Jan 15

ISA and DHCP

By Q

I’ve been fighting a rash of internal DHCP issues for clients running ISA 2004 SP2 on SBS 2003. Amy Babinchak noted this a while back in her blog, and I’ve been working with her to iron out the issues. One item I ran across this morning seems to tie the problem to a Restricted Access rule. The jury is still out on the why and the root cause of the issue, but I noted one change that I made to one set of rules that allowed DHCP to work correctly on the internal network afterward.

The rules that had been created followed this pattern: a URL set of domains that the creator of the rule did not want internal workstations to reach; the rule action was “deny”; and the rule applied to all protocols and all users. In one case, I modified the rules to apply to all protocols except those listed, and I added DHCP Request and DHCP Reply to the exceptions list. Once I applied those changes, DHCP started working internally again.

Granted, these rules were near the top of the rule order (ISA evaluates firewall policy top-down and applies the first matching rule), and if they had been lower in the list, possibly even below the Protected Network Access rule, we might not have seen the behavior. But something about the way those rules were created seemed to deny internal workstations access to DHCP.

I still have other sites with DHCP issues that I’ve only been able to get around by following the instructions in Amy’s post. But there have been some rumblings about deny access rules, so we’re starting down that road first to see what’s happening.

I’ll post updates here as I get them. Stay tuned…
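As a check to go with the above (an example added here, not code from the original post or from ISA Server itself): the ISA firewall log records the action taken and the name of the rule that matched, so denied DHCP (request)/(reply) rows point straight at the offending rule. The script below parses a tab-separated W3C-style log export by its `#Fields:` header, counts denied DHCP connections per rule, and says whether each such rule sits above the protected-network rule in a given policy order. The field names, the “Denied Connection” action text, the rule names and the log rows are constructed assumptions; map them onto your own export’s header before relying on the output.

```python
"""Find denied DHCP connections in an ISA Server firewall log export and
name the rule that denied them.

Added example (not from the original post). It assumes a tab-separated
W3C-style export with a '#Fields:' header; field names, action text,
rule names and the log rows below are constructed for illustration.
"""

DHCP_PORTS = {67, 68}           # DHCP server / client UDP ports
DENIED = "Denied Connection"    # assumed spelling of ISA's deny action

# Constructed sample log: two DHCP rows denied by a 'banned sites' deny
# rule, one unrelated HTTP deny, and one DHCP request matched by the SBS
# rule (allowed, so it must not be reported).
SAMPLE_LOG = (
    "#Software: ISA Server\n"
    "#Fields: date\ttime\tIP protocol\tsource\tdestination\tsource network\t"
    "destination network\taction\trule\tapplication protocol\n"
    "2007-01-15\t08:01:02\tUDP\t0.0.0.0:68\t255.255.255.255:67\tInternal\t"
    "Local Host\tDenied Connection\tBlock banned sites\tDHCP (request)\n"
    "2007-01-15\t08:01:03\tUDP\t192.168.16.2:67\t255.255.255.255:68\t"
    "Local Host\tInternal\tDenied Connection\tBlock banned sites\tDHCP (reply)\n"
    "2007-01-15\t08:01:10\tTCP\t192.168.16.50:1045\t198.51.100.5:80\tInternal\t"
    "External\tDenied Connection\tBlock banned sites\tHTTP\n"
    "2007-01-15\t08:02:00\tUDP\t0.0.0.0:68\t255.255.255.255:67\tInternal\t"
    "Local Host\tInitiated Connection\tSBS Protected Networks Access Rule\t"
    "DHCP (request)\n"
)

# Constructed policy order, top to bottom, as listed in the ISA console.
POLICY_ORDER = [
    "Block banned sites",
    "SBS Protected Networks Access Rule",
    "SBS Internet Access Rule",
]


def parse_w3c(text):
    """Yield each data row as a dict keyed by the '#Fields:' names."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if line.startswith("#"):
            continue                      # other directives (#Software, #Date ...)
        if fields is None:
            raise ValueError("line %d: data before #Fields: header" % lineno)
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("line %d: expected %d columns, got %d"
                             % (lineno, len(fields), len(values)))
        yield dict(zip(fields, values))


def port_of(endpoint):
    """Return the port of an 'ip:port' string, or None if there is none."""
    _, sep, port = endpoint.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def is_dhcp(row):
    """DHCP if ISA tagged the application protocol, else by UDP port 67/68."""
    if row.get("application protocol", "").upper().startswith("DHCP"):
        return True
    return (row.get("IP protocol") == "UDP"
            and port_of(row.get("destination", "")) in DHCP_PORTS)


def denied_dhcp_by_rule(text):
    """Map each rule name to the number of DHCP connections it denied."""
    counts = {}
    for row in parse_w3c(text):
        if row.get("action") == DENIED and is_dhcp(row):
            rule = row.get("rule", "")
            counts[rule] = counts.get(rule, 0) + 1
    return counts


def rule_is_above(policy_order, rule, reference):
    """True when `rule` is evaluated before `reference` (first match wins)."""
    return policy_order.index(rule) < policy_order.index(reference)


def report(text, policy_order,
           protected_rule="SBS Protected Networks Access Rule"):
    """Return (rule, denied_count, sits_above_protected_rule) per rule."""
    findings = []
    for rule, count in sorted(denied_dhcp_by_rule(text).items()):
        above = (rule in policy_order and protected_rule in policy_order
                 and rule_is_above(policy_order, rule, protected_rule))
        findings.append((rule, count, above))
    return findings


if __name__ == "__main__":
    for rule, count, above in report(SAMPLE_LOG, POLICY_ORDER):
        where = "above" if above else "not above"
        print("%-40s denied %d DHCP connection(s); %s the protected-network rule"
              % (rule, count, where))
```

Run it against a real export by reading the file into `report()` and passing the rule names in the order the console shows them; a rule that appears in the output with `True` is a deny rule that matched DHCP and is processed before the protected-network rule, which is exactly the placement the post and the comments below describe.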

6 Comments

1

[...] ISA rules in the wrong place http://simultaneouspancakes.com/Lessons/2007/01/15/isa-and-dhcp/ When you start using ISA to restrict things… be careful about restricting too much….. Depending on where you put that ISA rule set you could end up shutting off DHCP services as a result…..

——– Original Message ——–
Subject: Sharing info.. ISA Rules
Date: Sat, 13 Jan 2007 22:25:44 -0000
From: Pop <Iknowyouwantit@lol.com>
Newsgroups: microsoft.public.windows.server.sbs

If you already all knew it then sorry… ;-) Set up a denied access rule for ‘banned sites’ a few days later noticed pcs were not getting an IP address from server DHCP (oh yes, router DHCP switched off…lol) Noticed the above rule was before the SBS Protected network rule, moved it below and DHCP working again… Interesting… [...]

2

The real question is *why* though… internal DHCP should *not* be affected by a blocking rule, provided the rule is built correctly.

I do think that blocking rules should probably be more selective in the protocols that are blocked. I.e., when putting together a list of banned web sites, it would probably make sense to only block HTTP and HTTPS instead of all traffic (although arguments could be made for other protocols such as FTP, IM, etc.), and that may well avoid this type of issue.

But again, if I choose to block all traffic to, say, http://www.myspace.com, why on earth would that affect internal DHCP?

And there are more DHCP issues that have nothing to do with site blocking, too. This one I was able to get pretty definitive on, though, hence the post…

-Q

3

I have a rule that behaves as you described. I’ve narrowed it down to one rule (supposed to block gambling sites) that breaks internal DHCP. When I enable the rule, *poof* no DHCP. Disable the rule, everything works fine. The rule specifies HTTPS/HTTP/FTP and a URL set plus a Domain Name set. I have no idea why it blocks DHCP.

Are you collecting specimens? I think actually it is one of the anti-malware rules from ISATools.org. My deny rules are at the top of the list, per recommendations. Can I help in troubleshooting this?

4

Thanks for the offer, Tim. Let me check and see if that would help with the cause.

5

Likewise experienced the same problem, narrowed down to a rule blocking a URL set placed prior to the SBS Protected Network rule. Definitely suggests it is something to do with the way the rule is processed, as setting the rule to allow instead of deny still causes DHCP to fail, but it works OK if the rule is disabled.

6

If it helps, logs on ISA show the failure as DHCP (request) port 67 denied connection.