[isapros] Re: ISA DHCP

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 1 Nov 2006 18:43:59 -0600

What are these DHCP rules supposed to do?
 
What is not working when they're not working?
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- Microsoft Firewalls (ISA)

 


________________________________

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
        Sent: Wednesday, November 01, 2006 8:26 AM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA DHCP
        
        

        So I created a new SBS box last weekend and have not installed
ISA SP2 yet. Checked the DHCP rules and they are the same as after ISA SP2.
So it appears that these are the default SBS DHCP rules. I still don't
understand why they are working. Guess I have a mental block on it.
Anyone care to educate me?

         

        Here's what we have:

         

        System Policy

                    DHCP (Request) From Localhost to Anywhere for All
Users

                    DHCP (Reply) From Internal to LocalHost for All
Users

         

        Firewall Policy

                    DHCP (Reply) From External to LocalHost for All
Users

         

         

        Amy Babinchak

         

         

         

        
________________________________


        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Friday, October 27, 2006 12:17 AM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA DHCP

         

        We need to clarify *which* DHCP rules you're talking about...

        1.      Default System DHCP policies allow

        a.       DHCP Request from Local Host to Internal (UDP:68 -->
UDP:67)

        b.      DHCP Reply from Internal to local host (UDP:67 -->
UDP:68)

        2.      SBS DHCP policies allow

        a.       DHCP Request from Internal to Local Host (UDP:68 -->
UDP:67)

        b.      DHCP Reply from Local Host to Internal (UDP:67 -->
UDP:68)

         

        If a DHCP relay is in the path between the DHCP client and
server, the traffic between the server and the relay will actually
appear as UDP:67 --> UDP:67 regardless of direction.  Note that ISA
doesn't make any distinction between this and DHCP Request traffic,
since both are destined for UDP:67.  Is there a DHCP helper in either of
these environments?

         

        Based on the log excerpt you provided, it appears that it's the
array rules that are failing.

        Is that correct?

         

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
        Sent: Thursday, October 26, 2006 7:11 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA DHCP

         

        In SBS, DHCP rules are automagically created in the system
policy.

         

        Amy Babinchak

         

        Harbor Computer Services

        (248) 546-6056 office

        (248) 890-1794 mobile

         

        http://isainsbs.blogspot.com

        http://keepitsecure.blogspot.com

        http://www.harborcomputerservices.net

         

             

         

         

        
________________________________


        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Thursday, October 26, 2006 9:26 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA DHCP

         

        He doth speaketh truly, doth he.

        SBS always had to create an array-level rule allowing DHCP
requests & replies for the internal network.

        I'd be very surprised to see SP2 installation removing those,
since the SBS team had to have tested SP2 as well.

         

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
        Sent: Thursday, October 26, 2006 5:20 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA DHCP

         

        Hi Amy,

         

        I'm not sure what the scenario is. Is there a DHCP server on
the ISA Firewall? If so, there never were any System Policy Rules that
allow for this, you've always had to create your own rules.

         

        Tom

         

        Thomas W Shinder, M.D.
        Site: www.isaserver.org <http://www.isaserver.org/> 
        Blog: http://blogs.isaserver.org/shinder/
        Book: http://tinyurl.com/3xqb7
        MVP -- Microsoft Firewalls (ISA)

         

                 

                
________________________________


                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
                Sent: Thursday, October 26, 2006 3:45 PM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] ISA DHCP

                Here's the promised update for the DHCP stops working
issue after ISA SP2 install. More are starting to show up on the SBS
yahoo group. The server that I've seen belongs to Eriq Neale. I know Tom
Shinder knows him, he's a pretty competent guy from there in Texas. 

                 

                Original Client IP      Client Username   Client Agent
Authenticated Client    Service      Server Name Referring Server
Destination Host Name   Transport   HTTP Method URL      MIME Type
Object Source     Source Proxy      Destination Proxy Bidirectional
Client Host Name  Rule  Filter Information      Network Interface Raw IP
Header     Raw Payload     Log Time    Source Port Processing Time
Bytes Sent  Bytes Received    HTTP Status Code Cache Information Log
Record Type   Destination IP    Destination Port  Protocol      Action
Client IP   Source Network    Destination Network     Result Code Error
Information

                0.0.0.0                             CC-SBS      -
UDP   -     -     -                                         -
10/26/2006 8:43:25 AM   68    0     0      0           0x0   Firewall
255.255.255.255   67    DHCP (request)    Denied Connection  0.0.0.0
Internal    Local Host  0xc004000d FWX_E_POLICY_RULES_DENIED      0x0

                 

                 

                I also ran an ISA info. Checked the server against mine
and the system policy rules for DHCP are identical. Checked the NIC
configurations those look good too. Checked that .255 is part of the
internal network. Checked binding order and where DHCP is bound.
Everything checks out.

                 

                If you recreate the DHCP system policy rules as firewall
rules, DHCP works. Saw it with my own eyes. DHCP was working prior to
ISA SP2 installation. 

                 

                I'm stumped. Anyone?

                 

                p.s. I wish you guys would monitor the ISA MVP list as
well. 

                 

                Amy Babinchak

                 

                 

                 

        All mail to and from this domain is GFI-scanned.
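
Added example, not part of the original thread and not ISA Server's rule engine: a simplified first-match model of the three rule sets listed in the thread, evaluated against the denied packet from the log row. The names Rule, Packet, classify and evaluate are hypothetical, and matching the protocol on destination port only is an assumption taken from the note above that ISA treats anything destined for UDP:67 as a DHCP request.

```python
from dataclasses import dataclass

# Protocol definitions keyed on destination port only (assumption, see lead-in).
PROTOCOLS = {67: "DHCP (request)", 68: "DHCP (reply)"}

@dataclass(frozen=True)
class Rule:
    protocol: str
    src: str  # network name, or "Anywhere"
    dst: str

@dataclass(frozen=True)
class Packet:
    src_net: str
    dst_net: str
    src_port: int
    dst_port: int

# Rule sets transcribed from the thread.
DEFAULT_SYSTEM = [Rule("DHCP (request)", "Local Host", "Internal"),
                  Rule("DHCP (reply)", "Internal", "Local Host")]
SBS_POLICY = [Rule("DHCP (request)", "Internal", "Local Host"),
              Rule("DHCP (reply)", "Local Host", "Internal")]
REPORTED = [Rule("DHCP (request)", "Local Host", "Anywhere"),
            Rule("DHCP (reply)", "Internal", "Local Host"),
            Rule("DHCP (reply)", "External", "Local Host")]

def classify(pkt):
    """Name the traffic by its port pair: client, server, or relay leg."""
    pair = (pkt.src_port, pkt.dst_port)
    return {(68, 67): "client request", (67, 68): "server reply",
            (67, 67): "relay leg"}.get(pair, "not DHCP")

def net_match(rule_net, pkt_net):
    return rule_net == "Anywhere" or rule_net == pkt_net

def evaluate(rules, pkt):
    """Return the first rule that allows pkt, or None (default deny)."""
    proto = PROTOCOLS.get(pkt.dst_port)
    for r in rules:
        if (r.protocol == proto and net_match(r.src, pkt.src_net)
                and net_match(r.dst, pkt.dst_net)):
            return r
    return None

# Constructed from the log row: 0.0.0.0:68 -> 255.255.255.255:67, Internal -> Local Host.
LOGGED = Packet("Internal", "Local Host", 68, 67)
# Constructed relay-to-server leg (UDP:67 -> UDP:67), not taken from the log.
RELAY = Packet("Internal", "Local Host", 67, 67)
```

Under this model the logged broadcast is allowed only by the SBS rule pair, and a relay leg matches the same request rule as a client broadcast.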
