SBS2003 SP1 + ISA2004 SP2 = No DHCP?

 • 2 Comments

Does this sound familiar?   Well it should because all the symptoms are exactly the same as my good friend Chad Gross’s post.

However, there is one key difference.    On the three sites that we started to see this on, we had already ensured that the Local Address Table included “255” for DHCP Broadcasts.  Yet, no matter what we tried, DHCP leases were expiring and clients were loosing connection to the network.

I knew that all of these sites had recently had GFI Webmonitor 3 installed, but even uninstalling this did not rectify the issue.    After a call to the Partner line in GFI, we still could not see the issue.   Therefore, we opened a case with the excellent SBS support team in Microsoft and found the following:

“This can happen if there is an access rule set to apply to all protocols for a destination/to that are made up of URL Sets. If this access rule is before the access rule that allows traffic from the Internal to the LocalHost (SBS Protected Networks Access Rule), the broadcast traffic will be dropped as ISA cannot properly do a reverse lookup on the broadcast traffic to determine if it belongs to the URL Set or not.”

Ah ha!  Of course, how did I miss it…?  (Maybe I’m stoopid).  As part of the GFI Webmonitor setup, you are instructed to install a rule based upon a URL set to block Adult sites.   This rule, by default, is put above the SBS Protected Networks rule.  Of course, the uninstall of GFI Webmonitor does not actually remove this rule, you have to do that manually.

Resolution Options include, but are not limited to:

Create a DHCP access rule above the access rules that apply to specific URL sets.
See here

Modify the access rules that apply to specific URL sets to apply to HTTP/HTTPS traffic instead of all protocols.
See Here

Move the access rules that apply to specific URL sets below the SBS Protected Networks access rule and above the SBS Internet Access rule.
See here

 

I am on to GFI to hopefully get them to update their documentation.  Also, thanks to Chris Puckett in Microsoft for his usual excellent support.

  2 Replies to “SBS2003 SP1 + ISA2004 SP2 = No DHCP?”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.