I'm confused then... Remote Access VPN client connections, site to site VPN, etc are not even part of the System Policy in the first place...

t

On 5/20/06 12:29 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:

> OK, sho 'nuf. But even if I enable them not all of them will be enabled
> during lockdown. Remote Access VPN client connections, site to site VPN
> client connections, more?
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>> Sent: Saturday, May 20, 2006 2:13 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Customizing Lockdown Policy
>>
>> Actually, not all of them are enabled, period; although all of them are
>> honored during lockdown. This is the primary purpose of the system
>> policies - to allow ISA to function as a member of the network, even in
>> the face of service failure.
>>
>> What policies are enabled by default largely depends on the server
>> context discovered when ISA was installed.
>>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>> Sent: Saturday, May 20, 2006 12:17 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Customizing Lockdown Policy
>>
>> Yes, but there are many more types of connections defined in System
>> Policy -- not all of them are enabled during Lockdown Mode, right?
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://blogs.isaserver.org/shinder/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- ISA Firewalls
>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: Saturday, May 20, 2006 2:06 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Customizing Lockdown Policy
>>>
>>> Yep - all those (except fwengmon) are defined by the system policy.
>>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>>> Sent: Saturday, May 20, 2006 12:11 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Customizing Lockdown Policy
>>>
>>> Hi Jim,
>>>
>>> I thought lockdown policy was limited to:
>>>
>>> * Allowing hosts in the Internal network element to access the
>>>   Local Host network element using the firewall's
>>>   administration protocol.
>>> * Allowing Remote Desktop Protocol (RDP) from Internal to Local
>>>   Host.
>>> * Allowing ICMP ping from Internal to Local Host.
>>> * Allowing DHCP from any host to Local Host.
>>> * Outgoing traffic from the firewall to any destination
>>> * Traffic that already has a connection element (this allows
>>>   stopping the firewall service without disrupting existing
>>>   connections)
>>> * Traffic that is to/from the allowed range determined by using
>>>   FWENGMON
>>>
>>> Thanks!
>>> Tom
>>>
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7
>>> MVP -- ISA Firewalls
>>>
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>> Sent: Saturday, May 20, 2006 1:52 PM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: Customizing Lockdown Policy
>>>>
>>>> Sorta.
>>>> Lockdown allows all the system policy traffic.
>>>> Thus, if you want to change the traffic profile for lockdown, you can
>>>> do it via system policy management.
>>>>
>>>> It's not as flexible as array policies, but it covers 99.444% of what
>>>> the ISA admin needs to bring the server back to life.
>>>>
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>>>> Sent: Saturday, May 20, 2006 11:45 AM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Customizing Lockdown Policy
>>>>
>>>> Hey guys,
>>>>
>>>> I know there is a default lockdown policy, but I was wondering while
>>>> watering the flowers this morning if there was a method to customize
>>>> the lockdown policy, other than using FWENGMON ?
>>>>
>>>> Thanks!
>>>> Tom
>>>>
>>>> Thomas W Shinder, M.D.
>>>> Site: www.isaserver.org <http://www.isaserver.org/>
>>>> Blog: http://blogs.isaserver.org/shinder/
>>>> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
>>>> MVP -- ISA Firewalls
>>>>
>>>> All mail to and from this domain is GFI-scanned.