[isapros] Re: ISA DHCP

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 26 Oct 2006 21:17:19 -0700

We need to clarify *which* DHCP rules you're talking about...

1.       Default System DHCP policies allow

a.       DHCP Request from Local Host to Internal (UDP:68 à UDP:67)

b.      DHCP Reply from Internal to local host (UDP:67 à UDP:68)

2.       SBS DHCP policies allow

a.       DHCP Request from Internal to Local Host (UDP:68 à UDP:67)

b.      DHCP Reply from Local Host to Internal (UDP:67 à UDP:68)

 

If a DHCP relay is in the path between the DHCP client and server, the traffic 
between the server and the relay will actually appear as UDP:67 à UDP:67 
regardless of direction.  Note that ISA doesn't make any distinction between 
this and DHCP Request traffic, since both are destined for UDP:67.  Is there a 
DHCP helper in either of these environments?

 

Based on the log excerpt you provided, it appears that it's the array rules 
that are failing.

Is that correct?

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Amy Babinchak
Sent: Thursday, October 26, 2006 7:11 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

 

In SBS DHCP rules are automagically created in the system policy.

 

Amy Babinchak

 

Harbor Computer Services

(248) 546-6056 office

(248) 890-1794 mobile

 

http://isainsbs.blogspot.com

http://keepitsecure.blogspot.com

http://www.harborcomputerservices.net

 

     

 

 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Thursday, October 26, 2006 9:26 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

 

He doth speaketh truly, doth he.

SBS always had to create an array-level rule allowing DHCP requests & replies 
for the internal network.

I 'd be very surprised to see SP2 installation removing those, since the SBS 
team had to have tested SP2 as well.

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Thursday, October 26, 2006 5:20 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

 

Hi Amy,

 

I'm not sure what the sceanrio is is. Is there a DHCP server on the ISA 
Firewall? If so, there never were any System Policy Rules that allow for this, 
you've always had to create your own rules.

 

Tom

 

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

         

________________________________

        From: isapros-bounce@xxxxxxxxxxxxx 
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
        Sent: Thursday, October 26, 2006 3:45 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] ISA DHCP

        Here's the promised update for the DHCP stops working issue after ISA 
SP2 install. More are starting to show up on the SBS yahoo group. The server 
that I've seen belongs to Eriq Neale. I know Tom Shinder knows him, he's a 
pretty competent guy from there in Texas. 

         

        Original Client IP      Client Username   Client Agent      
Authenticated Client    Service      Server Name Referring Server  Destination 
Host Name   Transport   HTTP Method URL      MIME Type   Object Source     
Source Proxy      Destination Proxy Bidirectional      Client Host Name  Rule  
Filter Information      Network Interface Raw IP Header     Raw Payload     Log 
Time    Source Port Processing Time   Bytes Sent  Bytes Received    HTTP Status 
Code Cache Information Log Record Type   Destination IP    Destination Port  
Protocol      Action      Client IP   Source Network    Destination Network     
Result Code Error Information

        0.0.0.0                             CC-SBS      -           UDP   -     
-     -                                         -                       
10/26/2006 8:43:25 AM   68    0     0      0           0x0   Firewall    
255.255.255.255   67    DHCP (request)    Denied Connection  0.0.0.0     
Internal    Local Host  0xc004000d FWX_E_POLICY_RULES_DENIED      0x0

         

         

        I also ran an ISA info. Checked the server against mine and the system 
policy rules for DHCP are identical. Checked the NIC configurations those look 
good too. Checked that .255 is part of the internal network. Checked binding 
order and where DHCP is bound. Everything checks out.

         

        If you recreate the DHCP system policy rules as firewall rules, DHCP 
works. Saw it with my own eyes. DHCP was working prior to ISA SP2 installation. 

         

        I'm stumped. Anyone?

         

        p.s. I wish you guys would monitor the ISA MVP list as well. 

         

        Amy Babinchak

         

         

         

All mail to and from this domain is GFI-scanned.


All mail to and from this domain is GFI-scanned.

GIF image

GIF image

GIF image

Other related posts: