[isapros] Re: ISA DHCP

  • From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Fri, 3 Nov 2006 09:20:52 -0500

That's where it was confusing me. I was expecting the firewall policy to
have something to do with client computers and not the SBS server
itself. Thanks for lifting the fog.

Amy 
 
   
 
 

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Thursday, November 02, 2006 7:37 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

I answered that, too:
 
System Policy

            DHCP (Request) From Localhost to Anywhere for All Users
..this allows the SBS server to send DHCP requests to any network;
nothing else

            DHCP (Reply) From Internal to LocalHost for All Users ..this
allows the SBS server to receive ; nothing else
 

Firewall Policy

            DHCP (Reply) From External to LocalHost for All Users ..this
indicates the unwillingness of the SBS team to automate adding the
External network to the DHCP Reply system policy, but that's not what
you asked..  It allows the SBS machine to acquire an IP address from the
ISP during the DHCP Discover cycle.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: Thursday, November 02, 2006 16:33
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

So what's the DHCP rule for? That's my question.

Amy Babinchak
 
Harbor Computer Services
(248) 546-6056 office
(248) 890-1794 mobile
 
http://isainsbs.blogspot.com
http://keepitsecure.blogspot.com
http://www.harborcomputerservices.net
 
   
 
 

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Thursday, November 02, 2006 6:38 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

Jim's already explained it...

The SBS rule that handles DHCP traffic between the SBS server and the
Internal network is the "SBS Protected Networks Access Rule", which
allows (I may just puke)
- Protocols = All
- Source = All Protected Networks
- Destination = All Protected Networks
- Users = All Users

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: Thursday, November 02, 2006 7:01 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

The SBS server is also the DHCP server. Some are reporting the DHCP
server is no longer responding to requests. This caused me to look at
the DHCP rules. The rules don't make sense to me. How is the server
serving DHCP addresses to clients with these rules?

Amy


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Wednesday, November 01, 2006 8:07 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

Sure, but I'm wondering what people think "stops working" after SP2 in
regards to DHCP.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)



> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Wednesday, November 01, 2006 6:51 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA DHCP
>
> Except for the firewall policy DHCP rule, those are the defaults in 
> their original state (might be worth money some day - don't let the 
> kids play with them).
>
>
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Wednesday, November 01, 2006 16:44
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA DHCP
>
> What are these DHCP rules supposed to do?
>
> What is not working when they're not working?
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
>
>
>
> ________________________________
>
>       From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
>       Sent: Wednesday, November 01, 2006 8:26 AM
>       To: isapros@xxxxxxxxxxxxx
>       Subject: [isapros] Re: ISA DHCP
>
>
>
>       So I created a new SBS box last weekend and have not installed 
> ISA Sp2 yet. Checked the DHCP rules and they are same as after ISA 
> SP2. So it appears that these are the default SBS DHCP rules. I still 
> don't understand why they are working. Guess I have a mental block on 
> it. Anyone care to educate me?
>
>
>
>       Here's what we have:
>
>
>
>       System Policy
>
>                   DHCP (Request) From Localhost to Anywhere for All 
> Users
>
>                   DHCP (Reply) From Internal to LocalHost for All 
> Users
>
>
>
>       Firewall Policy
>
>                   DHCP (Reply) From External to LocalHost for All 
> Users
>
>
>
>
>
>       Amy Babinchak
>
>
>
>
>
>
>
>
> ________________________________
>
>
>       From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>       Sent: Friday, October 27, 2006 12:17 AM
>       To: isapros@xxxxxxxxxxxxx
>       Subject: [isapros] Re: ISA DHCP
>
>
>
>       We need to clarify *which* DHCP rules you're talking about...
>
>       1.      Default System DHCP policies allow
>
>       a.      DHCP Request from Local Host to Internal (UDP:68 --> UDP:67)
>
>       b.      DHCP Reply from Internal to Local Host (UDP:67 --> UDP:68)
>
>       2.      SBS DHCP policies allow
>
>       a.      DHCP Request from Internal to Local Host (UDP:68 --> UDP:67)
>
>       b.      DHCP Reply from Local Host to Internal (UDP:67 --> UDP:68)
>
>
>
>       If a DHCP relay is in the path between the DHCP client and 
> server, the traffic between the server and the relay will actually 
> appear as UDP:67 --> UDP:67 regardless of direction.
>  Note that ISA doesn't make any distinction between this and DHCP 
> Request traffic, since both are destined for UDP:67.  Is there a DHCP 
> helper in either of these environments?
>
>
>
>       Based on the log excerpt you provided, it appears that it's the 
> array rules that are failing.
>
>       Is that correct?
>
>
>
>       From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
>       Sent: Thursday, October 26, 2006 7:11 PM
>       To: isapros@xxxxxxxxxxxxx
>       Subject: [isapros] Re: ISA DHCP
>
>
>
>       In SBS DHCP rules are automagically created in the system 
> policy.
>
>
>
>       Amy Babinchak
>
>
>
>       Harbor Computer Services
>
>       (248) 546-6056 office
>
>       (248) 890-1794 mobile
>
>
>
>       http://isainsbs.blogspot.com
>
>       http://keepitsecure.blogspot.com
>
>       http://www.harborcomputerservices.net
>
>
>
>
>
>
>
>
>
>
> ________________________________
>
>
>       From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>       Sent: Thursday, October 26, 2006 9:26 PM
>       To: isapros@xxxxxxxxxxxxx
>       Subject: [isapros] Re: ISA DHCP
>
>
>
>       He doth speaketh truly, doth he.
>
>       SBS always had to create an array-level rule allowing DHCP 
> requests & replies for the internal network.
>
>       I'd be very surprised to see SP2 installation removing those, 
> since the SBS team had to have tested SP2 as well.
>
>
>
>       From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>       Sent: Thursday, October 26, 2006 5:20 PM
>       To: isapros@xxxxxxxxxxxxx
>       Subject: [isapros] Re: ISA DHCP
>
>
>
>       Hi Amy,
>
>
>
>       I'm not sure what the scenario is. Is there a DHCP server on 
> the ISA Firewall? If so, there never were any System Policy Rules that
> allow for this, you've always had to create your own rules.
>
>
>
>       Tom
>
>
>
>       Thomas W Shinder, M.D.
>       Site: www.isaserver.org
>       Blog: http://blogs.isaserver.org/shinder/
>       Book: http://tinyurl.com/3xqb7
>       MVP -- Microsoft Firewalls (ISA)
>
>
>
>
>
>
> ________________________________
>
>
>               From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
>               Sent: Thursday, October 26, 2006 3:45 PM
>               To: isapros@xxxxxxxxxxxxx
>               Subject: [isapros] ISA DHCP
>
>               Here's the promised update for the DHCP stops working 
> issue after ISA SP2 install. More are starting to show up on the SBS 
> yahoo group. The server that I've seen belongs to Eriq Neale. I know 
> Tom Shinder knows him, he's a pretty competent guy from there in 
> Texas.
>
>
>
>               Original Client IP      Client Username
> Client Agent      Authenticated Client    Service      Server
> Name Referring Server  Destination Host Name   Transport
> HTTP Method URL      MIME Type   Object Source     Source
> Proxy      Destination Proxy Bidirectional      Client Host
> Name  Rule  Filter Information      Network Interface Raw IP
> Header     Raw Payload     Log Time    Source Port Processing
> Time   Bytes Sent  Bytes Received    HTTP Status Code Cache
> Information Log Record Type   Destination IP    Destination
> Port  Protocol      Action      Client IP   Source Network
> Destination Network     Result Code Error Information
>
>               0.0.0.0                             CC-SBS
> -           UDP   -     -     -
>           -                       10/26/2006 8:43:25 AM   68
>   0     0      0           0x0   Firewall    255.255.255.255
>  67    DHCP (request)    Denied Connection  0.0.0.0
> Internal    Local Host  0xc004000d FWX_E_POLICY_RULES_DENIED      0x0
>
>
>
>
>
>               I also ran an ISA info. Checked the server against mine 
> and the system policy rules for DHCP are identical. Checked the NIC 
> configurations those look good too. Checked that .255 is part of the 
> internal network.
> Checked binding order and where DHCP is bound. Everything checks out.
>
>
>
>               If you recreate the DHCP system policy rules as firewall
> rules, DHCP works. Saw it with my own eyes. DHCP was working prior to 
> ISA SP2 installation.
>
>
>
>               I'm stumped. Anyone?
>
>
>
>               p.s. I wish you guys would monitor the ISA MVP list as 
> well.
>
>
>
>               Amy Babinchak
>
>
>
>
>
>
>
>       All mail to and from this domain is GFI-scanned.
>
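
Added example, not part of the original thread and not ISA Server code: a simplified first-match model of the rules quoted above, evaluated against the denied log entry (Internal to Local Host, destination UDP:67). The evaluation order, the port-only protocol classification and the membership of "All Protected Networks" are assumptions of this sketch.

```python
from dataclasses import dataclass

# Simplified model (an assumption, not ISA's actual engine): ordered
# first-match evaluation with default deny.
ANY = "Anywhere"
# Assumed membership of "All Protected Networks" for this sketch.
PROTECTED = {"Local Host", "Internal"}

@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str      # "DHCP (request)", "DHCP (reply)" or "All"
    source: str
    destination: str

def protocol_of(dst_port):
    """Classify by destination port only, as the thread describes:
    anything sent to UDP:67 counts as a request (including relay 67 -> 67)."""
    return {67: "DHCP (request)", 68: "DHCP (reply)"}.get(dst_port, "other")

def network_matches(rule_net, packet_net):
    if rule_net == ANY:
        return True
    if rule_net == "All Protected Networks":
        return packet_net in PROTECTED
    return rule_net == packet_net

def evaluate(rules, src_net, dst_net, dst_port):
    """Return the name of the first matching rule, or None (denied)."""
    proto = protocol_of(dst_port)
    for rule in rules:
        if rule.protocol not in ("All", proto):
            continue
        if (network_matches(rule.source, src_net)
                and network_matches(rule.destination, dst_net)):
            return rule.name
    return None

# The three DHCP rules listed in the thread.
DHCP_RULES = [
    Rule("System: DHCP (Request) Localhost -> Anywhere", "DHCP (request)", "Local Host", ANY),
    Rule("System: DHCP (Reply) Internal -> LocalHost", "DHCP (reply)", "Internal", "Local Host"),
    Rule("Firewall: DHCP (Reply) External -> LocalHost", "DHCP (reply)", "External", "Local Host"),
]
SBS_RULE = Rule("SBS Protected Networks Access Rule", "All",
                "All Protected Networks", "All Protected Networks")

# The denied log entry: 0.0.0.0:68 -> 255.255.255.255:67, Internal -> Local Host.
LOGGED = dict(src_net="Internal", dst_net="Local Host", dst_port=67)

if __name__ == "__main__":
    print("DHCP rules only:", evaluate(DHCP_RULES, **LOGGED))
    print("With SBS rule:  ", evaluate(DHCP_RULES + [SBS_RULE], **LOGGED))
```

In this model the three DHCP rules only cover the server acting as a DHCP client; a client request from Internal is matched only once the protected-networks rule is in the list.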