TFTP Server with SBS 2003 Premium

Another butt-kicking problem solved, I spent hours trying to figure this one out.

Here is the scenario (and keywords for search engines):
- Microsoft Windows Small Business Server 2003 Premium Edition
   - ISA Server 2004 installed and configured
- Symantec Ghost Solution Suite 2.0
   - Using the included 3Com Boot Services
      - 3Com PXE Server v1.10 build 3
      - 3Com TFTP Server v2.02 build 4

Note that this TFTP issue will also be present for Microsoft RIS services.

I use Ghost with PXE boot to Net-Boot a workstation into a DOS environment with a mapped network drive-letter, then run Ghost and GhostWalk from the command line. This solution works very nice for customers with relatively low count workstations, for maintaining images of the workstation. No dealing with floppies (PXE BIOS machines), and the flexibility to quickly choose which image to use, and choose upload or download. With very few different hardware configurations at the workstations, it is very easy to maintain 2 or 3 images.

Problem was, I could not get PXE to boot and TFTP correctly. I kept getting at the client: "TFTP..." (a series of progressing dots), and sometimes "PXE-35 error". And in the 3Com TFTP Server console, I could see the TFTP request come in, but the send would "request timed out".

Once I figured out the workstation PXE boot issue was due to TFTP failing, I used another machine already booted into Windows to troubleshoot/test TFTP from the command prompt. Interestingly, I could TFTP from the same machine the TFTP Server was running, but not from another machine. So I figured it must be a firewall issue. (I discovered TFTP.exe was not on the SBS machine, so I copied the exe file from the System32 directory of another machine, I must not have all the ResKit and SupportTools installed on this SBS machine).

After considerable trial and error (and locking myself out of Remote Desktop requiring a trip to on-site), I was able to figure out the fix. For those that are interested, the biggest frustration is that Microsoft ISA Server 2004 has the TFTP protocol pre-defined, but it is apparently intended for TFTP client, and will NOT work for TFTP Server.

Give credit where it's due, I was pointed in the right direction with this article: RIS on SBS 2003 + ISA 2004, but I needed to use a different range of ports. (I needed to begin the port range at 69 instead of 1024 per the article, another hour figuring that out). It is worth noting that perhaps port 69 should be added as an additional range (now most UDP ports are open to the LAN), but I wasn't going to refine further.

To get TFTP Server to respond to clients on the LAN, in ISA Server 2004 I created a new protocol definition and then added a rule allowing this new protocol.

1) Add new protocol: in ISA Server, On left expand the server > Firewall Policy - then on the right, choose the Toolbox tab > New > Protocol... New Protocol Definition Wizard: Name (I used "TFTP Server" > Primary Connection Information: New... > Protocol Type: UDP > Direction: Send Receive > Port From: 69 > Port To: 65000 > Next > secondary connections?: No > Next > Finish. (Should you need to edit the protocol, you find it in the Toolbox Tree under "User-Defined").

2) Add new firewall policy: Tasks Tab (or right-click) > Create New Access Rule > New Access Rule Wizard: Name (I used "Allow TFTP Server to LAN") > Action to take: Allow > This rule applies to: Selected protocols > Add... > Expand User-Defined > TFTP Server (or whatever you named the protocol) > Add > Close > Next > ...from these sources: > Add... > Networks, Internal > Add > Networks, Local Host > Add > Close > Next > ...to these destinations: > Add... > Networks, Internal > Add > Networks, Local Host > Add > Close > Next > ...user sets: All Users (or per your needs) > Next > Finish.

3) Click Apply.

Quick side note: the referenced article indicates to restart ISA, but considering I had to get on-site to the console after locking myself out of Remote Desktop, I did not restart the ISA service. However, the ISA service did essentially restart when I rebooted the server, so perhaps this is needed. Remote Desktop Lock-out prevention: before restarting a service that may lock-out Remote Desktop, I began using the "shutdown.exe" command line utility to initiate a shutdown & restart in 300 seconds (5 minutes) BEFORE restarting a potential lock-out service. If I do not get locked-out, then it is very easy to abort the shutdown & restart command.

Hopefully, this write-up will save someone all the headache I suffered.