You only get out twice a year....

S

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Monday, February 26, 2007 3:10 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

If I got paid for my natural talents, I wouldn't leave the house! Doh!

t

On 2/26/07 10:47 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> <blushing brightly>
> See; now you've gone and got me all embarrassed 'n stuff...
>
> As I told Tim, I'm both an oddity and a typical case among Microsofties - I'm a tester who has no testing responsibilities, but I'm encouraged to "chart my own course" as a MS employee (so long as it serves the team, of course).
> Thus, my job is unevenly split between helping PSS and internal folks solve their ISA deployment and troubleshooting efforts (70%) and responding in the two ISA lists and 10 ISA newsgroups (10%) and professional growth (20%). Luckily, both of the former assist in the latter.
>
> As was it during my Navy years, I'm blessed with the chance to use and grow my natural talents (troubleshooter) and get paid for it.
> ..oh, damn...
> :-)
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> Sent: Monday, February 26, 2007 9:56 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> And yet other teams and you somehow manage. I'm told not all teams communicate with MVPs. But I'm on 4 MVP lists and it's impossible for me to participate in all of the opportunities I'm offered. Between events, live meetings, chats, betas, taps, surveys, etc it's overwhelming. So far as I can tell it's only the ISA team that has this communication problem. You are of course the exception and a beloved one at that.
>
> Amy Babinchak
> Harbor Computer Services
> ISA MVP, Small Business Specialist, MCP
>
> ISA: http://isainsbs.blogspot.com
> for Clients: http://smalltechnotes.blogspot.com
> Website: http://www.harborcomputerservices.net
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Monday, February 26, 2007 12:35 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> In fact, ISA product team members are strongly encouraged to participate in lists, NG, blogs and all other manner of public communication efforts.
> The sad fact is; the time available for such endeavors is woefully small.
> MS, like many profit-making businesses, operates with the smallest teams required to produce product "X".
> Unfortunately, with software engineering being what it is, and the pressures of the marketing "old boy club", the teams are too small to cover all the "nice to do" bases and still leave folks time for themselves.
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Monday, February 26, 2007 9:07 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> I never really saw much from the PMs over there- just that one stint about SQL logging, and to be honest, there wasn't much valuable content sourced from the MSFT side... In fact, as I understand it, the PM and product support people (other than Jim) are apparently not pushed to participate (and may be asked not to) because of the fact that it is NOT an official MSFT site, and that NDA and product liability may be an issue.
>
> I'm going to draft up a "suggestions for the MVP program" and submit them to the powers that be, just so that things like this can be addressed.
>
> t
>
> On 2/26/07 8:50 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>
> It's been a real problem for the ISA PG to work with the ISA MVPs, because they think that the ISA MVPs are still involved with the ISA MVP mailing list. I explained to them that because of "issues" with that list that there was less than optimal participation and that they needed to get a MS managed solution. At the very least, they could create their own DL and send mail to people on that list. I hate missing out on the ISA PGs communications on that "other" list, but my life is so much better not having to listen to the ****** that happens over there.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- Microsoft Firewalls (ISA)
>
> ________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Monday, February 26, 2007 8:56 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> I spoke with Melissa Travers, the MVP Lead for both ISA and Exchange, and she said the Exchange group's MVP site was really, really good, and that the Exchange group themselves is quite active. Being they are the Exchange group, I can see why they would have a decent portal. ;)
>
> I suggested that if there were a single sourced, Microsoft controlled MVP site where we could "browse through" other MVP list content, that issues like this (the perceptions surrounding what Exchange will and won't support and why) would be much easier to manage, and that "the right people" from both sides could engage each other in a positive way when two technologies collide like this. To me, this is a major shortcoming in the MVP program overall. Given the fact that the MVP program was created in order to provide a collaborative environment for various technologies, it seems like a horrible waste of a perfect opportunity to expand that environment out to the MVPs and product teams in other product competencies. The fate of the ISA-MVP list is testament to that.
>
> So, in the absence of a coordinated effort on Microsoft's part to wrap its collective arms around the MVPs and product teams, I'll see if I can get on the Exchange MVP list and begin a dialog of exactly what is going on here. But I'll need to get immersed in Ex2007 first, which I've just not had the time to do. The promise of true unified messaging in 2007 was a major draw to me, but given the apparent narrow PBX support and lack of official functionality documentation, the rush to explore has lost its luster.
>
> t
>
> On 2/26/07 6:02 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>
> Documentation always follows the product, which is barely on the streets.
> I've seen some regarding WM6, but the basic concepts are the same.
> ..coming soon to a website near you...
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Monday, February 26, 2007 3:31 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> Hi All,
>
> Anyone (Tim?) had chance to look at the least privilege approach with Exchange 2007 yet?
>
> From what I am hearing the "CAS not supported in perimeter" statement is based more on "we haven't tested it yet" more than "we don't think it is a good idea".
>
> I have a few customers looking at placing the entire Exchange architecture behind ISA (very untrusted LANs) - I have done this with Exch2k3, but has anyone looked at this for Exch2k7?
>
> I am guessing this is not supported either, but documentation is very thin on the ground with reference to 2k7 and perimeter networking....
>
> Cheers
>
> JJ
>
> ________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: 15 January 2007 15:27
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> Right you are... The analogy fits when you use "comparative logic" as opposed to just thinking of the zone in singularity... Compared to the areas on either side of the DMZ, it should be easy to discern any activity at all in the DMZ itself- particularly hostile activities. There are strict policies about what can go on in the Korean DMZ, as there should be in one's network DMZ. Internet traffic is chaotic, and I don't even bother trying to determine what is going on out on my Internet segment- I can't control it anyway (other than my policy of implementing router ACLs to match inbound/outbound traffic policies at my border router). Internal traffic isn't chaotic, but it is hard to monitor for "hostile" packets given the sheer volume and type of traffic being generated by internal users, servers, services, etc to any number of different hosts and clients. But in the DMZ, you should be able to immediately notice when something out of the ordinary is going on. For instance, if I see POP3 logon traffic, I know something is FUBAR, as I don't support POP3 in my DMZ at all. If I see modal enumeration by way of a null session, I know something is going on. And etc, etc.
>
> So, to me, it fits, and that is the term I choose to use. I won't be changing ;)
>
> t
>
> On 1/15/07 6:40 AM, "Gerald G. Young" <g.young@xxxxxxxx> spoketh to all:
>
> The DMZ in Korea itself isn't crawling with military. Either side of it is, ensuring that the definition of a demilitarized zone is observed and maintained. Before the advent of DMZs in networking, a DMZ meant an area from which military forces, operations, and installations were prohibited. Essentially, it's a wide empty area that constitutes a border with forces on either side pointing guns into it.
>
> I've always thought the adaptation of the acronym to the world of networking a bit strange. "Oh! We got activity in our networked DMZ! Kill it!" :-)
>
> Cordially yours,
> Jerry G. Young II
> Product Engineer - Senior
> Platform Engineering, Enterprise Hosting
> NTT America, an NTT Communications Company
>
> 22451 Shaw Rd.
> Sterling, VA 20166
>
> Office: 571-434-1319
> Fax: 703-333-6749
> Email: g.young@xxxxxxxx
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> Sent: Sunday, January 14, 2007 7:08 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: RE: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> That's what it means to me too. Can't see the Korean no man's land as qualifying as a DMZ when it's crawling with military.
>
> In this conversation we have to take into consideration that CAS also includes the capability to provide access to folders and files right in OWA. This may be the thing that the Exchange team thinks throws a monkey wrench into the secure deployment of CAS in a DMZ.
>
> ________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
> Sent: Sat 1/13/2007 6:46 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> For me, DMZ means scary place completely untrusted, perimeter network means less scary place trusted to a degree, but strongly controlled
>
> ________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: 12 January 2007 23:51
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> Interesting... Probably a good idea for us to actually articulate what we really mean when we say DMZ.
>
> I guess to some it means "free for all network" but for me, it should be the network where you have the most restrictive policies controlling each service so that it is obvious when malicious traffic hits the wire. Thoughts?
>
> t
>
> On 1/12/07 3:30 PM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all:
>
> That's what I thought, now it's what I know....
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Friday, January 12, 2007 6:35 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> Aside from normal router & switch ACLs, ISA is the single line of defense.
> "..we don't need no stinking DMZs"
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> Sent: Friday, January 12, 2007 12:12 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> Ahh...just had a thought.
>
> It's all labeling.
>
> Jason, and others (not Jason's fault), have been using the term DMZ.
>
> Historically, is the term DMZ not taken literally as being completely firewalled off from the trusted networks, and what Jason is talking about is trusted network segmentation.
>
> I betcha that's why the Exchange team don't support it...they think it's a typical run of the mill DMZ...
>
> Jim, isn't MS's Internal network segmented by using ISA?? Including your mail servers?
>
> S
>
> All mail to and from this domain is GFI-scanned.
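
The monitoring idea from the DMZ part of the thread (keep the list of supported services short, so anything else on the wire stands out), sketched as an added example that is not part of any poster's message. The subnet, the allowlist and the key=value log format are assumptions made up for the illustration.

```python
import ipaddress

# Assumed DMZ subnet and the only services published there (all hypothetical).
DMZ_NET = ipaddress.ip_network("192.0.2.0/28")
ALLOWED = {
    ("192.0.2.5", "tcp", 443),   # reverse-proxied web mail
    ("192.0.2.6", "tcp", 25),    # SMTP relay
}
# Labels for the two red flags mentioned in the thread; the port mapping is ours.
NOTABLE = {110: "POP3 logon traffic",
           139: "NetBIOS session (null-session enumeration path)",
           445: "SMB (null-session enumeration path)"}

# Constructed sample log lines in a made-up key=value format.
SAMPLE_LOG = """\
2007-01-15T15:01:02 src=203.0.113.9 dst=192.0.2.5 proto=tcp dport=443 action=allow
2007-01-15T15:01:07 src=203.0.113.44 dst=192.0.2.6 proto=tcp dport=110 action=allow
2007-01-15T15:02:11 src=10.1.4.20 dst=10.1.9.9 proto=tcp dport=445 action=allow
2007-01-15T15:02:30 src=192.0.2.6 dst=192.0.2.5 proto=tcp dport=139 action=allow
this line is malformed
"""

def parse(line):
    """Return a dict of the key=value fields, or None if the line is unusable."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    try:
        fields["dst_ip"] = ipaddress.ip_address(fields["dst"])
        fields["dport"] = int(fields["dport"])
        fields["ts"] = parts[0]
        return fields if "proto" in fields and "src" in fields else None
    except (KeyError, ValueError):
        return None

def dmz_anomalies(log_text):
    """Flag every flow into the DMZ that the allowlist does not name."""
    alerts = []
    for line in log_text.splitlines():
        f = parse(line)
        if f is None or f["dst_ip"] not in DMZ_NET:
            continue  # unparseable, or not DMZ traffic: out of scope here
        if (f["dst"], f["proto"], f["dport"]) not in ALLOWED:
            why = NOTABLE.get(f["dport"], "service not published in DMZ")
            alerts.append((f["ts"], f["src"], f["dst"], f["dport"], why))
    return alerts

if __name__ == "__main__":
    for alert in dmz_anomalies(SAMPLE_LOG):
        print(alert)
```

The same deny-by-default comparison is impractical on the internal segment the thread describes, because the allowlist there would be too large to make an unexpected flow stand out.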