How about:

"ISA Firewall Rules!"

Get it? Firewall rules? Like in firewall ruleset? You know, sort of a double entendre sort of thingie :))

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Monday, February 26, 2007 2:27 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> Ok - it's official - let's get an "ISABlog motto" contest going.
> Basic rules:
> - no derogatory comments about CheckPix or similar (makes the lawyers tremble)
> - no marketing spew
> - keep it short (10 words max)
> - must use ISA behavior or feature (like "wpad")
> - should abuse a common phrase (like "does a nautical pimp keep his 'oars' in the water?")
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Monday, February 26, 2007 12:23 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> You had me at WPAD? :)
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Monday, February 26, 2007 12:26 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> >
> > NDA is a completely different point and Amy has it right - non-MS lists are verboten to NDA material.
> > I'm an "odd duck" in this context (for more than one reason - ha! - beat ya to it!), because it's actually a large part of my job to "keep my finger on the pulse", as it were. This is why you see me doing trips like tech Ready & Black Hat. Unfortunately, fiscal limitations curtail any further involvement, but such is corporate life.
> >
> > I agree that the ISA team hasn't exactly kept pace with teams like Exchange (we don't even have a silly motto like "you had me at ehlo"), but it still comes back to the "effort priorities". I've been working with the right folks to make this a better experience all around (especially for the MVPs), but these things tend to move slowly...
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Monday, February 26, 2007 9:54 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> >
> > Conflicting info, then. I was told by a source that non-MSFT lists were poo-poo'ed on for liability and NDA reasons.
> >
> > And while I totally understand the "bottom line" thinking, it seems like a huge waste to initiate something like the MVP program and to go through all the motions only to do it half-assed.
> >
> > t
> >
> > On 2/26/07 9:35 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> >
> > > In fact, ISA product team members are strongly encouraged to participate in lists, NG, blogs and all other manner of public communication efforts.
> > > The sad fact is; the time available for such endeavors is woefully small.
> > > MS, like many profit-making businesses, operates with the smallest teams required to produce product "X".
> > > Unfortunately, with software engineering being what it is, and the pressures of the marketing "old boy club", the teams are too small to cover all the "nice to do" bases and still leave folks time for themselves.
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > Sent: Monday, February 26, 2007 9:07 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > >
> > > I never really saw much from the PM's over there- just that one stint about SQL logging, and to be honest, there wasn't much valuable content sourced from the MSFT side... In fact, as I understand it, the PM and product support people (other than Jim) are apparently not pushed to participate (and may be asked not to) because of the fact that it is NOT an official MSFT site, and that NDA and product liability may be an issue.
> > >
> > > I'm going to draft up a "suggestions for the MVP program" and submit them to the powers that be, just so that things like this can be addressed.
> > >
> > > t
> > >
> > > On 2/26/07 8:50 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
> > >
> > > It's been a real problem for the ISA PG to work with the ISA MVPs, because they think that the ISA MVPs are still involved with the ISA MVP mailing list. I explained to them that because of "issues" with that list that there was less than optimal participation and that they needed to get a MS managed solution. At the very least, they could create their own DL and send mail to people on that list. I hate missing out on the ISA PGs communications on that "other" list, but my life is so much better not having to listen to the ****** that happens over there.
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- Microsoft Firewalls (ISA)
> > >
> > > ________________________________
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > Sent: Monday, February 26, 2007 8:56 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > >
> > > I spoke with Melissa Travers, the MVP Lead for both ISA and Exchange, and she said the Exchange group's MVP site was really, really good, and that the Exchange group themselves is quite active. Being they are the Exchange group, I can see why they would have a decent portal. ;)
> > >
> > > I suggested that if there were a single sourced, Microsoft controlled MVP site where we could "browse through" other MVP list content, that issues like this (the perceptions surrounding what Exchange will and won't support and why) would be much easier to manage, and that "the right people" from both sides could engage each other in a positive way when two technologies collide like this. To me, this is a major shortcoming in the MVP program overall. Given the fact that the MVP program was created in order to provide a collaborative environment for various technologies, it seems like a horrible waste of a perfect opportunity to expand that environment out to the MVP's and product teams in other product competencies. The fate of the ISA-MVP list is testament to that.
> > >
> > > So, in the absence of a coordinated effort on Microsoft's part to wrap its collective arms around the MVP's and product teams, I'll see if I can get on the Exchange MVP list and begin a dialog of exactly what is going on here. But I'll need to get immersed in Ex2007 first, which I've just not had the time to do. The promise of true unified messaging in 2007 was a major draw to me, but given the apparent narrow PBX support and lack of official functionality documentation, the rush to explore has lost its luster.
> > >
> > > t
> > >
> > > On 2/26/07 6:02 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> > >
> > > Documentation always follows the product, which is barely on the streets.
> > > I've seen some regarding WM6, but the basic concepts are the same.
> > > ..coming soon to a website near you...
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Monday, February 26, 2007 3:31 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > >
> > > Hi All,
> > >
> > > Anyone (Tim?) had chance to look at the least privilege approach with Exchange 2007 yet?
> > >
> > > From what I am hearing the "CAS not supported in perimeter" statement is based more on "we haven't tested it yet" more than "we don't think it is a good idea".
> > >
> > > I have a few customers looking at placing the entire Exchange architecture behind ISA (very untrusted LANs) - I have done this with Exch2k3, but has anyone looked at this for Exch2k7?
> > >
> > > I am guessing this is not supported either, but documentation is very thin on the ground with reference to 2k7 and perimeter networking....
> > >
> > > Cheers
> > >
> > > JJ
> > >
> > > ________________________________
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > Sent: 15 January 2007 15:27
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > >
> > > Right you are... The analogy fits when you use "comparative logic" as opposed to just thinking of the zone in singularity... Compared to the areas on either side of the DMZ, it should be easy to discern any activity at all in the DMZ itself- particularly hostile activities. There are strict policies about what can go on in the Korean DMZ, as there should be in one's network DMZ. Internet traffic is chaotic, and I don't even bother trying to determine what is going on out on my Internet segment- I can't control it anyway (other than my policy of implementing router ACL's to match inbound/outbound traffic policies at my border router). Internal traffic isn't chaotic, but it is hard to monitor for "hostile" packets given the sheer volume and type of traffic being generated by internal users, servers, services, etc to any number of different hosts and clients. But in the DMZ, you should be able to immediately notice when something out of the ordinary is going on. For instance, if I see POP3 logon traffic, I know something is FUBAR, as I don't support POP3 in my DMZ at all. If I see modal enumeration by way of a null session, I know something is going on. And etc, etc.
> > >
> > > So, to me, it fits, and that is the term I choose to use. I won't be changing ;)
> > >
> > > t
> > >
> > > On 1/15/07 6:40 AM, "Gerald G. Young" <g.young@xxxxxxxx> spoketh to all:
> > >
> > > The DMZ in Korea itself isn't crawling with military. Either side of it is, ensuring that the definition of a demilitarized zone is observed and maintained. Before the advent of DMZs in networking, a DMZ meant an area from which military forces, operations, and installations were prohibited. Essentially, it's a wide empty area that constitutes a border with forces on either side pointing guns into it.
> > >
> > > I've always thought the adaptation of the acronym to the world of networking a bit strange. "Oh! We got activity in our networked DMZ! Kill it!" :-)
> > >
> > > Cordially yours,
> > > Jerry G. Young II
> > > Product Engineer - Senior
> > > Platform Engineering, Enterprise Hosting
> > > NTT America, an NTT Communications Company
> > >
> > > 22451 Shaw Rd.
> > > Sterling, VA 20166
> > >
> > > Office: 571-434-1319
> > > Fax: 703-333-6749
> > > Email: g.young@xxxxxxxx
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > > Sent: Sunday, January 14, 2007 7:08 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: RE: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > >
> > > That's what it means to me too. Can't see the Korean no man's land as qualifying as a DMZ when it's crawling with military.
> > >
> > > In this conversation we have to take into consideration that CAS also includes the capability to provide access to folders and files right in OWA. This may be the thing that the Exchange team thinks throws a monkey wrench into the secure deployment of CAS in a DMZ.
> > >
> > > ________________________________
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
> > > Sent: Sat 1/13/2007 6:46 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > >
> > > For me, DMZ means scary place completely untrusted, perimeter network means less scary place trusted to a degree, but strongly controlled
> > >
> > > ________________________________
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > Sent: 12 January 2007 23:51
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > >
> > > Interesting... Probably a good idea for us to actually articulate what we really mean when we say DMZ.
> > >
> > > I guess to some it means "free for all network" but for me, it should be the network where you have the most restrictive policies controlling each service so that it is obvious when malicious traffic hits the wire. Thoughts?
> > >
> > > t
> > >
> > > On 1/12/07 3:30 PM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all:
> > >
> > > That's what I thought, now it's what I know....
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Friday, January 12, 2007 6:35 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > >
> > > Aside from normal router & switch ACLs, ISA is the single line of defense.
> > > "..we don't need no stinking DMZs"
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> > > Sent: Friday, January 12, 2007 12:12 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > >
> > > Ahh...just had a thought.
> > >
> > > It's all labeling.
> > >
> > > Jason, and others (not Jason's fault), have been using the term DMZ.
> > >
> > > Historically, is the term DMZ not taken literally as being completely firewalled off from the trusted networks, and what Jason is talking about is trusted network segmentation.
> > >
> > > I betcha that's why the Exchange team don't support it...they think it's a typical run of the mill DMZ...
> > >
> > > Jim, isn't MS's Internal network segmented by using ISA?? Including your mail servers?
> > >
> > > S
> > >
> > > All mail to and from this domain is GFI-scanned.