I’m going to attempt to explain this as simply as possible. Those of you who know me probably have noticed that I like things simple. I actually like ISA because it is simple. It has rules and it follows them. There they are right in front of me. It’s pretty intuitive and obvious. I like that.
In the last year or so I suddenly started hearing about SBS servers running ISA that stopped serving DHCP addresses. I couldn’t reproduce it. I run about 50 ISA servers and none of them have ever stopped serving DHCP addresses. I’ve helped a whole bunch of other consultants all over the country and some in other parts of the world configure their servers and none of them stopped serving DHCP either. Until this week. I finally got lazy while troubleshooting an application issue and reproduced the problem. Then, another consultant posted the handy screenshots below to help illustrate the problem.
As usual, laziness and a lack of attention to detail are the root of the problem. Add to that the magic of SBS integration and we have the recipe for denied DHCP requests.
This does not work:
Using the Sesame Street method of IT troubleshooting (you know, “one of these things is not like the other, one of these things isn’t the same…”) I see that the only difference between those two screenshots is that in the first one the Liberty Program rule is above the SBS Protected Networks Access Rule and in the second one it’s below it. If you’ve heard me speak on ISA, one of the things I always mention is that your custom rules should be positioned BELOW the default rules and sitting right on top of the SBS Internet Access Rule. This is why.
The key is the SBS Protected Networks Access Rule. This is the rule that is unique to the SBS ISA configuration. The Connect To The Internet Wizard creates this rule for us. This rule says Allow, All Outbound Protocols, from All Protected Networks (that’s usually just Local Host and Internal) to All Protected Networks. That means traffic can flow freely from any network behind your SBS server and the server itself, to any network behind the SBS server and the server itself. This is THE rule that gives ISA purists fits. Why? Because one of the fundamental tenets of ISA is that you don’t trust anyone or anything, even if it’s behind your ISA server, and this rule breaks that down. It’s one of the compromises we make for allowing the integration of all the applications we have on SBS.
Ordinarily the System Policy in ISA handles how ISA can be accessed and the Firewall Policy handles what clients on the network can do and publishes websites. In SBS some of the System Policy rules don’t work because of what’s been done to make all of our server applications happily co-exist on the same box. The DHCP System Policy rule is one of those.
Now we need to understand how we break the SBS Protected Networks Access Rule when we create a rule like this:
Allow, All Outbound Protocols, from Internal, to a URL Set
and we put it above
Allow, All Outbound Protocols, from All Protected Networks, to All Protected Networks
So a DHCP request comes in. It’s a broadcast to 255.255.255.255. As ISA moves through the rules it gets down to Allow, All Outbound Protocols, from Internal, to a URL Set. Oops! Broken rule. URL Sets are only for HTTP, HTTPS (and tunneled FTP). Bounce to the bottom rule, Last Default Rule – Deny.
By putting All Outbound Protocols instead of just HTTP and HTTPS in the custom rule, we’ve broken DHCP.
The solution: don’t be lazy with your protocol choices, and/or always put your custom access rules just above the SBS Internet Access Rule.
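To make the rule walk concrete, here is a small Python model of the evaluation described above. It is an added example, not ISA code and not from the original post. It encodes the post’s own account of what happens: a rule whose destination is a URL Set can only be evaluated for HTTP, HTTPS and tunneled FTP, and any other protocol that lands on such a rule goes straight to the Last Default Rule instead of falling through. The URL Set contents, the sample requests and the `External` network name are constructed placeholders, and the DHCP broadcast is modelled as traffic from Internal to Local Host (the SBS box running the DHCP server).

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Protocols for which a URL Set destination can be evaluated
# (the post: "URL Sets are only for HTTP, HTTPS (and tunneled FTP)").
WEB_PROTOCOLS = frozenset({"HTTP", "HTTPS", "FTP"})
# "All Protected Networks" on a typical SBS box, per the post.
PROTECTED_NETWORKS = frozenset({"Local Host", "Internal"})
LAST_DEFAULT = ("Deny", "Last Default Rule")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                     # "Allow" or "Deny"
    protocols: Optional[FrozenSet[str]]             # None = All Outbound Protocols
    sources: FrozenSet[str]                         # source network names
    dest_networks: Optional[FrozenSet[str]] = None  # network-based destination
    dest_urls: Optional[FrozenSet[str]] = None      # URL Set destination


@dataclass(frozen=True)
class Request:
    protocol: str
    source: str                 # source network
    dest_network: str           # destination network
    url: Optional[str] = None   # only meaningful for web protocols


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """Walk the policy top to bottom and return (action, name of the deciding rule)."""
    for rule in rules:
        if rule.protocols is not None and req.protocol not in rule.protocols:
            continue                      # protocol not covered: try the next rule
        if req.source not in rule.sources:
            continue
        if rule.dest_urls is not None:
            # Modelled on the post: a URL Set destination can only be evaluated for
            # web protocols; anything else bounces straight to the Last Default Rule
            # rather than falling through to the rules below.
            if req.protocol not in WEB_PROTOCOLS:
                return LAST_DEFAULT
            if req.url and any(req.url.startswith(p) for p in rule.dest_urls):
                return (rule.action, rule.name)
            continue
        if rule.dest_networks is not None and req.dest_network in rule.dest_networks:
            return (rule.action, rule.name)
    return LAST_DEFAULT


# The rules named in the post. The Liberty Program URL Set content is a
# constructed placeholder; the real set is not shown on the page.
LIBERTY_URLS = frozenset({"http://liberty.example/"})
PROTECTED = Rule("SBS Protected Networks Access Rule", "Allow", None,
                 PROTECTED_NETWORKS, dest_networks=PROTECTED_NETWORKS)
INTERNET = Rule("SBS Internet Access Rule", "Allow", WEB_PROTOCOLS,
                frozenset({"Internal"}), dest_networks=frozenset({"External"}))
LIBERTY_LAZY = Rule("Liberty Program", "Allow", None,     # All Outbound Protocols
                    frozenset({"Internal"}), dest_urls=LIBERTY_URLS)
LIBERTY_WEB = Rule("Liberty Program", "Allow", frozenset({"HTTP", "HTTPS"}),
                   frozenset({"Internal"}), dest_urls=LIBERTY_URLS)


def broken_policy() -> List[Rule]:     # custom rule above Protected Networks, all protocols
    return [LIBERTY_LAZY, PROTECTED, INTERNET]


def reordered_policy() -> List[Rule]:  # fix 1: custom rule just above SBS Internet Access
    return [PROTECTED, LIBERTY_LAZY, INTERNET]


def web_only_policy() -> List[Rule]:   # fix 2: custom rule limited to HTTP/HTTPS
    return [LIBERTY_WEB, PROTECTED, INTERNET]


# Constructed sample traffic. The DHCP broadcast is modelled as Internal -> Local Host,
# i.e. a LAN client reaching the SBS box that runs the DHCP server.
DHCP_REQUEST = Request("DHCP", "Internal", "Local Host")
LIBERTY_WEB_REQUEST = Request("HTTP", "Internal", "External", url="http://liberty.example/app")
OTHER_WEB_REQUEST = Request("HTTP", "Internal", "External", url="http://example.org/")

if __name__ == "__main__":
    for label, policy in (("broken", broken_policy()),
                          ("reordered", reordered_policy()),
                          ("web-only", web_only_policy())):
        for req in (DHCP_REQUEST, LIBERTY_WEB_REQUEST, OTHER_WEB_REQUEST):
            print(f"{label:10} {req.protocol:5} -> {evaluate(policy, req)}")
```

Running it shows the three outcomes the post describes: with the lazy rule on top, the DHCP request ends at the Last Default Rule; with the custom rule moved down to sit just above the SBS Internet Access Rule, or with its protocols narrowed to HTTP/HTTPS, DHCP is allowed by the SBS Protected Networks Access Rule, and web traffic to the Liberty Program URL Set is allowed by the custom rule in every layout.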