About TMG Lockdown Mode
The Forefront TMG firewall, like the ISA firewall before it, enters lockdown mode when certain events take place. For example, when there is a problem with logging, a pre-configured alert action sends the ISA or TMG firewall into lockdown mode. Any time the Firewall service is stopped or disabled, the firewall also enters lockdown mode.
What happens when the TMG firewall goes into lockdown mode? The following:
- The kernel-mode packet filter driver (fweng) applies the firewall policy.
- Outgoing traffic from the Local Host network to all networks is allowed. If an outgoing connection is established, that connection can be used to respond to incoming traffic. For example, a DNS query can receive a DNS response on the same connection.
- The following system policy rules continue to allow incoming traffic to the Local Host network unless they are disabled:
  - Allow remote management from selected computers using MMC.
  - Allow remote management from selected computers using Terminal Server.
  - Allow DHCP replies from DHCP servers to Forefront TMG.
  - Allow ICMP (PING) requests from selected computers to Forefront TMG.
- VPN remote access clients cannot access Forefront TMG. Similarly, access is denied to remote site networks in site-to-site VPN scenarios.
- Any changes to the network configuration that are made in lockdown mode are applied only after the Firewall service restarts and Forefront TMG exits lockdown mode.
- Forefront TMG does not issue any alerts while in lockdown mode.
For more information on TMG firewalls in lockdown mode, check out http://technet.microsoft.com/en-us/library/cc441609.aspx
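Because TMG raises no alerts while in lockdown, the condition is easiest to catch from outside the product. The following PowerShell check is an added example, not code from the post or from Microsoft: it reports the "Firewall service stopped, fweng still enforcing policy" state the list above describes. The packet filter driver name fweng comes from the post; the Firewall service short name fwsrv is an assumption (the name ISA/TMG use for the "Microsoft Firewall" service).

```powershell
# Added example (not from the original post). Assumes the Firewall service
# short name is 'fwsrv' (assumption) and the packet filter driver is 'fweng'
# (named in the post). Run on the TMG host, e.g. from a scheduled task.

function Test-TmgLockdown {
    [CmdletBinding()]
    param(
        [string]$FirewallServiceName = 'fwsrv',   # assumed service short name
        [string]$PacketFilterDriver  = 'fweng'    # kernel-mode driver from the post
    )

    # User-mode Firewall service: stopped/disabled means lockdown per the post.
    $svc = Get-Service -Name $FirewallServiceName -ErrorAction SilentlyContinue
    # Kernel-mode packet filter driver: keeps enforcing policy during lockdown.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver `
                           -Filter "Name='$PacketFilterDriver'" `
                           -ErrorAction SilentlyContinue

    $serviceState   = if ($null -ne $svc) { [string]$svc.Status } else { 'NotFound' }
    $driverState    = if ($null -ne $drv) { [string]$drv.State }  else { 'NotFound' }
    $serviceRunning = ($serviceState -eq 'Running')
    $driverRunning  = ($driverState  -eq 'Running')

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        FirewallService = $serviceState
        PacketFilter    = $driverState
        # Lockdown as the post describes it: policy still applied by fweng,
        # but the Firewall service is not running.
        InLockdown      = ($driverRunning -and -not $serviceRunning)
        CheckedAt       = Get-Date
    }
}

$state = Test-TmgLockdown
if ($state.InLockdown) {
    # Event log and TMG alerts stay silent here, so surface it yourself.
    Write-Warning ("{0}: Firewall service is {1}, fweng is {2}: lockdown mode" -f `
        $state.ComputerName, $state.FirewallService, $state.PacketFilter)
    # Once the root cause (e.g. the logging database) is fixed, restarting the
    # Firewall service exits lockdown and applies any pending network changes:
    # Restart-Service -Name fwsrv
}
$state
```

Restarting the Firewall service is deliberately left commented out so the check can run unattended without changing firewall state.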
HTH,
Tom
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)


Amy B Says:
October 12th, 2008 at 5:48 pm
Tom,
Just a quick note for those that had bad experiences with SQL logging and LockDown Mode in previous versions. TMG is much more tolerant of interruptions to the logging database. So if your SQL server gets rebooted, TMG won’t immediately go into LockDown as previous versions of ISA did.
Paulo Oliveira Says:
October 13th, 2008 at 12:46 pm
Hi Tom,
From what I’ve seen, nothing has changed about lockdown mode on ISA since the 2004 version, except the SQL logging tolerance.
Regards,
Paulo Oliveira.
Joe Swanson Says:
September 7th, 2011 at 1:13 pm
Is there any way to disable the Lockdown mode altogether? This feature, I believe, caused so much headache in our network. If a laptop with Skype is connected to our network, immediately ISA 2004 goes into lockdown mode and shuts down the whole network. Nobody can go anywhere. I can’t even TS into ISA. I have to reboot ISA before any outbound traffic (Internal –> External) can get to the WAN. The event viewer has no entry.
I would expect ISA to ONLY shut down / block the offending client’s traffic, not bring down the entire network. This is very embarrassing. I thought I wouldn’t have to deal with this problem in TMG 2010.