[isapros] Re: Customizing Lockdown Policy

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Sat, 20 May 2006 14:40:45 -0500

System Policy Rules 12, 13, 14

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor 
> (Hammer of God)
> Sent: Saturday, May 20, 2006 2:32 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Customizing Lockdown Policy
> 
> I'm confused then... Remote Access VPN client connections, site to site VPN,
> etc. are not even part of the System Policy in the first place...
> 
> t
> 
> 
> On 5/20/06 12:29 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
> 
> > OK, sho 'nuf. But even if I enable them not all of them will be enabled
> > during lockdown. Remote Access VPN client connections, site to site VPN
> > client connections, more?
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> >  
> > 
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >> Sent: Saturday, May 20, 2006 2:13 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: Customizing Lockdown Policy
> >> 
> >> Actually, not all of them are enabled, period; although all of them are
> >> honored during lockdown.  This is the primary purpose of the system
> >> policies - to allow ISA to function as a member of the network, even in
> >> the face of service failure.
> >> 
> >> What policies are enabled by default largely depends on the server
> >> context discovered when ISA was installed.
> >> 
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> On Behalf Of Thomas W Shinder
> >> Sent: Saturday, May 20, 2006 12:17 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: Customizing Lockdown Policy
> >> 
> >> Yes, but there are many more types of connections defined in System
> >> Policy -- not all of them are enabled during Lockdown Mode, right?
> >> 
> >> Thomas W Shinder, M.D.
> >> Site: www.isaserver.org
> >> Blog: http://blogs.isaserver.org/shinder/
> >> Book: http://tinyurl.com/3xqb7
> >> MVP -- ISA Firewalls
> >> 
> >>  
> >> 
> >>> -----Original Message-----
> >>> From: isapros-bounce@xxxxxxxxxxxxx
> >>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >>> Sent: Saturday, May 20, 2006 2:06 PM
> >>> To: isapros@xxxxxxxxxxxxx
> >>> Subject: [isapros] Re: Customizing Lockdown Policy
> >>> 
> >>> Yep - all those (except fwengmon) are defined by the system policy.
> >>> 
> >>> -----Original Message-----
> >>> From: isapros-bounce@xxxxxxxxxxxxx
> >>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >>> On Behalf Of Thomas W Shinder
> >>> Sent: Saturday, May 20, 2006 12:11 PM
> >>> To: isapros@xxxxxxxxxxxxx
> >>> Subject: [isapros] Re: Customizing Lockdown Policy
> >>> 
> >>> Hi Jim,
> >>> 
> >>> I thought lockdown policy was limited to:
> >>> 
> >>> * Allowing hosts in the Internal network element to access the
> >>> Local Host network element using the firewall's
> >>> administration protocol.
> >>> * Allowing Remote Desktop Protocol (RDP) from Internal to Local
> >>> Host.
> >>> * Allowing ICMP ping from Internal to Local Host.
> >>> * Allowing DHCP from any host to Local Host.
> >>> * Outgoing traffic from the firewall to any destination
> >>> * Traffic that already has a connection element (this allows
> >>> stopping the firewall service without disrupting existing
> >>> connections)
> >>> * Traffic that is to/from the allowed range determined by using
> >>> FWENGMON
> >>> 
> >>> Thanks!
> >>> Tom
> >>> 
> >>> Thomas W Shinder, M.D.
> >>> Site: www.isaserver.org
> >>> Blog: http://blogs.isaserver.org/shinder/
> >>> Book: http://tinyurl.com/3xqb7
> >>> MVP -- ISA Firewalls
> >>> 
> >>>  
> >>> 
> >>>> -----Original Message-----
> >>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >>>> Sent: Saturday, May 20, 2006 1:52 PM
> >>>> To: isapros@xxxxxxxxxxxxx
> >>>> Subject: [isapros] Re: Customizing Lockdown Policy
> >>>> 
> >>>> Sorta.
> >>>> Lockdown allows all the system policy traffic.
> >>>> Thus, if you want to change the traffic profile for lockdown, you can do
> >>>> it via system policy management.
> >>>> 
> >>>> It's not as flexible as array policies, but it covers 99.444% of what
> >>>> the ISA admin needs to bring the server back to life.
> >>>> 
> >>>> -----Original Message-----
> >>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >>>> On Behalf Of Thomas W Shinder
> >>>> Sent: Saturday, May 20, 2006 11:45 AM
> >>>> To: isapros@xxxxxxxxxxxxx
> >>>> Subject: [isapros] Customizing Lockdown Policy
> >>>> 
> >>>> Hey guys,
> >>>>  
> >>>> I know there is a default lockdown policy, but I was wondering while
> >>>> watering the flowers this morning if there was a method to customize the
> >>>> lockdown policy, other than using FWENGMON?
> >>>>  
> >>>> Thanks!
> >>>> Tom
> >>>>  
> >>>> Thomas W Shinder, M.D.
> >>>> Site: www.isaserver.org <http://www.isaserver.org/>
> >>>> Blog: http://blogs.isaserver.org/shinder/
> >>>> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> >>>> MVP -- ISA Firewalls
> >>>> 
> >>>>  
> >>>> 
> >>>> All mail to and from this domain is GFI-scanned.
