[isapros] Re: ISA DHCP
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: <isapros@xxxxxxxxxxxxx>
- Date: Wed, 1 Nov 2006 16:49:42 -0800
System Policy
DHCP (Request) From Localhost to Anywhere for All Users
..this allows the SBS server to send DHCP requests to any network; nothing else
DHCP (Reply) From Internal to LocalHost for All Users
..this allows the SBS server to receive; nothing else
Firewall Policy
DHCP (Reply) From External to LocalHost for All Users
..this indicates the unwillingness of the SBS team to automate adding the
External network to the DHCP Reply system policy, but that's not what you
asked.. It allows the SBS machine to acquire an IP address from the ISP during
the DHCP Discover cycle.
The SBS rule that handles DHCP traffic between the SBS server and the Internal
network is the "SBS Protected Networks Access Rule", which allows (I may just
puke)
- Protocols = All
- Source = All Protected Networks
- Destination = All Protected Networks
- Users = All Users
Gee; can we say "All/All/All/All"?
Basically, anything that doesn't trigger the ISA flood mitigation or the HTTP
filter (there are no non-default settings here) is allowed between any network
(except External) and the SBS server.
This deployment is not much better than using ISA 2000.
All that aside, what is the state of this rule post-SP2?
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Amy Babinchak
Sent: Wednesday, November 01, 2006 06:26
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP
So I created a new SBS box last weekend and have not installed ISA SP2 yet.
Checked the DHCP rules and they are the same as after ISA SP2. So it appears that
these are the default SBS DHCP rules. I still don't understand why they are
working. Guess I have a mental block on it. Anyone care to educate me?
Here's what we have:
System Policy
DHCP (Request) From Localhost to Anywhere for All Users
DHCP (Reply) From Internal to LocalHost for All Users
Firewall Policy
DHCP (Reply) From External to LocalHost for All Users
Amy Babinchak
________________________________
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Friday, October 27, 2006 12:17 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP
We need to clarify *which* DHCP rules you're talking about...
1. Default System DHCP policies allow
a. DHCP Request from Local Host to Internal (UDP:68 --> UDP:67)
b. DHCP Reply from Internal to local host (UDP:67 --> UDP:68)
2. SBS DHCP policies allow
a. DHCP Request from Internal to Local Host (UDP:68 --> UDP:67)
b. DHCP Reply from Local Host to Internal (UDP:67 --> UDP:68)
If a DHCP relay is in the path between the DHCP client and server, the traffic
between the server and the relay will actually appear as UDP:67 --> UDP:67
regardless of direction. Note that ISA doesn't make any distinction between
this and DHCP Request traffic, since both are destined for UDP:67. Is there a
DHCP helper in either of these environments?
Based on the log excerpt you provided, it appears that it's the array rules
that are failing.
Is that correct?
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Amy Babinchak
Sent: Thursday, October 26, 2006 7:11 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP
In SBS DHCP rules are automagically created in the system policy.
Amy Babinchak
Harbor Computer Services
(248) 546-6056 office
(248) 890-1794 mobile
http://isainsbs.blogspot.com
http://keepitsecure.blogspot.com
http://www.harborcomputerservices.net
________________________________
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Thursday, October 26, 2006 9:26 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP
He doth speaketh truly, doth he.
SBS always had to create an array-level rule allowing DHCP requests & replies
for the internal network.
I'd be very surprised to see SP2 installation removing those, since the SBS
team had to have tested SP2 as well.
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Thomas W Shinder
Sent: Thursday, October 26, 2006 5:20 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP
Hi Amy,
I'm not sure what the scenario is. Is there a DHCP server on the ISA
Firewall? If so, there never were any System Policy Rules that allow for this,
you've always had to create your own rules.
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)
________________________________
From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
Sent: Thursday, October 26, 2006 3:45 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] ISA DHCP
Here's the promised update for the DHCP stops working issue after ISA
SP2 install. More are starting to show up on the SBS yahoo group. The server
that I've seen belongs to Eriq Neale. I know Tom Shinder knows him, he's a
pretty competent guy from there in Texas.
Log excerpt (blank columns omitted):
  Log Time:            10/26/2006 8:43:25 AM
  Log Record Type:     Firewall
  Server Name:         CC-SBS
  Transport:           UDP
  Protocol:            DHCP (request)
  Original Client IP:  0.0.0.0
  Client IP:           0.0.0.0
  Source Port:         68
  Destination IP:      255.255.255.255
  Destination Port:    67
  Source Network:      Internal
  Destination Network: Local Host
  Action:              Denied Connection
  Result Code:         0xc004000d FWX_E_POLICY_RULES_DENIED
  Error Information:   0x0
  Processing Time:     0
  Bytes Sent:          0
  Bytes Received:      0
  Cache Information:   0x0
I also ran an ISA info. Checked the server against mine and the system
policy rules for DHCP are identical. Checked the NIC configurations those look
good too. Checked that .255 is part of the internal network. Checked binding
order and where DHCP is bound. Everything checks out.
If you recreate the DHCP system policy rules as firewall rules, DHCP
works. Saw it with my own eyes. DHCP was working prior to ISA SP2 installation.
I'm stumped. Anyone?
p.s. I wish you guys would monitor the ISA MVP list as well.
Amy Babinchak
All mail to and from this domain is GFI-scanned.
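The port semantics Jim lays out (68->67 is a request, 67->68 a reply, 67->67 is relay traffic that a port-based rule engine cannot tell from a request) and the denied Discover in Amy's log excerpt can be checked mechanically. The following is an added example written for this page, not code from the thread, from ISA Server or from SBS. It assumes a constructed, tab-separated subset of the ISA firewall-log columns shown above (a real export has many more columns), constructed sample records of which only the first mirrors the one in the thread, and hypothetical helper names (`parse_log`, `dhcp_kind`, `required_rule`, `triage`). It names the missing rule in the "DHCP (X) From A to B" form the thread uses.

```python
"""Triage DHCP records from an ISA 2004 firewall log.

Added example for this thread; not from the original posts, ISA Server or SBS.
The column subset, tab separation and sample records below are constructed.
Port semantics follow RFC 2131: 67 = server/relay agent, 68 = client.
"""
from dataclasses import dataclass
from typing import List

DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68

# Constructed subset of ISA firewall-log columns (assumption, not the real export order).
FIELDS = ("client_ip", "src_port", "dst_ip", "dst_port", "transport",
          "protocol", "action", "src_net", "dst_net", "result")

# Constructed records. Only the first mirrors the denied Discover quoted on the page.
SAMPLE_LOG = (
    "0.0.0.0\t68\t255.255.255.255\t67\tUDP\tDHCP (request)\tDenied Connection"
    "\tInternal\tLocal Host\t0xc004000d FWX_E_POLICY_RULES_DENIED\n"
    "192.168.16.2\t67\t255.255.255.255\t68\tUDP\tDHCP (reply)\tInitiated Connection"
    "\tLocal Host\tInternal\t0x0\n"
    "10.0.5.1\t67\t192.168.16.2\t67\tUDP\tDHCP (request)\tDenied Connection"
    "\tInternal\tLocal Host\t0xc004000d FWX_E_POLICY_RULES_DENIED\n"
    "0.0.0.0\t68\t255.255.255.255\t67\tUDP\tDHCP (request)\tInitiated Connection"
    "\tLocal Host\tExternal\t0x0\n"
    "192.168.16.50\t1234\t192.168.16.2\t53\tUDP\tDNS\tInitiated Connection"
    "\tInternal\tLocal Host\t0x0\n"
)


@dataclass
class Record:
    client_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    transport: str
    protocol: str
    action: str
    src_net: str
    dst_net: str
    result: str


def parse_log(text: str) -> List[Record]:
    """Parse tab-separated lines in FIELDS order; reject malformed lines loudly."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        d = dict(zip(FIELDS, parts))
        d["src_port"] = int(d["src_port"])
        d["dst_port"] = int(d["dst_port"])
        records.append(Record(**d))
    return records


def dhcp_kind(rec: Record) -> str:
    """Classify by UDP port pair only, the way a port-based rule engine sees it."""
    if rec.transport != "UDP":
        return "not-dhcp"
    pair = (rec.src_port, rec.dst_port)
    if pair == (DHCP_CLIENT_PORT, DHCP_SERVER_PORT):
        return "request"   # client -> server: Discover/Request/Release/Inform
    if pair == (DHCP_SERVER_PORT, DHCP_CLIENT_PORT):
        return "reply"     # server -> client: Offer/Ack/Nak
    if pair == (DHCP_SERVER_PORT, DHCP_SERVER_PORT):
        return "relay"     # relay agent <-> server; by port alone this looks like a request
    return "not-dhcp"


def is_unaddressed_broadcast(rec: Record) -> bool:
    """A client with no lease yet sends from 0.0.0.0 to the limited broadcast address."""
    return rec.client_ip == "0.0.0.0" and rec.dst_ip == "255.255.255.255"


def required_rule(rec: Record) -> str:
    """Name the rule, in the thread's 'DHCP (X) From A to B' form, that would have to allow this flow."""
    label = "Request" if dhcp_kind(rec) in ("request", "relay") else "Reply"
    return f"DHCP ({label}) From {rec.src_net} to {rec.dst_net}"


def denied_dhcp(records: List[Record]) -> List[Record]:
    return [r for r in records if dhcp_kind(r) != "not-dhcp" and r.action.startswith("Denied")]


def triage(text: str) -> List[str]:
    """One line per denied DHCP record: the missing rule plus the caveats that matter."""
    notes = []
    for rec in denied_dhcp(parse_log(text)):
        note = required_rule(rec)
        if dhcp_kind(rec) == "relay":
            note += " (67->67: relay-agent traffic, matched as a request)"
        if is_unaddressed_broadcast(rec):
            note += " (source 0.0.0.0: client has no address yet, so the rule must key on the network, not a client address)"
        notes.append(note)
    return notes


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Run against the sample, the first denied record resolves to "DHCP (Request) From Internal to Local Host", which is exactly the SBS array-level rule Jim lists (2a) and not either of the default system-policy rules (1a/1b); the third record shows the relay case, where a 67->67 flow is accepted or denied by whatever rule covers requests.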