[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 26 Feb 2007 14:52:41 -0600

How about:

"ISA Firewall Rules!"

Get it? Firewall rules? Like in firewall ruleset? You know, sort of a
double entendre sort of thingie :))

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Monday, February 26, 2007 2:27 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> Ok - it's official - let's get an "ISABlog motto" contest going.
> Basic rules:
> - no derogatory comments about CheckPix or similar (makes the lawyers
> tremble)
> - no marketing spew
> - keep it short (10 words max)
> - must use ISA behavior or feature (like "wpad")
> - should abuse a common phrase (like "does a nautical pimp keep his
> 'oars' in the water?")
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Monday, February 26, 2007 12:23 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> You had me at WPAD? :)
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
>  
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Monday, February 26, 2007 12:26 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > NDA is a completely different point and Amy has it right - non-MS lists
> > are verboten to NDA material.
> > I'm an "odd duck" in this context (for more than one reason - ha! - beat
> > ya to it!), because it's actually a large part of my job to "keep my
> > finger on the pulse", as it were.  This is why you see me doing trips
> > like tech Ready & Black Hat.  Unfortunately, fiscal limitations curtail
> > any further involvement, but such is corporate life.
> > 
> > I agree that the ISA team hasn't exactly kept pace with teams like
> > Exchange (we don't even have a silly motto like "you had me at ehlo"),
> > but it still comes back to the "effort priorities".  I've been working
> > with the right folks to make this a better experience all around
> > (especially for the MVPs), but these things tend to move slowly...
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thor (Hammer of God)
> > Sent: Monday, February 26, 2007 9:54 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > Conflicting info, then.  I was told by a source that non-MSFT lists were
> > poo-poo'ed on for liability and NDA reasons.
> > 
> > And while I totally understand the "bottom line" thinking, it seems like a
> > huge waste to initiate something like the MVP program and to go through
> > all the motions only to do it half-assed.
> > 
> > t
> > 
> > 
> > On 2/26/07 9:35 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> > 
> > > In fact, ISA product team members are strongly encouraged to
> > > participate in lists, NG, blogs and all other manner of public
> > > communication efforts.
> > > The sad fact is; the time available for such endeavors is woefully
> > > small.
> > > MS, like many profit-making businesses, operates with the smallest
> > > teams required to produce product "X".
> > > Unfortunately, with software engineering being what it is, and the
> > > pressures of the marketing "old boy club", the teams are too small to
> > > cover all the "nice to do" bases and still leave folks time for
> > > themselves.
> > > 
> > > 
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Thor (Hammer of God)
> > > Sent: Monday, February 26, 2007 9:07 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > 
> > > I never really saw much from the PM's over there- just that one stint
> > > about SQL logging, and to be honest, there wasn't much valuable
> > > content sourced from the MSFT side... In fact, as I understand it,
> > > the PM and product support people (other than Jim) are apparently
> > > not pushed to participate (and may be asked not to) because of the
> > > fact that it is NOT an official MSFT site, and that NDA and product
> > > liability may be an issue.
> > > 
> > > I'm going to draft up a "suggestions for the MVP program" and submit
> > > them to the powers that be, just so that things like this can be
> > > addressed.
> > > 
> > > t
> > > 
> > > 
> > > On 2/26/07 8:50 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh
> > > to all:
> > > 
> > > It's been a real problem for the ISA PG to work with the ISA MVPs,
> > > because they think that the ISA MVPs are still involved with the ISA
> > > MVP mailing list. I explained to them that because of "issues" with
> > > that list that there was less than optimal participation and that they
> > > needed to get a MS managed solution. At the very least, they could
> > > create their own DL and send mail to people on that list. I hate
> > > missing out on the ISA PGs communications on that "other" list, but
> > > my life is so much better not having to listen to the ****** that
> > > happens over there.
> > > 
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- Microsoft Firewalls (ISA)
> > > 
> > > ________________________________
> > > 
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > Sent: Monday, February 26, 2007 8:56 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > 
> > > 
> > > I spoke with Melissa Travers, the MVP Lead for both ISA and Exchange,
> > > and she said the Exchange group's MVP site was really, really good,
> > > and that the Exchange group themselves is quite active. Being they
> > > are the Exchange group, I can see why they would have a decent
> > > portal. ;)
> > > 
> > > I suggested that if there were a single sourced, Microsoft controlled
> > > MVP site where we could "browse through" other MVP list content, that
> > > issues like this (the perceptions surrounding what Exchange will and
> > > won't support and why) would be much easier to manage, and that "the
> > > right people" from both sides could engage each other in a positive
> > > way when two technologies collide like this.  To me, this is a major
> > > shortcoming in the MVP program overall.  Given the fact that the MVP
> > > program was created in order to provide a collaborative environment
> > > for various technologies, it seems like a horrible waste of a perfect
> > > opportunity to expand that environment out to the MVP's and product
> > > teams in other product competencies.  The fate of the ISA-MVP list is
> > > testament to that.
> > > 
> > > So, in the absence of a coordinated effort on Microsoft's part to wrap
> > > its collective arms around the MVP's and product teams, I'll see if I
> > > can get on the Exchange MVP list and begin a dialog of exactly what is
> > > going on here.  But I'll need to get immersed in Ex2007 first, which
> > > I've just not had the time to do.  The promise of true unified
> > > messaging in 2007 was a major draw to me, but given the apparent
> > > narrow PBX support and lack of official functionality documentation,
> > > the rush to explore has lost its luster.
> > > 
> > > t
> > > 
> > > 
> > > On 2/26/07 6:02 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> > > 
> > > Documentation always follows the product, which is barely on the
> > > streets.
> > > I've seen some regarding WM6, but the basic concepts are the same.
> > > ..coming soon to a website near you...
> > > 
> > > 
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Monday, February 26, 2007 3:31 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > 
> > > Hi All,
> > > 
> > > Anyone (Tim?) had chance to look at the least privilege approach with
> > > Exchange 2007 yet?
> > > 
> > > From what I am hearing the "CAS not supported in perimeter" statement
> > > is based more on "we haven't tested it yet" more than "we don't think
> > > it is a good idea".
> > > 
> > > I have a few customers looking at placing the entire Exchange
> > > architecture behind ISA (very untrusted LANs) - I have done this with
> > > Exch2k3, but has anyone looked at this for Exch2k7?
> > > 
> > > I am guessing this is not supported either, but documentation is very
> > > thin on the ground with reference to 2k7 and perimeter networking....
> > > 
> > > Cheers
> > > 
> > > JJ
> > > 
> > > ________________________________
> > > 
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > Sent: 15 January 2007 15:27
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > 
> > > Right you are...  The analogy fits when you use "comparative logic" as
> > > opposed to just thinking of the zone in singularity... Compared to the
> > > areas on either side of the DMZ, it should be easy to discern any
> > > activity at all in the DMZ itself- particularly hostile activities.
> > > There are strict policies about what can go on in the Korean DMZ, as
> > > there should be in one's network DMZ.  Internet traffic is chaotic,
> > > and I don't even bother trying to determine what is going on out on my
> > > Internet segment- I can't control it anyway (other than my policy of
> > > implementing router ACL's to match inbound/outbound traffic policies
> > > at my border router).  Internal traffic isn't chaotic, but it is hard
> > > to monitor for "hostile" packets given the sheer volume and type of
> > > traffic being generated by internal users, servers, services, etc to
> > > any number of different hosts and clients.  But in the DMZ, you should
> > > be able to immediately notice when something out of the ordinary is
> > > going on.  For instance, if I see POP3 logon traffic, I know something
> > > is FUBAR, as I don't support POP3 in my DMZ at all.  If I see modal
> > > enumeration by way of a null session, I know something is going on.
> > > And etc, etc.
> > > 
> > > So, to me, it fits, and that is the term I choose to use.  I won't be
> > > changing ;)
> > > 
> > > t
> > > 
> > > 
> > > On 1/15/07 6:40 AM, "Gerald G. Young" <g.young@xxxxxxxx> spoketh to
> > > all:
> > > 
> > > The DMZ in Korea itself isn't crawling with military.  Either side of
> > > it is, ensuring that the definition of a demilitarized zone is
> > > observed and maintained.  Before the advent of DMZs in networking, a
> > > DMZ meant an area from which military forces, operations, and
> > > installations were prohibited.  Essentially, it's a wide empty area
> > > that constitutes a border with forces on either side pointing guns
> > > into it.
> > > 
> > > I've always thought the adaptation of the acronym to the world of
> > > networking a bit strange.  "Oh!  We got activity in our networked
> > > DMZ!  Kill it!"  :-)
> > > 
> > > Cordially yours,
> > > Jerry G. Young II
> > > Product Engineer - Senior
> > > Platform Engineering, Enterprise Hosting
> > > NTT America, an NTT Communications Company
> > > 
> > > 22451 Shaw Rd.
> > > Sterling, VA 20166
> > > 
> > > Office: 571-434-1319
> > > Fax: 703-333-6749
> > > Email: g.young@xxxxxxxx
> > > 
> > > 
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > > Sent: Sunday, January 14, 2007 7:08 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: RE: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > 
> > > That's what it means to me too. Can't see the Korean no mans' land as
> > > qualifying as a DMZ when it's crawling with military.
> > > 
> > > In this conversation we have to take into consideration that CAS also
> > > includes the capability to provide access to folders and files right
> > > in OWA. This may be the thing that the Exchange team thinks throws a
> > > monkey wrench into the secure deployment of CAS in a DMZ.
> > > 
> > > ________________________________
> > > 
> > > From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
> > > Sent: Sat 1/13/2007 6:46 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > 
> > > For me, DMZ means scary place completely untrusted, perimeter network
> > > means less scary place trusted to a degree, but strongly controlled
> > > 
> > > ________________________________
> > > 
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > Sent: 12 January 2007 23:51
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > 
> > > Interesting... Probably a good idea for us to actually articulate what
> > > we really mean when we say DMZ.
> > > 
> > > I guess to some it means "free for all network" but for me, it should
> > > be the network where you have the most restrictive policies
> > > controlling each service so that it is obvious when malicious traffic
> > > hits the wire.  Thoughts?
> > > t
> > > 
> > > 
> > > On 1/12/07 3:30 PM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all:
> > > 
> > > That's what I thought, now it's what I know....
> > > 
> > > 
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Friday, January 12, 2007 6:35 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > 
> > > Aside from normal router & switch ACLs, ISA is the single line of
> > > defense.
> > > "..we don't need no stinking DMZs"
> > > 
> > > 
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> > > Sent: Friday, January 12, 2007 12:12 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > 
> > > Ahh...just had a thought.
> > > 
> > > It's all labeling.
> > > 
> > > Jason, and others (not Jason's fault), have been using the term DMZ.
> > > 
> > > Historically, is the term DMZ not taken literally as being completely
> > > firewalled off from the trusted networks, and what Jason is talking
> > > about is trusted network segmentation.
> > > 
> > > I betcha that's why the Exchange team don't support it...they think
> > > it's a typical run of the mill DMZ...
> > > 
> > > Jim, isn't MS's Internal network segmented by using ISA?? Including
> > > your mail servers?
> > > 
> > > S
> > > 
> > > All mail to and from this domain is GFI-scanned.
> > > 
> 
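The point Thor makes in the 15 January message above, that a DMZ governed by a tight positive policy makes any unexpected traffic (a POP3 logon, a null-session enumeration attempt) stand out on its own, together with Jason's "least privilege approach" question, can be turned into a small detection pass over firewall logs. The following is an added example and is not code from the thread, from ISA Server or from any product named in it; the log format, the addresses, the published host and the DMZ policy are all constructed for illustration.

```python
"""Positive-policy anomaly detection for a DMZ segment.

Added example (not code from the isapros thread). The DMZ is modelled as
a short allow-list of the services that are *supposed* to be used there;
every flow touching the DMZ that is not on that list is reported, whether
or not the firewall already blocked it. Log format and sample lines are
constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed log format (hypothetical, not an ISA log format):
#   <time> <src_ip> <dst_ip> <proto> <dst_port> <action>
SAMPLE_LOG = """\
2007-01-15T06:41:02 203.0.113.7 192.0.2.10 tcp 443 allow
2007-01-15T06:41:05 203.0.113.7 192.0.2.10 tcp 80 allow
2007-01-15T06:42:11 203.0.113.9 192.0.2.10 tcp 110 allow
2007-01-15T06:42:30 192.0.2.10 10.0.0.5 tcp 25 allow
2007-01-15T06:43:01 203.0.113.12 192.0.2.10 tcp 445 deny
2007-01-15T06:43:07 192.0.2.10 10.0.0.6 tcp 389 allow
"""

# Assumed DMZ membership and policy (constructed): 192.0.2.10 is the
# published front end; everything the DMZ is meant to do is listed here.
DMZ_HOSTS = {"192.0.2.10"}
EXPECTED: Dict[Tuple[str, str, int], str] = {
    # (dst_ip, proto, dst_port): what the policy says this is
    ("192.0.2.10", "tcp", 443): "HTTPS to the published web front end",
    ("192.0.2.10", "tcp", 80): "HTTP redirect to HTTPS",
    ("10.0.0.5", "tcp", 25): "SMTP relay from the DMZ to internal mail",
}

# Services the policy author has explicitly ruled out of the DMZ, so that
# a hit can be labelled instead of just reported as "unlisted".
KNOWN_UNWANTED: Dict[int, str] = {
    110: "POP3 (not offered in this DMZ)",
    995: "POP3S (not offered in this DMZ)",
    445: "SMB (null-session / enumeration attempt)",
    139: "NetBIOS session (not offered in this DMZ)",
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    action: str


def parse(lines: Iterable[str]) -> List[Flow]:
    """Parse the constructed log format; blank lines are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, proto, port, action = line.split()
        flows.append(Flow(ts, src, dst, proto.lower(), int(port), action))
    return flows


def audit(flows: Iterable[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) for every DMZ flow the policy does not expect."""
    findings = []
    for f in flows:
        if f.src not in DMZ_HOSTS and f.dst not in DMZ_HOSTS:
            continue  # does not touch the DMZ; out of scope here
        if (f.dst, f.proto, f.dport) in EXPECTED:
            continue  # exactly what the policy says should happen
        reason = KNOWN_UNWANTED.get(f.dport, "not in DMZ policy")
        if f.action == "deny":
            # Already blocked, but someone tried: still worth a look.
            reason += " (blocked by firewall)"
        findings.append((f, reason))
    return findings


if __name__ == "__main__":
    for flow, reason in audit(parse(SAMPLE_LOG.splitlines())):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} "
              f"[{flow.action}] {reason}")
```

Run as a script it reports three of the six sample flows: the POP3 logon that was allowed through, the SMB attempt that the firewall denied, and an LDAP connection from the DMZ host to an internal address that nobody wrote into the policy. The last one is the interesting case: it may be perfectly legitimate, but the policy did not say so, and in a DMZ that gap is the finding.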
