Windows Advisor
Taking ISA Server Into the Danger Zone
Reader wants to have ISA Server obtain an IP address from an externally facing DHCP server.
Q. I would like my ISA Server to get an IP address from a DHCP server
on the external interface. I've tried different network cards, cables and everything
else, but for some reason the external NIC isn't cooperating. What am I doing
wrong?
A. What you've described is the default behavior of ISA Server 2004 and 2006, and there is a good reason for it: ideally, servers should always use a static IP address. ISA Server's system policy is configured by default not to permit DHCP replies from external DHCP servers to the ISA Server computer itself. Normally, there shouldn't be any reason to allow DHCP replies from the outside world to reach your ISA Server.
Some people sign up with their ISP for Internet access and want to run ISA
Server at home or in their small business with a dynamic IP obtained from their
ISP's DHCP server. Whatever your reasoning might be, follow these steps to change
the default behavior:
1. Start the ISA Server Management Console and click Firewall Policy.
2. In the right pane, click Tasks and then click Show System Policy Rules.
3. Click the rule "Allow DHCP replies from DHCP servers to ISA Server."
4. Right-click the rule and select Edit System Policy.
5. Click the From tab.
6. Click Add and add the IP address of the external DHCP server.
7. Apply the changes to update your ISA Server configuration.
Note that in step 6 you also have the option of adding the entire External network rather than the IP address of the DHCP server, but that widens the set of hosts that may send DHCP replies to your ISA Server and so makes it more vulnerable to potential attacks. Keep the exposure to a minimum by adding only the specific DHCP server.
And here's one more thing you need to know: according to Microsoft's KB Article 841141, this trick works only with renewals of IP addresses. What you'll have to do is allow DHCP packets from any network until you get an IP address. Once you have an IP address, you can change the rule to allow traffic only from the specific DHCP server.
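To know which address to enter in step 6 once the initial any-network lease has been obtained, the following PowerShell function (an added example, not part of the column or of ISA Server) parses the output of ipconfig /all and returns the DHCP server that issued the lease on the adapter whose connection name is assumed to be "External"; the sample output embedded below is constructed, not a real capture.

```powershell
# Added example: find the DHCP server that issued the external NIC's lease so the
# "Allow DHCP replies from DHCP servers to ISA Server" rule can be narrowed to it.
# Assumes the external adapter's connection name is "External" (adjust as needed).
function Get-DhcpServerForAdapter {
    param(
        [string[]]$IpconfigLines,          # lines of "ipconfig /all" output
        [string]$AdapterName = "External"  # assumed connection name
    )
    $inAdapter = $false
    foreach ($line in $IpconfigLines) {
        # Adapter section headers look like: "Ethernet adapter External:"
        if ($line -match '^\S.*adapter (.+):\s*$') {
            $inAdapter = ($Matches[1] -eq $AdapterName)
            continue
        }
        # Inside the wanted section, pick up the "DHCP Server . . . : a.b.c.d" line
        if ($inAdapter -and $line -match '^\s*DHCP Server[ .]*:\s*(\d{1,3}(\.\d{1,3}){3})') {
            return $Matches[1]
        }
    }
    return $null   # adapter not found or not DHCP-configured
}

# Constructed sample of "ipconfig /all" output (not a real capture).
$sample = @'
Windows IP Configuration

Ethernet adapter Internal:

   IP Address. . . . . . . . . . . . : 192.168.1.1
   DHCP Enabled. . . . . . . . . . . : No

Ethernet adapter External:

   Connection-specific DNS Suffix  . : example.isp
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 203.0.113.25
   DHCP Server . . . . . . . . . . . : 203.0.113.1
'@ -split "`r?`n"

$dhcp = Get-DhcpServerForAdapter -IpconfigLines $sample
# On the ISA Server itself, feed it the live output instead:
#   Get-DhcpServerForAdapter -IpconfigLines (ipconfig /all)
"DHCP server for the external adapter: $dhcp"
```

The address it returns is the one to add on the From tab in step 6; if it returns nothing, the external adapter has not yet received a lease and the rule still needs to allow any network.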
About the Author
Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide range of spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at [email protected].