When you try to configure the external network adapter on your Microsoft Internet Security and Acceleration (ISA) Server 2006, ISA Server 2004, or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer to obtain its Internet Protocol (IP) address from a Dynamic Host Configuration Protocol (DHCP) server, the external network adapter does not receive a valid IP address.
This behavior occurs because the default ISA Server or Forefront Threat Management Gateway, Medium Business Edition system policy does not permit DHCP replies from external DHCP servers to the ISA Server or Forefront Threat Management Gateway, Medium Business Edition computer.
To resolve this behavior, follow these steps:
- Click Start, point to Programs, point to Microsoft ISA Server or to Microsoft Forefront TMG Server, and then click ISA Server Management or TMG Server Management.
- In the console tree, click Firewall Policy.
- In the right pane, click the Tasks tab, and then click Show System Policy Rules.
- Click Allow DHCP replies from DHCP servers to ISA Server.
- In the details pane, click Edit System Policy.
- Click the From tab.
- Click Add.
- If you know the IP address of the external DHCP server, follow these steps:
To add the external network instead of the specific DHCP server, expand Networks, click External, click Add, and then click Close.
- In the New list, click Computer.
- In the New Computer Rule Element dialog box, type a name for the DHCP computer rule element in the Name box, type the IP address of the DHCP server in the Computer IP Address box, and then click OK.
- Expand Computers, click the DHCP computer rule element that you just created, click Add, and then click Close.
Note Microsoft recommends that you add the specific DHCP server instead of the external network to make the ISA Server computer less susceptible to external attacks.
- Click OK, and then click Apply to save the changes and update the configuration.
This procedure is for renewals only. If you do not have an IP address, you may want to allow DHCP traffic from any network until an address is leased. If you do not already have a lease, the "specific DHCP server" setting in step 8 will not work because Windows will be forced into DHCP Discover mode. This mode is strictly for broadcast traffic.
Article ID: 841141 - Last Review: December 4, 2007 - Revision: 4.3
- Microsoft Internet Security and Acceleration Server 2004 Standard Edition
- Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
- Microsoft Internet Security and Acceleration Server 2006 Standard Edition
- Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
- Microsoft Forefront Threat Management Gateway, Medium Business Edition
- Windows Essential Business Server 2008 Standard
|kbisa2006swept kbfirewall kbprb KB841141|