Configuring the DHCP Relay Agent on ISA Server 2004

Published: January 19, 2005
Source: Microsoft TechNet, http://www.microsoft.com/technet/isa/2004/plan/isadhcprelay.mspx?pf=true (printed 22 January 2007). © 2007 Microsoft Corporation. All rights reserved.

On This Page

Overview
Creating DHCP Rules
Ordering DHCP Request Rules

Overview

There may be some configurations in which you want to install Microsoft Internet Security and Acceleration (ISA) Server 2004 on a Dynamic Host Configuration Protocol (DHCP) relay agent server. This document addresses issues you may encounter when configuring such a scenario.

Creating DHCP Rules

By default, when you install ISA Server on a DHCP relay agent, the DHCP relay agent will not respond to requests. To allow the DHCP relay agent to work, you need to create the following rules:

A rule to allow the DHCP request from the network in which DHCP clients are situated to the Local Host network. (The DHCP relay agent acts as a DHCP server for the DHCP clients.)

A rule to allow the DHCP reply from the Local Host network to the network in which DHCP clients are situated. (The DHCP relay agent acts as a DHCP server for the DHCP clients.)

A rule to allow the DHCP relay agent to communicate with DHCP servers, as follows:

    Create a DHCP protocol definition.
    Create a computer set for DHCP servers.
    Create a rule from the Local Host network to DHCP servers.

Allow the DHCP (Request) Protocol to the Local Host Network

In this procedure, the DHCP clients are located in the Internal network. To allow the DHCP (request) protocol, do the following:

1. In the Firewall Policy node of ISA Server Management, right-click Firewall Policy, point to New, and then click Access Rule.
2. In the New Access Rule Wizard, type a name for the rule. For example: Allow DHCP Requests. Then, click Next.
3. In the Rule Action page, click Allow. Then, click Next.
4. In the Protocols page, in This rule applies to, select Selected protocols. Then, click Add.
5. In Add Protocols, in the All Protocols section, click DHCP (request). Click Add, click Close, and then click Next.
6. In the Access Rule Sources page, click Add.
7. In Add Network Entities, in the Networks section, click Internal. Click Add, click Close, and then click Next.
8. In the Access Rule Destinations page, click Add.
9. In Add Network Entities, in the Networks section, click Local Host. Click Add, click Close, and then click Next.
10. In the User Sets page, All Users is selected by default. Click Next, and then click Finish.

Allow the DHCP (Reply) Protocol from the Local Host Network

In this procedure, the DHCP clients are located in the Internal network. To allow the DHCP (reply) protocol, do the following:

1. In the Firewall Policy node of ISA Server Management, right-click Firewall Policy, point to New, and then click Access Rule.
2. In the New Access Rule Wizard, type a name for the rule. For example: Allow DHCP Replies. Then, click Next.
3. In the Rule Action page, click Allow. Then, click Next.
4. In the Protocols page, in This rule applies to, select Selected protocols. Then, click Add.
5. In Add Protocols, in the All Protocols section, click DHCP (reply). Click Add, click Close, and then click Next.
6. In the Access Rule Sources page, click Add.
7. In Add Network Entities, in the Networks section, click Local Host. Click Add, click Close, and then click Next.
8. In the Access Rule Destinations page, click Add.
9. In Add Network Entities, in the Networks section, click Internal. Click Add, click Close, and then click Next.
10. In the User Sets page, All Users is selected by default. Click Next, and then click Finish.

Create a DHCP Protocol Definition

You must create a DHCP protocol definition to allow DHCP requests and replies for the DHCP relay agent. There is a predefined DHCP reply protocol, but it only allows DHCP replies to the DHCP client port (port 68), while the DHCP relay agent uses port 67. To create the protocol definition, do the following:

1. In the Firewall Policy node of ISA Server Management, click Firewall Policy.
2. On the Toolbox tab, click Protocols.
3. On the menu, click New, and then click Protocol.
4. In the Welcome page of the New Protocol Definition Wizard, type a name for the protocol (for example, DHCPRelay). Then, click Next.
5. On the Primary Connection Information page, click New.
6. In the New/Edit Protocol Connection dialog box, do the following:
    1. In Protocol Type, select UDP.
    2. In Direction, select Send Receive.
    3. In Port Range, in From, type 67. In To, type 67.
7. Click OK, and then click Next.
8. On the Secondary Connections page, click Next, and then click Finish to complete the wizard.
9. Click Apply to apply the changes.

Create a DHCP Server Computer Set

To create a computer set containing the IP addresses of the DHCP servers, do the following:

1. In ISA Server Management, click Firewall Policy.
2. On the Toolbox tab, click Networks.
3. Click the New menu, and then click Computer Sets.
4. In the New Computer Set Rule Element dialog box, type a name for the computer set (for example, DHCP_Servers).
5. For each DHCP server that you want to add to the computer set, do the following:
    1. Click Add, and then click Computer.
    2. In Name, type a reference name for the DHCP server computer.
    3. In Computer IP Address, type the IP address of the DHCP server. Then, click OK.
6. Click OK to close the New Computer Set Rule Element dialog box.
7. Click Apply to apply the changes.

Allow the DHCP Relay Agent (Local Host Network) to DHCP Servers

To allow the DHCP relay agent to communicate with the DHCP server, do the following:

1. In the Firewall Policy node of ISA Server Management, right-click Firewall Policy, point to New, and then click Access Rule.
2. In the New Access Rule Wizard, type a name for the rule (for example, Allow DHCP Relay Agent). Then, click Next.
3. In the Rule Action page, click Allow. Then, click Next.
4. In the Protocols page, in This rule applies to, click Selected protocols. Then, click Add.
5. In Add Protocols, in the User-Defined section, click DHCPRelay, which is the protocol that you created earlier. Click Add, click Close, and then click Next.
6. In the Access Rule Sources page, click Add.
7. In Add Network Entities, in the Networks section, click Local Host. Click Add, click Close, and then click Next.
8. In the Access Rule Destinations page, click Add.
9. In Add Network Entities, in the Computer Sets section, click DHCP_Servers, which is the computer set that you created earlier. Click Add, click Close, and then click Next.
10. In the User Sets page, All Users is selected by default. Click Next, and then click Finish.
11. Click Apply to apply the changes.

Ordering DHCP Request Rules

The destination of DHCP requests is a broadcast address. ISA Server does not perform name resolution for broadcast traffic, but rather denies it. If there is an allow or deny rule that may match the DHCP request and requires name resolution, and that rule is higher in the rule order than the DHCP request rule you have created, DHCP traffic may be denied.

A rule requiring name resolution contains either a domain name set or a URL set in the destination (To) criterion. Note that if there are other criteria in the rule that do not match a DHCP request, there is no conflict.

To avoid conflict, ensure that the rule you have configured to allow DHCP requests is higher in the rule order than any other rule that uses name resolution that may match the DHCP request. This principle is shown in the following example.

This rule order will not work:
1. Deny all protocols from www.attack.com
2. Allow DHCP requests from internal to local host

This rule order will work:
1. Deny HTTP protocol from www.attack.com
2. Allow DHCP requests from internal to local host

This rule order will work:
1. Allow DHCP requests from internal to local host
2. Deny all protocols from www.attack.com
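The rule-ordering principle above, together with the three access rules from Creating DHCP Rules, can be checked with a small first-match policy model. The following is an added example written for this page, not code from Microsoft or ISA Server: it assumes only the semantics the page states (the first rule whose criteria all match decides; a rule whose To criterion holds a domain name set requires name resolution; ISA denies broadcast traffic instead of resolving names for it). The www.attack.com domain name set is placed in the To criterion because that is where the page says name resolution is required, and every address (DHCP server, client, resolved name) is a constructed RFC 5737 documentation address.

```python
"""First-match policy model for the ISA Server 2004 DHCP relay rules.
Added example of the semantics the page states; not ISA Server code."""
from dataclasses import dataclass
from typing import Optional, Tuple

BROADCAST = "255.255.255.255"
# Constructed rule elements: the DHCP_Servers computer set from the page and a
# domain name set standing in for the DNS answer ISA would have to look up.
COMPUTER_SETS = {"DHCP_Servers": {"192.0.2.10"}}
DOMAIN_NAME_SETS = {"www.attack.com": {"198.51.100.7"}}


@dataclass(frozen=True)
class Flow:
    src_net: str      # ISA network the packet came from
    transport: str    # "UDP" or "TCP"
    src_port: int
    dst_port: int
    dst_ip: str
    dst_net: str      # ISA network the destination address belongs to


@dataclass(frozen=True)
class Protocol:
    name: str
    transport: str
    port_from: int
    port_to: int

    def matches(self, flow: Flow) -> bool:
        return (flow.transport == self.transport
                and self.port_from <= flow.dst_port <= self.port_to)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                 # "allow" or "deny"
    protocols: Optional[Tuple[Protocol, ...]]   # None = all protocols
    sources: Optional[frozenset]                # None = any network
    destinations: frozenset   # networks, computer sets, domain name sets

    def needs_name_resolution(self) -> bool:
        # Per the page: a domain name set (or URL set) in the To criterion.
        return any(d in DOMAIN_NAME_SETS for d in self.destinations)

    def destination_matches(self, flow: Flow) -> bool:
        return any(d == flow.dst_net
                   or flow.dst_ip in COMPUTER_SETS.get(d, ())
                   or flow.dst_ip in DOMAIN_NAME_SETS.get(d, ())
                   for d in self.destinations)


def evaluate(policy, flow: Flow) -> Tuple[str, str]:
    """Walk the rule order; the first rule whose criteria match decides."""
    for rule in policy:
        if rule.sources is not None and flow.src_net not in rule.sources:
            continue
        if rule.protocols is not None and not any(p.matches(flow) for p in rule.protocols):
            continue
        # Every other criterion matched. ISA does not resolve names for a
        # broadcast destination but denies the traffic, so a name-resolution
        # rule placed above the DHCP request rule blocks the request.
        if rule.needs_name_resolution() and flow.dst_ip == BROADCAST:
            return ("deny", rule.name)
        if rule.destination_matches(flow):
            return (rule.action, rule.name)
    return ("deny", "default rule")


# The two predefined DHCP protocols, the user-defined DHCPRelay protocol
# (UDP 67 send/receive, as created in the wizard steps) and HTTP.
DHCP_REQUEST = Protocol("DHCP (request)", "UDP", 67, 67)
DHCP_REPLY = Protocol("DHCP (reply)", "UDP", 68, 68)
DHCP_RELAY = Protocol("DHCPRelay", "UDP", 67, 67)
HTTP = Protocol("HTTP", "TCP", 80, 80)

# The three access rules from "Creating DHCP Rules".
ALLOW_REQUESTS = Rule("Allow DHCP Requests", "allow", (DHCP_REQUEST,),
                      frozenset({"Internal"}), frozenset({"Local Host"}))
ALLOW_REPLIES = Rule("Allow DHCP Replies", "allow", (DHCP_REPLY,),
                     frozenset({"Local Host"}), frozenset({"Internal"}))
ALLOW_RELAY = Rule("Allow DHCP Relay Agent", "allow", (DHCP_RELAY,),
                   frozenset({"Local Host"}), frozenset({"DHCP_Servers"}))
# The two deny rules from the ordering example (name set in the To criterion).
DENY_ALL_ATTACK = Rule("Deny all protocols from www.attack.com", "deny",
                       None, None, frozenset({"www.attack.com"}))
DENY_HTTP_ATTACK = Rule("Deny HTTP protocol from www.attack.com", "deny",
                        (HTTP,), None, frozenset({"www.attack.com"}))

# Constructed traffic: client broadcast, relay reply, relay-to-server unicast.
FLOWS = {
    "client request": Flow("Internal", "UDP", 68, 67, BROADCAST, "Local Host"),
    "relay reply": Flow("Local Host", "UDP", 67, 68, "192.0.2.55", "Internal"),
    "relay to server": Flow("Local Host", "UDP", 67, 67, "192.0.2.10", "Internal"),
}


def relay_flow_decisions(policy=(ALLOW_REQUESTS, ALLOW_REPLIES, ALLOW_RELAY)):
    """Action taken for each relay-agent flow under the three DHCP rules."""
    return {name: evaluate(policy, flow)[0] for name, flow in FLOWS.items()}


def ordering_examples():
    """The page's three orderings, applied to the client's broadcast request."""
    request = FLOWS["client request"]
    return {
        "deny all above DHCP": evaluate([DENY_ALL_ATTACK, ALLOW_REQUESTS], request),
        "deny HTTP above DHCP": evaluate([DENY_HTTP_ATTACK, ALLOW_REQUESTS], request),
        "DHCP above deny all": evaluate([ALLOW_REQUESTS, DENY_ALL_ATTACK], request),
    }


if __name__ == "__main__":
    print(relay_flow_decisions())
    for name, (action, by) in ordering_examples().items():
        print(f"{name:22} -> {action} ({by})")
```

Running the module prints that all three relay flows are allowed under the DHCP rules, that the "deny all protocols" rule denies the broadcast request when it sits above the DHCP rule, and that the "deny HTTP" rule causes no conflict because its protocol criterion does not match a UDP DHCP request. The same evaluator, fed a unicast HTTP flow to the resolved address, shows the deny rule still doing its job once the DHCP rule is ordered above it.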