Where's my CLUB?

Amy

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Tuesday, February 27, 2007 9:51 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

How about "ISA. So simple a caveman can use it."

Oh wait. SBS already took that one! :-p

t

On 2/27/07 6:36 AM, "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> spoketh to all:

> Should be "Firewall's make me Hot", shouldn't it?
>
> How about "Flames, baby flames, you're goin' down." As said by The
> Bomber What Bombs at Midnight. (from The Tick, of course)
>
> Amy
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
> Sent: Tuesday, February 27, 2007 9:12 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> "ISA, your friendly, neighborhood firewall."
> "Never a dull rule in ISA."
> "ISA's hot." - as imagined said by Paris Hilton.
> "ISA and PIX, sitting in a tree..." - yeah, not so much. ;)
> "I'll show you my certificate if you'll show me yours."
>
> Cordially yours,
> Jerry G. Young II
> Application Engineer, Platform Engineering and Architecture
> NTT America, an NTT Communications Company
>
> 22451 Shaw Rd.
> Sterling, VA 20166
>
> Office: 571-434-1319
> Fax: 703-333-6749
> Email: g.young@xxxxxxxx
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Monday, February 26, 2007 7:22 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> "ISA's Got You In Its Sites"
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
>> Sent: Monday, February 26, 2007 4:01 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> I'd rather be on Layer 7
>>
>> Amy
>>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>> Sent: Monday, February 26, 2007 4:45 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Not bad; except for the trailing commentary...
>> :-p
>>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>> Sent: Monday, February 26, 2007 12:53 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> How about:
>>
>> "ISA Firewall Rules!"
>>
>> Get it? Firewall rules? Like in firewall ruleset? You know, sort of a
>> double entendre sort of thingie :))
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://blogs.isaserver.org/shinder/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- Microsoft Firewalls (ISA)
>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: Monday, February 26, 2007 2:27 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>
>>> Ok - it's official - let's get an "ISABlog motto" contest going.
>>> Basic rules:
>>> - no derogatory comments about CheckPix or similar (makes the lawyers
>>>   tremble)
>>> - no marketing spew
>>> - keep it short (10 words max)
>>> - must use ISA behavior or feature (like "wpad")
>>> - should abuse a common phrase (like "does a nautical pimp keep his
>>>   'oars' in the water?")
>>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>>> Sent: Monday, February 26, 2007 12:23 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>
>>> You had me at WPAD? :)
>>>
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7
>>> MVP -- Microsoft Firewalls (ISA)
>>>
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>> Sent: Monday, February 26, 2007 12:26 PM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>>
>>>> NDA is a completely different point and Amy has it right - non-MS lists
>>>> are verboten to NDA material.
>>>> I'm an "odd duck" in this context (for more than one reason - ha! - beat
>>>> ya to it!), because it's actually a large part of my job to "keep my
>>>> finger on the pulse", as it were. This is why you see me doing trips
>>>> like tech Ready & Black Hat. Unfortunately, fiscal limitations curtail
>>>> any further involvement, but such is corporate life.
>>>>
>>>> I agree that the ISA team hasn't exactly kept pace with teams like
>>>> Exchange (we don't even have a silly motto like "you had me at ehlo"),
>>>> but it still comes back to the "effort priorities". I've been working
>>>> with the right folks to make this a better experience all around
>>>> (especially for the MVPs), but these things tend to move slowly...
>>>>
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>> Sent: Monday, February 26, 2007 9:54 AM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>>
>>>> Conflicting info, then. I was told by a source that non-MSFT lists were
>>>> poo-poo'ed on for liability and NDA reasons.
>>>>
>>>> And while I totally understand the "bottom line" thinking, it seems like
>>>> a huge waste to initiate something like the MVP program and to go through
>>>> all the motions only to do it half-assed.
>>>>
>>>> t
>>>>
>>>> On 2/26/07 9:35 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>>>>
>>>>> In fact, ISA product team members are strongly encouraged to participate
>>>>> in lists, NG, blogs and all other manner of public communication
>>>>> efforts.
>>>>> The sad fact is; the time available for such endeavors is woefully
>>>>> small.
>>>>> MS, like many profit-making businesses, operates with the smallest teams
>>>>> required to produce product "X".
>>>>> Unfortunately, with software engineering being what it is, and the
>>>>> pressures of the marketing "old boy club", the teams are too small to
>>>>> cover all the "nice to do" bases and still leave folks time for
>>>>> themselves.
>>>>>
>>>>> -----Original Message-----
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>> Sent: Monday, February 26, 2007 9:07 AM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>>>
>>>>> I never really saw much from the PM's over there- just that one stint
>>>>> about SQL logging, and to be honest, there wasn't much valuable content
>>>>> sourced from the MSFT side...
>>>>> In fact, as I understand it, the PM and
>>>>> product support people (other than Jim) are apparently not pushed to
>>>>> participate (and may be asked not to) because of the fact that it is NOT
>>>>> an official MSFT site, and that NDA and product liability may be an
>>>>> issue.
>>>>>
>>>>> I'm going to draft up a "suggestions for the MVP program" and submit
>>>>> them to the powers that be, just so that things like this can be
>>>>> addressed.
>>>>>
>>>>> t
>>>>>
>>>>> On 2/26/07 8:50 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>>>
>>>>> It's been a real problem for the ISA PG to work with the ISA
>>>>> MVPs, because they think that the ISA MVPs are still involved with the
>>>>> ISA MVP mailing list. I explained to them that because of "issues" with
>>>>> that list that there was less than optimal participation and that they
>>>>> needed to get a MS managed solution. At the very least, they could
>>>>> create their own DL and send mail to people on that list. I hate missing
>>>>> out on the ISA PGs communications on that "other" list, but my life is
>>>>> so much better not having to listen to the ****** that happens over
>>>>> there.
>>>>>
>>>>> Thomas W Shinder, M.D.
>>>>> Site: www.isaserver.org
>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>> Book: http://tinyurl.com/3xqb7
>>>>> MVP -- Microsoft Firewalls (ISA)
>>>>>
>>>>> ________________________________
>>>>>
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>> Sent: Monday, February 26, 2007 8:56 AM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>>>
>>>>> I spoke with Melissa Travers, the MVP Lead for both ISA
>>>>> and Exchange, and she said the Exchange group's MVP site was really,
>>>>> really good, and that the Exchange group themselves is quite active.
>>>>> Being they are the Exchange group, I can see why they would have a
>>>>> decent portal. ;)
>>>>>
>>>>> I suggested that if there were a single sourced,
>>>>> Microsoft controlled MVP site where we could "browse through" other MVP
>>>>> list content, that issues like this (the perceptions surrounding what
>>>>> Exchange will and won't support and why) would be much easier to
>>>>> manage, and that "the right people" from both sides could engage each
>>>>> other in a positive way when two technologies collide like this. To
>>>>> me, this is a major shortcoming in the MVP program overall. Given the
>>>>> fact that the MVP program was created in order to provide a
>>>>> collaborative environment for various technologies, it seems like a
>>>>> horrible waste of a perfect opportunity to expand that environment out
>>>>> to the MVP's and product teams in other product competencies. The
>>>>> fate of the ISA-MVP list is testament to that.
>>>>>
>>>>> So, in the absence of a coordinated effort on
>>>>> Microsoft's part to wrap its collective arms around the MVP's and
>>>>> product teams, I'll see if I can get on the Exchange MVP list and begin
>>>>> a dialog of exactly what is going on here. But I'll need to get
>>>>> immersed in Ex2007 first, which I've just not had the time to do. The
>>>>> promise of true unified messaging in 2007 was a major draw to me, but
>>>>> given the apparent narrow PBX support and lack of official
>>>>> functionality documentation, the rush to explore has lost its luster.
>>>>>
>>>>> t
>>>>>
>>>>> On 2/26/07 6:02 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>>>>>
>>>>> Documentation always follows the product, which
>>>>> is barely on the streets.
>>>>> I've seen some regarding WM6, but the basic
>>>>> concepts are the same.
>>>>> ..coming soon to a website near you...
>>>>>
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>>>> Sent: Monday, February 26, 2007 3:31 AM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>>>
>>>>> Hi All,
>>>>>
>>>>> Anyone (Tim?) had chance to look at the least
>>>>> privilege approach with Exchange 2007 yet?
>>>>>
>>>>> From what I am hearing the "CAS not supported in
>>>>> perimeter" statement is based more on "we haven't tested it yet" more
>>>>> than "we don't think it is a good idea".
>>>>>
>>>>> I have a few customers looking at placing the
>>>>> entire Exchange architecture behind ISA (very untrusted LANs) - I have
>>>>> done this with Exch2k3, but has anyone looked at this for Exch2k7?
>>>>>
>>>>> I am guessing this is not supported either, but
>>>>> documentation is very thin on the ground with reference to 2k7 and
>>>>> perimeter networking....
>>>>>
>>>>> Cheers
>>>>>
>>>>> JJ
>>>>>
>>>>> ________________________________
>>>>>
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>> Sent: 15 January 2007 15:27
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>>>
>>>>> Right you are... The analogy fits when you use
>>>>> "comparative logic" as opposed to just thinking of the zone in
>>>>> singularity... Compared to the areas on either side of the DMZ, it
>>>>> should be easy to discern any activity at all in the DMZ itself-
>>>>> particularly hostile activities. There are strict policies about what
>>>>> can go on in the Korean DMZ, as there should be in one's network DMZ.
>>>>> Internet traffic is chaotic, and I don't even bother trying to
>>>>> determine what is going on out on my Internet segment- I can't control
>>>>> it anyway (other than my policy of implementing router ACL's to match
>>>>> inbound/outbound traffic policies at my border router). Internal
>>>>> traffic isn't chaotic, but it is hard to monitor for "hostile" packets
>>>>> given the sheer volume and type of traffic being generated by internal
>>>>> users, servers, services, etc to any number of different hosts and
>>>>> clients. But in the DMZ, you should be able to immediately notice when
>>>>> something out of the ordinary is going on. For instance, if I see POP3
>>>>> logon traffic, I know something is FUBAR, as I don't support POP3 in my
>>>>> DMZ at all. If I see modal enumeration by way of a null session, I
>>>>> know something is going on. And etc, etc.
>>>>>
>>>>> So, to me, it fits, and that is the term I
>>>>> choose to use. I won't be changing ;)
>>>>>
>>>>> t
>>>>>
>>>>> On 1/15/07 6:40 AM, "Gerald G. Young" <g.young@xxxxxxxx> spoketh to all:
>>>>>
>>>>> The DMZ in Korea itself isn't crawling with
>>>>> military. Either side of it is, ensuring that the definition of a
>>>>> demilitarized zone is observed and maintained. Before the advent of
>>>>> DMZs in networking, a DMZ meant an area from which military forces,
>>>>> operations, and installations were prohibited. Essentially, it's a
>>>>> wide empty area that constitutes a border with forces on either side
>>>>> pointing guns into it.
>>>>>
>>>>> I've always thought the adaptation of the
>>>>> acronym to the world of networking a bit strange. "Oh! We got
>>>>> activity in our networked DMZ! Kill it!" :-)
>>>>>
>>>>> Cordially yours,
>>>>> Jerry G. Young II
>>>>> Product Engineer - Senior
>>>>> Platform Engineering, Enterprise Hosting
>>>>> NTT America, an NTT Communications Company
>>>>>
>>>>> 22451 Shaw Rd.
>>>>> Sterling, VA 20166
>>>>>
>>>>> Office: 571-434-1319
>>>>> Fax: 703-333-6749
>>>>> Email: g.young@xxxxxxxx
>>>>>
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
>>>>> Sent: Sunday, January 14, 2007 7:08 PM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: RE: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>>>
>>>>> That's what it means to me too. Can't see the
>>>>> Korean no man's land as qualifying as a DMZ when it's crawling with
>>>>> military.
>>>>>
>>>>> In this conversation we have to take into
>>>>> consideration that CAS also includes the capability to provide access to
>>>>> folders and files right in OWA. This may be the thing that the Exchange
>>>>> team thinks throws a monkey wrench into the secure deployment of CAS in
>>>>> a DMZ.
>>>>>
>>>>> ________________________________
>>>>>
>>>>> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
>>>>> Sent: Sat 1/13/2007 6:46 PM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>>>
>>>>> For me, DMZ means scary place completely
>>>>> untrusted, perimeter network means less scary place trusted to a
>>>>> degree, but strongly controlled
>>>>>
>>>>> ________________________________
>>>>>
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>> Sent: 12 January 2007 23:51
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>>>
>>>>> Interesting... Probably a good idea for us to
>>>>> actually articulate what we really mean when we say DMZ.
>>>>>
>>>>> I guess to some it means "free for all network"
>>>>> but for me, it should be the network where you have the most
>>>>> restrictive policies controlling each service so that it is obvious
>>>>> when malicious traffic hits the wire. Thoughts?
>>>>>
>>>>> t
>>>>>
>>>>> On 1/12/07 3:30 PM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all:
>>>>>
>>>>> That's what I thought, now it's what I know....
>>>>>
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>>> Sent: Friday, January 12, 2007 6:35 PM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>>>
>>>>> Aside from normal router & switch ACLs, ISA is
>>>>> the single line of defense.
>>>>> "..we don't need no stinking DMZs"
>>>>>
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
>>>>> Sent: Friday, January 12, 2007 12:12 PM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>>>
>>>>> Ahh...just had a thought.
>>>>>
>>>>> It's all labeling.
>>>>>
>>>>> Jason, and others (not Jason's fault), have been
>>>>> using the term DMZ.
>>>>>
>>>>> Historically, is the term DMZ not taken
>>>>> literally as being completely firewalled off from the trusted networks,
>>>>> and what Jason is talking about is trusted network segmentation.
>>>>>
>>>>> I betcha that's why the Exchange team don't
>>>>> support it...they think it's a typical run of the mill DMZ...
>>>>>
>>>>> Jim, isn't MS's Internal network segmented by
>>>>> using ISA?? Including your mail servers?
>>>>>
>>>>> S
>>>>>
>>>>> All mail to and from this domain is GFI-scanned.
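
The thread's working definition of a DMZ (the segment with the most restrictive per-service policy, so that POP3 logons or SMB enumeration stand out at once) can be expressed as an allow-list check over flow records. This is an added example, not code from any poster in the thread; the subnet, hosts, allow-lists and log format are constructed assumptions.

```python
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport")

DMZ_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed DMZ subnet

# Assumed policy: the only services this DMZ is meant to carry.
INBOUND_OK = {("192.0.2.10", "tcp", 443),   # published web/OWA listener
              ("192.0.2.20", "tcp", 25)}    # SMTP relay
OUTBOUND_OK = {("192.0.2.20", "tcp", 25),   # relay delivering mail onward
               ("192.0.2.20", "udp", 53)}   # relay resolving MX records

# Constructed flow log: timestamp, source, destination, protocol, dest port.
SAMPLE_LOG = """\
2007-01-15T15:01:02 203.0.113.7 192.0.2.10 tcp 443
2007-01-15T15:01:09 198.51.100.4 192.0.2.20 tcp 25
2007-01-15T15:02:30 203.0.113.9 192.0.2.20 tcp 110
2007-01-15T15:02:31 203.0.113.9 192.0.2.20 tcp 110
2007-01-15T15:03:11 192.0.2.10 192.0.2.20 tcp 445
2007-01-15T15:04:00 192.0.2.20 198.51.100.4 tcp 25
2007-01-15T15:05:47 192.0.2.10 203.0.113.50 tcp 8080
2007-01-15T15:06:00 10.0.0.5 10.0.0.9 tcp 445
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines, skipping malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, src, dst, proto, dport = parts
        flows.append(Flow(ts, src, dst, proto.lower(), int(dport)))
    return flows

def in_dmz(addr):
    try:
        return ipaddress.ip_address(addr) in DMZ_NET
    except ValueError:
        return False

def off_policy(flows):
    """Return (flow, reason) for each DMZ flow the policy does not name."""
    hits = []
    for f in flows:
        if in_dmz(f.dst):
            # POP3 (110) or SMB (445) to a DMZ host lands here.
            if (f.dst, f.proto, f.dport) not in INBOUND_OK:
                hits.append((f, "unpublished service on DMZ host"))
        elif in_dmz(f.src) and (f.src, f.proto, f.dport) not in OUTBOUND_OK:
            hits.append((f, "unexpected connection from DMZ host"))
    return hits

def summarize(hits):
    return Counter((reason, f.proto, f.dport) for f, reason in hits)
```

Because the allow-list is short, every hit is worth a look; the same check on an internal segment would drown in legitimate traffic, which is the contrast drawn in the thread.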