[isapros] Re: Customizing Lockdown Policy

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Sun, 21 May 2006 08:31:29 -0700

Looks like Tom was right - it's not the whole of the system policy, but
a select few rules.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Sunday, May 21, 2006 8:26 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Customizing Lockdown Policy

Hi Ori,

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Ori Yosefi
> Sent: Saturday, May 20, 2006 3:39 PM
> To: isapros@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Customizing Lockdown Policy
> 
> If I remember correctly, in lockdown policy the driver would 
> allow all outbound connections from localhost (both new and 
> existing) and a list of 5 or 6 system policy rules (e.g. RDP 
> from remote management computers).
>  
> The relevant system policy rules can be enabled / disabled 
> and the To / From can be modified, although, as the mentioned 
> documentation states, changes to the configuration will only 
> be applied after the firewall service comes up (as it needs 
> to store the modified configuration in the registry for the 
> driver to be able to access it).
>  
> I don't think there is any way to add new policy to the 
> lockdown policy apart from what is mentioned in the above paragraph.
>  
> HTH,
>  
> Ori.
> ________________________________
> 
> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Thomas W Shinder
> Sent: Sat 5/20/2006 9:54 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Customizing Lockdown Policy
> 
> 
> 
> Soon as I can get my wife off our connection, I'll test it. There is a
> System Policy Rule that allows all HTTP to all Networks for CRL checking
> and I'd like to see if that still works. I'd test it now, but she's on a
> FWC machine and not SecureNAT, so her connection will be dropped.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
> 
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> > (Hammer of God)
> > Sent: Saturday, May 20, 2006 2:18 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Customizing Lockdown Policy
> >
> > Ah- well, I was under the impression that all system policies stayed in
> > effect, but according to TechNet, what you described seems to
> > be the case.
> > In my testing, though, everything I've tried that was in system policy
> > worked while in lockdown mode-- however, I didn't actually
> > try everything
> > (like SMTP for instance.)  Jim will have to answer that one.
> >
> > t
> >
> >
> > On 5/20/06 12:17 PM, "Thomas W Shinder"
> > <tshinder@xxxxxxxxxxx> spoketh to
> > all:
> >
> > > Yes, but there are many more types of connections defined in System
> > > Policy -- not all of them are enabled during Lockdown Mode, right?
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > >
> > > 
> > >
> > >> -----Original Message-----
> > >> From: isapros-bounce@xxxxxxxxxxxxx
> > >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > >> Sent: Saturday, May 20, 2006 2:06 PM
> > >> To: isapros@xxxxxxxxxxxxx
> > >> Subject: [isapros] Re: Customizing Lockdown Policy
> > >>
> > >> Yep - all those (except fwengmon) are defined by the system policy.
> > >>
> > >> -----Original Message-----
> > >> From: isapros-bounce@xxxxxxxxxxxxx
> > >> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > >> On Behalf Of Thomas W Shinder
> > >> Sent: Saturday, May 20, 2006 12:11 PM
> > >> To: isapros@xxxxxxxxxxxxx
> > >> Subject: [isapros] Re: Customizing Lockdown Policy
> > >>
> > >> Hi Jim,
> > >>
> > >> I thought lockdown policy was limited to:
> > >>
> > >> * Allowing hosts in the Internal network element to access the
> > >> Local Host network element using the firewall's
> > >> administration protocol.
> > >> * Allowing Remote Desktop Protocol (RDP) from Internal to Local
> > >> Host.
> > >> * Allowing ICMP ping from Internal to Local Host.
> > >> * Allowing DHCP from any host to Local Host.
> > >> * Outgoing traffic from the firewall to any destination
> > >> * Traffic that already has a connection element (this allows
> > >> stopping the firewall service without disrupting existing
> > >> connections)
> > >> * Traffic that is to/from the allowed range determined by using
> > >> FWENGMON
> > >>
> > >> Thanks!
> > >> Tom
> > >>
> > >> Thomas W Shinder, M.D.
> > >> Site: www.isaserver.org
> > >> Blog: http://blogs.isaserver.org/shinder/
> > >> Book: http://tinyurl.com/3xqb7
> > >> MVP -- ISA Firewalls
> > >>
> > >> 
> > >>
> > >>> -----Original Message-----
> > >>> From: isapros-bounce@xxxxxxxxxxxxx
> > >>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > >>> Sent: Saturday, May 20, 2006 1:52 PM
> > >>> To: isapros@xxxxxxxxxxxxx
> > >>> Subject: [isapros] Re: Customizing Lockdown Policy
> > >>>
> > >>> Sorta.
> > >>> Lockdown allows all the system policy traffic.
> > >>> Thus, if you want to change the traffic profile for lockdown,
> > >>> you can do
> > >>> it via system policy management.
> > >>>
> > >>> It's not as flexible as array policies, but it covers 99.444% of what
> > >>> the ISA admin needs to bring the server back to life.
> > >>>
> > >>> -----Original Message-----
> > >>> From: isapros-bounce@xxxxxxxxxxxxx
> > >>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > >>> On Behalf Of Thomas W Shinder
> > >>> Sent: Saturday, May 20, 2006 11:45 AM
> > >>> To: isapros@xxxxxxxxxxxxx
> > >>> Subject: [isapros] Customizing Lockdown Policy
> > >>>
> > >>> Hey guys,
> > >>> 
> > >>> I know there is a default lockdown policy, but I was wondering while
> > >>> watering the flowers this morning if there was a method to
> > >>> customize the lockdown policy, other than using FWENGMON ?
> > >>> 
> > >>> Thanks!
> > >>> Tom
> > >>> 
> > >>> Thomas W Shinder, M.D.
> > >>> Site: www.isaserver.org <http://www.isaserver.org/>
> > >>> Blog: http://blogs.isaserver.org/shinder/
> > >>> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> > >>> MVP -- ISA Firewalls
> > >>>
> > >>> 
> > >>>
> > >>> All mail to and from this domain is GFI-scanned.
> > >>>

