Configuring the DHCP Relay Agent on ISA Server 2004

There may be some configurations in which you want to install Microsoft® Internet Security and Acceleration (ISA) Server 2004 on a Dynamic Host Configuration Protocol (DHCP) relay agent server. This document addresses issues you may encounter when configuring such a scenario.

Creating DHCP Rules

Ordering DHCP Request Rules

Creating DHCP Rules

By default, when you install ISA Server on a DHCP relay agent, the DHCP relay agent will not respond to requests. To allow the DHCP relay agent to work, you need to create the following rules:

  • A rule to allow the DHCP request from the network in which DHCP clients are situated to the Local Host network. (The DHCP relay agent acts as a DHCP server for the DHCP clients.)
  • A rule to allow the DHCP reply from the Local Host network to the network in which DHCP clients are situated. (The DHCP relay agent acts as a DHCP server for the DHCP clients.)
  • A rule to allow the DHCP relay agent to communicate with DHCP servers, as follows:
    • Create a DHCP protocol definition.
    • Create a computer set for DHCP servers.
    • Create a rule from the Local Host network to DHCP servers.

Allow the DHCP (Request) Protocol to the Local Host Network

In this procedure, the DHCP clients are located in the Internal network. To allow the DHCP (request) protocol, do the following:

  1. In the Firewall Policy node of ISA Server Management, right-click Firewall Policy, point to New, and then click Access Rule.
  2. In the New Access Rule Wizard, type a name for the rule. For example: Allow DHCP Requests. Then, click Next.
  3. In the Rule Action page, click Allow. Then, click Next.
  4. In the Protocols page, in This rule applies to, select Selected protocols. Then, click Add.
  5. In Add Protocols, in the All Protocols section, click DHCP (request). Click Add, click Close, and then click Next.
  6. In the Access Rule Sources page, click Add.
  7. In Add Network Entities, in the Networks section, click Internal. Click Add, click Close, and then click Next.
  8. In the Access Rule Destinations page, click Add.
  9. In Add Network Entities, in the Networks section, click Local Host. Click Add, click Close, and then click Next.
  10. In the User Sets page, All Users is selected by default. Click Next, and then click Finish.

Allow the DHCP (Reply) Protocol from the Local Host Network

In this procedure, the DHCP clients are located in the Internal network. To allow the DHCP (reply) protocol, do the following:

  1. In the Firewall Policy node of ISA Server Management, right-click Firewall Policy, point to New, and then click Access Rule.
  2. In the New Access Rule Wizard, type a name for the rule. For example: Allow DHCP Replies. Then, click Next.
  3. In the Rule Action page, click Allow. Then, click Next.
  4. In the Protocols page, in This rule applies to, select Selected protocols. Then, click Add.
  5. In Add Protocols, in the All Protocols section, click DHCP (reply). Click Add, click Close, and then click Next.
  6. In the Access Rule Sources page, click Add.
  7. In Add Network Entities, in the Networks section, click Local Host. Click Add, click Close, and then click Next.
  8. In the Access Rule Destinations page, click Add.
  9. In Add Network Entities, in the Networks section, click Internal. Click Add, click Close, and then click Next.
  10. In the User Sets page, All Users is selected by default. Click Next, and then click Finish.

Create a DHCP Protocol Definition

You must create a DHCP protocol definition to allow DHCP requests and replies for the DHCP relay agent. There is a predefined DHCP reply protocol, but it only allows DHCP replies to the DHCP client port (port 68), while the DHCP relay agent uses port 67. To create the protocol definition, do the following:

  1. In the Firewall Policy node of ISA Server Management, click Firewall Policy.
  2. On the Toolbox tab, click Protocols.
  3. On the menu, click New, and then click Protocol.
  4. In the Welcome page of the New Protocol Definition Wizard, type a name for the protocol (for example DHCPRelay). Then, click Next.
  5. On the Primary Connection Information page, click New.
  6. In the New/Edit Protocol Connection dialog box, do the following:
    1. In Protocol Type, select UDP.
    2. In Direction, select Send Receive.
    3. In Port Range, in From, type 67. In To, type 67.
  7. Click OK, and then click Next.
  8. On the Secondary Connections page, click Next, and then click Finish to complete the wizard.
  9. Click Apply to apply the changes.

Create a DHCP Server Computer Set

To create a computer set containing the IP addresses of the DHCP servers, do the following:

  1. In ISA Server Management, click Firewall Policy.
  2. On the Toolbox tab, click Networks.
  3. Click the New menu, and then click Computer Sets.
  4. In the New Computer Set Rule Element dialog box, type a name for the computer set (for example, DHCP_Servers).
  5. For each DHCP server that you want to add to the computer set, do the following:
    1. Click Add, and then click Computer.
    2. In Name, type a reference name for the DHCP server computer.
    3. In Computer IP Address, type the IP address of the DHCP server. Then, click OK.
  6. Click OK to close the New Computer Set Rule Element dialog box.
  7. Click Apply to apply the changes.

Allow the DHCP Relay Agent (Local Host Network) to DHCP Servers

To allow the DHCP relay agent to communicate with the DHCP server, do the following:

  1. In the Firewall Policy node of ISA Server Management, right-click Firewall Policy, point to New, and then click Access Rule.
  2. In the New Access Rule Wizard, type a name for the rule (for example Allow DHCP Relay Agent). Then, click Next.
  3. In the Rule Action page, click Allow. Then, click Next.
  4. In the Protocols page, in This rule applies to, click Selected protocols. Then, click Add.
  5. In Add Protocols, in the User-Defined section, click DHCPRelay, which is the protocol that you created earlier. Click Add, click Close, and then click Next.
  6. In the Access Rule Sources page, click Add.
  7. In Add Network Entities, in the Networks section, click Local Host. Click Add, click Close, and then click Next.
  8. In the Access Rule Destinations page, click Add.
  9. In Add Network Entities, in the Computer Sets section, click DHCP_Servers, which is the computer set that you created earlier. Click Add, click Close, and then click Next.
  10. In the User Sets page, All Users is selected by default. Click Next, and then click Finish.
  11. Click Apply to apply the changes.

Ordering DHCP Request Rules

The destination of DHCP requests is a broadcast address. ISA Server does not perform name resolution for broadcast traffic, but rather denies it. If there is an allow or deny rule that may match the DHCP request and requires name resolution, and that rule is higher in the rule order than the DHCP request rule you have created, DHCP traffic may be denied.

A rule requiring name resolution contains either a domain name set or a URL set in the destination (To) criterion. Note that if there are other criteria in the rule that do not match a DHCP request, there is no conflict.

To avoid conflict, ensure that the rule you have configured to allow DHCP requests is higher in the rule order than any other rule that uses name resolution and that may match the DHCP request. This principle is shown in the following examples.

This rule order will not work:

  • Deny all protocols from www.attack.com
  • Allow DHCP requests from internal to local host

This rule order will work:

  • Deny HTTP protocol from www.attack.com
  • Allow DHCP requests from internal to local host

This rule order will work:

  • Allow DHCP requests from internal to local host
  • Deny all protocols from www.attack.com
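The rule set and the ordering caveat above can be checked outside the console with a small first-match model. The following Python block is an added example, not Microsoft's code and not ISA Server's administration API: it models the three rules from this page, the predefined DHCP (request) and DHCP (reply) protocols and the user-defined DHCPRelay protocol as destination-port matches, and treats a rule whose destination is a domain name set or URL set as one that needs name resolution, which ISA cannot perform for a broadcast destination and therefore denies, as described above. The network names, the constructed flows, the server address 10.0.0.5 and the modelling of www.attack.com as a destination domain name set are assumptions made for the example; ISA's protocol direction flags are not modelled beyond each rule's source and destination.

```python
"""Added example (not Microsoft's code): a first-match model of ISA Server 2004
access-rule evaluation, used to check the DHCP relay rules and their ordering.
Everything below is modelled from the page text, not from ISA's own API."""
from dataclasses import dataclass
from typing import Optional

BROADCAST = "255.255.255.255"


@dataclass(frozen=True)
class Protocol:
    name: str
    transport: str   # "udp" or "tcp"
    port_lo: int     # destination port range, as typed in the protocol definition wizard
    port_hi: int

    def matches(self, flow: "Flow") -> bool:
        return flow.transport == self.transport and self.port_lo <= flow.dst_port <= self.port_hi


@dataclass(frozen=True)
class Flow:
    transport: str
    src_net: str     # ISA network the source belongs to ("Internal", "Local Host")
    dst_ip: str      # destination address; DHCP requests go to the broadcast address
    dst_net: str     # ISA network or computer set the destination belongs to
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    protocols: Optional[frozenset]       # None models "all protocols"
    source: str                          # network name
    destination: str                     # network, computer set, domain name set or URL set
    needs_name_resolution: bool = False  # True when destination is a domain name set or URL set


# Protocol definitions used on this page (ports assumed from the text).
DHCP_REQUEST = Protocol("DHCP (request)", "udp", 67, 67)
DHCP_REPLY = Protocol("DHCP (reply)", "udp", 68, 68)   # predefined: client port only
DHCP_RELAY = Protocol("DHCPRelay", "udp", 67, 67)      # user-defined: server replies arrive at 67
HTTP = Protocol("HTTP", "tcp", 80, 80)

ALLOW_DHCP_REQUESTS = Rule("Allow DHCP Requests", "allow", frozenset({DHCP_REQUEST}), "Internal", "Local Host")
ALLOW_DHCP_REPLIES = Rule("Allow DHCP Replies", "allow", frozenset({DHCP_REPLY}), "Local Host", "Internal")
ALLOW_DHCP_RELAY = Rule("Allow DHCP Relay Agent", "allow", frozenset({DHCP_RELAY}), "Local Host", "DHCP_Servers")
RELAY_RULES = [ALLOW_DHCP_REQUESTS, ALLOW_DHCP_REPLIES, ALLOW_DHCP_RELAY]

# Example rules from the page; www.attack.com is modelled as a destination domain name set.
DENY_ALL_ATTACK = Rule("Deny all protocols to www.attack.com", "deny", None, "Internal", "www.attack.com", True)
DENY_HTTP_ATTACK = Rule("Deny HTTP to www.attack.com", "deny", frozenset({HTTP}), "Internal", "www.attack.com", True)
ORDER_BROKEN = [DENY_ALL_ATTACK, ALLOW_DHCP_REQUESTS]
ORDER_OK_HTTP_ONLY = [DENY_HTTP_ATTACK, ALLOW_DHCP_REQUESTS]
ORDER_OK_DHCP_FIRST = [ALLOW_DHCP_REQUESTS, DENY_ALL_ATTACK]

# Constructed flows for the three legs of relayed DHCP (10.0.0.5 is a made-up server address).
CLIENT_REQUEST = Flow("udp", "Internal", BROADCAST, "Local Host", 67)       # client broadcast hits the relay
RELAY_TO_CLIENT = Flow("udp", "Local Host", BROADCAST, "Internal", 68)      # relay hands the offer to the client
RELAY_TO_SERVER = Flow("udp", "Local Host", "10.0.0.5", "DHCP_Servers", 67)  # relay forwards to the DHCP server


def evaluate(rules, flow):
    """First-match evaluation; returns (action, rule name). Unmatched traffic hits the default deny."""
    for rule in rules:
        if rule.protocols is not None and not any(p.matches(flow) for p in rule.protocols):
            continue  # another criterion does not match: no conflict, move on
        if rule.source != flow.src_net:
            continue
        if rule.needs_name_resolution:
            if flow.dst_ip == BROADCAST:
                return "deny", rule.name  # ISA does not resolve a broadcast address; it denies the traffic
            continue  # model assumption: the constructed destinations are in no domain name set
        if rule.destination == flow.dst_net:
            return rule.action, rule.name
    return "deny", "Default rule"


def conflicting_rules(rules, dhcp_rule_name, flow=CLIENT_REQUEST):
    """Name-resolution rules above the DHCP rule whose other criteria still match a DHCP request."""
    found = []
    for rule in rules:
        if rule.name == dhcp_rule_name:
            break
        protocol_ok = rule.protocols is None or any(p.matches(flow) for p in rule.protocols)
        if rule.needs_name_resolution and protocol_ok and rule.source == flow.src_net:
            found.append(rule.name)
    return found


if __name__ == "__main__":
    for label, order in (("broken", ORDER_BROKEN), ("http only", ORDER_OK_HTTP_ONLY), ("dhcp first", ORDER_OK_DHCP_FIRST)):
        print(label, evaluate(order, CLIENT_REQUEST), "conflicts:", conflicting_rules(order, "Allow DHCP Requests"))
    for flow in (CLIENT_REQUEST, RELAY_TO_CLIENT, RELAY_TO_SERVER):
        print(flow.src_net, "->", flow.dst_net, flow.dst_port, evaluate(RELAY_RULES, flow))
    print("relay leg without DHCPRelay rule:", evaluate(RELAY_RULES[:2], RELAY_TO_SERVER))
```

Running the block prints the outcome for each of the three orderings and for the three legs of relayed DHCP, and shows that the relay-to-server leg is denied by the default rule until the DHCPRelay rule exists, because the predefined DHCP (reply) protocol only matches port 68. The check worth keeping is conflicting_rules: run it against a policy and it lists the name-resolution rules sitting above the DHCP request rule whose other criteria still match a DHCP request, which are exactly the rules that must move below it.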