Comments on: ISA and DHCP

By: Graham Chapman

Graham Chapman — Fri, 06 Apr 2007 20:36:39 +0000

If it helps logs on ISA show failure as DHCP (request) port 67 denied connection

By: Graham Chapman

Graham Chapman — Fri, 06 Apr 2007 20:22:47 +0000

Likewise experienced same problem narrowed down to a rule blocking a url set placed prior to SBS protected network rule. Definitely suggests it is something to do with the way the rule is processed as setting the rule to allow instead of deny still causes DHCP to fail but work OK if rule disabled.

By: Q

Wed, 17 Jan 2007 18:05:59 +0000

Thanks for the offer, Tim. Let me check and see if that would help with the cause.

By: Tim Long

Tim Long — Wed, 17 Jan 2007 15:36:53 +0000

I have a rule that behaves as you described. I’ve narrowed it down to one rule (supposed to block gambling sites) that breaks internal DHCP. When I enable the rule, *poof* no DHCP. Diable the rule, everything works fine. The rule specifies HTPS/HTTP/FTP and a URL set plus a Domain Name set. I have no idea why it blocks DHCP.

Are you collecting specimens? I think actually it is one of the anti-MALware rules from ISATools.org. My deny rules are at the top of the list, per recommendations. Can I help in troubleshooting this?

By: Q

Wed, 17 Jan 2007 15:15:06 +0000

The real question is *why* though… internal DHCP should *not* be affected by a blocking rule, provided the rule is built correctly.

I do think that blocking rules should probably be more selective in the protocols that are blocked. I.e., when putting together a list of banned web sites, i would probably make sense to only block HTTP and HTTPS instead of all traffic (although arguments could be made for other protocols such as FTP, IM, etc) and that may well avoid this type of issue.

But again, if I choose to block all traffic to, say, http://www.myspace.com, why on earth would that affect internal DHCP?

And there are more DHCP issues that have nothing to do with site blocking, too. This one I was able to get pretty definitive on, though, hence the post…

-Q

By: E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : ISA rules in the wrong place

Wed, 17 Jan 2007 07:22:33 +0000

[...] ISA rules in the wrong place http://simultaneouspancakes.com/Lessons/2007/01/15/isa-and-dhcp/ When you start using ISA to restrict things… be careful about restricting too much….. Depending on where you put that ISA rule set you could end up shutting off DHCP services as a result….. ——– Original Message ——–Subject: Sharing info.. ISA RulesDate: Sat, 13 Jan 2007 22:25:44 -0000From: Pop Newsgroups: microsoft.public.windows.server.sbs If you already all knew it then sorry… Set up a denied access rule for ‘banned sites’ a few days later noticed pcs were not getting an IP address from server DHCP (oh yes, router DHCP switched off…lol)Noticed the above rule was before the SBS Protected network rule, moved it below and DHCP working again… Interesting… Share this post: email it! | bookmark it! | digg it! | live it! [...]