[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 26 Feb 2007 10:50:14 -0800

That's what I said ;)

t


On 2/26/07 10:26 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> NDA is a completely different point and Amy has it right - non-MS lists
> are verboten to NDA material.
> I'm an "odd duck" in this context (for more than one reason - ha! - beat
> ya to it!), because it's actually a large part of my job to "keep my
> finger on the pulse", as it were.  This is why you see me doing trips
> like tech Ready & Black Hat.  Unfortunately, fiscal limitations curtail
> any further involvement, but such is corporate life.
> 
> I agree that the ISA team hasn't exactly kept pace with teams like
> Exchange (we don't even have a silly motto like "you had me at ehlo"),
> but it still comes back to the "effort priorities".  I've been working
> with the right folks to make this a better experience all around
> (especially for the MVPs), but these things tend to move slowly...
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thor (Hammer of God)
> Sent: Monday, February 26, 2007 9:54 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> Conflicting info, then.  I was told by a source that non-MSFT lists were
> poo-poo'ed on for liability and NDA reasons.
> 
> And while I totally understand the "bottom line" thinking, it seems like a
> huge waste to initiate something like the MVP program and to go through all
> the motions only to do it half-assed.
> 
> t
> 
> 
> On 2/26/07 9:35 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> 
>> In fact, ISA product team members are strongly encouraged to participate
>> in lists, NG, blogs and all other manner of public communication efforts.
>> The sad fact is, the time available for such endeavors is woefully small.
>> MS, like many profit-making businesses, operates with the smallest teams
>> required to produce product "X".
>> Unfortunately, with software engineering being what it is, and the
>> pressures of the marketing "old boy club", the teams are too small to
>> cover all the "nice to do" bases and still leave folks time for themselves.
>> 
>> 
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Thor (Hammer of God)
>> Sent: Monday, February 26, 2007 9:07 AM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> I never really saw much from the PM's over there- just that one stint
>> about SQL logging, and to be honest, there wasn't much valuable content
>> sourced from the MSFT side... In fact, as I understand it, the PM and
>> product support people (other than Jim) are apparently not pushed to
>> participate (and may be asked not to) because of the fact that it is NOT
>> an official MSFT site, and that NDA and product liability may be an
>> issue.
>> 
>> I'm going to draft up a "suggestions for the MVP program" and submit
>> them to the powers that be, just so that things like this can be
>> addressed.
>> 
>> t
>> 
>> 
>> On 2/26/07 8:50 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
>> all:
>> 
>> 
>> 
>> It's been a real problem for the ISA PG to work with the ISA
>> MVPs, because they think that the ISA MVPs are still involved with the
>> ISA MVP mailing list. I explained to them that because of "issues" with
>> that list that there was less than optimal participation and that they
>> needed to get a MS managed solution. At the very least, they could
>> create their own DL and send mail to people on that list. I hate missing
>> out on the ISA PGs communications on that "other" list, but my life is
>> so much better not having to listen to the ****** that happens over
>> there.
>> 
>> Thomas W Shinder, M.D.
>> Site: http://www.isaserver.org/
>> Blog: http://blogs.isaserver.org/shinder/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- Microsoft Firewalls (ISA)
>> 
>> ________________________________
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Thor (Hammer of God)
>> Sent: Monday, February 26, 2007 8:56 AM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> 
>> I spoke with Melissa Travers, the MVP Lead for both ISA
>> and Exchange, and she said the Exchange group's MVP site was really,
>> really good, and that the Exchange group themselves is quite active.
>> Being they are the Exchange group, I can see why they would have a
>> decent portal. ;)
>> 
>> I suggested that if there were a single sourced,
>> Microsoft controlled MVP site where we could "browse through" other MVP
>> list content, that issues like this (the perceptions surrounding what
>> Exchange will and won't support and why) would be much easier to
>> manage, and that "the right people" from both sides could engage each
>> other in a positive way when two technologies collide like this.  To
>> me, this is a major shortcoming in the MVP program overall.  Given the
>> fact that the MVP program was created in order to provide a
>> collaborative environment for various technologies, it seems like a
>> horrible waste of a perfect opportunity to expand that environment out
>> to the MVP's and product teams in other product competencies.  The
>> fate of the ISA-MVP list is testament to that.
>> 
>> So, in the absence of a coordinated effort on
>> Microsoft's part to wrap its collective arms around the MVP's and
>> product teams, I'll see if I can get on the Exchange MVP list and begin
>> a dialog of exactly what is going on here.  But I'll need to get
>> immersed in Ex2007 first, which I've just not had the time to do.  The
>> promise of true unified messaging in 2007 was a major draw to me, but
>> given the apparent narrow PBX support and lack of official
>> functionality documentation, the rush to explore has lost its luster.
>> 
>> t
>> 
>> 
>> On 2/26/07 6:02 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>> 
>> Documentation always follows the product, which
>> is barely on the streets.
>> I've seen some regarding WM6, but the basic
>> concepts are the same.
>> ..coming soon to a website near you...
>> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Jason Jones
>> Sent: Monday, February 26, 2007 3:31 AM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> Hi All,
>> 
>> Anyone (Tim?) had chance to look at the least
>> privilege approach with Exchange 2007 yet?
>> 
>> From what I am hearing the "CAS not supported in
>> perimeter" statement is based more on "we haven't tested it yet" more
>> than "we don't think it is a good idea".
>> 
>> I have a few customers looking at placing the
>> entire Exchange architecture behind ISA (very untrusted LANs) - I have
>> done this with Exch2k3, but has anyone looked at this for Exch2k7?
>> 
>> I am guessing this is not supported either, but
>> documentation is very thin on the ground with reference to 2k7 and
>> perimeter networking....
>> 
>> Cheers
>> 
>> JJ
>> 
>> ________________________________
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Thor (Hammer of God)
>> Sent: 15 January 2007 15:27
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> Right you are...  The analogy fits when you use
>> "comparative logic" as opposed to just thinking of the zone in
>> singularity... Compared to the areas on either side of the DMZ, it
>> should be easy to discern any activity at all in the DMZ itself-
>> particularly hostile activities.  There are strict policies about what
>> can go on in the Korean DMZ, as there should be in one's network DMZ.
>> Internet traffic is chaotic, and I don't even bother trying to
>> determine what is going on out on my Internet segment- I can't control
>> it anyway (other than my policy of implementing router ACL's to match
>> inbound/outbound traffic policies at my border router).  Internal
>> traffic isn't chaotic, but it is hard to monitor for "hostile" packets
>> given the sheer volume and type of traffic being generated by internal
>> users, servers, services, etc to any number of different hosts and
>> clients.  But in the DMZ, you should be able to immediately notice when
>> something out of the ordinary is going on.  For instance, if I see POP3
>> logon traffic, I know something is FUBAR, as I don't support POP3 in my
>> DMZ at all.  If I see modal enumeration by way of a null session, I
>> know something is going on.  And etc, etc.
>> 
>> So, to me, it fits, and that is the term I
>> choose to use.  I won't be changing ;)
>> 
>> t
>> 
>> 
>> On 1/15/07 6:40 AM, "Gerald G. Young" <g.young@xxxxxxxx> spoketh to all:
>> The DMZ in Korea itself isn't crawling with
>> military.  Either side of it is, ensuring that the definition of a
>> demilitarized zone is observed and maintained.  Before the advent of
>> DMZs in networking, a DMZ meant an area from which military forces,
>> operations, and installations were prohibited.  Essentially, it's a
>> wide empty area that constitutes a border with forces on either side
>> pointing guns into it.
>> 
>> I've always thought the adaptation of the
>> acronym to the world of networking a bit strange.  "Oh!  We got
>> activity in our networked DMZ!  Kill it!"  :-)
>> 
>> 
>> Cordially yours,
>> Jerry G. Young II
>> Product Engineer - Senior
>> Platform Engineering, Enterprise Hosting
>> NTT America, an NTT Communications Company
>> 
>> 22451 Shaw Rd.
>> Sterling, VA 20166
>> 
>> Office: 571-434-1319
>> Fax: 703-333-6749
>> Email: g.young@xxxxxxxx
>> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Amy Babinchak
>> Sent: Sunday, January 14, 2007 7:08 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: RE: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> That's what it means to me too. Can't see the
>> Korean no man's land as qualifying as a DMZ when it's crawling with
>> military.
>> 
>> In this conversation we have to take into
>> consideration that CAS also includes the capability to provide access to
>> folders and files right in OWA. This may be the thing that the Exchange
>> team thinks throws a monkey wrench into the secure deployment of CAS in
>> a DMZ.
>> 
>> ________________________________
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
>> Sent: Sat 1/13/2007 6:46 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> For me, DMZ means scary place completely
>> untrusted, perimeter network means less scary place trusted to a
>> degree, but strongly controlled
>> 
>> ________________________________
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Thor (Hammer of God)
>> Sent: 12 January 2007 23:51
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> Interesting... Probably a good idea for us to
>> actually articulate what we really mean when we say DMZ.
>> 
>> I guess to some it means "free for all network"
>> but for me, it should be the network where you have the most
>> restrictive policies controlling each service so that it is obvious
>> when malicious traffic hits the wire.  Thoughts?
>> 
>> t
>> 
>> 
>> On 1/12/07 3:30 PM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all:
>> 
>> That's what I thought, now it's what I know....
>> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Jim Harrison
>> Sent: Friday, January 12, 2007 6:35 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> Aside from normal router & switch ACLs, ISA is
>> the single line of defense.
>> "..we don't need no stinking DMZs"
>> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Steve Moffat
>> Sent: Friday, January 12, 2007 12:12 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> Ahh...just had a thought.
>> 
>> It's all labeling.
>> 
>> Jason, and others (not Jason's fault), have been
>> using the term DMZ.
>> 
>> Historically, is the term DMZ not taken
>> literally as being completely firewalled off from the trusted networks,
>> and what Jason is talking about is trusted network segmentation.
>> 
>> I betcha that's why the Exchange team don't
>> support it...they think it's a typical run of the mill DMZ...
>> 
>> Jim, isn't MS's Internal network segmented by
>> using ISA?? Including your mail servers?
>> 
>> S
>> 
>> 
>> All mail to and from this domain is GFI-scanned.

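The DMZ argument quoted above (a DMZ carries so few, so tightly defined services that POP3 logons or null-session enumeration stand out immediately) as an added example that is not part of the original thread: a per-host allow-list applied to firewall connection logs, returning every permitted flow that falls outside the written policy. The hosts, ports and log format are constructed for illustration.

```python
import re

# Hypothetical DMZ allow-list (constructed): host -> set of (proto, port)
# it is permitted to serve. Everything else reaching these hosts is news.
DMZ_POLICY = {
    "10.0.1.10": {("tcp", 443)},  # OWA / CAS front end: HTTPS only
    "10.0.1.20": {("tcp", 25)},   # SMTP relay: inbound mail only
}

# Constructed log format, loosely modelled on a generic firewall log:
# "<time> ALLOW|DENY <proto> <src>:<sport> -> <dst>:<dport>"
_LINE = re.compile(
    r"^\S+ (?P<action>ALLOW|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def find_dmz_anomalies(lines, policy=DMZ_POLICY):
    """Return ALLOWed connections to a DMZ host outside its allow-list.

    DENY lines are skipped: the rule base already did its job there. An
    ALLOW to an unexpected port means the written policy and the deployed
    rules disagree, which is exactly what should be obvious in a DMZ.
    """
    anomalies = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m or m["action"] != "ALLOW":
            continue  # unparseable or already blocked
        dst, svc = m["dst"], (m["proto"], int(m["dport"]))
        if dst in policy and svc not in policy[dst]:
            anomalies.append({"src": m["src"], "dst": dst,
                              "proto": svc[0], "port": svc[1]})
    return anomalies


# Constructed sample: HTTPS and SMTP are expected; POP3 (110) and SMB (445)
# reaching DMZ hosts are the "something is FUBAR" cases from the thread.
SAMPLE_LOG = [
    "2007-01-15T06:40:01 ALLOW tcp 203.0.113.5:51022 -> 10.0.1.10:443",
    "2007-01-15T06:40:02 ALLOW tcp 198.51.100.7:40111 -> 10.0.1.20:25",
    "2007-01-15T06:40:03 ALLOW tcp 203.0.113.9:51030 -> 10.0.1.10:110",
    "2007-01-15T06:40:04 DENY tcp 203.0.113.9:51031 -> 10.0.1.10:110",
    "2007-01-15T06:40:05 ALLOW tcp 10.0.2.15:49200 -> 10.0.1.20:445",
]

if __name__ == "__main__":
    for a in find_dmz_anomalies(SAMPLE_LOG):
        print(f"unexpected {a['proto']}/{a['port']} to {a['dst']} from {a['src']}")
```

Hosts absent from the policy are deliberately ignored, so run it only over logs filtered to the DMZ segment, or add every DMZ host to the allow-list first.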