[isapros] Re: Customizing Lockdown Policy

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Sat, 20 May 2006 12:31:32 -0700

I'm confused then... Remote Access VPN client connections, site to site VPN,
etc are not even part of the System Policy in the first place...

t


On 5/20/06 12:29 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
all:

> OK, sho 'nuf. But even if I enable them not all of them will be enabled
> during lockdown. Remote Access VPN client connections, site to site VPN
> client connections, more?
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>> Sent: Saturday, May 20, 2006 2:13 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Customizing Lockdown Policy
>> 
>> Actually, not all of them are enabled, period; although all of them are
>> honored during lockdown.  This is the primary purpose of the system
>> policies - to allow ISA to function as a member of the network, even in
>> the face of service failure.
>> 
>> What policies are enabled by default largely depends on the server
>> context discovered when ISA was installed.
>> 
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Thomas W Shinder
>> Sent: Saturday, May 20, 2006 12:17 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Customizing Lockdown Policy
>> 
>> Yes, but there are many more types of connections defined in System
>> Policy -- not all of them are enabled during Lockdown Mode, right?
>> 
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://blogs.isaserver.org/shinder/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- ISA Firewalls
>> 
>>  
>> 
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: Saturday, May 20, 2006 2:06 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Customizing Lockdown Policy
>>> 
>>> Yep - all those (except fwengmon) are defined by the system policy.
>>> 
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
>>> On Behalf Of Thomas W Shinder
>>> Sent: Saturday, May 20, 2006 12:11 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Customizing Lockdown Policy
>>> 
>>> Hi Jim,
>>> 
>>> I thought lockdown policy was limited to:
>>> 
>>> * Allowing hosts in the Internal network element to access the
>>>   Local Host network element using the firewall's administration
>>>   protocol.
>>> * Allowing Remote Desktop Protocol (RDP) from Internal to Local Host.
>>> * Allowing ICMP ping from Internal to Local Host.
>>> * Allowing DHCP from any host to Local Host.
>>> * Outgoing traffic from the firewall to any destination
>>> * Traffic that already has a connection element (this allows
>>>   stopping the firewall service without disrupting existing
>>>   connections)
>>> * Traffic that is to/from the allowed range determined by using
>>>   FWENGMON
>>> 
>>> Thanks!
>>> Tom
>>> 
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7
>>> MVP -- ISA Firewalls
>>> 
>>>  
>>> 
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>> Sent: Saturday, May 20, 2006 1:52 PM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: Customizing Lockdown Policy
>>>> 
>>>> Sorta.
>>>> Lockdown allows all the system policy traffic.
>>>> Thus, if you want to change the traffic profile for lockdown, you can
>>>> do it via system policy management.
>>>> 
>>>> It's not as flexible as array policies, but it covers 99.444% of what
>>>> the ISA admin needs to bring the server back to life.
>>>> 
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
>>>> On Behalf Of Thomas W Shinder
>>>> Sent: Saturday, May 20, 2006 11:45 AM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Customizing Lockdown Policy
>>>> 
>>>> Hey guys,
>>>>  
>>>> I know there is a default lockdown policy, but I was wondering while
>>>> watering the flowers this morning if there was a method to customize
>>>> the lockdown policy, other than using FWENGMON?
>>>>  
>>>> Thanks!
>>>> Tom
>>>>  
>>>> Thomas W Shinder, M.D.
>>>> Site: www.isaserver.org
>>>> Blog: http://blogs.isaserver.org/shinder/
>>>> Book: http://tinyurl.com/3xqb7
>>>> MVP -- ISA Firewalls
>>>> 
>>>>  
>>>> 
>>>> All mail to and from this domain is GFI-scanned.