System Policy Rules 12, 13, 14

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Saturday, May 20, 2006 2:32 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Customizing Lockdown Policy
>
> I'm confused then... Remote Access VPN client connections, site to
> site VPN, etc are not even part of the System Policy in the first
> place...
>
> t
>
> On 5/20/06 12:29 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> spoketh to all:
>
> > OK, sho 'nuf. But even if I enable them not all of them will be
> > enabled during lockdown. Remote Access VPN client connections, site
> > to site VPN client connections, more?
> >
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >> Sent: Saturday, May 20, 2006 2:13 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: Customizing Lockdown Policy
> >>
> >> Actually, not all of them are enabled, period; although all of
> >> them are honored during lockdown. This is the primary purpose of
> >> the system policies - to allow ISA to function as a member of the
> >> network, even in the face of service failure.
> >>
> >> What policies are enabled by default largely depends on the server
> >> context discovered when ISA was installed.
> >>
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> >> Sent: Saturday, May 20, 2006 12:17 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: Customizing Lockdown Policy
> >>
> >> Yes, but there are many more types of connections defined in System
> >> Policy -- not all of them are enabled during Lockdown Mode, right?
> >>
> >>> -----Original Message-----
> >>> From: isapros-bounce@xxxxxxxxxxxxx
> >>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >>> Sent: Saturday, May 20, 2006 2:06 PM
> >>> To: isapros@xxxxxxxxxxxxx
> >>> Subject: [isapros] Re: Customizing Lockdown Policy
> >>>
> >>> Yep - all those (except fwengmon) are defined by the system policy.
> >>>
> >>> -----Original Message-----
> >>> From: isapros-bounce@xxxxxxxxxxxxx
> >>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> >>> Sent: Saturday, May 20, 2006 12:11 PM
> >>> To: isapros@xxxxxxxxxxxxx
> >>> Subject: [isapros] Re: Customizing Lockdown Policy
> >>>
> >>> Hi Jim,
> >>>
> >>> I thought lockdown policy was limited to:
> >>>
> >>> * Allowing hosts in the Internal network element to access the
> >>>   Local Host network element using the firewall's
> >>>   administration protocol.
> >>> * Allowing Remote Desktop Protocol (RDP) from Internal to Local
> >>>   Host.
> >>> * Allowing ICMP ping from Internal to Local Host.
> >>> * Allowing DHCP from any host to Local Host.
> >>> * Outgoing traffic from the firewall to any destination
> >>> * Traffic that already has a connection element (this allows
> >>>   stopping the firewall service without disrupting existing
> >>>   connections)
> >>> * Traffic that is to/from the allowed range determined by using
> >>>   FWENGMON
> >>>
> >>> Thanks!
> >>> Tom
> >>>
> >>>> -----Original Message-----
> >>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >>>> Sent: Saturday, May 20, 2006 1:52 PM
> >>>> To: isapros@xxxxxxxxxxxxx
> >>>> Subject: [isapros] Re: Customizing Lockdown Policy
> >>>>
> >>>> Sorta.
> >>>> Lockdown allows all the system policy traffic.
> >>>> Thus, if you want to change the traffic profile for lockdown,
> >>>> you can do it via system policy management.
> >>>>
> >>>> It's not as flexible as array policies, but it covers 99.444% of
> >>>> what the ISA admin needs to bring the server back to life.
> >>>>
> >>>> -----Original Message-----
> >>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> >>>> Sent: Saturday, May 20, 2006 11:45 AM
> >>>> To: isapros@xxxxxxxxxxxxx
> >>>> Subject: [isapros] Customizing Lockdown Policy
> >>>>
> >>>> Hey guys,
> >>>>
> >>>> I know there is a default lockdown policy, but I was wondering
> >>>> while watering the flowers this morning if there was a method to
> >>>> customize the lockdown policy, other than using FWENGMON ?
> >>>>
> >>>> Thanks!
> >>>> Tom
> >>>>
> >>>> All mail to and from this domain is GFI-scanned.