:)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Wednesday, November 01, 2006 7:55 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA DHCP
>
> ISA does.
> It's supposed to be a firewall, and this functionality is compromised by the default SBS "rules".
> ..but that's just me...
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Wednesday, November 01, 2006 17:07
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA DHCP
>
> Sure, but I'm wondering what people think "stops working" after SP2 in regards to DHCP.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Wednesday, November 01, 2006 6:51 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA DHCP
> >
> > Except for the firewall policy DHCP rule, those are the defaults in their original state (might be worth money some day - don't let the kids play with them).
> >
> > -------------------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > -------------------------------------------------------
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Wednesday, November 01, 2006 16:44
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA DHCP
> >
> > What are these DHCP rules supposed to do?
> >
> > What is not working when they're not working?
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> > ________________________________
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > Sent: Wednesday, November 01, 2006 8:26 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA DHCP
> >
> > So I created a new SBS box last weekend and have not installed ISA Sp2 yet. Checked the DHCP rules and they are same as after ISA SP2. So it appears that these are the default SBS DHCP rules. I still don't understand why they are working. Guess I have a mental block on it. Anyone care to educate me?
> >
> > Here's what we have:
> >
> > System Policy
> >     DHCP (Request) From Localhost to Anywhere for All Users
> >     DHCP (Reply) From Internal to LocalHost for All Users
> >
> > Firewall Policy
> >     DHCP (Reply) From External to LocalHost for All Users
> >
> > Amy Babinchak
> >
> > ________________________________
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Friday, October 27, 2006 12:17 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA DHCP
> >
> > We need to clarify *which* DHCP rules you're talking about...
> >
> > 1. Default System DHCP policies allow
> >    a. DHCP Request from Local Host to Internal (UDP:68 --> UDP:67)
> >    b. DHCP Reply from Internal to local host (UDP:67 --> UDP:68)
> >
> > 2. SBS DHCP policies allow
> >    a. DHCP Request from Internal to Local Host (UDP:68 --> UDP:67)
> >    b. DHCP Reply from Local Host to Internal (UDP:67 --> UDP:68)
> >
> > If a DHCP relay is in the path between the DHCP client and server, the traffic between the server and the relay will actually appear as UDP:67 --> UDP:67 regardless of direction.
> > Note that ISA doesn't make any distinction between this and DHCP Request traffic, since both are destined for UDP:67. Is there a DHCP helper in either of these environments?
> >
> > Based on the log excerpt you provided, it appears that it's the array rules that are failing.
> >
> > Is that correct?
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > Sent: Thursday, October 26, 2006 7:11 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA DHCP
> >
> > In SBS DHCP rules are automagically created in the system policy.
> >
> > Amy Babinchak
> >
> > Harbor Computer Services
> > (248) 546-6056 office
> > (248) 890-1794 mobile
> >
> > http://isainsbs.blogspot.com
> > http://keepitsecure.blogspot.com
> > http://www.harborcomputerservices.net
> >
> > ________________________________
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Thursday, October 26, 2006 9:26 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA DHCP
> >
> > He doth speaketh truly, doth he.
> >
> > SBS always had to create an array-level rule allowing DHCP requests & replies for the internal network.
> >
> > I'd be very surprised to see SP2 installation removing those, since the SBS team had to have tested SP2 as well.
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Thursday, October 26, 2006 5:20 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA DHCP
> >
> > Hi Amy,
> >
> > I'm not sure what the scenario is. Is there a DHCP server on the ISA Firewall? If so, there never were any System Policy Rules that allow for this, you've always had to create your own rules.
> >
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> > ________________________________
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > Sent: Thursday, October 26, 2006 3:45 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] ISA DHCP
> >
> > Here's the promised update for the DHCP stops working issue after ISA SP2 install. More are starting to show up on the SBS yahoo group. The server that I've seen belongs to Eriq Neale. I know Tom Shinder knows him, he's a pretty competent guy from there in Texas.
> >
> > Original Client IP | Client Username | Client Agent | Authenticated Client | Service | Server Name | Referring Server | Destination Host Name | Transport | HTTP Method | URL | MIME Type | Object Source | Source Proxy | Destination Proxy | Bidirectional | Client Host Name | Rule | Filter Information | Network Interface | Raw IP Header | Raw Payload | Log Time | Source Port | Processing Time | Bytes Sent | Bytes Received | HTTP Status Code | Cache Information | Log Record Type | Destination IP | Destination Port | Protocol | Action | Client IP | Source Network | Destination Network | Result Code | Error Information
> >
> > 0.0.0.0 CC-SBS - UDP - - - - 10/26/2006 8:43:25 AM 68 0 0 0 0x0 Firewall 255.255.255.255 67 DHCP (request) Denied Connection 0.0.0.0 Internal Local Host 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0
> >
> > I also ran an ISA info. Checked the server against mine and the system policy rules for DHCP are identical. Checked the NIC configurations those look good too. Checked that .255 is part of the internal network.
> > Checked binding order and where DHCP is bound. Everything checks out.
> >
> > If you recreate the DHCP system policy rules as firewall rules, DHCP works. Saw it with my own eyes. DHCP was working prior to ISA SP2 installation.
> >
> > I'm stumped. Anyone?
> >
> > p.s. I wish you guys would monitor the ISA MVP list as well.
> >
> > Amy Babinchak
> >
> > All mail to and from this domain is GFI-scanned.
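An added example, not part of the thread and not ISA Server code: a simplified rule-matching model in Python that replays the denied log record against the two rule sets quoted in the messages above. It assumes a rule matches on protocol definition plus source and destination network, and that the protocol is selected by destination port alone; the class, function and constant names are hypothetical.

```python
from dataclasses import dataclass

# Simplified model for illustration only; this is not ISA Server's policy engine.
@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str   # "DHCP (request)" or "DHCP (reply)"
    src_net: str
    dst_net: str    # "Anywhere" matches every destination network

@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    src_net: str
    dst_net: str

def classify(pkt):
    """Pick the protocol by destination port only, so relay traffic
    (UDP:67 --> UDP:67) looks the same as a client request."""
    return {67: "DHCP (request)", 68: "DHCP (reply)"}.get(pkt.dst_port)

def evaluate(rules, pkt):
    """Return the name of the first allow rule that matches, or None (denied)."""
    proto = classify(pkt)
    for r in rules:
        if (r.protocol == proto and r.src_net == pkt.src_net
                and r.dst_net in ("Anywhere", pkt.dst_net)):
            return r.name
    return None

# Rule sets transcribed from the thread.
LISTED_ON_SBS_BOX = [  # the System Policy / Firewall Policy listing
    Rule("System: DHCP (Request)", "DHCP (request)", "Local Host", "Anywhere"),
    Rule("System: DHCP (Reply)", "DHCP (reply)", "Internal", "Local Host"),
    Rule("Firewall: DHCP (Reply)", "DHCP (reply)", "External", "Local Host"),
]
SBS_SERVER_RULES = [   # item 2 of the numbered list
    Rule("SBS: DHCP (Request)", "DHCP (request)", "Internal", "Local Host"),
    Rule("SBS: DHCP (Reply)", "DHCP (reply)", "Local Host", "Internal"),
]

# Constructed packets: the first mirrors the denied log record
# (0.0.0.0:68 -> 255.255.255.255:67, Internal -> Local Host).
LOGGED = Packet(68, 67, "Internal", "Local Host")
RELAYED = Packet(67, 67, "Internal", "Local Host")   # relay to server
OFFER = Packet(67, 68, "Local Host", "Internal")     # server reply to client

if __name__ == "__main__":
    for pkt in (LOGGED, RELAYED, OFFER):
        print(pkt, evaluate(LISTED_ON_SBS_BOX, pkt), evaluate(SBS_SERVER_RULES, pkt))
```

In this model the logged broadcast matches none of the client-side rules, because the only request rule has Local Host as its source, while the server-side rule set admits it.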