[isapros] Re: ISA DHCP

  • From: "Steve Moffat" <steve@xxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 30 Oct 2006 21:20:44 -0400

Hmmm.....just for the hell of it, I updated 2 sbs's today to SP2...no issues at 
all. Did them remotely too.
S

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Amy Babinchak
Sent: Monday, October 30, 2006 2:54 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

Jim,

Just checking to see that you got my reply to this. The DHCP rules are messed 
up. Not sure why this is happening after SP2.

Amy Babinchak

Harbor Computer Services
(248) 546-6056 office
(248) 890-1794 mobile

http://isainsbs.blogspot.com
http://keepitsecure.blogspot.com
http://www.harborcomputerservices.net



________________________________
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Friday, October 27, 2006 12:17 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

We need to clarify *which* DHCP rules you're talking about...

1. Default System DHCP policies allow

   * DHCP Request from Local Host to Internal (UDP:68 -> UDP:67)
   * DHCP Reply from Internal to local host (UDP:67 -> UDP:68)

2. SBS DHCP policies allow

   * DHCP Request from Internal to Local Host (UDP:68 -> UDP:67)
   * DHCP Reply from Local Host to Internal (UDP:67 -> UDP:68)

If a DHCP relay is in the path between the DHCP client and server, the traffic 
between the server and the relay will actually appear as UDP:67 -> UDP:67 
regardless of direction.  Note that ISA doesn't make any distinction between 
this and DHCP Request traffic, since both are destined for UDP:67.  Is there a 
DHCP helper in either of these environments?

Based on the log excerpt you provided, it appears that it's the array rules 
that are failing.
Is that correct?

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Amy Babinchak
Sent: Thursday, October 26, 2006 7:11 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

In SBS, DHCP rules are automagically created in the system policy.

Amy Babinchak

Harbor Computer Services
(248) 546-6056 office
(248) 890-1794 mobile

http://isainsbs.blogspot.com
http://keepitsecure.blogspot.com
http://www.harborcomputerservices.net



________________________________
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Thursday, October 26, 2006 9:26 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

He doth speaketh truly, doth he.
SBS always had to create an array-level rule allowing DHCP requests & replies 
for the internal network.
I'd be very surprised to see SP2 installation removing those, since the SBS 
team had to have tested SP2 as well.

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Thursday, October 26, 2006 5:20 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA DHCP

Hi Amy,

I'm not sure what the scenario is. Is there a DHCP server on the ISA 
Firewall? If so, there never were any System Policy Rules that allow for this, 
you've always had to create your own rules.

Tom


Thomas W Shinder, M.D.
Site: www.isaserver.org<http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)


________________________________
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Amy Babinchak
Sent: Thursday, October 26, 2006 3:45 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] ISA DHCP

Here's the promised update for the DHCP stops working issue after ISA SP2 
install. More are starting to show up on the SBS yahoo group. The server that 
I've seen belongs to Eriq Neale. I know Tom Shinder knows him, he's a pretty 
competent guy from there in Texas.

Original Client IP      Client Username   Client Agent      Authenticated 
Client    Service      Server Name Referring Server  Destination Host Name   
Transport   HTTP Method URL      MIME Type   Object Source     Source Proxy     
 Destination Proxy Bidirectional      Client Host Name  Rule  Filter 
Information      Network Interface Raw IP Header     Raw Payload     Log Time   
 Source Port Processing Time   Bytes Sent  Bytes Received    HTTP Status Code 
Cache Information Log Record Type   Destination IP    Destination Port  
Protocol      Action      Client IP   Source Network    Destination Network     
Result Code Error Information
0.0.0.0                             CC-SBS      -           UDP   -     -     - 
                                        -                       10/26/2006 
8:43:25 AM   68    0     0      0           0x0   Firewall    255.255.255.255   
67    DHCP (request)    Denied Connection  0.0.0.0     Internal    Local Host  
0xc004000d FWX_E_POLICY_RULES_DENIED      0x0


I also ran an ISA info. Checked the server against mine and the system policy 
rules for DHCP are identical. Checked the NIC configurations; those look good 
too. Checked that .255 is part of the internal network. Checked binding order 
and where DHCP is bound. Everything checks out.

If you recreate the DHCP system policy rules as firewall rules, DHCP works. Saw 
it with my own eyes. DHCP was working prior to ISA SP2 installation.

I'm stumped. Anyone?

p.s. I wish you guys would monitor the ISA MVP list as well.

Amy Babinchak
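
An added example, not part of the original thread and not ISA Server code: a simplified Python model of the four DHCP rules Jim Harrison lists, checked against the fields of the denied log record above. The rule table, the function names and the destination-port matching are assumptions drawn from the descriptions in the thread; the relay flow is a constructed sample.

```python
# Simplified model of the DHCP allow rules described in the thread.
# Assumption: a rule matches on (protocol, source network, destination network).
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    src_net: str
    dst_net: str
    src_port: int
    dst_port: int

def protocol(flow: Flow) -> Optional[str]:
    """Name the protocol by destination port, so relay traffic (67 -> 67)
    is indistinguishable from a client request, as the thread notes."""
    if flow.dst_port == 67 and flow.src_port in (67, 68):
        return "DHCP (request)"
    if flow.dst_port == 68 and flow.src_port == 67:
        return "DHCP (reply)"
    return None

# (rule set, protocol, source network, destination network)
RULES = [
    ("Default system policy", "DHCP (request)", "Local Host", "Internal"),
    ("Default system policy", "DHCP (reply)", "Internal", "Local Host"),
    ("SBS policy", "DHCP (request)", "Internal", "Local Host"),
    ("SBS policy", "DHCP (reply)", "Local Host", "Internal"),
]

def matching_rule(flow: Flow) -> Optional[str]:
    proto = protocol(flow)
    for rule_set, rule_proto, src, dst in RULES:
        if (proto, flow.src_net, flow.dst_net) == (rule_proto, src, dst):
            return f"{rule_set}: {rule_proto} {src} -> {dst}"
    return None

def audit(flow: Flow, logged_action: str) -> str:
    """Compare the logged action with what the rule table says should happen."""
    rule = matching_rule(flow)
    if rule is None:
        return "no DHCP allow rule covers this flow; a deny is expected"
    if logged_action.startswith("Denied"):
        return f"MISMATCH: denied, but covered by [{rule}]"
    return f"consistent: allowed by [{rule}]"

# Fields taken from the denied record in the original post.
LOGGED = Flow("Internal", "Local Host", 68, 67)
# Constructed sample: relay-to-server traffic as described (67 -> 67).
RELAY = Flow("Internal", "Local Host", 67, 67)

if __name__ == "__main__":
    print(audit(LOGGED, "Denied Connection"))
    print(audit(RELAY, "Allowed"))  # "Allowed" is a constructed action value
```

Under this model the logged broadcast request matches only the SBS rule, which is why a deny with FWX_E_POLICY_RULES_DENIED points at that rule set rather than at the default system policy.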




All mail to and from this domain is GFI-scanned.
