That's where it was confusing me. I was expecting the firewall policy to have something to do with client computers and not the SBS server itself. Thanks for lifting the fog.

Amy

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Thursday, November 02, 2006 7:37 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

I answered that, too:

System Policy
DHCP (Request) From Localhost to Anywhere for All Users
..this allows the SBS server to send DHCP requests to any network; nothing else
DHCP (Reply) From Internal to LocalHost for All Users
..this allows the SBS server to receive ; nothing else

Firewall Policy
DHCP (Reply) From External to LocalHost for All Users
..this indicates the unwillingness of the SBS team to automate adding the External network to the DHCP Reply system policy, but that's not what you asked..
It allows the SBS machine to acquire an IP address from the ISP during the DHCP Discover cycle.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
Sent: Thursday, November 02, 2006 16:33
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

So what's the DHCP rule for? That's my question.

Amy Babinchak
Harbor Computer Services
(248) 546-6056 office
(248) 890-1794 mobile
http://isainsbs.blogspot.com
http://keepitsecure.blogspot.com
http://www.harborcomputerservices.net

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Sent: Thursday, November 02, 2006 6:38 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

Jim's already explained it...
The SBS rule that handles DHCP traffic between the SBS server and the Internal network is the "SBS Protected Networks Access Rule", which allows (I may just puke)
- Protocols = All
- Source = All Protected Networks
- Destination = All Protected Networks
- Users = All Users

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
Sent: Thursday, November 02, 2006 7:01 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

The SBS server is also the DHCP server. Some are reporting the DHCP server is no longer responding to requests. This caused me to look at the DHCP rules. The rules don't make sense to me. How is the server serving DHCP addresses to clients with these rules?

Amy

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Wednesday, November 01, 2006 8:07 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

Sure, but I'm wondering what people think "stops working" after SP2 in regards to DHCP.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Wednesday, November 01, 2006 6:51 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA DHCP
>
> Except for the firewall policy DHCP rule, those are the defaults in
> their original state (might be worth money some day - don't let the
> kids play with them).
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Wednesday, November 01, 2006 16:44
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA DHCP
>
> What are these DHCP rules supposed to do?
>
> What is not working when they're not working?
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> ________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> Sent: Wednesday, November 01, 2006 8:26 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA DHCP
>
> So I created a new SBS box last weekend and have not installed
> ISA Sp2 yet. Checked the DHCP rules and they are same as after ISA
> SP2. So it appears that these are the default SBS DHCP rules. I still
> don't understand why they are working. Guess I have a mental block on
> it. Anyone care to educate me?
>
> Here's what we have:
>
> System Policy
> DHCP (Request) From Localhost to Anywhere for All Users
> DHCP (Reply) From Internal to LocalHost for All Users
>
> Firewall Policy
> DHCP (Reply) From External to LocalHost for All Users
>
> Amy Babinchak
>
> ________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Friday, October 27, 2006 12:17 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA DHCP
>
> We need to clarify *which* DHCP rules you're talking about...
>
> 1. Default System DHCP policies allow
>    a. DHCP Request from Local Host to Internal (UDP:68 --> UDP:67)
>    b. DHCP Reply from Internal to local host (UDP:67 --> UDP:68)
> 2. SBS DHCP policies allow
>    a. DHCP Request from Internal to Local Host (UDP:68 --> UDP:67)
>    b. DHCP Reply from Local Host to Internal (UDP:67 --> UDP:68)
>
> If a DHCP relay is in the path between the DHCP client and
> server, the traffic between the server and the relay will actually
> appear as UDP:67 --> UDP:67 regardless of direction.
> Note that ISA doesn't make any distinction between this and DHCP
> Request traffic, since both are destined for UDP:67. Is there a DHCP
> helper in either of these environments?
>
> Based on the log excerpt you provided, it appears that it's the
> array rules that are failing.
>
> Is that correct?
>
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> Sent: Thursday, October 26, 2006 7:11 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA DHCP
>
> In SBS DHCP rules are automagically created in the system policy.
>
> Amy Babinchak
>
> Harbor Computer Services
> (248) 546-6056 office
> (248) 890-1794 mobile
>
> http://isainsbs.blogspot.com
> http://keepitsecure.blogspot.com
> http://www.harborcomputerservices.net
>
> ________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Thursday, October 26, 2006 9:26 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA DHCP
>
> He doth speaketh truly, doth he.
>
> SBS always had to create an array-level rule allowing DHCP
> requests & replies for the internal network.
>
> I'd be very surprised to see SP2 installation removing those,
> since the SBS team had to have tested SP2 as well.
>
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Thursday, October 26, 2006 5:20 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA DHCP
>
> Hi Amy,
>
> I'm not sure what the scenario is.
> Is there a DHCP server on the ISA Firewall? If so, there never were
> any System Policy Rules that allow for this, you've always had to
> create your own rules.
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> ________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> Sent: Thursday, October 26, 2006 3:45 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] ISA DHCP
>
> Here's the promised update for the DHCP stops working
> issue after ISA SP2 install. More are starting to show up on the SBS
> yahoo group. The server that I've seen belongs to Eriq Neale. I know
> Tom Shinder knows him, he's a pretty competent guy from there in
> Texas.
>
> Original Client IP Client Username Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport HTTP Method URL MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Rule Filter Information Network Interface Raw IP Header Raw Payload Log Time Source Port Processing Time Bytes Sent Bytes Received HTTP Status Code Cache Information Log Record Type Destination IP Destination Port Protocol Action Client IP Source Network Destination Network Result Code Error Information
>
> 0.0.0.0 CC-SBS - UDP - - - - 10/26/2006 8:43:25 AM 68 0 0 0 0x0 Firewall 255.255.255.255 67 DHCP (request) Denied Connection 0.0.0.0 Internal Local Host 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0
>
> I also ran an ISA info. Checked the server against mine
> and the system policy rules for DHCP are identical. Checked the NIC
> configurations those look good too. Checked that .255 is part of the
> internal network.
> Checked binding order and where DHCP is bound. Everything checks out.
>
> If you recreate the DHCP system policy rules as firewall
> rules, DHCP works. Saw it with my own eyes. DHCP was working prior to
> ISA SP2 installation.
>
> I'm stumped. Anyone?
>
> p.s. I wish you guys would monitor the ISA MVP list as well.
>
> Amy Babinchak
>
> All mail to and from this domain is GFI-scanned.
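
The rule matching discussed in this thread, as an added example that is not from any poster and is not ISA Server's own code. It assumes a simplified first-match model keyed on protocol, source network and destination network, and assumes "All Protected Networks" means every network except External.

```python
# Simplified model for illustration; NOT ISA Server's real rule engine.
from dataclasses import dataclass

ALL_NETWORKS = frozenset({"Internal", "Local Host", "External"})
# Assumption: "All Protected Networks" is every network except External.
PROTECTED = ALL_NETWORKS - {"External"}

def classify(src_port, dst_port):
    """Name UDP traffic the way the thread describes ISA's DHCP protocols."""
    if dst_port == 67:
        # 68 -> 67 is a client request; relay traffic is 67 -> 67 and is
        # indistinguishable from a request because both are destined for UDP:67.
        return "DHCP (request)"
    if (src_port, dst_port) == (67, 68):
        return "DHCP (reply)"
    return None

@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str          # "All" matches any protocol
    source: frozenset
    destination: frozenset

# Rules as listed in the thread (users are "All Users" throughout, so omitted).
RULES = (
    Rule("System Policy: DHCP (Request)", "DHCP (request)",
         frozenset({"Local Host"}), ALL_NETWORKS),
    Rule("System Policy: DHCP (Reply)", "DHCP (reply)",
         frozenset({"Internal"}), frozenset({"Local Host"})),
    Rule("Firewall Policy: DHCP (Reply)", "DHCP (reply)",
         frozenset({"External"}), frozenset({"Local Host"})),
    Rule("SBS Protected Networks Access Rule", "All", PROTECTED, PROTECTED),
)

def evaluate(src_port, dst_port, src_net, dst_net, rules=RULES):
    """Return the name of the first rule that allows the packet, else None."""
    protocol = classify(src_port, dst_port)
    for rule in rules:
        if (rule.protocol in ("All", protocol)
                and src_net in rule.source and dst_net in rule.destination):
            return rule.name
    return None  # no match: denied (FWX_E_POLICY_RULES_DENIED in the log)

if __name__ == "__main__":
    # Constructed from the log record in the thread: client broadcast 68 -> 67.
    print(evaluate(68, 67, "Internal", "Local Host"))
    print(evaluate(68, 67, "Internal", "Local Host", rules=RULES[:3]))
```

With only the three DHCP-named rules, the logged client request from Internal to Local Host matches nothing; in this model it is the SBS Protected Networks Access Rule that permits DHCP service to clients.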