Right! Occasionally the system policy mode has not been enough for me but I learn to live with it.

Lockdown mode doesn't occur much unless SQL goes into "non-robosity" (I love it, new word for the week which describes everything I can't think of a word for) mode, hence the disabling of it too in most cases :)

greg

________________________________

From: isapros-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God)
Sent: Sun 21/05/2006 5:13 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Customizing Lockdown Policy

But if you edit the system policy, you can change the "to/from" on those defined rules. For instance, the default RDP system policy is not "Allowing Remote Desktop Protocol (RDP) from Internal to Local Host" as you have below - it is RDP from the default "Remote Management Computers" Computer Set. This set is empty by default unless you installed ISA via RDP, in which case it automatically populates the box you installed it from (which is pretty damn smart, if you asked me.)

If you wanted RDP from Internal to LH available while the system was in lockdown, you would have to edit the system policy for Terminal Services (RDP.)

t

On 5/20/06 12:11 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:

> Hi Jim,
>
> I thought lockdown policy was limited to:
>
> * Allowing hosts in the Internal network element to access the
>   Local Host network element using the firewall's administration protocol.
> * Allowing Remote Desktop Protocol (RDP) from Internal to Local Host.
> * Allowing ICMP ping from Internal to Local Host.
> * Allowing DHCP from any host to Local Host.
> * Outgoing traffic from the firewall to any destination
> * Traffic that already has a connection element (this allows
>   stopping the firewall service without disrupting existing connections)
> * Traffic that is to/from the allowed range determined by using FWENGMON
>
> Thanks!
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>> Sent: Saturday, May 20, 2006 1:52 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Customizing Lockdown Policy
>>
>> Sorta.
>> Lockdown allows all the system policy traffic.
>> Thus, if you want to change the traffic profile for lockdown, you can do
>> it via system policy management.
>>
>> It's not as flexible as array policies, but it covers 99.444% of what
>> the ISA admin needs to bring the server back to life.
>>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Thomas W Shinder
>> Sent: Saturday, May 20, 2006 11:45 AM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Customizing Lockdown Policy
>>
>> Hey guys,
>>
>> I know there is a default lockdown policy, but I was wondering while
>> watering the flowers this morning if there was a method to customize the
>> lockdown policy, other than using FWENGMON?
>>
>> Thanks!
>> Tom
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org <http://www.isaserver.org/>
>> Blog: http://blogs.isaserver.org/shinder/
>> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
>> MVP -- ISA Firewalls
>>
>> All mail to and from this domain is GFI-scanned.