"ISA's Got You In Its Sites"

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> Sent: Monday, February 26, 2007 4:01 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> I'd rather be on Layer 7
>
> Amy
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Monday, February 26, 2007 4:45 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> Not bad; except for the trailing commentary...
> :-p
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Monday, February 26, 2007 12:53 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> How about:
>
> "ISA Firewall Rules!"
>
> Get it? Firewall rules? Like in firewall ruleset? You know, sort of a
> double entendre sort of thingie :))
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Monday, February 26, 2007 2:27 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> >
> > Ok - it's official - let's get an "ISABlog motto" contest going.
> > Basic rules:
> > - no derogatory comments about CheckPix or similar (makes the lawyers
> >   tremble)
> > - no marketing spew
> > - keep it short (10 words max)
> > - must use ISA behavior or feature (like "wpad")
> > - should abuse a common phrase (like "does a nautical pimp keep his
> >   'oars' in the water?")
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thomas W Shinder
> > Sent: Monday, February 26, 2007 12:23 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> >
> > You had me at WPAD? :)
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Monday, February 26, 2007 12:26 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > >
> > > NDA is a completely different point and Amy has it right -
> > > non-MS lists are verboten to NDA material.
> > > I'm an "odd duck" in this context (for more than one reason -
> > > ha! - beat ya to it!), because it's actually a large part of my job
> > > to "keep my finger on the pulse", as it were. This is why you see me
> > > doing trips like tech Ready & Black Hat. Unfortunately, fiscal
> > > limitations curtail any further involvement, but such is corporate life.
> > >
> > > I agree that the ISA team hasn't exactly kept pace with teams like
> > > Exchange (we don't even have a silly motto like "you had me at ehlo"),
> > > but it still comes back to the "effort priorities".
> > > I've been working with the right folks to make this a better experience
> > > all around (especially for the MVPs), but these things tend to move
> > > slowly...
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Thor (Hammer of God)
> > > Sent: Monday, February 26, 2007 9:54 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > >
> > > Conflicting info, then. I was told by a source that non-MSFT lists were
> > > poo-poo'ed on for liability and NDA reasons.
> > >
> > > And while I totally understand the "bottom line" thinking, it seems like
> > > a huge waste to initiate something like the MVP program and to go through
> > > all the motions only to do it half-assed.
> > >
> > > t
> > >
> > > On 2/26/07 9:35 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> > >
> > > > In fact, ISA product team members are strongly encouraged to
> > > > participate in lists, NG, blogs and all other manner of public
> > > > communication efforts.
> > > > The sad fact is; the time available for such endeavors is woefully
> > > > small.
> > > > MS, like many profit-making businesses, operates with the smallest
> > > > teams required to produce product "X".
> > > > Unfortunately, with software engineering being what it is, and the
> > > > pressures of the marketing "old boy club", the teams are too small to
> > > > cover all the "nice to do" bases and still leave folks time for
> > > > themselves.
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Thor (Hammer of God)
> > > > Sent: Monday, February 26, 2007 9:07 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > >
> > > > I never really saw much from the PM's over there- just that one stint
> > > > about SQL logging, and to be honest, there wasn't much valuable content
> > > > sourced from the MSFT side... In fact, as I understand it, the PM and
> > > > product support people (other than Jim) are apparently not pushed to
> > > > participate (and may be asked not to) because of the fact that it is
> > > > NOT an official MSFT site, and that NDA and product liability may be an
> > > > issue.
> > > >
> > > > I'm going to draft up a "suggestions for the MVP program" and submit
> > > > them to the powers that be, just so that things like this can be
> > > > addressed.
> > > >
> > > > t
> > > >
> > > > On 2/26/07 8:50 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh
> > > > to all:
> > > >
> > > > It's been a real problem for the ISA PG to work with the ISA MVPs,
> > > > because they think that the ISA MVPs are still involved with the ISA
> > > > MVP mailing list. I explained to them that because of "issues" with
> > > > that list that there was less than optimal participation and that they
> > > > needed to get a MS managed solution. At the very least, they could
> > > > create their own DL and send mail to people on that list. I hate
> > > > missing out on the ISA PGs communications on that "other" list, but
> > > > my life is so much better not having to listen to the ****** that
> > > > happens over there.
> > > >
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org <http://www.isaserver.org/>
> > > > Blog: http://blogs.isaserver.org/shinder/
> > > > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> > > > MVP -- Microsoft Firewalls (ISA)
> > > >
> > > > ________________________________
> > > >
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > > Sent: Monday, February 26, 2007 8:56 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > >
> > > > I spoke with Melissa Travers, the MVP Lead for both ISA and Exchange,
> > > > and she said the Exchange group's MVP site was really, really good, and
> > > > that the Exchange group themselves is quite active. Being they are the
> > > > Exchange group, I can see why they would have a decent portal. ;)
> > > >
> > > > I suggested that if there were a single sourced, Microsoft controlled
> > > > MVP site where we could "browse through" other MVP list content, that
> > > > issues like this (the perceptions surrounding what Exchange will and
> > > > won't support and why) would be much easier to manage, and that "the
> > > > right people" from both sides could engage each other in a positive way
> > > > when two technologies collide like this. To me, this is a major
> > > > shortcoming in the MVP program overall. Given the fact that the MVP
> > > > program was created in order to provide a collaborative environment for
> > > > various technologies, it seems like a horrible waste of a perfect
> > > > opportunity to expand that environment out to the MVP's and product
> > > > teams in other product competencies. The fate of the ISA-MVP list is
> > > > testament to that.
> > > > So, in the absence of a coordinated effort on Microsoft's part to wrap
> > > > its collective arms around the MVP's and product teams, I'll see if I
> > > > can get on the Exchange MVP list and begin a dialog of exactly what is
> > > > going on here. But I'll need to get immersed in Ex2007 first, which
> > > > I've just not had the time to do. The promise of true unified messaging
> > > > in 2007 was a major draw to me, but given the apparent narrow PBX
> > > > support and lack of official functionality documentation, the rush to
> > > > explore has lost its luster.
> > > >
> > > > t
> > > >
> > > > On 2/26/07 6:02 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> > > >
> > > > Documentation always follows the product, which is barely on the
> > > > streets.
> > > > I've seen some regarding WM6, but the basic concepts are the same.
> > > > ..coming soon to a website near you...
> > > >
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > Sent: Monday, February 26, 2007 3:31 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > >
> > > > Hi All,
> > > >
> > > > Anyone (Tim?) had chance to look at the least privilege approach with
> > > > Exchange 2007 yet?
> > > >
> > > > From what I am hearing the "CAS not supported in perimeter" statement
> > > > is based more on "we haven't tested it yet" more than "we don't think
> > > > it is a good idea".
> > > >
> > > > I have a few customers looking at placing the entire Exchange
> > > > architecture behind ISA (very untrusted LANs) - I have done this with
> > > > Exch2k3, but has anyone looked at this for Exch2k7?
> > > > I am guessing this is not supported either, but documentation is very
> > > > thin on the ground with reference to 2k7 and perimeter networking....
> > > >
> > > > Cheers
> > > >
> > > > JJ
> > > >
> > > > ________________________________
> > > >
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > > Sent: 15 January 2007 15:27
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > >
> > > > Right you are... The analogy fits when you use "comparative logic" as
> > > > opposed to just thinking of the zone in singularity... Compared to the
> > > > areas on either side of the DMZ, it should be easy to discern any
> > > > activity at all in the DMZ itself- particularly hostile activities.
> > > > There are strict policies about what can go on in the Korean DMZ, as
> > > > there should be in one's network DMZ. Internet traffic is chaotic, and
> > > > I don't even bother trying to determine what is going on out on my
> > > > Internet segment- I can't control it anyway (other than my policy of
> > > > implementing router ACL's to match inbound/outbound traffic policies at
> > > > my border router). Internal traffic isn't chaotic, but it is hard to
> > > > monitor for "hostile" packets given the sheer volume and type of
> > > > traffic being generated by internal users, servers, services, etc to
> > > > any number of different hosts and clients. But in the DMZ, you should
> > > > be able to immediately notice when something out of the ordinary is
> > > > going on. For instance, if I see POP3 logon traffic, I know something
> > > > is FUBAR, as I don't support POP3 in my DMZ at all.
> > > > If I see modal enumeration by way of a null session, I know something
> > > > is going on. And etc, etc.
> > > >
> > > > So, to me, it fits, and that is the term I choose to use. I won't be
> > > > changing ;)
> > > >
> > > > t
> > > >
> > > > On 1/15/07 6:40 AM, "Gerald G. Young" <g.young@xxxxxxxx> spoketh to all:
> > > >
> > > > The DMZ in Korea itself isn't crawling with military. Either side of
> > > > it is, ensuring that the definition of a demilitarized zone is observed
> > > > and maintained. Before the advent of DMZs in networking, a DMZ meant an
> > > > area from which military forces, operations, and installations were
> > > > prohibited. Essentially, it's a wide empty area that constitutes a
> > > > border with forces on either side pointing guns into it.
> > > >
> > > > I've always thought the adaptation of the acronym to the world of
> > > > networking a bit strange. "Oh! We got activity in our networked DMZ!
> > > > Kill it!" :-)
> > > >
> > > > Cordially yours,
> > > > Jerry G. Young II
> > > > Product Engineer - Senior
> > > > Platform Engineering, Enterprise Hosting
> > > > NTT America, an NTT Communications Company
> > > >
> > > > 22451 Shaw Rd.
> > > > Sterling, VA 20166
> > > >
> > > > Office: 571-434-1319
> > > > Fax: 703-333-6749
> > > > Email: g.young@xxxxxxxx
> > > >
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > > > Sent: Sunday, January 14, 2007 7:08 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: RE: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > >
> > > > That's what it means to me too. Can't see the Korean no man's land as
> > > > qualifying as a DMZ when it's crawling with military.
> > > > In this conversation we have to take into consideration that CAS also
> > > > includes the capability to provide access to folders and files right
> > > > in OWA. This may be the thing that the Exchange team thinks throws a
> > > > monkey wrench into the secure deployment of CAS in a DMZ.
> > > >
> > > > ________________________________
> > > >
> > > > From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
> > > > Sent: Sat 1/13/2007 6:46 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > >
> > > > For me, DMZ means scary place completely untrusted, perimeter network
> > > > means less scary place trusted to a degree, but strongly controlled
> > > >
> > > > ________________________________
> > > >
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > > Sent: 12 January 2007 23:51
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > >
> > > > Interesting... Probably a good idea for us to actually articulate what
> > > > we really mean when we say DMZ.
> > > >
> > > > I guess to some it means "free for all network" but for me, it should
> > > > be the network where you have the most restrictive policies controlling
> > > > each service so that it is obvious when malicious traffic hits the
> > > > wire. Thoughts?
> > > >
> > > > t
> > > >
> > > > On 1/12/07 3:30 PM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all:
> > > >
> > > > That's what I thought, now it's what I know....
> > > >
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: Friday, January 12, 2007 6:35 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > >
> > > > Aside from normal router & switch ACLs, ISA is the single line of
> > > > defense.
> > > > "..we don't need no stinking DMZs"
> > > >
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> > > > Sent: Friday, January 12, 2007 12:12 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > >
> > > > Ahh...just had a thought.
> > > >
> > > > It's all labeling.
> > > >
> > > > Jason, and others (not Jason's fault), have been using the term DMZ.
> > > >
> > > > Historically, is the term DMZ not taken literally as being completely
> > > > firewalled off from the trusted networks, and what Jason is talking
> > > > about is trusted network segmentation.
> > > >
> > > > I betcha that's why the Exchange team don't support it...they think
> > > > it's a typical run of the mill DMZ...
> > > >
> > > > Jim, isn't MS's Internal network segmented by using ISA?? Including
> > > > your mail servers?
> > > >
> > > > S
> > > >
> > > > All mail to and from this domain is GFI-scanned.
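One way to turn the point Thor makes above (a DMZ carries so few services that anything else, like a POP3 logon, stands out) into a log check. This is an added example, not code from the thread or from ISA Server; the addresses, hosts, per-host policy and log line format are constructed assumptions.

```python
"""Flag out-of-policy traffic on a tightly scoped perimeter (DMZ) segment.
Added example, not code from the isapros thread or any ISA tool: it models
the thread's point that a DMZ should carry only the few services you publish,
so anything else (a POP3 logon, a null-session SMB probe) stands out."""
from ipaddress import ip_address, ip_network

# Assumed topology: 203.0.113.0/24 is the DMZ, 10.0.0.0/8 the internal network.
DMZ = ip_network("203.0.113.0/24")
INTERNAL = ip_network("10.0.0.0/8")

# Per-host policy (assumed, hypothetical hosts): services published INTO the
# DMZ host, and what that host may itself open toward the internal network.
POLICY = {
    "203.0.113.10": {"inbound": {("tcp", 443)},          # OWA front end
                     "to_internal": {("tcp", 443)}},
    "203.0.113.25": {"inbound": {("tcp", 25)},           # inbound SMTP relay
                     "to_internal": {("tcp", 25)}},
}

# Constructed log lines in a simplified format (not ISA's own log layout):
# "<time> <src_ip> <dst_ip> <proto> <dst_port> <action>"
SAMPLE_LOG = """\
2007-01-12T18:35:01 198.51.100.7 203.0.113.10 tcp 443 allow
2007-01-12T18:35:04 198.51.100.7 203.0.113.10 tcp 110 deny
2007-01-12T18:35:09 198.51.100.9 203.0.113.25 tcp 25 allow
2007-01-12T18:35:12 198.51.100.9 203.0.113.25 tcp 445 deny
2007-01-12T18:35:20 203.0.113.10 10.1.2.3 tcp 443 allow
2007-01-12T18:35:31 203.0.113.25 10.1.2.3 tcp 3389 allow
2007-01-12T18:35:40 198.51.100.7 203.0.113.99 tcp 80 deny
"""

def audit_dmz(log_text):
    """Return (timestamp, reason) for every line that does not fit POLICY.
    Denied packets count too: in a DMZ, a probe for an unpublished service
    is itself the signal, whether or not the firewall let it through."""
    findings = []
    for line in log_text.splitlines():
        ts, src, dst, proto, port, action = line.split()
        svc, src_ip, dst_ip = (proto, int(port)), ip_address(src), ip_address(dst)
        if dst_ip in DMZ:  # something is reaching a DMZ host
            host = POLICY.get(str(dst_ip))
            if host is None:
                findings.append((ts, f"traffic to unpublished DMZ host {dst}:{port}"))
            elif svc not in host["inbound"]:
                findings.append((ts, f"{proto}/{port} not published on {dst} ({action})"))
        elif src_ip in DMZ and dst_ip in INTERNAL:  # DMZ host calling inward
            allowed = POLICY.get(str(src_ip), {}).get("to_internal", set())
            if svc not in allowed:
                findings.append((ts, f"{src} opened {proto}/{port} to internal {dst}"))
    return findings

if __name__ == "__main__":
    for ts, why in audit_dmz(SAMPLE_LOG):
        print(ts, why)
```

The same check run against an internal segment would be far noisier, which is the contrast the thread draws between the DMZ and the networks on either side of it.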