Does this sound familiar? It should, because the symptoms are exactly the same as those in my good friend Chad Gross’s post.
However, there is one key difference. On the three sites where we started to see this, we had already ensured that the Local Address Table included “255” for DHCP broadcasts. Yet, no matter what we tried, DHCP leases kept expiring and clients were losing their connection to the network.
I knew that all of these sites had recently had GFI Webmonitor 3 installed, but even uninstalling it did not rectify the issue. After a call to the GFI Partner line we still could not pin down the cause, so we opened a case with the excellent SBS support team at Microsoft and found the following:
“This can happen if there is an access rule set to apply to all protocols for a destination (To) that is made up of URL Sets. If this access rule is before the access rule that allows traffic from the Internal to the LocalHost (SBS Protected Networks Access Rule), the broadcast traffic will be dropped, as ISA cannot properly do a reverse lookup on the broadcast traffic to determine whether it belongs to the URL Set or not.”
Ah ha! Of course, how did I miss it…? (Maybe I’m stoopid.) As part of the GFI Webmonitor setup, you are instructed to install a rule based on a URL set to block adult sites. By default, this rule is placed above the SBS Protected Networks rule. Of course, uninstalling GFI Webmonitor does not actually remove this rule; you have to do that manually.
Resolution options include, but are not limited to:
1. Create a DHCP access rule above the access rules that apply to specific URL sets.
2. Modify the access rules that apply to specific URL sets so that they apply to HTTP/HTTPS traffic only, instead of all protocols.
3. Move the access rules that apply to specific URL sets below the SBS Protected Networks access rule and above the SBS Internet Access rule.
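To make the ordering problem concrete, here is an added Python model of ISA’s first-match rule evaluation (example code written for this post, not ISA code and not from the original article or from GFI). The rule names follow the post; the network names, the placeholder host “adult.example” and the “drop when the destination cannot be reverse-resolved” behaviour are modelled on the support explanation quoted above, not on ISA internals.

```python
from dataclasses import dataclass
@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    protocols: set              # None = all protocols ("All Outbound Traffic")
    url_set: set = None         # destination expressed as host names (URL set)
    to_networks: set = None     # destination expressed as ISA networks

@dataclass
class Packet:
    protocol: str     # e.g. "DHCP", "HTTP"
    dst_network: str  # ISA network the destination falls in
    dst_host: str     # reverse-lookup result; None when the IP never resolves

def destination_matches(rule, pkt):
    # Returns True/False, or None when ISA cannot complete the comparison.
    if rule.url_set is None:
        return rule.to_networks is None or pkt.dst_network in rule.to_networks
    # URL sets are compared by name, so ISA must reverse-resolve the
    # destination IP first; a broadcast address never resolves.
    return None if pkt.dst_host is None else pkt.dst_host in rule.url_set

def evaluate(rules, pkt):
    # First match wins, in listed order, as in the ISA firewall policy.
    for rule in rules:
        if rule.protocols is not None and pkt.protocol not in rule.protocols:
            continue                       # rule does not cover this protocol
        match = destination_matches(rule, pkt)
        if match is None:
            return f"drop: {rule.name} (destination not resolvable)"
        if match:
            return f"{rule.action}: {rule.name}"
    return "deny: Default rule"

# Constructed rules modelled on the post; "adult.example" is a placeholder host.
PROTECTED = Rule("SBS Protected Networks Access Rule", "allow", None,
                 to_networks={"Internal", "Local Host"})
INTERNET = Rule("SBS Internet Access Rule", "allow", {"HTTP", "HTTPS"},
                to_networks={"External"})
DHCP_RULE = Rule("Allow DHCP to Local Host", "allow", {"DHCP"}, to_networks={"Local Host"})
def block(protocols): return Rule("Block Adult Sites", "deny", protocols, url_set={"adult.example"})

POLICIES = {
    "gfi_default": [block(None), PROTECTED, INTERNET],                 # broken order
    "dhcp_rule_above": [DHCP_RULE, block(None), PROTECTED, INTERNET],  # option 1
    "http_only": [block({"HTTP", "HTTPS"}), PROTECTED, INTERNET],      # option 2
    "below_protected": [PROTECTED, block(None), INTERNET],             # option 3
}
DHCP_DISCOVER = Packet("DHCP", "Local Host", None)        # broadcast to 255.255.255.255
ADULT_HTTP = Packet("HTTP", "External", "adult.example")
```

Running `evaluate(POLICIES[name], DHCP_DISCOVER)` for each policy shows the broadcast dropped only under the GFI default order, while `ADULT_HTTP` is denied under all four, so each fix keeps the web filter intact.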
I have contacted GFI in the hope that they will update their documentation. Also, thanks to Chris Puckett at Microsoft for his usual excellent support.
Nick,
I want you to know that you are a life saver. I was doing a major redo replacement SBS for a client of mine. Reading your post led me completely in the right direction. They have a web-based LOB that wouldn’t work correctly. After calling their support, they said that since I was going through a proxy (ISA 2004) they wouldn’t support me and I was on my own. Determined to resolve the issue without having to uninstall ISA 2004, I watched the logging and found out all that was needed. I created a rule that used a URL Set for their websites and every other site it was going to; I did have it apply to All Outbound, thinking nothing of it. Their program worked and I was the hero.
Little did I know that DHCP stopped working, and they have IP Phones that needed the custom DHCP scope that I had configured on SBS to put the phones into another VLAN. Phones started going offline and any computer that lost a connection could no longer get a DHCP request. I spent hours on this and had no idea that ISA was the culprit, because it was working all weekend.
Sure enough, I made the rule use only HTTP/HTTPS (like I should have done in the first place) and bingo, all the phones that were offline started working and new clients started getting IPs.
Thanks a million!
This is the strangest thing – not exactly simple to trace…
Thanks for the pointers – fixed my problem – which was made all the weirder because machines with pre-existing leases were happily renewing (no broadcast I guess).
Ben