Thursday, 11 October 2007

SBS Premium - SBS Post Install ISA Rule Must Do for DHCP

The reason that brought us to the aforementioned Mr. Client's location was a complaint that some machines were no longer able to connect to the network.

Suspecting a switch failure, which we have seen before, we brought a spare Gigabit switch with us.

It turned out that the switch was fine. What we needed was a special rule in ISA for client machines that had lost their DHCP lease completely and had fallen back to a 169.254.x.x (APIPA) address.

The rule looks like the following:

Access Rule: DHCP (reply) & (request) via Internal and Local Host

Note that the rule's source is limited to the Internal and Local Host networks only. We don't want the DHCP rule to apply to the External (Internet-facing) NIC. The destination, on the other hand, is the All Networks (and Local Host) network set rather than just Internal: a client with no lease sends its DHCP discover/request from 0.0.0.0 to the broadcast address 255.255.255.255, and neither of those addresses falls inside the Internal address range, so a rule scoped to Internal alone would not match the traffic.

To create the rule:
  1. Open ISA Manager
  2. Right Click on Firewall Policy --> New
  3. Click on "Access Rule"
  4. Call it 169 DHCP Access or the like [Next]
  5. Allow [Next]
  6. This rule applies to: Selected Protocols
  7. Add Button
  8. Infrastructure: DHCP (reply) and DHCP (request)
  9. Close and Next
  10. This rule applies to traffic from these sources: Internal and Local Host [Next]
  11. This rule applies to traffic sent to these destinations: [Add Button]
  12. Network Sets: All Networks (and Local Host)
  13. Close and Next
  14. All Users [Next]
  15. Finish
  16. Apply and OK in the ISA Manager
Your completed rule will look like the highlighted entry in the ISA Firewall Policy screenshot above. Because ISA evaluates access rules from the top down, make sure this rule sits above any rule that would deny DHCP traffic before it is reached.

After the policy is applied, an ipconfig /release followed by ipconfig /renew on the affected client lets it obtain a lease and connect.
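The same rule can be created from a script instead of clicking through the wizard. The following PowerShell is an added example, not code from the original post: it drives the ISA Server 2004 administration COM object model (ProgID FPC.Root) on the SBS/ISA box. The object, method and enumeration names used (GetContainingArray, ArrayPolicy.PolicyRules, AddAccessRule, AccessProperties.SpecifiedProtocols, SourceSelectionIPs, DestinationSelectionIPs, UserSets, and the numeric enum values) are assumed to follow the ISA 2004 SDK as we recall it; verify them against the SDK documentation before relying on the script.

```powershell
# Added example (not from the original post): create the "169 DHCP Access" rule
# through the ISA Server 2004 administration COM model (FPC.Root) rather than
# the wizard. Run on the SBS/ISA server as an ISA administrator.
# Assumption: method/property/enum names follow the ISA 2004 SDK; verify first.

$RuleName = "169 DHCP Access"

# Enum values as documented in the ISA SDK (assumed):
$fpcPolicyRuleActionAllow = 0   # FpcPolicyRuleActions: allow
$fpcSpecifiedProtocols    = 1   # FpcProtocolSelectionType: "Selected protocols"
$fpcInclude               = 0   # FpcIncludeStatus: include

$fpc   = New-Object -ComObject "FPC.Root"
$array = $fpc.GetContainingArray()
$rules = $array.ArrayPolicy.PolicyRules

# Do not create a duplicate if the rule already exists.
foreach ($r in $rules) {
    if ($r.Name -eq $RuleName) {
        Write-Host "Rule '$RuleName' already exists; nothing to do."
        return
    }
}

$rule = $rules.AddAccessRule($RuleName)
$rule.Action = $fpcPolicyRuleActionAllow

# Protocols: Infrastructure -> DHCP (request) and DHCP (reply) only.
$rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
$rule.AccessProperties.SpecifiedProtocols.Add("DHCP (request)", $fpcInclude)
$rule.AccessProperties.SpecifiedProtocols.Add("DHCP (reply)",   $fpcInclude)

# Source: Internal and Local Host only. The External network is deliberately
# left out so the rule never applies to the Internet NIC.
$rule.SourceSelectionIPs.Networks.Add("Internal",   $fpcInclude)
$rule.SourceSelectionIPs.Networks.Add("Local Host", $fpcInclude)

# Destination: the "All Networks (and Local Host)" set, because a client with
# no lease broadcasts from 0.0.0.0 to 255.255.255.255, which lies outside the
# Internal address range.
$rule.AccessProperties.DestinationSelectionIPs.NetworkSets.Add(
    "All Networks (and Local Host)", $fpcInclude)

# Users: All Users.
$rule.AccessProperties.UserSets.Add("All Users", $fpcInclude)

$rule.Description = "Allow DHCP request/reply so clients stuck on 169.254.x.x (APIPA) get a lease"
$rule.Enabled = $true

# Equivalent of clicking Apply in ISA Manager.
$rule.Save()

Write-Host "Created '$RuleName'. Check its position in Firewall Policy: it must sit above any rule that would deny DHCP first."
```

After the script runs, confirm the rule in ISA Manager and do the release/renew on an affected client; if the client still ends up on 169.254.x.x, the usual cause is a rule earlier in the policy that matches the DHCP broadcast and denies it.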

The reasoning as we understand it can be found in a previous post: SBS 2K3 Premium - All Editions, ISA, and DHCP on SBS.

This particular SBS Premium box was installed last year during a run of large installs. Apparently we missed this step during setup, and the DHCP issue didn't rear its head until now!

The importance of having this firewall rule in place on Premium boxes is the reason behind this post. :D

UPDATE 2007-10-12: Image of ISA when one tries to add the broadcast address (.255) to the Internal network's address range:

[screenshot: ISA rejects the address]

It does not seem to work; ISA will not accept the broadcast address as part of the Internal range.

The default ISA Internal network definition does cover the full subnet though:

[screenshot: default Internal network address range]

But only for that particular IP range; the broadcast address itself is not part of it.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

5 comments:

  1. Can't say I've seen this problem.

    A question for you - do you have .255 included in your Internal Network range? The exclusion of the broadcast address may be causing you this grief.

  2. Chris,

    See the update in the post. ISA does not have that address in by default.

    The image in the update shows that ISA won't accept that address.

    So, could you clarify for me a little more as far as your question please?

    Thanks,

    Philip

  3. It was the 192.168.224.255 address I was talking about.

    I've seen some SBS installs where the internal range is set from .0 to .254, which causes broadcast related problems. I thought this may have been responsible for your problem.

  4. See http://securesmb.blogspot.com for the reason behind why some people have this problem on their ISA servers and others do not.

  5. Chris,

    I may have seen that behaviour once or twice. IIRC, a rerun of the CEICW would fix that.

    Amy,

    Yes, I saw the post come through my reader.

    I still haven't quite been able to wrap my mind around it yet, as the DHCP problem has occurred on servers where the rules were set up correctly with the right protocols and restrictions.

    So, answer me this: According to the images posted on your blog, would it be safe to say that the SBS Protected Networks Access Rule should be saddled up against the bottom of the default SBS installed rules? That is, any custom rules would then be setup between the SBS PNAR and the Last Default rule?

    Please feel free to fill us in.

    Amy's post: Why DHCP Stops Working After You Add a Custom Access Rule.

    Thanks for taking the time to comment Amy and Chris! It is appreciated.

    Philip
