The Forefront TMG firewall, like the ISA firewall, will enter lockdown mode when certain events take place. For example, when there’s a problem with logging, there is a pre-configured alert action that sends the ISA and TMG firewall into lockdown mode. Any time the firewall service is disabled, the firewall will enter lockdown mode.
What happens when the TMG firewall goes into lockdown mode? The following applies:
- The kernel-mode packet filter driver (fweng) applies the firewall policy.
- Outgoing traffic from the Local Host network to all networks is allowed. If an outgoing connection is established, that connection can be used to respond to incoming traffic. For example, a DNS query can receive a DNS response on the same connection.
- The following system policy rules continue to allow incoming traffic to the Local Host network unless they are disabled:
  - Allow remote management from selected computers using MMC.
  - Allow remote management from selected computers using Terminal Server.
  - Allow DHCP replies from DHCP servers to Forefront TMG.
  - Allow ICMP (PING) requests from selected computers to Forefront TMG.
- VPN remote access clients cannot access Forefront TMG. Similarly, access is denied to remote site networks in site-to-site VPN scenarios.
- Any changes to the network configuration that are made in lockdown mode are applied only after the Firewall service restarts and Forefront TMG exits lockdown mode.
- Forefront TMG does not issue any alerts.
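To make the lockdown behaviour above concrete, here is an added Python tabletop model (not TMG code and not from the original post) that answers "would this flow pass while the firewall is locked down?" using only the rules listed. The network names, the `selected_computers` set and the `Remote Site` label are assumptions for illustration.

```python
"""Tabletop model of Forefront TMG lockdown-mode policy (assumed names, for illustration)."""
from dataclasses import dataclass, field

LOCAL_HOST = "Local Host"

# System policy rules that still admit inbound traffic to the Local Host network during
# lockdown, keyed by the traffic type each covers (rule names as listed in the post).
INBOUND_SYSTEM_RULES = {
    "MMC": "Allow remote management from selected computers using MMC",
    "RDP": "Allow remote management from selected computers using Terminal Server",
    "DHCP-reply": "Allow DHCP replies from DHCP servers to Forefront TMG",
    "ICMP": "Allow ICMP (PING) requests from selected computers to Forefront TMG",
}

@dataclass(frozen=True)
class Flow:
    src_net: str   # e.g. "Local Host", "Internal", "External", "VPN Clients", "Remote Site"
    dst_net: str
    proto: str     # e.g. "DNS", "RDP", "HTTP"
    src: str       # endpoint address; checked against the rule's "selected computers"
    dst: str

@dataclass
class LockdownPolicy:
    enabled_rules: set = field(default_factory=lambda: set(INBOUND_SYSTEM_RULES))
    selected_computers: set = field(default_factory=set)  # also the DHCP servers
    _established: set = field(default_factory=set)        # outbound (src, dst, proto)

    def evaluate(self, flow: Flow) -> tuple[bool, str]:
        # Replies on a connection the firewall itself opened are allowed.
        if (flow.dst, flow.src, flow.proto) in self._established:
            return True, "reply on established outbound connection"
        # Outgoing traffic from Local Host to any network is allowed and tracked.
        if flow.src_net == LOCAL_HOST:
            self._established.add((flow.src, flow.dst, flow.proto))
            return True, "outbound from Local Host"
        # VPN remote access clients and site-to-site remote networks are denied.
        if flow.src_net in {"VPN Clients", "Remote Site"}:
            return False, "VPN access denied in lockdown"
        # Inbound to Local Host survives only via the listed system policy rules.
        if flow.dst_net == LOCAL_HOST and flow.proto in INBOUND_SYSTEM_RULES:
            if flow.proto not in self.enabled_rules:
                return False, f"rule disabled: {INBOUND_SYSTEM_RULES[flow.proto]}"
            if flow.src not in self.selected_computers:
                return False, "source is not one of the rule's selected computers"
            return True, INBOUND_SYSTEM_RULES[flow.proto]
        return False, "no lockdown rule matches; traffic dropped"
```

Running a planned management path through this model before an outage is a cheap way to confirm the box stays reachable; the practical check is that the remote-management rules are enabled and your admin station is in their selected-computers set.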
For more information on TMG firewalls in lockdown mode, check out http://technet.microsoft.com/en-us/library/cc441609.aspx
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
MVP — Forefront Edge Security (ISA/TMG/IAG)