I caught a CARP, this big! (extends arms)

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
Sent: 26 February 2007 20:41
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Go Ahead, It's Filtered

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Monday, February 26, 2007 3:27 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Ok - it's official - let's get an "ISABlog motto" contest going.
Basic rules:
- no derogatory comments about CheckPix or similar (makes the lawyers tremble)
- no marketing spew
- keep it short (10 words max)
- must use ISA behavior or feature (like "wpad")
- should abuse a common phrase (like "does a nautical pimp keep his 'oars' in the water?")

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Monday, February 26, 2007 12:23 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

You had me at WPAD? :)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Monday, February 26, 2007 12:26 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> NDA is a completely different point and Amy has it right - non-MS lists are verboten to NDA material.
> I'm an "odd duck" in this context (for more than one reason - ha! - beat ya to it!), because it's actually a large part of my job to "keep my finger on the pulse", as it were. This is why you see me doing trips like Tech Ready & Black Hat. Unfortunately, fiscal limitations curtail any further involvement, but such is corporate life.
>
> I agree that the ISA team hasn't exactly kept pace with teams like Exchange (we don't even have a silly motto like "you had me at ehlo"), but it still comes back to the "effort priorities". I've been working with the right folks to make this a better experience all around (especially for the MVPs), but these things tend to move slowly...
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Monday, February 26, 2007 9:54 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> Conflicting info, then. I was told by a source that non-MSFT lists were poo-poo'ed on for liability and NDA reasons.
>
> And while I totally understand the "bottom line" thinking, it seems like a huge waste to initiate something like the MVP program and to go through all the motions only to do it half-assed.
>
> t
>
> On 2/26/07 9:35 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>
> > In fact, ISA product team members are strongly encouraged to participate in lists, NG, blogs and all other manner of public communication efforts.
> > The sad fact is; the time available for such endeavors is woefully small.
> > MS, like many profit-making businesses, operates with the smallest teams required to produce product "X".
> > Unfortunately, with software engineering being what it is, and the pressures of the marketing "old boy club", the teams are too small to cover all the "nice to do" bases and still leave folks time for themselves.
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Monday, February 26, 2007 9:07 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> >
> > I never really saw much from the PMs over there - just that one stint about SQL logging, and to be honest, there wasn't much valuable content sourced from the MSFT side... In fact, as I understand it, the PM and product support people (other than Jim) are apparently not pushed to participate (and may be asked not to) because of the fact that it is NOT an official MSFT site, and that NDA and product liability may be an issue.
> >
> > I'm going to draft up a "suggestions for the MVP program" and submit them to the powers that be, just so that things like this can be addressed.
> >
> > t
> >
> > On 2/26/07 8:50 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
> >
> > It's been a real problem for the ISA PG to work with the ISA MVPs, because they think that the ISA MVPs are still involved with the ISA MVP mailing list. I explained to them that because of "issues" with that list there was less than optimal participation and that they needed to get a MS managed solution. At the very least, they could create their own DL and send mail to people on that list. I hate missing out on the ISA PG's communications on that "other" list, but my life is so much better not having to listen to the ****** that happens over there.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Monday, February 26, 2007 8:56 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> >
> > I spoke with Melissa Travers, the MVP Lead for both ISA and Exchange, and she said the Exchange group's MVP site was really, really good, and that the Exchange group themselves are quite active. Being they are the Exchange group, I can see why they would have a decent portal. ;)
> >
> > I suggested that if there were a single sourced, Microsoft controlled MVP site where we could "browse through" other MVP list content, that issues like this (the perceptions surrounding what Exchange will and won't support and why) would be much easier to manage, and that "the right people" from both sides could engage each other in a positive way when two technologies collide like this. To me, this is a major shortcoming in the MVP program overall. Given the fact that the MVP program was created in order to provide a collaborative environment for various technologies, it seems like a horrible waste of a perfect opportunity to expand that environment out to the MVPs and product teams in other product competencies. The fate of the ISA-MVP list is testament to that.
> >
> > So, in the absence of a coordinated effort on Microsoft's part to wrap its collective arms around the MVPs and product teams, I'll see if I can get on the Exchange MVP list and begin a dialog of exactly what is going on here. But I'll need to get immersed in Ex2007 first, which I've just not had the time to do. The promise of true unified messaging in 2007 was a major draw to me, but given the apparent narrow PBX support and lack of official functionality documentation, the rush to explore has lost its luster.
> >
> > t
> >
> > On 2/26/07 6:02 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> >
> > Documentation always follows the product, which is barely on the streets.
> > I've seen some regarding WM6, but the basic concepts are the same.
> > ..coming soon to a website near you...
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Monday, February 26, 2007 3:31 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> >
> > Hi All,
> >
> > Anyone (Tim?) had chance to look at the least privilege approach with Exchange 2007 yet?
> >
> > From what I am hearing the "CAS not supported in perimeter" statement is based more on "we haven't tested it yet" than "we don't think it is a good idea".
> >
> > I have a few customers looking at placing the entire Exchange architecture behind ISA (very untrusted LANs) - I have done this with Exch2k3, but has anyone looked at this for Exch2k7?
> >
> > I am guessing this is not supported either, but documentation is very thin on the ground with reference to 2k7 and perimeter networking....
> >
> > Cheers
> >
> > JJ
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: 15 January 2007 15:27
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> >
> > Right you are... The analogy fits when you use "comparative logic" as opposed to just thinking of the zone in singularity... Compared to the areas on either side of the DMZ, it should be easy to discern any activity at all in the DMZ itself - particularly hostile activities. There are strict policies about what can go on in the Korean DMZ, as there should be in one's network DMZ. Internet traffic is chaotic, and I don't even bother trying to determine what is going on out on my Internet segment - I can't control it anyway (other than my policy of implementing router ACLs to match inbound/outbound traffic policies at my border router). Internal traffic isn't chaotic, but it is hard to monitor for "hostile" packets given the sheer volume and type of traffic being generated by internal users, servers, services, etc to any number of different hosts and clients. But in the DMZ, you should be able to immediately notice when something out of the ordinary is going on. For instance, if I see POP3 logon traffic, I know something is FUBAR, as I don't support POP3 in my DMZ at all. If I see modal enumeration by way of a null session, I know something is going on. And etc, etc.
> >
> > So, to me, it fits, and that is the term I choose to use. I won't be changing ;)
> >
> > t
> >
> > On 1/15/07 6:40 AM, "Gerald G. Young" <g.young@xxxxxxxx> spoketh to all:
> >
> > The DMZ in Korea itself isn't crawling with military. Either side of it is, ensuring that the definition of a demilitarized zone is observed and maintained. Before the advent of DMZs in networking, a DMZ meant an area from which military forces, operations, and installations were prohibited. Essentially, it's a wide empty area that constitutes a border with forces on either side pointing guns into it.
> >
> > I've always thought the adaptation of the acronym to the world of networking a bit strange. "Oh! We got activity in our networked DMZ! Kill it!" :-)
> >
> > Cordially yours,
> > Jerry G. Young II
> > Product Engineer - Senior
> > Platform Engineering, Enterprise Hosting
> > NTT America, an NTT Communications Company
> >
> > 22451 Shaw Rd.
> > Sterling, VA 20166
> >
> > Office: 571-434-1319
> > Fax: 703-333-6749
> > Email: g.young@xxxxxxxx
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > Sent: Sunday, January 14, 2007 7:08 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: RE: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> >
> > That's what it means to me too. Can't see the Korean no man's land as qualifying as a DMZ when it's crawling with military.
> >
> > In this conversation we have to take into consideration that CAS also includes the capability to provide access to folders and files right in OWA. This may be the thing that the Exchange team thinks throws a monkey wrench into the secure deployment of CAS in a DMZ.
> >
> > From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
> > Sent: Sat 1/13/2007 6:46 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> >
> > For me, DMZ means scary place completely untrusted, perimeter network means less scary place trusted to a degree, but strongly controlled.
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: 12 January 2007 23:51
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> >
> > Interesting... Probably a good idea for us to actually articulate what we really mean when we say DMZ.
> >
> > I guess to some it means "free for all network" but for me, it should be the network where you have the most restrictive policies controlling each service so that it is obvious when malicious traffic hits the wire. Thoughts?
> >
> > t
> >
> > On 1/12/07 3:30 PM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all:
> >
> > That's what I thought, now it's what I know....
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Friday, January 12, 2007 6:35 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> >
> > Aside from normal router & switch ACLs, ISA is the single line of defense.
> > "..we don't need no stinking DMZs"
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> > Sent: Friday, January 12, 2007 12:12 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> >
> > Ahh...just had a thought.
> >
> > It's all labeling.
> >
> > Jason, and others (not Jason's fault), have been using the term DMZ.
> >
> > Historically, is the term DMZ not taken literally as being completely firewalled off from the trusted networks, and what Jason is talking about is trusted network segmentation?
> >
> > I betcha that's why the Exchange team don't support it...they think it's a typical run of the mill DMZ...
> >
> > Jim, isn't MS's internal network segmented by using ISA?? Including your mail servers?
> >
> > S
> >
> > All mail to and from this domain is GFI-scanned.
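Thor's argument in the 15 January message (a DMZ should carry such a tight per-service policy that anything off-policy, a POP3 logon or a null-session enumeration, stands out at once) is the kind of thing that is easy to turn into detection logic. The block below is an added example, not code from the thread, from ISA Server or from any of the participants. It assumes a 192.168.100.0/24 perimeter segment, a two-entry inbound policy (published OWA/CAS on 443, an edge SMTP relay on 25), one permitted outbound flow from the relay to an internal hub on 10.0.0.5, and a simplified tab-separated firewall log; none of that comes from the thread, and the log format is not the ISA W3C format.

```python
"""Flag flows that touch the perimeter (DMZ) segment but fall outside its
explicit service policy. Added example; addressing, policy and log format
are assumptions, not ISA Server behaviour or real ISA log output."""
import ipaddress
from collections import namedtuple

# Assumed addressing: the perimeter segment and the internal hub transport
# server that the edge relay is allowed to forward mail to.
DMZ = ipaddress.ip_network("192.168.100.0/24")
INTERNAL_HUB = "10.0.0.5"

# Inbound policy: the only (dst host, proto, dst port) tuples that may be
# reached on DMZ hosts. Everything else arriving on the segment is off-policy.
DMZ_INBOUND = {
    ("192.168.100.10", "tcp", 443): "OWA/CAS published through ISA",
    ("192.168.100.20", "tcp", 25): "SMTP to the edge relay",
}

# Outbound policy: the only flows a DMZ host may initiate. A perimeter host
# starting anything else (e.g. SMB into the internal network) is a strong
# sign it has been compromised.
DMZ_OUTBOUND = {
    ("192.168.100.20", INTERNAL_HUB, "tcp", 25): "relay forwarding mail to the hub",
}

# Names for ports that should never appear in a DMZ that does not offer them.
PORT_NAMES = {110: "POP3", 139: "NetBIOS session", 445: "SMB"}

Flow = namedtuple("Flow", "ts src dst proto port action")


def parse_line(line):
    """Parse one tab-separated record: ts, src, dst, proto, dst port, action."""
    ts, src, dst, proto, port, action = line.rstrip("\n").split("\t")
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(port), action.lower())


def service_label(flow):
    name = PORT_NAMES.get(flow.port)
    return f"{name} ({flow.proto}/{flow.port})" if name else f"{flow.proto}/{flow.port}"


def classify(flow):
    """Return None if the flow is in policy or never touches the DMZ,
    otherwise a reason string saying why it deserves a look."""
    if flow.dst in DMZ:
        if (str(flow.dst), flow.proto, flow.port) in DMZ_INBOUND:
            return None
        # Denied flows still count: a probe at a service the DMZ does not
        # offer is exactly the "out of the ordinary" event worth noticing.
        return (f"{service_label(flow)} from {flow.src} to DMZ host {flow.dst} "
                f"is not in policy (firewall {flow.action} it)")
    if flow.src in DMZ:
        if (str(flow.src), str(flow.dst), flow.proto, flow.port) in DMZ_OUTBOUND:
            return None
        return (f"DMZ host {flow.src} initiated {service_label(flow)} to {flow.dst}, "
                f"which no policy permits (firewall {flow.action} it)")
    return None  # does not touch the perimeter segment at all


def find_anomalies(lines):
    """Run classify() over raw log lines, skipping comments and blank lines."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_line(line)
        reason = classify(flow)
        if reason:
            hits.append((flow.ts, reason))
    return hits


# Constructed sample log lines, not real firewall output.
SAMPLE_LOG = [
    "# ts\tsrc\tdst\tproto\tdport\taction",
    "2007-02-26T10:00:01\t203.0.113.5\t192.168.100.10\ttcp\t443\tallowed",
    "2007-02-26T10:00:02\t203.0.113.7\t192.168.100.20\ttcp\t25\tallowed",
    "2007-02-26T10:00:03\t203.0.113.9\t192.168.100.10\ttcp\t110\tallowed",
    "2007-02-26T10:00:04\t192.168.100.20\t10.0.0.5\ttcp\t25\tallowed",
    "2007-02-26T10:00:05\t203.0.113.11\t192.168.100.10\ttcp\t445\tdenied",
    "2007-02-26T10:00:06\t192.168.100.10\t10.0.0.5\ttcp\t445\tallowed",
    "2007-02-26T10:00:07\t10.0.0.7\t10.0.0.8\ttcp\t445\tallowed",
]

if __name__ == "__main__":
    for ts, reason in find_anomalies(SAMPLE_LOG):
        print(ts, reason)
```

Three of the seven sample flows are reported: the POP3 logon that the segment never offers, the denied SMB probe (denied traffic is still a signal here, because nothing legitimate should be knocking on 445 in this segment), and the published OWA host opening SMB towards the internal network, which no outbound rule permits. The internal-to-internal SMB flow on the last line is ignored on purpose: it is the kind of noise Thor describes on the internal segment, and the allowlist approach only works because the perimeter policy is small enough to enumerate.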