[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 10 Jan 2007 22:35:24 -0000

From what I can gather, the new CAS role now uses RPC to communicate
with the back-end (not sure of new name!) servers so I am guessing that
this is an "RPC isn't safe across firewalls" type stance. Which I guess
for a PIX, is a pretty true statement.
 
Just think how much safer the world will be when firewalls can
understand dynamic protocols like RPC...maybe one day firewalls will
even be able to understand and filter based upon RPC interface...maybe
one day... :-D ;-)
 
Shame the Exchange team can't see how much ISA changes the traditional
approach to DMZ thinking...kinda makes you think that both teams work
for a different company :-(

Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile:
+44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx> 

 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Greg Mulholland
Sent: 10 January 2007 22:07
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks


I seriously hope that they have take different paths and these are not
limitations on the software or it is going to mean a nice little
redesign and break from custom..
 
Greg

        ----- Original Message ----- 
        From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>  
        To: isapros@xxxxxxxxxxxxx 
        Sent: Thursday, January 11, 2007 8:25 AM
        Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks


        Hi All, 

        I heard today from an Exchange MVP colleague that members of the
Exchange team (Scott Schnoll) are saying that they (Microsoft) do not
support placing the new Exchange 2007 Client Access Server (like the old
Exch2k3 FE role) role into a perimeter network. Has anyone else heard
the same? This sounds very similar to Exchange admins of old when they
didn't really understand modern application firewalls like ISA could do
- RPC filter anyone???
http://groups.google.co.uk/group/microsoft.public.exchange.design/browse
_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rn
um=2&hl=en#4db165c21599cf9b
<http://groups.google.co.uk/group/microsoft.public.exchange.design/brows
e_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&r
num=2&hl=en#4db165c21599cf9b> 

        I have just about managed to convince Exchange colleagues (and
customers) of the value of placing Exchange FE servers in a separate
security zone from BE servers, DC's etc and now I here this...

        Are the Exchange team confusing the old traditional DMZ's with
what ISA can achieve with perimeter networks? 

        From what I believe, it is good perimeter security practice to
place servers which are Internet accessible into different security
zones than servers that are purely internal. Therefore, the idea of
placing Exchange 2003 FE servers in an ISA auth access perimeter network
with Exchange 2003 BE servers on the internal network has always seemed
like a good approach. It also follows a good least privilege model. 

        Is this another example of the Exchange and ISA teams following
different paths???? 

        Please tell me that I am wrong and that I am not going to have
to start putting all Exchange roles, irrespective of security risk, on
the same network again!!!!

        Comments? 

        Cheers 

        JJ

Other related posts:

  1. Home
  2. isapros
  3. Archive
  4. 01-2007