That's a shame and definitely your loss. Tim is right; while ISA can ignore a specific client when it triggers flood mitigation, this is not "lockdown". Actually, alerts aren't the only thing that can cause lockdown, and they're not even the most common. Anything that can cause the Firewall service to hang or stop will create the same effect. This is what I alluded to with "crappy plug-ins". PSS has logged *MANY* cases where a filter bug caused ISA to crash on a regular basis, forcing a lockdown scenario. The worst part of it is that they frequently wouldn't let PSS remove the filter to validate the bug theory, citing "security requirements" while simultaneously crying "SLA!!". This is where reboots sometimes gave temporary relief but actually did *nothing* to solve the problem. From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR Sent: Tuesday, April 03, 2007 4:25 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: lockdown mode Well I was looking for another answer, I will not be able to offer you the position we have open. Maybe next time ;-) Regards Diego R. Pietruszka MSC (USA) - Interlink Transport Technologies ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God) Sent: Tuesday, April 03, 2007 1:58 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: lockdown mode The "alert" configuration dictates the circumstances under which lockdown occurs. You can define them to suit your needs. Regarding your "attack" question, no, ISA doesn't go into lockdown because of an attack. That would defeat the purpose ;) If you want to restart the services first and ask questions later when a lockdown occurs, that is completely your choice. I, however, would choose to appreciate the security posture of "lockdown" mode (as configured) and to perform due diligence in administration of my enterprise firewall before I just restart the services that have told you there is a serious issue in the very service that is protecting your network. But that's just me. t ----- Original Message ----- From: D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR <mailto:DPietruszka@xxxxxx> To: isalist@xxxxxxxxxxxxx Sent: Monday, April 02, 2007 5:29 PM Subject: [isalist] Re: lockdown mode And who told you that you will be able to solve the problem? Is the only reason for ISA to go to lock down mode an internal fail? What if was an attack and that will not happen again? -------------------------- Sent from my BlackBerry Wireless Device -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx <isalist-bounce@xxxxxxxxxxxxx> To: isalist@xxxxxxxxxxxxx <isalist@xxxxxxxxxxxxx> Sent: Mon Apr 02 19:52:11 2007 Subject: [isalist] Re: lockdown mode http://www.ISAserver.org ------------------------------------------------------- In this case, if you don't solve the problem that caused the symptoms, you merely repeat the symptoms. Discover and solve the problem first. -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR Sent: Monday, April 02, 2007 4:02 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: lockdown mode Well in a production environment I would restart the service first and then ask ISA why that happened. -------------------------- Sent from my BlackBerry Wireless Device -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx <isalist-bounce@xxxxxxxxxxxxx> To: isalist@xxxxxxxxxxxxx <isalist@xxxxxxxxxxxxx> Sent: Mon Apr 02 18:53:12 2007 Subject: [isalist] Re: lockdown mode http://www.ISAserver.org ------------------------------------------------------- Do what Tim said. If you don't know why it happened, it's likely to happen again. -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God) Sent: Monday, April 02, 2007 2:26 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: lockdown mode You have to find out what caused ISA to go into Lockdown first, rectify the situation, and then restart the services. t ---- Timothy Mullen, MVP, MCSE, MCT, MCSD Vice President of Consulting Services NGS Software www.ngssoftware.com Check out Thor's "Microsoft Ninjitsu: Blackbelt Edition" at Blackhat Vegas 2007! http://www.blackhat.com/html/bh-usa-07/train-bh-us-07-tm-ms-bbe.html ----- Original Message ----- From: Michael Ross <mailto:mross@xxxxxxxxxxx> To: isalist@xxxxxxxxxxxxx Sent: Monday, April 02, 2007 1:54 PM Subject: [isalist] lockdown mode if an ISA box went into lockdown mode, how could you make it return to a normal state? (ISA 2004 SP2) All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned.