Installing and Configuring the DHCP Server and DHCP Relay Agent on the ISA Firewall
Many smaller organizations may wish to install a DHCP server on the ISA firewall itself. This lets a smaller company automatically assign IP addressing information to hosts on the corporate network without having to install the DHCP server on a separate server. Many of these companies have only one other Windows Server on their network, and that server is often a Windows domain controller. Because placing a DHCP server on a Windows domain controller has potential negative security implications, we consider placing the DHCP server on the ISA firewall a viable alternative.
The ISA firewall has a System Policy that enables the firewall itself to be a DHCP client. The two System Policy Rules involved are listed in Table 9.1.
Rule # | Rule Name | Action | Protocols | From/Listener | To | Condition |
---|---|---|---|---|---|---|
8 | Allow DHCP requests from ISA Server to all networks | Allow | DHCP (request) | Local Host | Anywhere | All Users |
9 | Allow DHCP replies from DHCP servers to ISA Server | Allow | DHCP (reply) | Internal | Local Host | All Users |
The DHCP System Policy Rules allow DHCP requests from the ISA firewall, and DHCP replies from the Internal Network to the ISA firewall. These rules won't help us when we want to run the DHCP server on the ISA firewall itself because we want to allow DHCP requests from the Internal Network to the ISA firewall. We also want to allow DHCP Replies from the ISA firewall to the Internal Network. We'll need to create Access Rules to allow the required DHCP communications to and from the ISA firewall.
Perform the following steps to create the Access Rules allowing DHCP Requests to the ISA firewall and DHCP Replies from the ISA firewall:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and click the Firewall Policy node.
2. In the Firewall Policy node, click Create a New Access Rule on the Tasks tab in the Task pane.
3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, enter DHCP Request. Click Next.
4. On the Rule Action page, select Allow and click Next.
5. On the Protocols page, select the Selected protocols option from the This rule applies to list. Click Add.
6. In the Protocols dialog box, click the Infrastructure folder and double-click the DHCP (request) entry. Click Close.
7. Click Next on the Protocols page.
8. On the Access Rule Sources page, click Add.
9. In the Add Network Entities dialog box, click the Networks folder and double-click the Internal entry. If you want clients from multiple Protected Networks to access the DHCP server on the ISA firewall, make sure to include those Networks, too. Click Close.
10. Click Next on the Access Rule Sources page.
11. On the Access Rule Destinations page, click Add.
12. In the Add Network Entities dialog box, click the Networks folder, and double-click the Local Host network. Click Close.
13. Click Next on the Access Rule Destinations page.
14. Click Next on the User Sets page.
15. Click Finish on the Completing the New Access Rule Wizard page.
Next, we'll create the rule for the DHCP reply from the ISA firewall:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and click the Firewall Policy node.
2. In the Firewall Policy node, click Create a New Access Rule on the Tasks tab in the Task pane.
3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, we'll name it DHCP Reply. Click Next.
4. On the Rule Action page, select Allow and click Next.
5. On the Protocols page, select the Selected protocols option from the This rule applies to list. Click Add.
6. In the Protocols dialog box, click the Infrastructure folder and double-click the DHCP (reply) entry. Click Close.
7. Click Next on the Protocols page.
8. On the Access Rule Sources page, click Add.
9. In the Add Network Entities dialog box, click the Networks folder and double-click the Local Host entry. Click Close.
10. Click Next on the Access Rule Sources page.
11. On the Access Rule Destinations page, click Add.
12. In the Add Network Entities dialog box, click the Networks folder and double-click the Internal network. If you want the ISA firewall to answer DHCP clients on multiple Protected Networks, make sure to include those Networks, too. Click Close.
13. Click Next on the Access Rule Destinations page.
14. Click Next on the User Sets page.
15. Click Finish on the Completing the New Access Rule Wizard page.
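The two wizard procedures above can also be scripted so the rules are reproducible and auditable. The following is an added example, not code from the book or from Microsoft; it assumes the ISA Server 2004 administration COM object model (the FPC.Root object with its PolicyRules, SpecifiedProtocols, SourceSelectionIPs and DestinationSelectionIPs members) and the enumeration values noted in the comments, all taken from my reading of the ISA 2004 SDK rather than from this page, and it must run on the ISA firewall with an account that can write policy.

```powershell
# Assumed FPC enumeration values (ISA Server 2004 SDK): treat as assumptions.
$fpcInclude                = 0   # FpcInclusionType: include the named item
$fpcSpecifiedProtocols     = 1   # FpcProtocolSelectionType: only the listed protocols
$fpcPolicyRuleActionPermit = 0   # FpcPolicyRuleActions: Allow

$root  = New-Object -ComObject 'FPC.Root'
$rules = $root.GetContainingArray().ArrayPolicy.PolicyRules

function Add-DhcpRule {
    param(
        [string]$Name,          # rule name as shown in the Firewall Policy node
        [string]$Protocol,      # 'DHCP (request)' or 'DHCP (reply)'
        [string[]]$Sources,     # network names for the Access Rule Sources page
        [string[]]$Destinations # network names for the Access Rule Destinations page
    )
    # Idempotence check: do not create a duplicate if the rule already exists.
    foreach ($existing in $rules) {
        if ($existing.Name -eq $Name) { Write-Host "Rule '$Name' already exists"; return $existing }
    }
    $rule = $rules.AddAccessRule($Name)
    $rule.Action = $fpcPolicyRuleActionPermit
    $rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
    $rule.AccessProperties.SpecifiedProtocols.Add($Protocol, $fpcInclude)
    foreach ($n in $Sources) {
        $rule.SourceSelectionIPs.Networks.Add($n, $fpcInclude)
    }
    foreach ($n in $Destinations) {
        $rule.AccessProperties.DestinationSelectionIPs.Networks.Add($n, $fpcInclude)
    }
    return $rule
}

# DHCP Request: Internal (add other Protected Networks here if they need DHCP) -> Local Host
Add-DhcpRule -Name 'DHCP Request' -Protocol 'DHCP (request)' `
             -Sources @('Internal') -Destinations @('Local Host')
# DHCP Reply: Local Host -> Internal (mirror the same Protected Networks as above)
Add-DhcpRule -Name 'DHCP Reply' -Protocol 'DHCP (reply)' `
             -Sources @('Local Host') -Destinations @('Internal')

$root.Save()
```

Keep the source and destination Network lists of the two rules in step with each other; a Protected Network that can send requests but receives no replies will simply see its clients time out.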