Windows Advisor

Taking ISA Server into the Danger Zone

A reader wants to have ISA Server obtain an IP address from an externally facing DHCP server.

Q. I'd like my ISA Server to get an IP address from a DHCP server on the external interface. I've tried different network cards, cables and everything else, but for some reason the external network interface card isn't cooperating. What am I doing wrong?

A. What you've described is the default behavior on ISA Server versions 2004 and 2006, and so, ideally, you should always use a static IP address for servers. ISA Server's system policy is configured, by default, to not permit DHCP replies from outside DHCP servers to the ISA Server itself. Normally, there shouldn't really be a reason for allowing DHCP replies from the outside world to your ISA Server computer.

Some people sign up with their ISP for Internet access and want to run an ISA Server at home or in their small business with a dynamic IP obtained from their ISP's DHCP server. Whatever your reasoning might be, follow these steps to change the default behavior:

  1. Start ISA Server Management Console and click on the Firewall Policy.
  2. In the right pane, click Tasks and then click Show System Policy Rules.
  3. Click the rule "Allow DHCP replies from DHCP servers to ISA Server."
  4. Right-click the rule; select Edit System Policy.
  5. Click on the From tab.
  6. Click Add and add the IP address of the external DHCP server.
  7. Apply the changes to update your ISA Server configuration.

Note in step 6 that although you have the option to add an external network rather than the IP address of the DHCP server, that makes your ISA Server more vulnerable to potential attacks. It's best that you keep the exposure to a minimum by adding only a specific DHCP server.

And here's one more thing you need to know: According to Microsoft Knowledge Base article 841141, this trick works only with renewals of IP addresses. What you'll have to do is allow DHCP packets from any network until you get an IP address. Once you have an IP address, you can change the rule to allow traffic from a specific DHCP server.

About the Author

Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide range of spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site,, is dedicated to technical resources for IT professionals. Zubair may be reached at


  • Vendors Issue Patches for Linux Container Runtime Flaw Enabling Host Attacks

    This week, the National Institute of Standards and Technology (NIST) described a high-risk security vulnerability (CVE-2019-5736) for organizations using containers that could lead to compromised host systems.

  • Windows 10 Version 1809 Users May Get Visual Studio Crashes

    Microsoft on Friday issued an advisory for Windows 10 version 1809 users about possible Visual Studio crashes.

  • Standardizing the Look of Outlook's Outbound Messages

    Microsoft typically gives users a blank canvas to compose new e-mails in Outlook. In some corporate environments, however, a blank canvas isn't a good thing.

  • Windows 10 'Semiannual Channel Targeted' Goes Away This Spring

    Microsoft plans to slightly alter its Windows servicing lingo and management behavior with its next Windows 10 operating system feature update release, coming this spring.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.