Looks like Tom was right - it's not the whole of the system policy, but a select few rules.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Sunday, May 21, 2006 8:26 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Customizing Lockdown Policy

Hi Ori,

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Ori Yosefi
> Sent: Saturday, May 20, 2006 3:39 PM
> To: isapros@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Customizing Lockdown Policy
>
> If I remember correctly, in lockdown policy the driver would allow all
> outbound connections from localhost (both new and existing) and a list
> of 5 or 6 system policy rules (e.g. RDP from remote management computers).
>
> The relevant system policy rules can be enabled / disabled and the To /
> From can be modified, although, as the mentioned documentation states,
> changes to the configuration will only be applied after the firewall
> service comes up (as it needs to store the modified configuration in
> the registry for the driver to be able to access it).
>
> I don't think there is any way to add new policy to the lockdown policy
> apart from what is mentioned in the above paragraph.
>
> HTH,
>
> Ori.
> ________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Thomas W Shinder
> Sent: Sat 5/20/2006 9:54 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Customizing Lockdown Policy
>
> Soon as I can get my wife off our connection, I'll test it. There is a
> System Policy Rule that allows all HTTP to all Networks for CRL checking
> and I'd like to see if that still works. I'd test it now, but she's on a
> FWC machine and not SecureNAT, so her connection will be dropped.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Saturday, May 20, 2006 2:18 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Customizing Lockdown Policy
> >
> > Ah- well, I was under the impression that all system policies stayed in
> > effect, but according to TechNet, what you described seems to be the case.
> > In my testing, though, everything I've tried that was in system policy
> > worked while in lockdown mode-- however, I didn't actually try everything
> > (like SMTP for instance.) Jim will have to answer that one.
> >
> > t
> >
> > On 5/20/06 12:17 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
> >
> > > Yes, but there are many more types of connections defined in System
> > > Policy -- not all of them are enabled during Lockdown Mode, right?
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > >
> > >> -----Original Message-----
> > >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > >> Sent: Saturday, May 20, 2006 2:06 PM
> > >> To: isapros@xxxxxxxxxxxxx
> > >> Subject: [isapros] Re: Customizing Lockdown Policy
> > >>
> > >> Yep - all those (except fwengmon) are defined by the system policy.
> > >>
> > >> -----Original Message-----
> > >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > >> Sent: Saturday, May 20, 2006 12:11 PM
> > >> To: isapros@xxxxxxxxxxxxx
> > >> Subject: [isapros] Re: Customizing Lockdown Policy
> > >>
> > >> Hi Jim,
> > >>
> > >> I thought lockdown policy was limited to:
> > >>
> > >> * Allowing hosts in the Internal network element to access the
> > >>   Local Host network element using the firewall's administration
> > >>   protocol.
> > >> * Allowing Remote Desktop Protocol (RDP) from Internal to Local Host.
> > >> * Allowing ICMP ping from Internal to Local Host.
> > >> * Allowing DHCP from any host to Local Host.
> > >> * Outgoing traffic from the firewall to any destination
> > >> * Traffic that already has a connection element (this allows
> > >>   stopping the firewall service without disrupting existing
> > >>   connections)
> > >> * Traffic that is to/from the allowed range determined by using
> > >>   FWENGMON
> > >>
> > >> Thanks!
> > >> Tom
> > >>
> > >> Thomas W Shinder, M.D.
> > >> Site: www.isaserver.org
> > >> Blog: http://blogs.isaserver.org/shinder/
> > >> Book: http://tinyurl.com/3xqb7
> > >> MVP -- ISA Firewalls
> > >>
> > >>> -----Original Message-----
> > >>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > >>> Sent: Saturday, May 20, 2006 1:52 PM
> > >>> To: isapros@xxxxxxxxxxxxx
> > >>> Subject: [isapros] Re: Customizing Lockdown Policy
> > >>>
> > >>> Sorta.
> > >>> Lockdown allows all the system policy traffic.
> > >>> Thus, if you want to change the traffic profile for lockdown, you
> > >>> can do it via system policy management.
> > >>>
> > >>> It's not as flexible as array policies, but it covers 99.444% of
> > >>> what the ISA admin needs to bring the server back to life.
> > >>>
> > >>> -----Original Message-----
> > >>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > >>> Sent: Saturday, May 20, 2006 11:45 AM
> > >>> To: isapros@xxxxxxxxxxxxx
> > >>> Subject: [isapros] Customizing Lockdown Policy
> > >>>
> > >>> Hey guys,
> > >>>
> > >>> I know there is a default lockdown policy, but I was wondering
> > >>> while watering the flowers this morning if there was a method to
> > >>> customize the lockdown policy, other than using FWENGMON?
> > >>>
> > >>> Thanks!
> > >>> Tom
> > >>>
> > >>> Thomas W Shinder, M.D.
> > >>> Site: www.isaserver.org <http://www.isaserver.org/>
> > >>> Blog: http://blogs.isaserver.org/shinder/
> > >>> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> > >>> MVP -- ISA Firewalls
> > >>>
> > >>> All mail to and from this domain is GFI-scanned.
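The lockdown behaviour the thread pieces together (existing connections survive, anything outbound from the firewall survives, the fwengmon range survives, and beyond that only a short list of system policy rules that can be toggled and whose From / To can be re-scoped) is easier to reason about as an explicit evaluator than as a mailing-list argument. The block below is an added example for this page, not ISA Server code and not code from any of the thread's authors: the class and function names, the rule table, the protocol labels and the sample connections are all constructed here, and the model makes no claim about which rules the real product actually ships in lockdown mode. Its value for a defender is in answering, before an outage, "which of my management paths would still work if the firewall service stopped?" under a given rule configuration.

```python
"""Model of what survives ISA Server lockdown mode, built from the rule list
quoted in the thread. Added illustration only: names, rules and sample
connections are constructed and are not the product's own policy."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple

LOCAL_HOST = "Local Host"   # the firewall itself
INTERNAL = "Internal"
EXTERNAL = "External"
ANY = "*"                   # wildcard for a rule's From / To / protocol


@dataclass
class Connection:
    src_network: str
    dst_network: str
    protocol: str               # constructed labels, e.g. "RDP", "HTTP"
    src_ip: str
    dst_ip: str
    outbound_from_firewall: bool = False
    existing: bool = False      # already has a connection element


@dataclass
class LockdownRule:
    name: str
    src_network: str
    dst_network: str
    protocol: str
    enabled: bool = True        # Ori: rules can be enabled / disabled


@dataclass
class LockdownPolicy:
    rules: List[LockdownRule]
    fwengmon_ranges: List[str] = field(default_factory=list)

    def set_enabled(self, name: str, enabled: bool) -> None:
        for r in self.rules:
            if r.name == name:
                r.enabled = enabled

    def evaluate(self, c: Connection) -> Tuple[bool, str]:
        """Return (allowed, reason); checks follow the order of Tom's list."""
        if c.existing:
            return True, "existing connection element"
        if c.outbound_from_firewall or c.src_network == LOCAL_HOST:
            return True, "outbound from Local Host"
        for cidr in self.fwengmon_ranges:          # hypothetical fwengmon range
            net = ip_network(cidr)
            if ip_address(c.src_ip) in net or ip_address(c.dst_ip) in net:
                return True, f"fwengmon allowed range {cidr}"
        for r in self.rules:
            if not r.enabled:
                continue
            if (r.src_network in (ANY, c.src_network)
                    and r.dst_network in (ANY, c.dst_network)
                    and r.protocol in (ANY, c.protocol)):
                return True, f"system policy rule: {r.name}"
        return False, "no lockdown rule matches"


def default_lockdown_policy() -> LockdownPolicy:
    """The allowed-traffic list quoted in the thread, expressed as rules.
    Protocol names are constructed placeholders, not ISA's own identifiers."""
    return LockdownPolicy(rules=[
        LockdownRule("Firewall admin from Internal", INTERNAL, LOCAL_HOST, "FirewallAdmin"),
        LockdownRule("RDP from Internal", INTERNAL, LOCAL_HOST, "RDP"),
        LockdownRule("ICMP ping from Internal", INTERNAL, LOCAL_HOST, "ICMP ping"),
        LockdownRule("DHCP from any host", ANY, LOCAL_HOST, "DHCP"),
    ])


def sample_connections() -> List[Tuple[str, Connection]]:
    """Constructed traffic a defender might want to check ahead of an outage."""
    return [
        ("RDP to the firewall", Connection(INTERNAL, LOCAL_HOST, "RDP", "10.0.0.5", "10.0.0.1")),
        ("client web browsing", Connection(INTERNAL, EXTERNAL, "HTTP", "10.0.0.5", "203.0.113.9")),
        ("CRL check from the firewall", Connection(LOCAL_HOST, EXTERNAL, "HTTP", "10.0.0.1", "203.0.113.9", outbound_from_firewall=True)),
        ("established client session", Connection(INTERNAL, EXTERNAL, "HTTP", "10.0.0.5", "203.0.113.9", existing=True)),
        ("inbound SMTP from the Internet", Connection(EXTERNAL, LOCAL_HOST, "SMTP", "198.51.100.7", "10.0.0.1")),
    ]


def survivors(policy: LockdownPolicy) -> List[Tuple[str, bool, str]]:
    return [(label, *policy.evaluate(c)) for label, c in sample_connections()]


if __name__ == "__main__":
    for label, allowed, reason in survivors(default_lockdown_policy()):
        print(f"{'ALLOW' if allowed else 'DROP ':5} {label:32} {reason}")
```

Two points fall out of running it. The CRL-check request Tom wanted to test is allowed here only by the "outbound from Local Host" check, not by any HTTP system policy rule, which is exactly the distinction the thread ends on. And disabling or re-scoping a rule with `set_enabled` changes the result only in the model; Ori's caveat that the real driver reads the stored configuration only after the firewall service comes back up means a change made during lockdown would not help the lockdown you are already in.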