RE: ISA denies DHCP request
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 5 Dec 2005 14:09:10 -0600
Hi Amy,
> SBS LocalHost DHCP Access (DHCP Reply protocol from External to
> LocalHost by All Users)
Allows external DHCP servers to reply to the ISA firewall's DHCP request
> All DHCP Requests from ISA to All Networks (DHCP request
> protocol, from
> Internal to All Networks by All Users.)
Allows the ISA firewall to send DHCP requests
> Allow DHCP Replies from DHCP Servers to ISA Server (DHCP
> reply protocol,
> from Internal to Local Host by All Users)
Allows DHCP servers on the default Internal Network to reply to DHCP
requests made by the ISA firewall.
So, none of these would pertain to using the ISA firewall as a DHCP
server. Am I off here?
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Monday, December 05, 2005 1:58 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA denies DHCP request
>
> http://www.ISAserver.org
>
> It is.
>
> SBS servers are given these default ISA DHCP rules:
>
> SBS LocalHost DHCP Access (DHCP Reply protocol from External to
> LocalHost by All Users)
>
> And these System Policy entries:
>
> All DHCP Requests from ISA to All Networks (DHCP request
> protocol, from
> Internal to All Networks by All Users.)
>
> Allow DHCP Replies from DHCP Servers to ISA Server (DHCP
> reply protocol,
> from Internal to Local Host by All Users)
>
>
> Amy
>
> Harbor Computer Services
> Small Business Computer Specialists
>
> Client Blog: http://smalltechnotes.blogspot.com/
> Tech Blog: http://isainsbs.blogspot.com/
> Website: http://www.harborcomputerservices.net/
>
>
>
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Monday, December 05, 2005 2:45 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA denies DHCP request
>
> http://www.ISAserver.org
>
> Is the DHCP service configured to use only the internal interface?
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> > Sent: Monday, December 05, 2005 1:29 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: ISA denies DHCP request
> >
> > http://www.ISAserver.org
> >
> > Yes, it is.
> >
> > Amy
> >
> > Harbor Computer Services
> > Small Business Computer Specialists
> >
> > Client Blog: http://smalltechnotes.blogspot.com/
> > Tech Blog: http://isainsbs.blogspot.com/
> > Website: http://www.harborcomputerservices.net/
> >
> >
> >
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Monday, December 05, 2005 2:20 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: ISA denies DHCP request
> >
> > http://www.ISAserver.org
> >
> > Hi Amy,
> >
> > Is the DHCP server on the ISA firewall?
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> >
> >
> > > -----Original Message-----
> > > From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> > > Sent: Monday, December 05, 2005 1:12 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] ISA denies DHCP request
> > >
> > > http://www.ISAserver.org
> > >
> > > I got stumped this weekend. A fellow consultant has a SBS
> > box with ISA
> > > 2004. After the upgrade from ISA 2000 to ISA 2004, ISA denies DHCP
> > > requests because it sees them as coming in on the external NIC.
> > >
> > > I checked all of the usual stuff. NICs are configured
> > > correctly. Binding
> > > order is correct. Routing table looks normal. DHCP rules
> > are correct.
> > > Clients are correctly configured. External NIC is connected
> > > only to the
> > > ADSL modem, Internal NIC is connected only to a switch with
> > the PC's.
> > >
> > > Here's the packets. I can't figure out why ISA thinks these
> > > are external
> > > packets.
> > >
> > > 192.168.1.16 SBSERVER UDP 68 0
> > 0 0
> > > 0x0 0x0 0x0 Firewall 12/4/2005 9:10
> > 192.168.1.2
> > > 67 DHCP (request) Initiated Connection SBS
> Protected Networks
> > > Access Rule 192.168.1.16 Internal Local Host
> > >
> > > 0.0.0.0 SBSERVER UDP 68 0 0 0
> > > 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0x0 Firewall
> > > 12/4/2005 9:10 255.255.255.255 67 DHCP (request) Denied
> > > Connection Default rule 0.0.0.0 External
> Local Host
> > >
> > > 0.0.0.0 SBSERVER UDP 68 0 0 0
> > > 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0x0 Firewall
> > > 12/4/2005 9:10 255.255.255.255 67 DHCP (request) Denied
> > > Connection Default rule 0.0.0.0 External
> Local Host
> > >
> > > 0.0.0.0 SBSERVER UDP 68 0 0 0
> > > 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0x0 Firewall
> > > 12/4/2005 9:10 255.255.255.255 67 DHCP (request) Denied
> > > Connection Default rule 0.0.0.0 External
> Local Host
> > >
> > >
> > > This server also has difficulty with VPN clients. They also
> > don't get
> > > served IP addresses by the DHCP server. However, even when you
> > > statically assign the VPN client an address, access to
> shares on the
> > > server is denied.
> > >
> > > Removed and reinstall DHCP. Disabled and reconfigured Routing
> > > and Remote
> > > Access. No luck.
> > >
> > >
> > >
> > > Amy
> > >
> > > Harbor Computer Services
> > > Small Business Computer Specialists
> > >
> > > Client Blog: http://smalltechnotes.blogspot.com/
> > > Tech Blog: http://isainsbs.blogspot.com/
> > > Website: http://www.harborcomputerservices.net/
> > >
> > >
> > >
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion
> > > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > > To unsubscribe visit
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org
> Discussion List as:
> > amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
Other related posts:
