[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Gerald G. Young" <g.young@xxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 26 Feb 2007 16:35:03 -0500

One Firewall to rule them all.
One Firewall to find them.
One Firewall to bridge them all and in the ether block them.

Cordially yours,
Jerry G. Young II
Application Engineer, Platform Engineering and Architecture
NTT America, an NTT Communications Company

22451 Shaw Rd.
Sterling, VA 20166

Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jason Jones
Sent: Monday, February 26, 2007 4:15 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

I caught a CARP, this big! (extends arms)

 
-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: 26 February 2007 20:41
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Go Ahead, It's Filtered

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Monday, February 26, 2007 3:27 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Ok - it's official - let's get an "ISABlog motto" contest going.
Basic rules:
- no derogatory comments about CheckPix or similar (makes the lawyers
tremble)
- no marketing spew
- keep it short (10 words max)
- must use ISA behavior or feature (like "wpad")
- should abuse a common phrase (like "does a nautical pimp keep his
'oars' in the water?")

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Monday, February 26, 2007 12:23 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

You had me at WPAD? :)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Monday, February 26, 2007 12:26 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> NDA is a completely different point and Amy has it right - non-MS
> lists are verboten to NDA material.
> I'm an "odd duck" in this context (for more than one reason - ha! -
> beat ya to it!), because it's actually a large part of my job to "keep
> my finger on the pulse", as it were.  This is why you see me doing
> trips like Tech Ready & Black Hat.  Unfortunately, fiscal limitations
> curtail any further involvement, but such is corporate life.
> 
> I agree that the ISA team hasn't exactly kept pace with teams like
> Exchange (we don't even have a silly motto like "you had me at ehlo"),
> but it still comes back to the "effort priorities".  I've been working
> with the right folks to make this a better experience all around
> (especially for the MVPs), but these things tend to move slowly...
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thor (Hammer of God)
> Sent: Monday, February 26, 2007 9:54 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> Conflicting info, then.  I was told by a source that non-MSFT lists
> were pooh-poohed for liability and NDA reasons.
> 
> And while I totally understand the "bottom line" thinking, it seems
> like a huge waste to initiate something like the MVP program and to go
> through all the motions only to do it half-assed.
> 
> t
> 
> 
> On 2/26/07 9:35 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> 
> > In fact, ISA product team members are strongly encouraged to
> > participate in lists, NG, blogs and all other manner of public
> > communication efforts.
> > The sad fact is: the time available for such endeavors is woefully
> > small.
> > MS, like many profit-making businesses, operates with the smallest
> > teams required to produce product "X".
> > Unfortunately, with software engineering being what it is, and the
> > pressures of the marketing "old boy club", the teams are too small to
> > cover all the "nice to do" bases and still leave folks time for
> > themselves.
> > 
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thor (Hammer of God)
> > Sent: Monday, February 26, 2007 9:07 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > I never really saw much from the PMs over there- just that one stint
> > about SQL logging, and to be honest, there wasn't much valuable
> > content sourced from the MSFT side... In fact, as I understand it,
> > the PM and product support people (other than Jim) are apparently
> > not pushed to participate (and may be asked not to) because of the
> > fact that it is NOT an official MSFT site, and that NDA and product
> > liability may be an issue.
> > 
> > I'm going to draft up a "suggestions for the MVP program" and submit
> > them to the powers that be, just so that things like this can be
> > addressed.
> > 
> > t
> > 
> > 
> > On 2/26/07 8:50 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh
> > to all:
> > 
> > It's been a real problem for the ISA PG to work with the ISA MVPs,
> > because they think that the ISA MVPs are still involved with the
> > ISA MVP mailing list. I explained to them that because of "issues"
> > with that list that there was less than optimal participation and
> > that they needed to get an MS managed solution. At the very least,
> > they could create their own DL and send mail to people on that list.
> > I hate missing out on the ISA PGs communications on that "other"
> > list, but my life is so much better not having to listen to the
> > ****** that happens over there.
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> > 
> > ________________________________
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Monday, February 26, 2007 8:56 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > 
> > I spoke with Melissa Travers, the MVP Lead for both ISA and
> > Exchange, and she said the Exchange group's MVP site was really,
> > really good, and that the Exchange group themselves is quite active.
> > Being they are the Exchange group, I can see why they would have a
> > decent portal. ;)
> > 
> > I suggested that if there were a single sourced, Microsoft
> > controlled MVP site where we could "browse through" other MVP
> > list content, that issues like this (the perceptions surrounding what
> > Exchange will and won't support and why) would be much easier to
> > manage, and that "the right people" from both sides could engage each
> > other in a positive way when two technologies collide like this.  To
> > me, this is a major shortcoming in the MVP program overall.  Given
> > the fact that the MVP program was created in order to provide a
> > collaborative environment for various technologies, it seems like a
> > horrible waste of a perfect opportunity to expand that environment
> > out to the MVPs and product teams in other product competencies.  The
> > fate of the ISA-MVP list is testament to that.
> > 
> > So, in the absence of a coordinated effort on Microsoft's part to
> > wrap its collective arms around the MVPs and product teams, I'll
> > see if I can get on the Exchange MVP list and begin a dialog of
> > exactly what is going on here.  But I'll need to get immersed in
> > Ex2007 first, which I've just not had the time to do.  The promise of
> > true unified messaging in 2007 was a major draw to me, but given the
> > apparent narrow PBX support and lack of official functionality
> > documentation, the rush to explore has lost its luster.
> > 
> > t
> > 
> > 
> > On 2/26/07 6:02 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to
> > all:
> > 
> > Documentation always follows the product, which is barely on the
> > streets.
> > I've seen some regarding WM6, but the basic concepts are the same.
> > ..coming soon to a website near you...
> > 
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Monday, February 26, 2007 3:31 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > Hi All,
> > 
> > Anyone (Tim?) had a chance to look at the least privilege approach
> > with Exchange 2007 yet?
> > 
> > From what I am hearing the "CAS not supported in perimeter"
> > statement is based more on "we haven't tested it yet" than on "we
> > don't think it is a good idea".
> > 
> > I have a few customers looking at placing the entire Exchange
> > architecture behind ISA (very untrusted LANs) - I have done this
> > with Exch2k3, but has anyone looked at this for Exch2k7?
> > 
> > I am guessing this is not supported either, but documentation is
> > very thin on the ground with reference to 2k7 and perimeter
> > networking....
> > 
> > Cheers
> > 
> > JJ
> > 
> > 
> > ________________________________
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: 15 January 2007 15:27
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > Right you are...  The analogy fits when you use "comparative logic"
> > as opposed to just thinking of the zone in singularity... Compared
> > to the areas on either side of the DMZ, it should be easy to
> > discern any activity at all in the DMZ itself- particularly hostile
> > activities.  There are strict policies about what can go on in the
> > Korean DMZ, as there should be in one's network DMZ.  Internet
> > traffic is chaotic, and I don't even bother trying to determine what
> > is going on out on my Internet segment- I can't control it anyway
> > (other than my policy of implementing router ACLs to match
> > inbound/outbound traffic policies at my border router).  Internal
> > traffic isn't chaotic, but it is hard to monitor for "hostile"
> > packets given the sheer volume and type of traffic being generated
> > by internal users, servers, services, etc to any number of different
> > hosts and clients.  But in the DMZ, you should be able to immediately
> > notice when something out of the ordinary is going on.  For instance,
> > if I see POP3 logon traffic, I know something is FUBAR, as I don't
> > support POP3 in my DMZ at all.  If I see modal enumeration by way of
> > a null session, I know something is going on.  And etc, etc.
> > 
> > So, to me, it fits, and that is the term I choose to use.  I won't 
> > be changing ;)
> > 
> > t
> > 
> > 
> > On 1/15/07 6:40 AM, "Gerald G. Young" <g.young@xxxxxxxx> spoketh to
> > all:
> > 
> > The DMZ in Korea itself isn't crawling with military.  Either side
> > of it is, ensuring that the definition of a demilitarized zone is
> > observed and maintained.  Before the advent of DMZs in networking, a
> > DMZ meant an area from which military forces, operations, and
> > installations were prohibited.  Essentially, it's a wide empty area
> > that constitutes a border with forces on either side pointing guns
> > into it.
> > 
> > I've always thought the adaptation of the acronym to the world of
> > networking a bit strange.  "Oh!  We got activity in our networked
> > DMZ!  Kill it!"  :-)
> > 
> > 
> > Cordially yours,
> > Jerry G. Young II
> > Product Engineer - Senior
> > Platform Engineering, Enterprise Hosting
> > NTT America, an NTT Communications Company
> > 
> > 22451 Shaw Rd.
> > Sterling, VA 20166
> > 
> > Office: 571-434-1319
> > Fax: 703-333-6749
> > Email: g.young@xxxxxxxx
> > 
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > Sent: Sunday, January 14, 2007 7:08 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: RE: [isapros] Re: ISA, Exchange 2007 and Perimeter
> > Networks
> > 
> > 
> > That's what it means to me too. Can't see the Korean no man's land
> > as qualifying as a DMZ when it's crawling with military.
> > 
> > In this conversation we have to take into consideration that CAS
> > also includes the capability to provide access to folders and files
> > right in OWA. This may be the thing that the Exchange team thinks
> > throws a monkey wrench into the secure deployment of CAS in a DMZ.
> > 
> > ________________________________
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
> > Sent: Sat 1/13/2007 6:46 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > For me, DMZ means scary place completely untrusted, perimeter network
> > means less scary place trusted to a degree, but strongly controlled
> > 
> > ________________________________
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: 12 January 2007 23:51
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > Interesting... Probably a good idea for us to actually articulate
> > what we really mean when we say DMZ.
> > 
> > I guess to some it means "free for all network" but for me, it should
> > be the network where you have the most restrictive policies
> > controlling each service so that it is obvious when malicious
> > traffic hits the wire.  Thoughts?
> > t
> > 
> > 
> > On 1/12/07 3:30 PM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all:
> > 
> > That's what I thought, now it's what I know....
> > 
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Friday, January 12, 2007 6:35 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > Aside from normal router & switch ACLs, ISA is the single line of
> > defense.
> > "..we don't need no stinking DMZs"
> > 
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> > Sent: Friday, January 12, 2007 12:12 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > Ahh...just had a thought.
> > 
> > It's all labeling.
> > 
> > Jason, and others (not Jason's fault), have been using the term DMZ.
> > 
> > Historically, is the term DMZ not taken literally as being completely
> > firewalled off from the trusted networks, and what Jason is talking
> > about is trusted network segmentation.
> > 
> > I betcha that's why the Exchange team don't support it...they think
> > it's a typical run of the mill DMZ...
> > 
> > Jim, isn't MS's Internal network segmented by using ISA?? Including
> > your mail servers?
> > 
> > S
> > 
> > All mail to and from this domain is GFI-scanned.
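
The DMZ point made in this thread (a perimeter segment with a tight, per-service policy, so that anything outside that policy, such as POP3 logons or SMB null-session traffic, stands out immediately) as an added worked example. This is not code from the list, from ISA Server or from any of the posters. The log layout it parses is a constructed simplification rather than the ISA Server W3C firewall-log format, the sample log lines are made up, and the addresses, ports and policy table are assumptions.

```python
"""Allowlist audit of a perimeter (DMZ) segment's firewall log.

Added example for this thread's DMZ discussion; not code from the list, from
ISA Server or from any poster.  The log layout (timestamp, action, protocol,
source, destination, destination port, whitespace separated) is a constructed
simplification, NOT the ISA Server W3C format.  Policy values are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DMZ_NET = ip_network("192.0.2.0/24")  # assumed perimeter segment (RFC 5737 range)

# What the DMZ is supposed to carry: (destination host, protocol, port).
ALLOWED = {
    ("192.0.2.10", "tcp", 443),  # assumed: OWA published through ISA
    ("192.0.2.20", "tcp", 25),   # assumed: inbound SMTP relay
}

# Services the thread calls out as never belonging in the DMZ.
KNOWN_BAD = {
    ("tcp", 110): "POP3 (not supported in this DMZ)",
    ("tcp", 139): "SMB over NetBIOS (null-session enumeration vector)",
    ("tcp", 445): "SMB (null-session enumeration vector)",
}


@dataclass(frozen=True)
class Flow:
    ts: str
    action: str  # "allow" or "deny"
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Finding:
    flow: Flow
    severity: str  # "policy-gap": allowed but not in policy; "probe": denied
    reason: str


def parse_line(line: str) -> Flow:
    """Parse one line of the constructed log format described above."""
    ts, action, proto, src, dst, dport = line.split()
    return Flow(ts, action.lower(), proto.lower(), src, dst, int(dport))


def touches_dmz(flow: Flow) -> bool:
    return ip_address(flow.src) in DMZ_NET or ip_address(flow.dst) in DMZ_NET


def classify(flow: Flow) -> str:
    """'ignored' (no DMZ endpoint), 'expected' (in policy) or 'suspicious'."""
    if not touches_dmz(flow):
        return "ignored"  # Internet/internal noise; not what this audit is for
    if (flow.dst, flow.proto, flow.dport) in ALLOWED:
        return "expected"
    return "suspicious"


def audit(log_text: str) -> list[Finding]:
    """One Finding per suspicious flow: allowed-but-unlisted means the rule
    set is looser than the design; denied-but-unlisted is probably a probe."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        flow = parse_line(raw)
        if classify(flow) != "suspicious":
            continue
        severity = "policy-gap" if flow.action == "allow" else "probe"
        reason = KNOWN_BAD.get((flow.proto, flow.dport), "not in DMZ policy")
        findings.append(Finding(flow, severity, reason))
    return findings


def summarize(log_text: str) -> dict[str, int]:
    """Flows per class; a healthy DMZ log is almost entirely 'expected'."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return dict(Counter(classify(parse_line(l)) for l in lines))


# Constructed sample log, not captured from any real system.
SAMPLE_LOG = """\
2007-02-26T20:41:03 allow tcp 198.51.100.7  192.0.2.10   443
2007-02-26T20:41:09 allow tcp 198.51.100.7  192.0.2.20   25
2007-02-26T20:41:15 deny  tcp 198.51.100.88 192.0.2.10   110
2007-02-26T20:41:20 allow tcp 192.0.2.10    192.0.2.20   445
2007-02-26T20:41:31 deny  tcp 203.0.113.5   192.0.2.20   139
2007-02-26T20:41:40 allow tcp 198.51.100.9  203.0.113.77 80
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.flow.ts} {f.severity:10} {f.flow.src} -> {f.flow.dst}:{f.flow.dport}  {f.reason}")
    print(summarize(SAMPLE_LOG))
```

The distinction between "policy-gap" and "probe" is the practical payoff of the comparative-logic argument: a denied POP3 connection attempt against a DMZ host is a probe worth noting, but an allowed SMB session between two DMZ hosts that the policy never intended is a firewall rule that is looser than the design, which is the thing this kind of audit exists to catch.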