Configuring the ISA Server Computer as a DHCP Server

There may be some configurations in which you want to install Microsoft Internet Security and Acceleration (ISA) Server 2004 on a DHCP server. This document addresses issues you may encounter when configuring such a scenario.

Creating DHCP Rules

Ordering DHCP Request Rules

Creating DHCP Rules

By default, when you install ISA Server on a DHCP server, the DHCP server will not respond to requests. To allow the DHCP server to work, you need to create the following rules:

  • A rule to allow DHCP requests from the network in which DHCP clients are situated to the Local Host network.
  • A rule to allow DHCP replies from the Local Host network to the network in which DHCP clients are situated.

Allowing the DHCP (Request) Protocol

In this procedure, the DHCP clients are located in the Internal network. To allow the DHCP (request) protocol, use the following steps.

  1. In the Firewall Policy node of ISA Server Management, right-click Firewall Policy, point to New, and then click Access Rule.
  2. In the New Access Rule Wizard, type a name for the rule. For example: Allow DHCP Requests. Then click Next.
  3. In the Rule Action page, click Allow. Then click Next.
  4. In the Protocols page, in This rule applies to, click Selected protocols. Then click Add.
  5. In Add Protocols, in the All Protocols section, click DHCP (request). Click Add, click Close, and then click Next.
  6. In the Access Rule Sources page, click Add.
  7. In Add Network Entities, in the Networks section, click Internal. Click Add, click Close, and then click Next.
  8. In the Access Rule Destinations page, click Add.
  9. In Add Network Entities, in the Networks section, click Local Host. Click Add, click Close, and then click Next.
  10. In the User Sets page, All Users is selected by default. Click Next, and then click Finish.

Allowing the DHCP (Reply) Protocol

In this procedure, the DHCP clients are located in the Internal network. To allow the DHCP (reply) protocol, use the following steps.

  1. In the Firewall Policy node of ISA Server Management, right-click Firewall Policy, point to New, and then click Access Rule.
  2. In the New Access Rule Wizard, type a name for the rule. For example: Allow DHCP Replies. Then click Next.
  3. In the Rule Action page, click Allow. Then click Next.
  4. In the Protocols page, in This rule applies to, click Selected protocols. Then click Add.
  5. In Add Protocols, in the All Protocols section, click DHCP (reply). Click Add, click Close, and then click Next.
  6. In the Access Rule Sources page, click Add.
  7. In Add Network Entities, in the Networks section, click Local Host. Click Add, click Close, and then click Next.
  8. In the Access Rule Destinations page, click Add.
  9. In Add Network Entities, in the Networks section, click Internal. Click Add, click Close, and then click Next.
  10. In the User Sets page, All Users is selected by default. Click Next, and then click Finish.

Ordering DHCP Request Rules

The destination of DHCP requests is a broadcast address. ISA Server does not perform name resolution for broadcast traffic; instead, it denies the traffic. If an allow or deny rule that requires name resolution could match the DHCP request, and that rule is higher in the rule order than the DHCP request rule you have created, DHCP traffic may be denied.

A rule requiring name resolution contains either a Domain Name set or a URL set in the destination (To) criteria. Note that if there are other criteria in the rule that do not match a DHCP request, there is no conflict.

To avoid conflict, ensure that the rule you have configured to allow DHCP requests is higher in the rule order than any other rule that uses name resolution that may match the DHCP request. This principle is shown in the following example.

This rule order will not work:

  1. Deny all protocols from www.attack.com
  2. Allow DHCP requests from internal to local host

This rule order will work:

  1. Deny HTTP protocol from www.attack.com
  2. Allow DHCP requests from internal to local host

This rule order will work:

  1. Allow DHCP requests from internal to local host
  2. Deny all protocols from www.attack.com
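To make the first-match behavior concrete, the following is an added Python model of how the three rule orders above are evaluated; it is not ISA Server code and not part of this document. The Rule and Packet fields, the default deny at the end of the list, and treating a name-based entity in either the From or the To criterion as requiring name resolution are assumptions of the model.

```python
# Added example (not ISA Server code): first-match evaluation of access rules,
# showing why a name-based rule placed above the DHCP request rule denies DHCP.
from dataclasses import dataclass

BROADCAST = "255.255.255.255"  # DHCP requests are sent to the broadcast address


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    protocols: frozenset  # protocol names, or frozenset({"*"}) for all protocols
    source: str           # network name, "*" (any), or a hostname (Domain Name set)
    dest: str             # network name, "*" (any), or a hostname (Domain Name set)


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_net: str   # network the packet arrived from
    dst_net: str   # network ISA Server maps the destination to
    dst_addr: str  # literal destination address


def needs_name_resolution(rule: Rule) -> bool:
    # Assumption: any dotted hostname in a rule criterion requires resolution.
    return "." in rule.source or "." in rule.dest


def evaluate(rules, pkt: Packet) -> str:
    """Return the action of the first rule whose criteria match the packet."""
    for rule in rules:
        if "*" not in rule.protocols and pkt.protocol not in rule.protocols:
            continue  # a non-matching protocol means no conflict with this rule
        if needs_name_resolution(rule):
            if pkt.dst_addr == BROADCAST:
                return "deny"  # ISA Server does not resolve names for broadcasts
            continue  # assumption: unresolved names never match in this model
        if rule.source not in ("*", pkt.src_net) or rule.dest not in ("*", pkt.dst_net):
            continue
        return rule.action
    return "deny"  # default rule: nothing matched


# Constructed inputs mirroring the three orderings discussed above.
DHCP_REQUEST = Packet("DHCP (request)", "Internal", "Local Host", BROADCAST)
DENY_ALL_ATTACK = Rule("deny", frozenset({"*"}), "www.attack.com", "*")
DENY_HTTP_ATTACK = Rule("deny", frozenset({"HTTP"}), "www.attack.com", "*")
ALLOW_DHCP = Rule("allow", frozenset({"DHCP (request)"}), "Internal", "Local Host")
ORDER_BROKEN = [DENY_ALL_ATTACK, ALLOW_DHCP]     # name rule first: DHCP denied
ORDER_HTTP_FIRST = [DENY_HTTP_ATTACK, ALLOW_DHCP]  # protocol differs: no conflict
ORDER_DHCP_FIRST = [ALLOW_DHCP, DENY_ALL_ATTACK]   # DHCP rule first: allowed

if __name__ == "__main__":
    for name, order in [("broken", ORDER_BROKEN), ("http first", ORDER_HTTP_FIRST),
                        ("dhcp first", ORDER_DHCP_FIRST)]:
        print(f"{name}: {evaluate(order, DHCP_REQUEST)}")
```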