The possibility of a switch failure led us to bring an extra Gigabit switch with us, as we have seen switch failures before.
It turned out that we needed to create a special rule in ISA for client machines that have lost their IP completely and now had a 169. address.
The rule looks like the following:
Note that the Listener is set for only the Internal and Local Host interfaces. We don't want the DHCP rule to access the Internet NIC.
[Image: Access Rule: DHCP (reply) & (request) via Internal and Local Host]
To create the rule:
- Open ISA Manager
- Right-click on Firewall Policy --> New
- Click on "Access Rule"
- Call it 169 DHCP Access or the like [Next]
- Allow [Next]
- This rule applies to: Selected Protocols
- Add Button
- Infrastructure: DHCP (reply) and DHCP (request)
- Close and Next
- This rule applies to traffic from these sources: Internal and Local Host [Next]
- This rule applies to traffic sent to these destinations: [Add Button]
- Network Sets: All Networks (and Local Host)
- Close and Next
- All Users [Next]
- Apply and OK in the ISA Manager
Doing a release and renew on the client computer will now allow it to connect.
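To confirm which adapters are still on a 169.254.x.x (self-assigned) address before and after the release and renew, the following added example, which is not part of the original post, parses `ipconfig /all` output and lists DHCP-enabled adapters that have fallen back to that range. The sample output is constructed, and English-language field labels are assumed.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not captured from a real machine).
SAMPLE = """\
Ethernet adapter Local Area Connection:

   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.17.42
   Subnet Mask . . . . . . . . . . . : 255.255.0.0

Ethernet adapter Wireless Network Connection:

   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.16.54
   DHCP Server . . . . . . . . . . . : 192.168.16.2
"""

APIPA = ipaddress.ip_network("169.254.0.0/16")   # self-assigned range
ADAPTER = re.compile(r"^(\S.*adapter .+):\s*$")   # section header line
FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")    # "Label. . . : value"


def apipa_adapters(ipconfig_text):
    """Return DHCP-enabled adapters whose IPv4 address is self-assigned."""
    adapters, name = {}, None
    for line in ipconfig_text.splitlines():
        header = ADAPTER.match(line)
        if header:
            name = header.group(1)
            adapters[name] = {"dhcp": False, "addrs": []}
            continue
        field = FIELD.match(line)
        if not (field and name):
            continue
        key = field.group(1).lower()
        value = field.group(2).split("(")[0].strip()  # drop "(Preferred)"
        if key == "dhcp enabled":
            adapters[name]["dhcp"] = value.lower() == "yes"
        elif key.endswith(("ip address", "ipv4 address")):
            try:
                adapters[name]["addrs"].append(ipaddress.ip_address(value))
            except ValueError:
                pass  # unparsable value; ignore this line
    return [n for n, a in adapters.items()
            if a["dhcp"] and any(ip in APIPA for ip in a["addrs"])]


if __name__ == "__main__":
    print(apipa_adapters(SAMPLE))
```

An empty list after the release and renew means every DHCP-enabled adapter in the captured output obtained a lease.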
The reasoning as we understand it can be found in a previous post: SBS 2K3 Premium - All Editions, ISA, and DHCP on SBS.
This particular SBS Premium box was installed last year during a run of large installs, and apparently we missed this step during setup; the DHCP issue didn't rear its head until now!
The importance of this Firewall Rule being there on Premium boxes is the reason behind this post. :D
UPDATE 2007-10-12: Image of ISA if one tries to add the broadcast address to the Internal Range:
It does not seem to work.
The default ISA Internal does include the full subnet though:
But only for that particular IP range.
Microsoft Small Business Specialists