[isapros] Re: ISA DHCP

  • From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Fri, 3 Nov 2006 11:35:08 +1100

I think that rule is known as the sb rule!

Greg

----- Original Message ----- From: "Steve Moffat" <steve@xxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Friday, November 03, 2006 10:38 AM
Subject: [isapros] Re: ISA DHCP


Jim's already explained it...

The SBS rule that handles DHCP traffic between the SBS server and the Internal network is the "SBS Protected Networks Access Rule", which allows (I may just puke)
- Protocols = All
- Source = All Protected Networks
- Destination = All Protected Networks
- Users = All Users

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
Sent: Thursday, November 02, 2006 7:01 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

The SBS server is also the DHCP server. Some are reporting the DHCP
server is no longer responding to requests. This caused me to look at
the DHCP rules. The rules don't make sense to me. How is the server
serving DHCP addresses to clients with these rules?

Amy


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Wednesday, November 01, 2006 8:07 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

Sure, but I'm wondering what people think "stops working" after SP2 in
regards to DHCP.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)



-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Wednesday, November 01, 2006 6:51 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

Except for the firewall policy DHCP rule, those are the
defaults in their original state (might be worth money some
day - don't let the kids play with them).


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Wednesday, November 01, 2006 16:44
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

What are these DHCP rules supposed to do?

What is not working when they're not working?

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
MVP -- Microsoft Firewalls (ISA)




________________________________

      From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
      Sent: Wednesday, November 01, 2006 8:26 AM
      To: isapros@xxxxxxxxxxxxx
      Subject: [isapros] Re: ISA DHCP



      So I created a new SBS box last weekend and have not
installed ISA SP2 yet. Checked the DHCP rules and they are
the same as after ISA SP2. So it appears that these are the
default SBS DHCP rules. I still don't understand why they are
working. Guess I have a mental block on it. Anyone care to educate me?



      Here's what we have:



      System Policy

                  DHCP (Request) From Localhost to Anywhere for All Users

                  DHCP (Reply) From Internal to LocalHost for All Users



      Firewall Policy

                  DHCP (Reply) From External to LocalHost for All Users





      Amy Babinchak








________________________________


      From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
      Sent: Friday, October 27, 2006 12:17 AM
      To: isapros@xxxxxxxxxxxxx
      Subject: [isapros] Re: ISA DHCP



      We need to clarify *which* DHCP rules you're talking about...

      1.      Default System DHCP policies allow

      a.       DHCP Request from Local Host to Internal (UDP:68 --> UDP:67)

      b.      DHCP Reply from Internal to local host (UDP:67 --> UDP:68)

      2.      SBS DHCP policies allow

      a.       DHCP Request from Internal to Local Host (UDP:68 --> UDP:67)

      b.      DHCP Reply from Local Host to Internal (UDP:67 --> UDP:68)



      If a DHCP relay is in the path between the DHCP client
and server, the traffic between the server and the relay will
actually appear as UDP:67 --> UDP:67 regardless of direction.
 Note that ISA doesn't make any distinction between this and
DHCP Request traffic, since both are destined for UDP:67.  Is
there a DHCP helper in either of these environments?



      Based on the log excerpt you provided, it appears that
it's the array rules that are failing.

      Is that correct?



      From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
      Sent: Thursday, October 26, 2006 7:11 PM
      To: isapros@xxxxxxxxxxxxx
      Subject: [isapros] Re: ISA DHCP



      In SBS DHCP rules are automagically created in the
system policy.



      Amy Babinchak



      Harbor Computer Services

      (248) 546-6056 office

      (248) 890-1794 mobile



      http://isainsbs.blogspot.com

      http://keepitsecure.blogspot.com

      http://www.harborcomputerservices.net










________________________________


      From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
      Sent: Thursday, October 26, 2006 9:26 PM
      To: isapros@xxxxxxxxxxxxx
      Subject: [isapros] Re: ISA DHCP



      He doth speaketh truly, doth he.

      SBS always had to create an array-level rule allowing
DHCP requests & replies for the internal network.

      I'd be very surprised to see SP2 installation removing
those, since the SBS team had to have tested SP2 as well.



      From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
      Sent: Thursday, October 26, 2006 5:20 PM
      To: isapros@xxxxxxxxxxxxx
      Subject: [isapros] Re: ISA DHCP



      Hi Amy,



      I'm not sure what the scenario is. Is there a DHCP
server on the ISA Firewall? If so, there never were any
System Policy Rules that allow for this, you've always had to
create your own rules.



      Tom



      Thomas W Shinder, M.D.
      Site: www.isaserver.org <http://www.isaserver.org/>
      Blog: http://blogs.isaserver.org/shinder/
      Book: http://tinyurl.com/3xqb7
      MVP -- Microsoft Firewalls (ISA)






________________________________


              From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
              Sent: Thursday, October 26, 2006 3:45 PM
              To: isapros@xxxxxxxxxxxxx
              Subject: [isapros] ISA DHCP

              Here's the promised update for the DHCP stops
working issue after ISA SP2 install. More are starting to
show up on the SBS yahoo group. The server that I've seen
belongs to Eriq Neale. I know Tom Shinder knows him, he's a
pretty competent guy from there in Texas.



              Original Client IP      Client Username
Client Agent      Authenticated Client    Service      Server
Name Referring Server  Destination Host Name   Transport
HTTP Method URL      MIME Type   Object Source     Source
Proxy      Destination Proxy Bidirectional      Client Host
Name  Rule  Filter Information      Network Interface Raw IP
Header     Raw Payload     Log Time    Source Port Processing
Time   Bytes Sent  Bytes Received    HTTP Status Code Cache
Information Log Record Type   Destination IP    Destination
Port  Protocol      Action      Client IP   Source Network
Destination Network     Result Code Error Information

              0.0.0.0                             CC-SBS
-           UDP   -     -     -
          -                       10/26/2006 8:43:25 AM   68
  0     0      0           0x0   Firewall    255.255.255.255
 67    DHCP (request)    Denied Connection  0.0.0.0
Internal    Local Host  0xc004000d FWX_E_POLICY_RULES_DENIED      0x0





              I also ran an ISA info. Checked the server
against mine and the system policy rules for DHCP are
identical. Checked the NIC configurations those look good
too. Checked that .255 is part of the internal network.
Checked binding order and where DHCP is bound. Everything checks out.



              If you recreate the DHCP system policy rules as
firewall rules, DHCP works. Saw it with my own eyes. DHCP was
working prior to ISA SP2 installation.



              I'm stumped. Anyone?



              p.s. I wish you guys would monitor the ISA MVP
list as well.



              Amy Babinchak







      All mail to and from this domain is GFI-scanned.
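
Added example, not part of any message in this thread and not ISA Server code: a simplified first-match model of the DHCP rules quoted above, run against the denied log entry and the relay case Jim describes. The `Rule`, `Packet`, `classify` and `evaluate` names and the sample packets are constructed for illustration; real ISA policy evaluation involves more than this sketch covers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str   # "DHCP (request)" or "DHCP (reply)"
    src: str        # network name, or "Anywhere"
    dst: str

@dataclass(frozen=True)
class Packet:
    src_net: str
    dst_net: str
    src_port: int
    dst_port: int

def classify(pkt):
    """Name the protocol by destination UDP port only, as Jim describes."""
    return {67: "DHCP (request)", 68: "DHCP (reply)"}.get(pkt.dst_port)

def evaluate(pkt, rules):
    """Return ("Allowed", rule name) for the first match, else ("Denied", None)."""
    proto = classify(pkt)
    for r in rules:
        if (r.protocol == proto and r.src in ("Anywhere", pkt.src_net)
                and r.dst in ("Anywhere", pkt.dst_net)):
            return ("Allowed", r.name)
    return ("Denied", None)

# Rules as listed in Amy's 1 November message.
LISTED = [
    Rule("System: DHCP (Request) Local Host -> Anywhere", "DHCP (request)", "Local Host", "Anywhere"),
    Rule("System: DHCP (Reply) Internal -> Local Host", "DHCP (reply)", "Internal", "Local Host"),
    Rule("Firewall: DHCP (Reply) External -> Local Host", "DHCP (reply)", "External", "Local Host"),
]
# SBS DHCP policies as described in Jim's 27 October message (item 2).
SBS = [
    Rule("SBS: DHCP Request Internal -> Local Host", "DHCP (request)", "Internal", "Local Host"),
    Rule("SBS: DHCP Reply Local Host -> Internal", "DHCP (reply)", "Local Host", "Internal"),
]

# Constructed packets; LOGGED mirrors the denied log entry (UDP 68 -> 67).
LOGGED = Packet("Internal", "Local Host", 68, 67)
RELAYED = Packet("Internal", "Local Host", 67, 67)   # relay -> server
OFFER = Packet("Local Host", "Internal", 67, 68)     # server -> client

if __name__ == "__main__":
    for label, pkt in (("logged", LOGGED), ("relayed", RELAYED), ("offer", OFFER)):
        print(label, classify(pkt), evaluate(pkt, LISTED), evaluate(pkt, LISTED + SBS))
```

In this model the three listed rules alone deny both the client broadcast and the server's reply, which matches the logged denial; only the Internal/Local Host pair from Jim's item 2 admits them, and relayed traffic is treated as a request because it is destined for UDP:67.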
