Home | Services
| About Us | Reference Area
TFTP Server with SBS 2003 Premium
Another butt-kicking problem solved, I spent hours trying to figure this one out.
Here is the scenario (and keywords for search engines):
- Microsoft Windows Small Business Server 2003 Premium Edition
- ISA Server 2004 installed and configured
- Symantec Ghost Solution Suite 2.0
- Using the included 3Com Boot Services
- 3Com PXE Server v1.10 build 3
- 3Com TFTP Server v2.02 build 4
Note that this TFTP issue will also be present for Microsoft RIS services.
I use Ghost with PXE boot to Net-Boot a workstation into a DOS environment with a mapped
network drive-letter, then run Ghost and GhostWalk from the command line. This solution
works very nice for customers with relatively low count workstations, for maintaining
images of the workstation. No dealing with floppies (PXE BIOS machines), and the
flexibility to quickly choose which image to use, and choose upload or download. With
very few different hardware configurations at the workstations, it is very easy to
maintain 2 or 3 images.
Problem was, I could not get PXE to boot and TFTP correctly. I kept getting at the
client: "TFTP..." (a series of progressing dots), and sometimes "PXE-35 error". And in
the 3Com TFTP Server console, I could see the TFTP request come in, but the send would
"request timed out".
Once I figured out the workstation PXE boot issue was due to TFTP failing, I used another
machine already booted into Windows to troubleshoot/test TFTP from the command prompt.
Interestingly, I could TFTP from the same machine the TFTP Server was running, but
not from another machine. So I figured it must be a firewall issue. (I discovered
TFTP.exe was not on the SBS machine, so I copied the exe file from the System32 directory
of another machine, I must not have all the ResKit and SupportTools installed on this SBS
After considerable trial and error (and locking myself out of Remote Desktop requiring a
trip to on-site), I was able to figure out the fix. For those that are interested, the
biggest frustration is that Microsoft ISA Server 2004 has the TFTP protocol pre-defined,
but it is apparently intended for TFTP client, and will NOT work for TFTP Server.
Give credit where it's due, I was pointed in the right direction with this article:
RIS on SBS 2003 + ISA 2004, but I needed to use a different range of ports. (I
needed to begin the port range at 69 instead of 1024 per the article, another hour
figuring that out). It is worth noting that perhaps port 69 should be added as an
additional range (now most UDP ports are open to the LAN), but I wasn't going to refine
To get TFTP Server to respond to clients on the LAN, in ISA Server 2004 I created a new
protocol definition and then added a rule allowing this new protocol.
1) Add new protocol: in ISA Server, On left expand the server > Firewall Policy -
then on the right, choose the Toolbox tab > New > Protocol... New Protocol Definition
Wizard: Name (I used "TFTP Server" > Primary Connection Information: New... > Protocol
Type: UDP > Direction: Send Receive > Port From: 69 > Port To: 65000 > Next > secondary
connections?: No > Next > Finish. (Should you need to edit the protocol, you find it
in the Toolbox Tree under "User-Defined").
2) Add new firewall policy: Tasks Tab (or right-click) > Create New Access Rule >
New Access Rule Wizard: Name (I used "Allow TFTP Server to LAN") > Action to take: Allow
> This rule applies to: Selected protocols > Add... > Expand User-Defined > TFTP Server
(or whatever you named the protocol) > Add > Close > Next > ...from these sources: >
Add... > Networks, Internal > Add > Networks, Local Host > Add > Close > Next > ...to
these destinations: > Add... > Networks, Internal > Add > Networks, Local Host > Add >
Close > Next > ...user sets: All Users (or per your needs) > Next > Finish.
3) Click Apply.
Quick side note: the referenced article indicates to restart ISA, but considering
I had to get on-site to the console after locking myself out of Remote Desktop, I did
not restart the ISA service. However, the ISA service did essentially restart when I
rebooted the server, so perhaps this is needed.
Remote Desktop Lock-out prevention: before restarting a service that may lock-out
Remote Desktop, I began using the "shutdown.exe" command line utility to initiate a
shutdown & restart in 300 seconds (5 minutes) BEFORE restarting a potential
lock-out service. If I do not get locked-out, then it is very easy to abort the shutdown
& restart command.
Hopefully, this write-up will save someone all the headache I suffered.
|Copyright © 1996-2017 Ohman Automation Corp. All rights reserved.