Hmm. Looks like it was fine. I'll post the other.

t

On 1/12/07 9:00 AM, "Gerald G. Young" <g.young@xxxxxxxx> spoketh to all:

> If it’s participating in the domain, add the subnet to AD, especially if you
> have more than one AD site (I consider this a best practice). A lot of funny
> things can occur with Active Directory aware applications when they can’t
> tell which site they belong to. Exchange (2003), for instance, won’t start an
> information store.
>
> Cordially yours,
> Jerry G. Young II
> Product Engineer - Senior
> Platform Engineering, Enterprise Hosting
> NTT America, an NTT Communications Company
>
> 22451 Shaw Rd.
> Sterling, VA 20166
>
> Office: 571-434-1319
> Fax: 703-333-6749
> Email: g.young@xxxxxxxx
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jason Jones
> Sent: Friday, January 12, 2007 6:53 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> Either way, I think the idea of an intranet CAS and extranet CAS is probably
> a good approach - the extranet CAS one would assume could then go into the
> auth access perimeter network whilst the intranet one could stay on the LAN.
> In this model, each CAS has a different security risk and hence could be put
> into different security zones.
>
> Would it be such a bad thing to add the perimeter subnet to the AD site? It
> will have domain members in it after all...
> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
> jason.jones@xxxxxxxxxxxxxxxxx
>
> ________________________________________
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Greg Mulholland
> Sent: 12 January 2007 05:35
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> Doing a little bit more reading, the only thing I can think might be the
> reason is that apparently each mailbox server needs to have a CAS server in
> its AD site. Therefore they recommend you keep the CAS box on the same LAN.
> Also in multi-domain environments this would add more design considerations.
> Also in larger environments you might need 2 CAS boxes, one for internal
> users and one for external users, for the sake of keeping outbound LAN access
> out of the DMZ or better design.
>
> But I'm not sure about the whole idea of the "swiss cheese" argument. Seems a
> bit like flogging a dead horse to me... I don't see how or why it wouldn't
> work in the DMZ environment.
>
> Greg
>
> ----- Original Message -----
> From: Thomas W Shinder
> To: isapros@xxxxxxxxxxxxx
> Sent: Friday, January 12, 2007 3:22 PM
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> WORD!
>
> I’ll gladly join you in that public nut-kicking when the time comes. What I
> want to understand first is what are the protocol requirements for the CAS to
> the back-end components, and what their rationale is for making the
> statements that have been reported so far. They might have a good point, and
> if they have it, I want to hear it. But if the point is “it’s too hard” or
> “I don’t understand network security, I just say what my boss tells me to
> say” or “I’m on the take with Syphco” then those aren’t valid and body
> parts will deserve some shaking up in the public square.
> The least they can do is state “we don’t have the time or inclination to
> show you how to provide the highest level of network security, but it is
> possible to do it right, we’re just not going to show you how to do it” as
> a disclaimer. With that, we can then go ahead and help those who want to be
> helped ☺
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: Thursday, January 11, 2007 6:40 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> It may be just this type of “beating it to death” that is required to get
> the Exchange group’s attention. I don’t really care if they don’t support
> “perimeter network” deployments as long as ISA is an exception. I have
> every intention to ensure that an ISA authenticated perimeter network DMZ
> segment “in front” of the CAS server is fully supported if the proper
> protocols are allowed. I will make sure to press them into officially
> stating why it is not supported. Even so, if they try that, I will publicly
> kick them in the nuts.
>
> t
>
> On 1/11/07 4:15 PM, "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx> spoketh to
> all:
>
> Hi Amy,
>
> I am not really sure of their reasoning, but think it is based around the
> "Swiss cheese", don't pass intradomain traffic across a normal firewall
> argument.
>
> Sorry, my bad for using the term DMZ, the exact phrase used by Scholl is
> "It's true. The Client Access Server (CAS), which among other things includes
> the OWA feature, is not supported in a perimeter network (aka a DMZ). Instead
> you'll deploy one or more CASs inside your organization and put a robust
> firewall such as ISA 2006 in front of it." I am guessing from experience of
> other Exchange team recommendations that when they say perimeter network they
> really mean a traditional DMZ which is created using traditional packet
> filter firewalls.
> The recommended deployment is to put the CAS on the internal network, e.g. on
> the same network as the Exchange back-end servers. Once the CAS is on the
> internal network, it should then be published to the Internet using ISA.
>
> This design is fine if you want a simple open network where all servers exist
> in the same security zone and hence all trust each other, but many people are
> now trying to better this design by placing different types of servers into
> different security zones based upon their risk level and Internet presence -
> say hello to the ISA auth access perimeter network! ;-)
>
> Basically I think it all harks back to the "don't put domain members in a
> DMZ" mantra, which is a pretty fair statement when using PF firewalls like
> PIX, but things have moved on as least privilege authenticated access
> perimeter networks with ISA are now getting advanced enough to challenge this
> argument. Maybe the difference between a PIX firewall and ISA firewall is
> just too subtle for some people???
>
> Think we have done this to death now!! - be very surprised if the Exchange
> team go back on these types of statements though. I remember Tom banging his
> head against a brick wall with Henrik based upon one of his MSExchange.org
> articles which said "not in the DMZ" type statements.
>
> JJ
> ________________________________________
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Amy Babinchak
> Sent: 11 January 2007 23:15
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> Jason,
>
> What’s the reasoning behind CAS not in the DMZ? Where do they want it?
> Hanging nude off the router? Behind a firewall?
>
> If the latter, then just drop the outdated DMZ language. Most firewall admins
> think that DMZ means nude off the other port on my NAT box. Your least priv
> design puts CAS safely behind a firewall.
>
> Amy Babinchak
> Harbor Computer Services
> ________________________________________
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jason Jones
> Sent: Thursday, January 11, 2007 5:58 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> Thanks Amy - maybe I am being a little oversensitive, just didn't expect some
> of the initial responses.
>
> I tend to avoid most of the main mailing lists, probably for similar reasons
> as others, and I tend to hang out at isaserver.org 95% of the time. Hence
> maybe why only Tom (and Stefan) tend to see my input and views on stuff.
>
> Tom invited me to this list as he felt it would be a good place for me to
> pose all the questions that he can't answer or go unreplied on isaserver.org.
>
> I really do value the combined "ISA brain power" here, but just think it
> could be a little more forgiving and friendly at times... having said that I
> have found answers here that I just couldn't get elsewhere, so don't
> misunderstand me as ungrateful.
>
> Anyhow, back to the "core issue": from what I'm hearing from Exchange MVP
> contacts, MS are playing the "CAS in a DMZ is totally unsupported" tune very
> strongly. This is a real shame as it looks like I will never be able to
> deploy the existing least privilege design with Exchange 2007 without fear of
> customers coming back to us after trying to log PSS calls or getting other
> non-ISA firewall guys in who slate the design... oh well, at least ISA will
> still be involved to some degree, just not as cool as it could be...
>
> JJ
>
> ________________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Amy Babinchak
> Sent: 11 January 2007 15:09
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> Jason, don’t get discouraged.
> The changes in Exchange are monumental so there are bound to be disagreements
> and changes of opinion on how to best secure it. The concept of an
> authenticated access DMZ in a separate security zone allowing only a very
> minimal set of protocols is a completely foreign concept to 99% of firewall
> admins out there. The fact you are even thinking about this stuff puts you in
> an elite class. The rest are still poking holes and setting up VLANs.
>
> Tom, Thor and Jim can be a bit clubby and a little overly poky to newcomers.
> It’s a twitch they developed after participating on the ISA server mailing
> list. It got worse when they decided to join a general purpose SBS list. I’m
> not sure that they’ll ever completely recover.
>
> Amy
>
> ________________________________________
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jason Jones
> Sent: Thursday, January 11, 2007 5:47 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> Wish I had never asked now... sometimes, some of you guys really don't make
> it easy for new people to try to express their views and pose questions for
> comment without being slapped down. One minute I am being labelled as an
> "idiot" for my comments/views, the next minute someone else who says the same
> thing as me is now right and not challenged. What gives?
>
> I know many of you guys don't know me from Adam, but kinda unfair to just
> assume I know jack about ISA and secure network design just because I'm not
> "part of the club".
>
> Anyhow, thanks to Tim and Tom for seeming to share my disappointment with the
> decision made by the Exchange 2007 team... I think I need to try and find out
> how "official" their lack of support with 2k7 is going to be before I can
> continue recommending the least privilege model I have been using for
> Exchange 2003.
> ________________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jim Harrison
> Sent: 11 January 2007 04:30
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> ...maybe I’m just tired…
> I spent two hours trying to get home tonight and I’m clearly not in my mind
> (right or otherwise).
> Forget I wrote and we’ll start over tomorrow…
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: Wednesday, January 10, 2007 8:18 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> That’s exactly what I’m talking about. And precisely the configuration I
> deploy:
>
> My FE is in the authenticated segment of the DMZ – and a member of my
> internal domain; however, the “recommended protocols” the Exchange group
> recommends are not necessary - and thus, Steve’s contention that “CIFS and
> all that other stuff... Might as well just be internal” I reject. I only
> allow Kerberos-Sec, LDAP, LDAP GC, Ping and DNS only from my FE to the
> internal DC’s. And only HTTP to the BE’s.
>
> Even if the other prots WERE required, it would still be far smarter to
> deploy the FE in the authenticated DMZ with limited access than to just give
> full stack access to the ENTIRE internal network. This is a deployment of a
> service made available (initially) to a global, anonymous, untrusted network.
>
> Maybe I’m not properly articulating my point, but I have to say I’m really
> surprised that we are having this conversation...
>
> t
>
> On 1/10/07 7:10 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>
> C’mon, Tim; I know what your deployment recommendations are; this isn’t it.
> He wants to extend his domain via “remote membership”; not create a
> separate domain.
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: Wednesday, January 10, 2007 4:26 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> Because it’s safer that way, that’s why... That’s what an authenticated
> access DMZ perimeter is for – with a CAS server that presents logon services
> to any Internet user, I would (and, in fact, require) that the server be in a
> least-privileged authenticated access perimeter network that limits that
> server's communications to the minimum required for required functionality –
> and only to the hosts it needs to talk to.
>
> Let’s say there is a front-end implementation issue or coding vulnerability:
> the CAS on the internal network would allow unfettered, full-stack access to
> the internal network. A CAS in a perimeter DMZ would mitigate potential
> exposure in the event of a 0day or configuration issue.
>
> “Safer on the internal network” is a complete misnomer when it comes to
> servers presenting services to an untrusted network.
>
> t
>
> On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>
> Why would you want to place a member of your internal domain in your DMZ, fer
> chrissakes?!?
> Hosting any domain member in the DMZ is a difficult proposition; especially
> where NAT is the order of the day.
> You can either use a network shotgun at your firewall or attempt to use your
> favorite VPN tunnel across the firewall to the domain.
>
> Jim
> ________________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
> Sent: Wed 1/10/2007 2:35 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> From what I can gather, the new CAS role now uses RPC to communicate with the
> back-end (not sure of new name!) servers so I am guessing that this is an
> "RPC isn't safe across firewalls" type stance. Which I guess for a PIX, is a
> pretty true statement.
>
> Just think how much safer the world will be when firewalls can understand
> dynamic protocols like RPC... maybe one day firewalls will even be able to
> understand and filter based upon RPC interface... maybe one day... :-D ;-)
>
> Shame the Exchange team can't see how much ISA changes the traditional
> approach to DMZ thinking... kinda makes you think that both teams work for a
> different company :-(
>
> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
> jason.jones@xxxxxxxxxxxxxxxxx
>
> ________________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Greg Mulholland
> Sent: 10 January 2007 22:07
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> I seriously hope that they have taken different paths and these are not
> limitations on the software or it is going to mean a nice little redesign and
> break from custom..
>
> Greg
>
> ----- Original Message -----
> From: Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx>
> To: isapros@xxxxxxxxxxxxx
> Sent: Thursday, January 11, 2007 8:25 AM
> Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks
>
> Hi All,
>
> I heard today from an Exchange MVP colleague that members of the Exchange
> team (Scott Schnoll) are saying that they (Microsoft) do not support placing
> the new Exchange 2007 Client Access Server role (like the old Exch2k3 FE
> role) into a perimeter network. Has anyone else heard the same? This sounds
> very similar to Exchange admins of old when they didn't really understand
> what modern application firewalls like ISA could do - RPC filter anyone???
> http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b
>
> I have just about managed to convince Exchange colleagues (and customers) of
> the value of placing Exchange FE servers in a separate security zone from BE
> servers, DCs etc. and now I hear this…
>
> Are the Exchange team confusing the old traditional DMZs with what ISA can
> achieve with perimeter networks?
>
> From what I believe, it is good perimeter security practice to place servers
> which are Internet accessible into different security zones than servers that
> are purely internal. Therefore, the idea of placing Exchange 2003 FE servers
> in an ISA auth access perimeter network with Exchange 2003 BE servers on the
> internal network has always seemed like a good approach. It also follows a
> good least privilege model.
>
> Is this another example of the Exchange and ISA teams following different
> paths????
>
> Please tell me that I am wrong and that I am not going to have to start
> putting all Exchange roles, irrespective of security risk, on the same
> network again!!!!
>
> Comments?
>
> Cheers
>
> JJ
>
> All mail to and from this domain is GFI-scanned.
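The two administrative steps the thread keeps returning to are registering the perimeter subnet against an AD site so a domain-joined front end can work out which site it belongs to (Jerry's recommendation), and cutting the front end's reach into the internal network down to the protocol set Thor describes (Kerberos, LDAP, Global Catalog, DNS and ping to the DCs, HTTP to the back end). The following is an added PowerShell example, not code from the thread or from any of its participants, showing the host-side half of that design; the ISA rule set in front of the segment would carry the equivalent allow list. It assumes a current Windows Server with the RSAT ActiveDirectory module and the built-in NetSecurity module (these cmdlets post-date the 2007 discussion), and the subnet, site name, DC and back-end addresses are placeholders. NTP to the DCs is added beyond Thor's list because Kerberos fails on clock skew; nothing else is opened.

```powershell
# Added example (not from the thread). Assumptions: run elevated on a domain-joined
# host in the perimeter segment, RSAT ActiveDirectory + NetSecurity modules present;
# every address and name below is a placeholder.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory
Import-Module NetSecurity

$PerimeterSubnet   = '10.10.20.0/24'                 # placeholder: authenticated-access DMZ segment
$PerimeterSite     = 'Perimeter-Site'                # placeholder: AD site for that segment
$DomainControllers = @('10.10.1.10', '10.10.1.11')   # placeholder DC (and DNS) addresses
$BackEndServers    = @('10.10.2.20')                 # placeholder back-end/mailbox addresses

# 1. Map the perimeter subnet to its own AD site so members in the DMZ resolve a
#    site and pick the right DCs instead of failing site lookup.
function Register-PerimeterSubnet {
    param([string]$Subnet, [string]$Site)
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$Site'")) {
        New-ADReplicationSite -Name $Site
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
        New-ADReplicationSubnet -Name $Subnet -Site $Site
    }
}

# 2. Replace "full stack access to the ENTIRE internal network" with an explicit
#    outbound allow list: default block, then only the needed protocols, and only
#    to the hosts that serve them. No CIFS/445, no RPC/135, no catch-all rules.
function Set-PerimeterOutboundPolicy {
    param([string[]]$DCs, [string[]]$BEs)
    $group = 'Perimeter CAS least privilege'
    Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

    # Kerberos (88), LDAP (389), Global Catalog (3268), DNS (53) to the DCs only.
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -Group $group -DisplayName "CAS to DC $proto" `
            -Direction Outbound -Action Allow -Protocol $proto `
            -RemotePort 88, 389, 3268, 53 -RemoteAddress $DCs | Out-Null
    }
    # NTP to the DCs: not in the thread's list, added here because Kerberos
    # rejects tickets once clock skew exceeds the domain tolerance.
    New-NetFirewallRule -Group $group -DisplayName 'CAS to DC NTP' `
        -Direction Outbound -Action Allow -Protocol UDP -RemotePort 123 `
        -RemoteAddress $DCs | Out-Null
    # ICMP echo (ping) to the DCs, used during DC/site discovery.
    New-NetFirewallRule -Group $group -DisplayName 'CAS to DC ping' `
        -Direction Outbound -Action Allow -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $DCs | Out-Null
    # HTTP to the back-end servers only.
    New-NetFirewallRule -Group $group -DisplayName 'CAS to BE HTTP' `
        -Direction Outbound -Action Allow -Protocol TCP -RemotePort 80 `
        -RemoteAddress $BEs | Out-Null
}

# 3. Verify: the host should now report the perimeter site, and the rule group
#    should hold only the intended allow rules.
function Test-PerimeterPlacement {
    $site  = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    $rules = Get-NetFirewallRule -Group 'Perimeter CAS least privilege' |
        Where-Object { $_.Direction -eq 'Outbound' -and $_.Action -eq 'Allow' }
    [pscustomobject]@{ Site = $site; AllowRules = $rules.Count }
}

Register-PerimeterSubnet  -Subnet $PerimeterSubnet -Site $PerimeterSite
Set-PerimeterOutboundPolicy -DCs $DomainControllers -BEs $BackEndServers
Test-PerimeterPlacement
# 'nltest /dsgetsite' gives the same site answer from a command prompt.
```

The allow list is the Exchange 2003 front-end set from the thread; the open question the thread raises for Exchange 2007, whether the new CAS role needs RPC to the back end, is exactly what would have to be added (and filtered by interface at the ISA firewall, not opened as a blanket port range) before this policy is applied to a CAS.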