[isapros] Re: ISA DHCP

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 1 Nov 2006 20:02:01 -0600

:)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Wednesday, November 01, 2006 7:55 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA DHCP
> 
> ISA does.
> It's supposed to be a firewall, and this functionality is 
> compromised by the default SBS "rules".
> ..but that's just me...
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Wednesday, November 01, 2006 17:07
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA DHCP
> 
> Sure, but I'm wondering what people think "stops working" 
> after SP2 in regards to DHCP.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
>  
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Wednesday, November 01, 2006 6:51 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA DHCP
> > 
> > Except for the firewall policy DHCP rule, those are the defaults in 
> > their original state (might be worth money some day - don't let the 
> > kids play with them).
> > 
> > 
> > -------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> > -------------------------------------------------------
> >  
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Wednesday, November 01, 2006 16:44
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA DHCP
> > 
> > What are these DHCP rules supposed to do?
> >  
> > What is not working when they're not working?
> >  
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> > 
> >  
> > 
> > 
> > ________________________________
> > 
> >     From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> >     Sent: Wednesday, November 01, 2006 8:26 AM
> >     To: isapros@xxxxxxxxxxxxx
> >     Subject: [isapros] Re: ISA DHCP
> >     
> >     
> > 
> >     So I created a new SBS box last weekend and have not installed ISA
> > SP2 yet. Checked the DHCP rules and they are the same as after ISA SP2. So
> > it appears that these are the default SBS DHCP rules. I still don't
> > understand why they are working. Guess I have a mental block on it.
> > Anyone care to educate me?
> > 
> >      
> > 
> >     Here's what we have:
> > 
> >      
> > 
> >     System Policy
> > 
> >                 DHCP (Request) From Localhost to Anywhere for All Users
> > 
> >                 DHCP (Reply) From Internal to LocalHost for All Users
> > 
> >      
> > 
> >     Firewall Policy
> > 
> >                 DHCP (Reply) From External to LocalHost for All Users
> > 
> >      
> > 
> >      
> > 
> >     Amy Babinchak
> > 
> >      
> > 
> >      
> > 
> >      
> > 
> >     
> > ________________________________
> > 
> > 
> >     From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >     Sent: Friday, October 27, 2006 12:17 AM
> >     To: isapros@xxxxxxxxxxxxx
> >     Subject: [isapros] Re: ISA DHCP
> > 
> >      
> > 
> >     We need to clarify *which* DHCP rules you're talking about...
> > 
> >     1.      Default System DHCP policies allow
> > 
> >     a.       DHCP Request from Local Host to Internal (UDP:68 --> UDP:67)
> > 
> >     b.      DHCP Reply from Internal to Local Host (UDP:67 --> UDP:68)
> > 
> >     2.      SBS DHCP policies allow
> > 
> >     a.       DHCP Request from Internal to Local Host (UDP:68 --> UDP:67)
> > 
> >     b.      DHCP Reply from Local Host to Internal (UDP:67 --> UDP:68)
> > 
> >      
> > 
> >     If a DHCP relay is in the path between the DHCP client and server,
> > the traffic between the server and the relay will actually appear as
> > UDP:67 --> UDP:67 regardless of direction. Note that ISA doesn't make
> > any distinction between this and DHCP Request traffic, since both are
> > destined for UDP:67. Is there a DHCP helper in either of these environments?
> > 
> >      
> > 
> >     Based on the log excerpt you provided, it appears that it's the array
> > rules that are failing.
> > 
> >     Is that correct?
> > 
> >      
> > 
> >     From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> >     Sent: Thursday, October 26, 2006 7:11 PM
> >     To: isapros@xxxxxxxxxxxxx
> >     Subject: [isapros] Re: ISA DHCP
> > 
> >      
> > 
> >     In SBS, DHCP rules are automagically created in the system policy.
> > 
> >      
> > 
> >     Amy Babinchak
> > 
> >      
> > 
> >     Harbor Computer Services
> > 
> >     (248) 546-6056 office
> > 
> >     (248) 890-1794 mobile
> > 
> >      
> > 
> >     http://isainsbs.blogspot.com
> > 
> >     http://keepitsecure.blogspot.com
> > 
> >     http://www.harborcomputerservices.net
> > 
> >      
> > 
> >       
> > 
> >      
> > 
> >      
> > 
> >     
> > ________________________________
> > 
> > 
> >     From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >     Sent: Thursday, October 26, 2006 9:26 PM
> >     To: isapros@xxxxxxxxxxxxx
> >     Subject: [isapros] Re: ISA DHCP
> > 
> >      
> > 
> >     He doth speaketh truly, doth he.
> > 
> >     SBS always had to create an array-level rule allowing DHCP requests &
> > replies for the internal network.
> > 
> >     I'd be very surprised to see SP2 installation removing those, since
> > the SBS team had to have tested SP2 as well.
> > 
> >      
> > 
> >     From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> >     Sent: Thursday, October 26, 2006 5:20 PM
> >     To: isapros@xxxxxxxxxxxxx
> >     Subject: [isapros] Re: ISA DHCP
> > 
> >      
> > 
> >     Hi Amy,
> > 
> >      
> > 
> >     I'm not sure what the scenario is. Is there a DHCP server on the
> > ISA Firewall? If so, there never were any System Policy Rules that
> > allow for this; you've always had to create your own rules.
> > 
> >      
> > 
> >     Tom
> > 
> >      
> > 
> >     Thomas W Shinder, M.D.
> >     Site: www.isaserver.org
> >     Blog: http://blogs.isaserver.org/shinder/
> >     Book: http://tinyurl.com/3xqb7
> >     MVP -- Microsoft Firewalls (ISA)
> > 
> >      
> > 
> >              
> > 
> >             
> > ________________________________
> > 
> > 
> >             From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> >             Sent: Thursday, October 26, 2006 3:45 PM
> >             To: isapros@xxxxxxxxxxxxx
> >             Subject: [isapros] ISA DHCP
> > 
> >             Here's the promised update for the "DHCP stops working" issue after
> > ISA SP2 install. More are starting to show up on the SBS Yahoo group.
> > The server that I've seen belongs to Eriq Neale. I know Tom Shinder
> > knows him; he's a pretty competent guy from there in Texas.
> > 
> >              
> > 
> >             Original Client IP: 0.0.0.0
> >             Server Name: CC-SBS
> >             Transport: UDP
> >             Log Time: 10/26/2006 8:43:25 AM
> >             Source Port: 68
> >             Processing Time: 0
> >             Bytes Sent: 0
> >             Bytes Received: 0
> >             HTTP Status Code: 0
> >             Cache Information: 0x0
> >             Log Record Type: Firewall
> >             Destination IP: 255.255.255.255
> >             Destination Port: 67
> >             Protocol: DHCP (request)
> >             Action: Denied Connection
> >             Client IP: 0.0.0.0
> >             Source Network: Internal
> >             Destination Network: Local Host
> >             Result Code: 0xc004000d FWX_E_POLICY_RULES_DENIED
> >             Error Information: 0x0
> > 
> >              
> > 
> >              
> > 
> >             I also ran an ISA info. Checked the server against mine and the
> > system policy rules for DHCP are identical. Checked the NIC
> > configurations; those look good too. Checked that .255 is part of the
> > internal network. Checked binding order and where DHCP is bound. Everything
> > checks out.
> > 
> >              
> > 
> >             If you recreate the DHCP system policy rules as firewall rules, DHCP
> > works. Saw it with my own eyes. DHCP was working prior to ISA SP2
> > installation.
> > 
> >              
> > 
> >             I'm stumped. Anyone?
> > 
> >              
> > 
> >             p.s. I wish you guys would monitor the ISA MVP list as well.
> > 
> >              
> > 
> >             Amy Babinchak
> > 
> >              
> > 
> >              
> > 
> >              
> > 
> >     All mail to and from this domain is GFI-scanned.
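The two DHCP rule sets Jim lists, and the denied record from Amy's log excerpt, modelled as an added example (not code from the thread or from ISA): network and protocol names come from the thread, while the `Rule` class, `classify` and `evaluate` are my own names and the matching logic is an assumed simplification of ISA's policy evaluation.

```python
"""Added example, not code from the thread: a toy model of the two DHCP rule
sets Jim lists, showing why the denied record in Amy's log excerpt is refused
by the default System Policy but allowed by the SBS array-level rules.  Names
come from the thread; the matching logic is a simplification (assumption)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68

@dataclass(frozen=True)
class Rule:
    protocol: str  # as shown in the ISA log: "DHCP (request)" / "DHCP (reply)"
    src_net: str   # source network element
    dst_net: str   # destination network element

# 1. Default System Policy: the ISA box (Local Host) is itself a DHCP *client*.
SYSTEM_POLICY = [
    Rule("DHCP (request)", "Local Host", "Internal"),
    Rule("DHCP (reply)", "Internal", "Local Host"),
]

# 2. SBS array-level rules: the ISA box is the DHCP *server* for Internal.
SBS_POLICY = [
    Rule("DHCP (request)", "Internal", "Local Host"),
    Rule("DHCP (reply)", "Local Host", "Internal"),
]

def classify(dst_port: int) -> Optional[str]:
    """ISA tells request from reply by destination port only, so relay-to-server
    traffic (UDP:67 -> UDP:67) is also classified as a request."""
    if dst_port == DHCP_SERVER_PORT:
        return "DHCP (request)"
    if dst_port == DHCP_CLIENT_PORT:
        return "DHCP (reply)"
    return None

def evaluate(policy: List[Rule], src_net: str, dst_net: str, dst_port: int) -> Tuple[str, str]:
    """First matching rule wins; no match gives the denial seen in the log."""
    proto = classify(dst_port)
    for rule in policy:
        if (rule.protocol, rule.src_net, rule.dst_net) == (proto, src_net, dst_net):
            return ("Allowed", rule.protocol)
    return ("Denied Connection", "FWX_E_POLICY_RULES_DENIED")

# Constructed from the denied record in Amy's excerpt: client broadcast
# 0.0.0.0:68 -> 255.255.255.255:67, Source Network Internal, Destination Network Local Host.
LOG_RECORD = {"src_net": "Internal", "dst_net": "Local Host", "dst_port": 67}
```

`evaluate(SYSTEM_POLICY, **LOG_RECORD)` returns the denial, `evaluate(SBS_POLICY, **LOG_RECORD)` returns `("Allowed", "DHCP (request)")`, and the relay case `evaluate(SBS_POLICY, "Internal", "Local Host", 67)` is likewise allowed because only the destination port is used to classify it.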
