Microsoft KB Archive/252432
Article ID: 252432
Article Last Modified on 5/2/2000
- Microsoft Proxy Server 2.0 Standard Edition
This article was previously published under Q252432
If you set up Proxy Server 2.0 on a multihomed computer with packet filtering enabled and the external network adapter obtains an IP address from a Dynamic Host Configuration Protocol (DHCP) server, the external network adapter may not be able to renew the IP address lease for the external interface after the lease has expired.
When the external interface attempts to renew the IP address from the DHCP server at a predetermined time (determined by the DHCP server), a DHCP renewal request is sent from the local client's User Datagram Protocol (UDP) port 68 to the DHCP server's UDP port 67. These ports are closed by default when packet filtering in Proxy Server 2.0 is enabled, so the request never leaves the proxy server's external interface.
To resolve this issue, create a custom packet filter exception for UDP ports 67 and 68. To create this custom filter click Start, point to Programs, click Microsoft Proxy Server, click Microsoft Management Console), right-click either Web Proxy or Winsock Proxy, click Properties, and then click Security.
There are two custom filters that you can create to resolve this issue:
- Create a custom packet filter for UDP with the direction set to Both. Specify local port 68 and destination port 67.
- Create a custom packet filter for UDP with the direction set to Both with any local port and destination port. Set a specific remote host and type for the IP address of the DHCP server.
To work around this behavior, disable packet filtering. Microsoft does not recommend this method because it introduces a security risk if the computer is connected to an Internet service provider (ISP) or directly to the Internet. Microsoft recommends using the method that is described in the "Resolution" section.
This behavior is by design.
When a proxy server that is running packet filtering obtains the external IP address from a DHCP server, the method that is described in the "Resolution" section allows the interface only to renew the IP address. If the IP address is released before a renew attempt is made, the DHCP renew attempt may not succeed. This occurs because the IP address of the adapter is set to 0.0.0.0 when a release occurs. The Proxy 2.0 Packet Filter driver requires that external adapters have an IP address that resides in the proxy local address table (LAT). If the DHCP address is released and the address is set to 0.0.0.0, the Proxy Server-based computer must be rebooted to obtain a new IP address and ensure that packet filtering is working properly.
Keywords: kbenv kbnetwork kbprb KB252432