[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Tue, 27 Feb 2007 09:36:25 -0500

Should be "Firewalls make me Hot", shouldn't it?

How about "Flames, baby flames, you're goin' down." As said by The
Bomber What Bombs at Midnight. (from The Tick, of course)

Amy 
 
 
-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Gerald G. Young
Sent: Tuesday, February 27, 2007 9:12 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

"ISA, your friendly, neighborhood firewall."
"Never a dull rule in ISA."
"ISA's hot." - as imagined said by Paris Hilton.
"ISA and PIX, sitting in a tree..." - yeah, not so much. ;)
"I'll show you my certificate if you'll show me yours."

Cordially yours,
Jerry G. Young II
Application Engineer, Platform Engineering and Architecture
NTT America, an NTT Communications Company

22451 Shaw Rd.
Sterling, VA 20166

Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Monday, February 26, 2007 7:22 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

"ISA's Got You In Its Sites"

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> Sent: Monday, February 26, 2007 4:01 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> I'd rather be on Layer 7
> 
> Amy 
>  
>  
>  
>  
>  
>  
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Monday, February 26, 2007 4:45 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> Not bad; except for the trailing commentary...
> :-p
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Monday, February 26, 2007 12:53 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> How about:
> 
> "ISA Firewall Rules!"
> 
> Get it? Firewall rules? Like in firewall ruleset? You know, sort of a
> double entendre sort of thingie :))
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
>  
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Monday, February 26, 2007 2:27 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > Ok - it's official - let's get an "ISABlog motto" contest going.
> > Basic rules:
> > - no derogatory comments about CheckPix or similar (makes the lawyers
> > tremble)
> > - no marketing spew
> > - keep it short (10 words max)
> > - must use ISA behavior or feature (like "wpad")
> > - should abuse a common phrase (like "does a nautical pimp keep his
> > 'oars' in the water?")
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thomas W Shinder
> > Sent: Monday, February 26, 2007 12:23 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > 
> > You had me at WPAD? :)
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Monday, February 26, 2007 12:26 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > 
> > > NDA is a completely different point and Amy has it right - non-MS lists
> > > are verboten to NDA material.
> > > I'm an "odd duck" in this context (for more than one reason - ha! - beat
> > > ya to it!), because it's actually a large part of my job to "keep my
> > > finger on the pulse", as it were.  This is why you see me doing trips
> > > like tech Ready & Black Hat.  Unfortunately, fiscal limitations curtail
> > > any further involvement, but such is corporate life.
> > > 
> > > I agree that the ISA team hasn't exactly kept pace with teams like
> > > Exchange (we don't even have a silly motto like "you had me at ehlo"),
> > > but it still comes back to the "effort priorities".  I've been working
> > > with the right folks to make this a better experience all around
> > > (especially for the MVPs), but these things tend to move slowly...
> > > 
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Thor (Hammer of God)
> > > Sent: Monday, February 26, 2007 9:54 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > 
> > > Conflicting info, then.  I was told by a source that non-MSFT lists were
> > > poo-poo'ed on for liability and NDA reasons.
> > > 
> > > And while I totally understand the "bottom line" thinking, it seems like
> > > a huge waste to initiate something like the MVP program and to go through
> > > all the motions only to do it half-assed.
> > > 
> > > t
> > > 
> > > 
> > > On 2/26/07 9:35 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> > > 
> > > > In fact, ISA product team members are strongly encouraged to participate
> > > > in lists, NG, blogs and all other manner of public communication
> > > > efforts.
> > > > The sad fact is; the time available for such endeavors is woefully
> > > > small.
> > > > MS, like many profit-making businesses, operates with the smallest teams
> > > > required to produce product "X".
> > > > Unfortunately, with software engineering being what it is, and the
> > > > pressures of the marketing "old boy club", the teams are too small to
> > > > cover all the "nice to do" bases and still leave folks time for
> > > > themselves.
> > > > 
> > > > 
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Thor (Hammer of God)
> > > > Sent: Monday, February 26, 2007 9:07 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> > > > 
> > > > I never really saw much from the PM's over there- just that one stint
> > > > about SQL logging, and to be honest, there wasn't much valuable content
> > > > sourced from the MSFT side... In fact, as I understand it, the PM and
> > > > product support people (other than Jim) are apparently not pushed to
> > > > participate (and may be asked not to) because of the fact that it is NOT
> > > > an official MSFT site, and that NDA and product liability may be an
> > > > issue.
> > > > 
> > > > I'm going to draft up a "suggestions for the MVP program" and submit
> > > > them to the powers that be, just so that things like this can be
> > > > addressed.
> > > > 
> > > > t
> > > > 
> > > > 
> > > > On 2/26/07 8:50 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
> > > > 
> > > > 
> > > > 
> > > > It's been a real problem for the ISA PG to work with the ISA
> > > > MVPs, because they think that the ISA MVPs are still involved with the
> > > > ISA MVP mailing list. I explained to them that because of "issues" with
> > > > that list that there was less than optimal participation and that they
> > > > needed to get a MS managed solution. At the very least, they could
> > > > create their own DL and send mail to people on that list. I hate missing
> > > > out on the ISA PGs communications on that "other" list, but my life is
> > > > so much better not having to listen to the ****** that happens over
> > > > there.
> > > > 
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://blogs.isaserver.org/shinder/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- Microsoft Firewalls (ISA)
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > ________________________________
> > > > 
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor 
> (Hammer of
> > > God)
> > > > Sent: Monday, February 26, 2007 8:56 AM
> > > > To:  isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: ISA, Exchange 2007 and  Perimeter
> > > > Networks
> > > > 
> > > > 
> > > > I spoke with Melissa Travers, the MVP Lead for both ISA
> > > > and Exchange, and she said the Exchange group's MVP site was really,
> > > > really good, and that the Exchange group themselves is quite active.
> > > > Being they are the Exchange group, I can see why they would have a
> > > > decent portal. ;)
> > > > 
> > > > I suggested that if there were a single sourced,
> > > > Microsoft controlled MVP site where we could "browse through" other MVP
> > > > list content, that issues like this (the perceptions surrounding what
> > > > Exchange will and won't support and why) would be much easier to
> > > > manage, and that "the right people" from both sides could engage each
> > > > other in a positive way when two technologies collide like this.  To
> > > > me, this is a major shortcoming in the MVP program overall.  Given the
> > > > fact that the MVP program was created in order to provide a
> > > > collaborative environment for various technologies, it seems like a
> > > > horrible waste of a perfect opportunity to expand that environment out
> > > > to the MVP's and product teams in other product competencies.  The
> > > > fate of the ISA-MVP list is testament to that.
> > > > 
> > > > So, in the absence of a coordinated effort on
> > > > Microsoft's part to wrap its collective arms around the MVP's and
> > > > product teams, I'll see if I can get on the Exchange MVP list and begin
> > > > a dialog of exactly what is going on here.  But I'll need to get
> > > > immersed in Ex2007 first, which I've just not had the time to do.  The
> > > > promise of true unified messaging in 2007 was a major draw to me, but
> > > > given the apparent narrow PBX support and lack of official
> > > > functionality documentation, the rush to explore has lost its luster.
> > > > 
> > > > t
> > > > 
> > > > 
> > > > On 2/26/07 6:02 AM, "Jim Harrison"  <Jim@xxxxxxxxxxxx>
> > > > spoketh to all:
> > > > 
> > > > 
> > > > 
> > > > 
> > > > Documentation always follows the  product, which
> > > > is barely on the streets.
> > > > I've seen some regarding WM6,  but the basic
> > > > concepts are the same.
> > > > ..coming soon to a website near  you...
> > > > 
> > > > 
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx]  On Behalf Of Jason Jones
> > > > Sent: Monday, February 26, 2007  3:31 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re:  ISA, Exchange 2007 and
> > > > Perimeter Networks
> > > > 
> > > > Hi All,
> > > > 
> > > > Anyone (Tim?) had chance to look at the least
> > > > privilege approach with Exchange 2007 yet?
> > > > 
> > > > From what I am hearing the "CAS not supported in
> > > > perimeter" statement is based more on "we haven't tested it yet" more
> > > > than "we don't think it is a good idea".
> > > > 
> > > > I have a few customers looking at placing the
> > > > entire Exchange architecture behind ISA (very untrusted LANs) - I have
> > > > done this with Exch2k3, but has anyone looked at this for Exch2k7?
> > > > 
> > > > I am guessing this is not supported either, but
> > > > documentation is very thin on the ground with reference to 2k7 and
> > > > perimeter networking....
> > > > 
> > > > Cheers
> > > > 
> > > > JJ
> > > > 
> > > > 
> > > > 
> > > > 
> > > >  
> > > > 
> > > > 
> > > > 
> > > > ________________________________
> > > > 
> > > >  
> > > > 
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx]  On Behalf Of Thor 
> > (Hammer of
> > > God)
> > > > Sent: 15 January 2007  15:27
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re:  ISA, Exchange 2007 and
> > > > Perimeter Networks
> > > > 
> > > > Right you are...  The analogy fits when you use
> > > > "comparative logic" as opposed to just thinking of the zone in
> > > > singularity... Compared to the areas on either side of the DMZ, it
> > > > should be easy to discern any activity at all in the DMZ itself-
> > > > particularly hostile activities.  There are strict policies about what
> > > > can go on in the Korean DMZ, as there should be in one's network DMZ.
> > > > Internet traffic is chaotic, and I don't even bother trying to
> > > > determine what is going on out on my Internet segment- I can't control
> > > > it anyway (other than my policy of implementing router ACL's to match
> > > > inbound/outbound traffic policies at my border router).  Internal
> > > > traffic isn't chaotic, but it is hard to monitor for "hostile" packets
> > > > given the sheer volume and type of traffic being generated by internal
> > > > users, servers, services, etc to any number of different hosts and
> > > > clients.  But in the DMZ, you should be able to immediately notice when
> > > > something out of the ordinary is going on.  For instance, if I see POP3
> > > > logon traffic, I know something is FUBAR, as I don't support POP3 in my
> > > > DMZ at all.  If I see modal enumeration by way of a null session, I
> > > > know something is going on.  And etc, etc.
> > > > 
> > > > So, to me, it fits, and that is the term I
> > > > choose to use.  I won't be changing ;)
> > > > 
> > > > t
> > > > 
> > > > 
> > > > On 1/15/07  6:40 AM, "Gerald G. Young"
> > > > <g.young@xxxxxxxx> spoketh to  all:
> > > > 
> > > > The DMZ in Korea itself isn't crawling with
> > > > military.  Either side of it is, ensuring that the definition of a
> > > > demilitarized zone is observed and maintained.  Before the advent of
> > > > DMZs in networking, a DMZ meant an area from which military forces,
> > > > operations, and installations were prohibited.  Essentially, it's a
> > > > wide empty area that constitutes a border with forces on either side
> > > > pointing guns into it.
> > > > 
> > > > I've always thought the adaptation of the
> > > > acronym to the world of networking a bit strange.  "Oh!  We got
> > > > activity in our networked DMZ!  Kill it!"  :-)
> > > > 
> > > > 
> > > > Cordially  yours,
> > > > Jerry G. Young  II
> > > > Product  Engineer - Senior
> > > > Platform Engineering, Enterprise Hosting
> > > > NTT  America, an NTT Communications Company
> > > > 
> > > > 22451 Shaw  Rd.
> > > > Sterling, VA 20166
> > > > 
> > > > Office: 571-434-1319
> > > > Fax:  703-333-6749
> > > > Email:  g.young@xxxxxxxx
> > > > 
> > > > 
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx]  On Behalf Of Amy 
> Babinchak
> > > > Sent: Sunday, January 14, 2007  7:08 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: RE: [isapros]  Re: ISA, Exchange 2007
> > > > and Perimeter Networks
> > > > 
> > > > 
> > > > That's what it means to me too. Can't see the
> > > > Korean no man's land as qualifying as a DMZ when it's crawling with
> > > > military.
> > > > 
> > > > In this conversation we have to take into
> > > > consideration that CAS also includes the capability to provide access to
> > > > folders and files right in OWA. This may be the thing that the Exchange
> > > > team thinks throws a monkey wrench into the secure deployment of CAS in
> > > > a DMZ.
> > > > 
> > > >      
> > > > 
> > > > 
> > > > 
> > > > ________________________________
> > > > 
> > > >  
> > > > 
> > > > 
> > > > 
> > > > From: isapros-bounce@xxxxxxxxxxxxx on behalf  of
> > > > Jason Jones
> > > > Sent: Sat 1/13/2007 6:46 PM
> > > > To:  isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: ISA, Exchange 2007  and
> > > > Perimeter Networks
> > > > 
> > > > For me, DMZ means scary place completely
> > > > untrusted, perimeter network means less scary place trusted to a
> > > > degree, but strongly controlled
> > > > 
> > > > 
> > > > 
> > > > 
> > > > ________________________________
> > > > 
> > > >  
> > > > 
> > > > 
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx]  On Behalf Of Thor 
> > (Hammer of
> > > God)
> > > > Sent: 12 January 2007  23:51
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re:  ISA, Exchange 2007 and
> > > > Perimeter Networks
> > > > 
> > > > Interesting... Probably a good idea for us to
> > > > actually articulate what we really mean when we say DMZ.
> > > > 
> > > > I guess to some it means "free for all network"
> > > > but for me, it should be the network where you have the most
> > > > restrictive policies controlling each service so that it is obvious
> > > > when malicious traffic hits the wire.  Thoughts?
> > > > t
> > > > 
> > > > 
> > > > On 1/12/07 3:30 PM, "Steve Moffat"
> > > > <steve@xxxxxxxxxx> spoketh to all:
> > > > That's what I thought, now it's what I  know....
> > > > 
> > > > 
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx]  On Behalf Of Jim Harrison
> > > > Sent: Friday, January 12, 2007  6:35 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re:  ISA, Exchange 2007 and
> > > > Perimeter Networks
> > > > 
> > > > Aside from normal router & switch ACLs, ISA is
> > > > the single line of defense.
> > > > "..we don't need no stinking  DMZs"
> > > > 
> > > > 
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx]  On Behalf Of Steve Moffat
> > > > Sent: Friday, January 12, 2007  12:12 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros]  Re: ISA, Exchange 2007 and
> > > > Perimeter Networks
> > > > 
> > > > Ahh...just had a thought.
> > > > 
> > > > It's all  labeling.
> > > > 
> > > > Jason, and others (not Jason's fault), have been
> > > > using the term DMZ.
> > > > 
> > > > Historically, is the term DMZ not taken
> > > > literally as being completely firewalled off from the trusted networks,
> > > > and what Jason is talking about is trusted network segmentation.
> > > > 
> > > > I betcha that's why the Exchange team don't
> > > > support it...they think it's a typical run of the mill DMZ...
> > > > 
> > > > Jim, isn't MS's Internal network segmented by
> > > > using ISA?? Including your mail servers?
> > > > 
> > > > S  
> > > > 
> > > > 
> > > > All mail to and  from this domain is
> > > > GFI-scanned. 