That's what I said ;)

t

On 2/26/07 10:26 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> NDA is a completely different point and Amy has it right - non-MS lists
> are verboten to NDA material.
> I'm an "odd duck" in this context (for more than one reason - ha! - beat
> ya to it!), because it's actually a large part of my job to "keep my
> finger on the pulse", as it were. This is why you see me doing trips
> like tech Ready & Black Hat. Unfortunately, fiscal limitations curtail
> any further involvement, but such is corporate life.
>
> I agree that the ISA team hasn't exactly kept pace with teams like
> Exchange (we don't even have a silly motto like "you had me at ehlo"),
> but it still comes back to the "effort priorities". I've been working
> with the right folks to make this a better experience all around
> (especially for the MVPs), but these things tend to move slowly...
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thor (Hammer of God)
> Sent: Monday, February 26, 2007 9:54 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> Conflicting info, then. I was told by a source that non-MSFT lists were
> poo-poo'ed on for liability and NDA reasons.
>
> And while I totally understand the "bottom line" thinking, it seems like
> a huge waste to initiate something like the MVP program and to go through
> all the motions only to do it half-assed.
>
> t
>
> On 2/26/07 9:35 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>
>> In fact, ISA product team members are strongly encouraged to participate
>> in lists, NG, blogs and all other manner of public communication
>> efforts.
>> The sad fact is; the time available for such endeavors is woefully
>> small.
>> MS, like many profit-making businesses, operates with the smallest teams
>> required to produce product "X".
>> Unfortunately, with software engineering being what it is, and the
>> pressures of the marketing "old boy club", the teams are too small to
>> cover all the "nice to do" bases and still leave folks time for
>> themselves.
>>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Thor (Hammer of God)
>> Sent: Monday, February 26, 2007 9:07 AM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> I never really saw much from the PM's over there- just that one stint
>> about SQL logging, and to be honest, there wasn't much valuable content
>> sourced from the MSFT side... In fact, as I understand it, the PM and
>> product support people (other than Jim) are apparently not pushed to
>> participate (and may be asked not to) because of the fact that it is NOT
>> an official MSFT site, and that NDA and product liability may be an
>> issue.
>>
>> I'm going to draft up a "suggestions for the MVP program" and submit
>> them to the powers that be, just so that things like this can be
>> addressed.
>>
>> t
>>
>> On 2/26/07 8:50 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
>> all:
>>
>> It's been a real problem for the ISA PG to work with the ISA
>> MVPs, because they think that the ISA MVPs are still involved with the
>> ISA MVP mailing list. I explained to them that because of "issues" with
>> that list that there was less than optimal participation and that they
>> needed to get a MS managed solution. At the very least, they could
>> create their own DL and send mail to people on that list. I hate missing
>> out on the ISA PGs communications on that "other" list, but my life is
>> so much better not having to listen to the ****** that happens over
>> there.
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org <http://www.isaserver.org/>
>> Blog: http://blogs.isaserver.org/shinder/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- Microsoft Firewalls (ISA)
>>
>> ________________________________
>>
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>> Sent: Monday, February 26, 2007 8:56 AM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> I spoke with Melissa Travers, the MVP Lead for both ISA
>> and Exchange, and she said the Exchange group's MVP site was really,
>> really good, and that the Exchange group themselves is quite active.
>> Being they are the Exchange group, I can see why they would have a
>> decent portal. ;)
>>
>> I suggested that if there were a single sourced,
>> Microsoft controlled MVP site where we could "browse through" other MVP
>> list content, that issues like this (the perceptions surrounding what
>> Exchange will and won't support and why) would be much easier to
>> manage, and that "the right people" from both sides could engage each
>> other in a positive way when two technologies collide like this. To
>> me, this is a major shortcoming in the MVP program overall. Given the
>> fact that the MVP program was created in order to provide a
>> collaborative environment for various technologies, it seems like a
>> horrible waste of a perfect opportunity to expand that environment out
>> to the MVP's and product teams in other product competencies. The
>> fate of the ISA-MVP list is testament to that.
>>
>> So, in the absence of a coordinated effort on
>> Microsoft's part to wrap its collective arms around the MVP's and
>> product teams, I'll see if I can get on the Exchange MVP list and begin
>> a dialog of exactly what is going on here.
>> But I'll need to get
>> immersed in Ex2007 first, which I've just not had the time to do. The
>> promise of true unified messaging in 2007 was a major draw to me, but
>> given the apparent narrow PBX support and lack of official
>> functionality documentation, the rush to explore has lost its luster.
>>
>> t
>>
>> On 2/26/07 6:02 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx>
>> spoketh to all:
>>
>> Documentation always follows the product, which
>> is barely on the streets.
>> I've seen some regarding WM6, but the basic
>> concepts are the same.
>> ..coming soon to a website near you...
>>
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>> Sent: Monday, February 26, 2007 3:31 AM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Hi All,
>>
>> Anyone (Tim?) had chance to look at the least
>> privilege approach with Exchange 2007 yet?
>>
>> From what I am hearing the "CAS not supported in
>> perimeter" statement is based more on "we haven't tested it yet" more
>> than "we don't think it is a good idea".
>>
>> I have a few customers looking at placing the
>> entire Exchange architecture behind ISA (very untrusted LANs) - I have
>> done this with Exch2k3, but has anyone looked at this for Exch2k7?
>>
>> I am guessing this is not supported either, but
>> documentation is very thin on the ground with reference to 2k7 and
>> perimeter networking....
>>
>> Cheers
>>
>> JJ
>>
>> ________________________________
>>
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>> Sent: 15 January 2007 15:27
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Right you are... The analogy fits when you use
>> "comparative logic" as opposed to just thinking of the zone in
>> singularity...
>> Compared to the areas on either side of the DMZ, it
>> should be easy to discern any activity at all in the DMZ itself-
>> particularly hostile activities. There are strict policies about what
>> can go on in the Korean DMZ, as there should be in one's network DMZ.
>> Internet traffic is chaotic, and I don't even bother trying to
>> determine what is going on out on my Internet segment- I can't control
>> it anyway (other than my policy of implementing router ACL's to match
>> inbound/outbound traffic policies at my border router). Internal
>> traffic isn't chaotic, but it is hard to monitor for "hostile" packets
>> given the sheer volume and type of traffic being generated by internal
>> users, servers, services, etc to any number of different hosts and
>> clients. But in the DMZ, you should be able to immediately notice when
>> something out of the ordinary is going on. For instance, if I see POP3
>> logon traffic, I know something is FUBAR, as I don't support POP3 in my
>> DMZ at all. If I see modal enumeration by way of a null session, I
>> know something is going on. And etc, etc.
>>
>> So, to me, it fits, and that is the term I
>> choose to use. I won't be changing ;)
>>
>> t
>>
>> On 1/15/07 6:40 AM, "Gerald G. Young"
>> <g.young@xxxxxxxx> spoketh to all:
>>
>> The DMZ in Korea itself isn't crawling with
>> military. Either side of it is, ensuring that the definition of a
>> demilitarized zone is observed and maintained. Before the advent of
>> DMZs in networking, a DMZ meant an area from which military forces,
>> operations, and installations were prohibited. Essentially, it's a
>> wide empty area that constitutes a border with forces on either side
>> pointing guns into it.
>>
>> I've always thought the adaptation of the
>> acronym to the world of networking a bit strange. "Oh! We got
>> activity in our networked DMZ! Kill it!" :-)
>>
>> Cordially yours,
>> Jerry G. Young II
>> Product Engineer - Senior
>> Platform Engineering, Enterprise Hosting
>> NTT America, an NTT Communications Company
>>
>> 22451 Shaw Rd.
>> Sterling, VA 20166
>>
>> Office: 571-434-1319
>> Fax: 703-333-6749
>> Email: g.young@xxxxxxxx
>>
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
>> Sent: Sunday, January 14, 2007 7:08 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: RE: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> That's what it means to me too. Can't see the
>> Korean no man's land as qualifying as a DMZ when it's crawling with
>> military.
>>
>> In this conversation we have to take into
>> consideration that CAS also includes the capability to provide access to
>> folders and files right in OWA. This may be the thing that the Exchange
>> team thinks throws a monkey wrench into the secure deployment of CAS in
>> a DMZ.
>>
>> ________________________________
>>
>> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
>> Sent: Sat 1/13/2007 6:46 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> For me, DMZ means scary place completely
>> untrusted, perimeter network means less scary place trusted to a
>> degree, but strongly controlled
>>
>> ________________________________
>>
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>> Sent: 12 January 2007 23:51
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Interesting... Probably a good idea for us to
>> actually articulate what we really mean when we say DMZ.
>>
>> I guess to some it means "free for all network"
>> but for me, it should be the network where you have the most
>> restrictive policies controlling each service so that it is obvious
>> when malicious traffic hits the wire.
>> Thoughts?
>>
>> t
>>
>> On 1/12/07 3:30 PM, "Steve Moffat"
>> <steve@xxxxxxxxxx> spoketh to all:
>>
>> That's what I thought, now it's what I know....
>>
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>> Sent: Friday, January 12, 2007 6:35 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Aside from normal router & switch ACLs, ISA is
>> the single line of defense.
>> "..we don't need no stinking DMZs"
>>
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
>> Sent: Friday, January 12, 2007 12:12 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Ahh...just had a thought.
>>
>> It's all labeling.
>>
>> Jason, and others (not Jason's fault), have been
>> using the term DMZ.
>>
>> Historically, is the term DMZ not taken
>> literally as being completely firewalled off from the trusted networks,
>> and what Jason is talking about is trusted network segmentation.
>>
>> I betcha that's why the Exchange team don't
>> support it...they think it's a typical run of the mill DMZ...
>>
>> Jim, isn't MS's Internal network segmented by
>> using ISA?? Including your mail servers?
>>
>> S
>>
>> All mail to and from this domain is GFI-scanned.
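
Added example, not part of the thread or written by any of its participants: a sketch of the "most restrictive policies per service" DMZ monitoring idea discussed in the quoted messages, where any flow touching the DMZ that is not explicitly permitted (POP3, or SMB where null-session enumeration happens) is reported. The subnet, host addresses, policy entries and log format are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed for illustration (not from the thread): subnet, hosts, log format.
DMZ = ipaddress.ip_network("192.0.2.0/24")
POLICY = [  # (source network, destination host, protocol, destination port)
    ("0.0.0.0/0", "192.0.2.10", "tcp", 443),    # HTTPS to the published web server
    ("0.0.0.0/0", "192.0.2.20", "tcp", 25),     # inbound SMTP to the relay
    ("192.0.2.20/32", "10.0.0.25", "tcp", 25),  # relay to the internal mail server
]
# Ports the thread singles out; a port match is a heuristic, not proof.
SMB = "SMB in DMZ (null-session enumeration path)"
NOTABLE = {110: "POP3 not offered in DMZ", 139: SMB, 445: SMB}

# Constructed log, one connection attempt per line: time proto src:port dst:port
SAMPLE_LOG = """\
2007-01-15T10:00:01 tcp 203.0.113.5:51514 192.0.2.10:443
2007-01-15T10:00:02 tcp 192.0.2.20:40022 10.0.0.25:25
2007-01-15T10:00:03 tcp 203.0.113.9:40100 192.0.2.20:110
2007-01-15T10:00:04 tcp 192.0.2.10:49200 192.0.2.20:445
2007-01-15T10:00:05 tcp 192.0.2.10:49300 198.51.100.7:6667
2007-01-15T10:00:06 tcp 10.0.0.50:50000 10.0.0.25:445
2007-01-15T10:00:07 garbled
"""

def parse(line):
    """Return (src_ip, dst_ip, proto, dst_port); raises ValueError if malformed."""
    _ts, proto, src, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    src_ip = ipaddress.ip_address(src.rsplit(":", 1)[0])
    return src_ip, ipaddress.ip_address(dst_ip), proto.lower(), int(dst_port)

def permitted(src_ip, dst_ip, proto, port):
    """True only if the flow matches an explicit policy entry."""
    return any(src_ip in ipaddress.ip_network(net) and str(dst_ip) == host
               and proto == p and port == dport for net, host, p, dport in POLICY)

def dmz_violations(log_text):
    """Return (line, reason) for every DMZ flow that the policy does not allow."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        try:
            src_ip, dst_ip, proto, port = parse(line)
        except ValueError:
            findings.append((line, "unparseable log line"))
            continue
        if src_ip not in DMZ and dst_ip not in DMZ:
            continue  # internal-only or Internet-only traffic is out of scope
        if not permitted(src_ip, dst_ip, proto, port):
            findings.append((line, NOTABLE.get(port, "flow not in DMZ policy")))
    return findings
```

Calling dmz_violations(SAMPLE_LOG) reports the POP3, SMB and unexpected outbound flows plus the malformed line, while the internal-only SMB connection is ignored because it never touches the DMZ.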