MVP lists that I'm on get lots of posts, questions,
and response from the PM's and from PSS. The communication from this
team is seriously lacking. I brought this up with several people and the
response I get is essentially that communicating with the community
isn't in their job description and they see no reason to change it.
After all MVP's are customers. We're just champions; whatever that
means.
 

Amy Babinchak
Harbor Computer Services
ISA MVP, Small Business Specialist, MCP

ISA: http://isainsbs.blogspot.com
for Clients: http://smalltechnotes.blogspot.com
Website: http://www.harborcomputerservices.net
 



 
 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Monday, February 26, 2007 11:51 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

It's been a real problem for the ISA PG to work with the ISA MVPs,
because they think that the ISA MVPs are still involved with the ISA MVP
mailing list. I explained to them that because of "issues" with that
list that there was less than optimal participation and that they needed
to get a MS managed solution. At the very least, they could create their
own DL and send mail to people on that list. I hate missing out on the
ISA PGs communications on that "other" list, but my life is so much
better not having to listen to the ****** that happens over there.


Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)



        
________________________________


        
        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Monday, February 26, 2007 8:56 AM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        I spoke with Melissa Travers, the MVP Lead for both ISA and
Exchange, and she said the Exchange group's MVP site was really, really
good, and that the Exchange group themselves is quite active.  Being
they are the Exchange group, I can see why they would have a decent
portal. ;)
        
        I suggested that if there were a single sourced, Microsoft
controlled MVP site where we could "browse through" other MVP list
content, that issues like this (the perceptions surrounding what
Exchange will and won't support and why) would be much easier to manage,
and that "the right people" from both sides could engage each other in a
positive way when two technologies collide like this.  To me, this is a
major shortcoming in the MVP program overall.  Given the fact that the
MVP program was created in order to provide a collaborative environment
for various technologies, it seems like a horrible waste of a perfect
opportunity to expand that environment out to the MVP's and product
teams in other product competencies.   The fate of the ISA-MVP list is
testament to that. 
        
        So, in the absence of a coordinated effort on Microsoft's part
to wrap its collective arms around the MVP's and product teams, I'll
see if I can get on the Exchange MVP list and begin a dialog of exactly
what is going on here.  But I'll need to get immersed in Ex2007 first,
which I've just not had the time to do.   The promise of true unified
messaging in 2007 was a major draw to me, but given the apparent narrow
PBX support and lack of official functionality documentation, the rush
to explore has lost its luster. 
        
        t
        
        
        On 2/26/07 6:02 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to
all:
        Documentation always follows the product, which is barely on the
streets.
        I've seen some regarding WM6, but the basic concepts are the
same.
        ..coming soon to a website near you...
         
        
        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
        Sent: Monday, February 26, 2007 3:31 AM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        
        Hi All,
        
        Anyone (Tim?) had chance to look at the least privilege approach
with Exchange 2007 yet?
        
        From what I am hearing the "CAS not supported in perimeter"
statement is based more on "we haven't tested it yet" more than "we
don't think it is a good idea".
        
        I have a few customers looking at placing the entire Exchange
architecture behind ISA (very untrusted LANs) - I have done this with
Exch2k3, but has anyone looked at this for Exch2k7?
        
        I am guessing this is not supported either, but documentation is
very thin on the ground with reference to 2k7 and perimeter
networking....
        
        Cheers
        
        JJ
        
        
        
          

        
________________________________


        
        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: 15 January 2007 15:27
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        Right you are...  The analogy fits when you use "comparative
logic" as opposed to just thinking of the zone in singularity...
Compared to the areas on either side of the DMZ, it should be easy to
discern any activity at all in the DMZ itself- particularly hostile
activities.  There are strict policies about what can go on in the
Korean DMZ, as there should be in one's network DMZ.   Internet traffic
is chaotic, and I don't even bother trying to determine what is going on
out on my Internet segment- I can't control it anyway (other than my
policy of implementing router ACL's to match inbound/outbound traffic
policies at my border router).  Internal traffic isn't chaotic, but it
is  hard to monitor for "hostile" packets given the sheer volume and
type of traffic being generated by internal users, servers, services,
etc to any number of different hosts and clients.  But in the DMZ, you
should be able to immediately notice when something out of the ordinary
is going on.  For instance, if I see POP3 logon traffic, I know
something is FUBAR, as I don't support POP3 in my DMZ at all.  If I see
modal enumeration by way of a null session, I know something is going
on.  And etc, etc. 
        
        So, to me, it fits, and that is the term I choose to use.  I
won't be changing ;)
        
        t
        
        
        On 1/15/07 6:40 AM, "Gerald G. Young" <g.young@xxxxxxxx> spoketh
to all:
        The DMZ in Korea itself isn't crawling with military.  Either
side of it is, ensuring that the definition of a demilitarized zone is
observed and maintained.  Before the advent of DMZs in networking, a DMZ
meant an area from which military forces, operations, and installations
were prohibited.  Essentially, it's a wide empty area that constitutes a
border with forces on either side pointing guns into it.
         
        I've always thought the adaptation of the acronym to the world
of networking a bit strange.  "Oh!  We got activity in our networked
DMZ!  Kill it!" :-)
        
        
        Cordially yours,
        Jerry G. Young II
        Product Engineer - Senior
        Platform Engineering, Enterprise Hosting
        NTT America, an NTT Communications Company
         
        22451 Shaw Rd.
        Sterling, VA 20166
         
        Office: 571-434-1319
        Fax: 703-333-6749
        Email: g.young@xxxxxxxx
         
        
        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
        Sent: Sunday, January 14, 2007 7:08 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: RE: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks
        
        
        That's what it means to me too. Can't see the Korean no man's
land as qualifying as a DMZ when it's crawling with military. 
        
         
        
        In this conversation we have to take into consideration that CAS
also includes the capability to provide access to folders and files
right in OWA. This may be the thing that the Exchange team thinks throws
a monkey wrench into the secure deployment of CAS in a DMZ. 
        
           

        
________________________________


        
        
        From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
        Sent: Sat 1/13/2007 6:46 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        
        For me, DMZ means scary place completely untrusted, perimeter
network means less scary place trusted to a degree, but strongly
controlled

        
________________________________


        
        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: 12 January 2007 23:51
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        Interesting... Probably a good idea for us to actually
articulate what we really mean when we say DMZ.
        
        I guess to some it means "free for all network" but for me, it
should be the network where you have the most restrictive policies
controlling each service so that it is obvious when malicious traffic
hits the wire.  Thoughts?
        t
        
        
        On 1/12/07 3:30 PM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to
all:
        That's what I thought, now it's what I know....
         
        
        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Friday, January 12, 2007 6:35 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        
        Aside from normal router & switch ACLs, ISA is the single line
of defense.
        "..we don't need no stinking DMZs"
         
        
        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
        Sent: Friday, January 12, 2007 12:12 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        
        Ahh...just had a thought.
         
        It's all labeling.
         
        Jason, and others (not Jason's fault), have been using the term
DMZ.
         
        Historically, is the term DMZ not taken literally as being
completely firewalled off from the trusted networks, and what Jason is
talking about is trusted network segmentation.
         
        I betcha that's why the Exchange team don't support it...they
think it's a typical run of the mill DMZ...
         
        Jim, isn't MS's Internal network segmented by using ISA??
Including your mail servers?
         
        S 

        All mail to and from this domain is GFI-scanned. 

        
        
        
         
        
         
        
          
