We need to clarify *which* DHCP rules you're talking about...

1. Default System DHCP policies allow
   a. DHCP Request from Local Host to Internal (UDP:68 → UDP:67)
   b. DHCP Reply from Internal to local host (UDP:67 → UDP:68)
2. SBS DHCP policies allow
   a. DHCP Request from Internal to Local Host (UDP:68 → UDP:67)
   b. DHCP Reply from Local Host to Internal (UDP:67 → UDP:68)

If a DHCP relay is in the path between the DHCP client and server, the traffic between the server and the relay will actually appear as UDP:67 → UDP:67 regardless of direction. Note that ISA doesn't make any distinction between this and DHCP Request traffic, since both are destined for UDP:67.

Is there a DHCP helper in either of these environments?
Based on the log excerpt you provided, it appears that it's the array rules that are failing. Is that correct?

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
Sent: Thursday, October 26, 2006 7:11 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

In SBS DHCP rules are automagically created in the system policy.

Amy Babinchak
Harbor Computer Services
(248) 546-6056 office
(248) 890-1794 mobile
http://isainsbs.blogspot.com
http://keepitsecure.blogspot.com
http://www.harborcomputerservices.net
________________________________
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Thursday, October 26, 2006 9:26 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

He doth speaketh truly, doth he.
SBS always had to create an array-level rule allowing DHCP requests & replies for the internal network.
I'd be very surprised to see SP2 installation removing those, since the SBS team had to have tested SP2 as well.

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Thursday, October 26, 2006 5:20 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

Hi Amy,

I'm not sure what the scenario is. Is there a DHCP server on the ISA Firewall? If so, there never were any System Policy Rules that allow for this, you've always had to create your own rules.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)
________________________________
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
Sent: Thursday, October 26, 2006 3:45 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] ISA DHCP

Here's the promised update for the DHCP stops working issue after ISA SP2 install. More are starting to show up on the SBS yahoo group. The server that I've seen belongs to Eriq Neale. I know Tom Shinder knows him, he's a pretty competent guy from there in Texas.

Original Client IP Client Username Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport HTTP Method URL MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Rule Filter Information Network Interface Raw IP Header Raw Payload Log Time Source Port Processing Time Bytes Sent Bytes Received HTTP Status Code Cache Information Log Record Type Destination IP Destination Port Protocol Action Client IP Source Network Destination Network Result Code Error Information
0.0.0.0 CC-SBS - UDP - - - - 10/26/2006 8:43:25 AM 68 0 0 0 0x0 Firewall 255.255.255.255 67 DHCP (request) Denied Connection 0.0.0.0 Internal Local Host 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0

I also ran an ISA info. Checked the server against mine and the system policy rules for DHCP are identical. Checked the NIC configurations; those look good too.
Checked that .255 is part of the internal network. Checked binding order and where DHCP is bound. Everything checks out.

If you recreate the DHCP system policy rules as firewall rules, DHCP works. Saw it with my own eyes. DHCP was working prior to ISA SP2 installation.

I'm stumped. Anyone?

p.s. I wish you guys would monitor the ISA MVP list as well.

Amy Babinchak

All mail to and from this domain is GFI-scanned.
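
The rule directions listed in the first reply of this thread, applied to the denied log record, as an added example that is not part of the original messages. It is a simplified model (direction plus destination port only, not ISA's rule engine); the names `RULES`, `Record`, `protocol` and `matching_rule_sets` are hypothetical, and the sample records are constructed from values quoted in the thread.

```python
from dataclasses import dataclass

# Rule directions as listed in the first reply of the thread:
# (rule set, protocol, source network, destination network)
RULES = [
    ("Default system policy", "DHCP (request)", "Local Host", "Internal"),
    ("Default system policy", "DHCP (reply)",   "Internal",   "Local Host"),
    ("SBS policy",            "DHCP (request)", "Internal",   "Local Host"),
    ("SBS policy",            "DHCP (reply)",   "Local Host", "Internal"),
]

@dataclass
class Record:
    src_net: str
    dst_net: str
    src_port: int
    dst_port: int

def protocol(rec):
    """Classify by destination port only, as the reply says ISA does,
    so relay traffic (UDP:67 -> UDP:67) counts as a DHCP request."""
    if rec.dst_port == 67:
        return "DHCP (request)"
    if rec.dst_port == 68:
        return "DHCP (reply)"
    return None

def matching_rule_sets(rec):
    """Return the rule sets whose listed direction covers this record."""
    proto = protocol(rec)
    return [name for name, p, src, dst in RULES
            if p == proto and src == rec.src_net and dst == rec.dst_net]

def parse_fields(fields):
    """Build a Record from a dict keyed by the log's column names."""
    return Record(fields["Source Network"], fields["Destination Network"],
                  int(fields["Source Port"]), int(fields["Destination Port"]))

# Constructed from the values in the denied log record quoted in the thread.
DENIED = parse_fields({"Source Network": "Internal",
                       "Destination Network": "Local Host",
                       "Source Port": "68", "Destination Port": "67"})
# Constructed: relay-to-server traffic as described in the first reply.
RELAY = Record("Internal", "Local Host", 67, 67)

if __name__ == "__main__":
    for label, rec in (("denied record", DENIED), ("relay traffic", RELAY)):
        print(label, "|", protocol(rec), "|", matching_rule_sets(rec))
```

For the quoted record the only listed direction that matches is the SBS request rule (Internal to Local Host); the default system policy request rule covers the opposite direction.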