ISA Server 2004 introduces a feature known as lockdown mode, which allows an ISA Server to keep protecting the network in a limited capacity whenever the Microsoft Firewall service is not running, whether because the service crashed, was stopped by an alert action, or has not yet started. Because the Firewall service is what applies the firewall policy, knowing what the server does in its absence is essential when administering an ISA Server.
Administering and Understanding Lockdown Mode
In lockdown mode the ISA Server computer itself (the Local Host network) keeps outbound access to all networks and remains reachable for remote management, so administrators can still get to the server to troubleshoot it. Traffic through the firewall, on the other hand, is blocked: inbound connections are dropped (DHCP and the system policy rules that permit remote management are the exceptions), and VPN client and site-to-site access is denied. Configuration changes made while the server is in lockdown mode are not applied until the Firewall service restarts. The effect is that the server fails closed, keeping its own critical access intact and protecting the internal network from denial of service (DoS) or other attacks, while remaining available for repair.
Triggering and Resetting ISA Lockdown Mode
Entry into lockdown mode can be triggered by various mechanisms, based on the sensitivity of the environment and the rules of the organization. For example, a highly sensitive organization that is a frequent target of attacks could configure an ISA Server to stop the Firewall service, and so block all inbound access to the organization, when specific types of attacks or port scans are detected.
To change the conditions under which a server enters lockdown mode, click the Configure Alert Definitions link in the Tasks tab of the Alerts tab in the Monitoring node of the console. This displays the alert definitions, shown in Figure 16.12, which can then be modified.
Figure 16.12. Configuring alert definitions.
For example, the default setting for the Log Failure alert, whose properties can be viewed by double-clicking the entry in the dialog box, is to take the action of stopping the Firewall service, which puts the server into lockdown mode. The action is set on the Actions tab, as shown in Figure 16.13. This default is a deliberate fail-closed choice: rather than pass traffic it can no longer log, ISA Server stops passing traffic. Removing the action keeps the network online through a logging outage, but at the cost of having no record of what passed through during it.
Figure 16.13. Setting the alert actions.
Configuring the alert actions in this way sets the thresholds at which a server enters lockdown mode. To take a server out of lockdown mode, restart the Firewall service. Before doing so, correct the condition that triggered the alert (for a Log Failure alert, typically a full log volume or an unreachable logging database); otherwise the same alert fires again and the service stops again as soon as it is restarted.
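The check-and-restart step above, written as a PowerShell script. This is an added example and not code from the book or from ISA Server; it assumes the ISA Server 2004 Microsoft Firewall service is registered under the service name fwsrv, and the log directory in $LogPath is an assumption that should be adjusted to match the installation.

```powershell
# Added example, not part of the original text: bring an ISA Server 2004
# computer out of lockdown mode by restarting the Microsoft Firewall service,
# but only after checking the most common Log Failure cause (a full log volume),
# because the alert would otherwise stop the service again immediately.
# Assumptions: the service name is fwsrv (Microsoft Firewall); $LogPath is the
# directory ISA Server writes its logs to on this installation (adjust as needed).

param(
    [string]$LogPath = 'C:\Program Files\Microsoft ISA Server\ISALogs',
    [int]$MinFreeMB = 500   # refuse to restart if the log volume has less free space than this
)

$svc = Get-Service -Name 'fwsrv' -ErrorAction Stop
Write-Host "Microsoft Firewall service is currently: $($svc.Status)"

if ($svc.Status -eq 'Running') {
    Write-Host 'Firewall service is running; the server is not in lockdown mode.'
    return
}

# Lockdown mode is in effect. Check the log volume before restarting, since a
# Log Failure alert simply stops the service again if its cause remains.
$drive  = (Split-Path -Qualifier $LogPath).TrimEnd(':')
$vol    = Get-PSDrive -Name $drive
$freeMB = [math]::Round($vol.Free / 1MB)
Write-Host "Free space on volume ${drive}: (holds $LogPath): $freeMB MB"

if ($freeMB -lt $MinFreeMB) {
    Write-Warning "Only $freeMB MB free on the log volume; free space before restarting, or the Log Failure alert will stop the firewall again."
    return
}

# Restart the service and wait for it to report Running. Restart-Service on a
# service that is already stopped simply starts it.
Restart-Service -Name 'fwsrv' -ErrorAction Stop
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Write-Host "Microsoft Firewall service is now: $((Get-Service -Name 'fwsrv').Status); lockdown mode has ended."
```

Run the script in an elevated session on the ISA Server itself, or through a Remote Desktop session, since remote MMC and RDP are among the few inbound paths that lockdown mode leaves open. After the service is back, confirm in the Alerts tab that the Log Failure alert does not reappear.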