Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options

 

You can use DHCP to assign DHCP options to VPN clients if your organization has a DHCP server. DHCP servers can do a lot more than assign an IP address and subnet mask to network hosts. VPN clients can benefit from the following TCP/IP settings assignments via DHCP:

 

• IP address
• Subnet mask
• Primary domain name
• WINS server address
• DNS server address

 

WINS and DNS server addresses are assigned to VPN clients based on the interface you select in the VPN server’s Properties dialog box when you use a static address pool to assign IP addressing information to VPN clients. You can assign DNS and WINS server addresses that are different from the ones configured on the ISA Server firewall/VPN server when you use DHCP to assign IP addressing information to the VPN clients. All you need to do is create a scope on the DHCP server that services these clients.

 

You need to do the following if you want to assign custom IP addressing information to your VPN clients:

 

• Place a DHCP server on a directly connected segment (relative to the ISA Server firewall/VPN server)
• Create a DHCP Scope for the VPN clients
• Configure the ISA Server firewall/VPN server to use DHCP for VPN client address assignment
• Install and configure the DHCP Relay Agent on the ISA Server firewall/VPN server

 

Installing the DHCP Server and Configure the Scope

 

In this example we will install the DHCP Server service on a domain controller connected to the same network segment as the internal interface of the ISA Server firewall/VPN server.

 

Perform the following steps to install the DHCP Server service:

 

1. Click Start, point to Settings and click Control Panel. In the Control Panel, open the Add/Remove Programs applet.
2. Click the Add/Remove Windows Components button on the left side of the Add/Remove Programs window.
3. In the Windows Components dialog box, click on the Networking Services entry and click the Details button (figure 1).

 

Figure 1 (Fig1)

 

4. In the Networking Services dialog box, put a checkmark in the Dynamic Host Configuration Protocol (DHCP) checkbox (figure 2). Click OK.

 

Figure 2 (Fig2)

 

5. Click Next in the Windows Components dialog box. Click Finish on the Completing the Windows Components Wizard page (figure 3).

 

Figure 3 (Fig3)

 

 

Configuring the DHCP Server and Creating a DHCP Scope

 

A DHCP scope is a collection of IP addresses the DHCP server can assign to DHCP clients requesting IP addressing information. You then create DHCP scope options after creating the DHCP scope. The DHCP server must assign DHCP client an IP address and a subnet masks. Any additional IP addressing information, such as WINS address, DNS address and primary domain name, is assigned to the DHCP client via a DHCP scope option.

 

       Note:
You must configure DHCP clients with “on subnet” addresses. You won’t be able to use DHCP to provide an off-subnet address because of how DHCP works. There is no method available that allows you to direct the DHCP Relay Agent to “point” to a particular scope from which the DHCP server should to assign IP addressing information to the VPN clients. Your scope should contain enough IP addresses to support all DHCP clients who will require an address from that scope.

 

You must authorize the DHCP server in the Active Directory before you create the scope,. This authorization process prevents the DHCP server from being detected as a “rogue” DHCP server.

 

Perform the following steps to authorize the DHCP server in the Active Directory and create a scope for your VPN clients:

 

1. Click Start and point to Programs. Point to Administrative Tools and click DHCP.
2. In the left pane of the DHCP console, you’ll notice that the server name has a red, down-pointing arrow on it. Right click the server name and click the Authorize command (figure 4).

 

Figure 4 (Fig4)

 

3. Click the Action menu in the DHCP console, then click Refresh. You will see the DHCP server icon change from having a red down-pointing arrow to having a green, up-pointing arrow (figure 5).

 

Figure 5 (Fig5)

 

4. In the left pane of the DHCP console, right click on your server name and click the New Scope command (figure 6).

 

Figure 6 (Fig6)

 

5. Click Next on the first page of the New Scope Wizard (figure 7).

 

Figure 7 (Fig7)

 

6. Type a Name and Description for the scope on the Scope Name page. In this example we’ll call it VPN Clients and provide no description (figure 8). Click Next.

 

Figure 8 (Fig8)

 

7. Put in the range of IP addresses used by the scope on the IP Address Range page. Type the first IP address in the range in the Start IP address text box and the last IP address in the range in the End IP address text box. Note that the subnet mask is entered for you automatically. You can change the default subnet mask if you require a custom mask. In most cases the subnet mask you enter here will not matter for VPN clients because VPN clients use a classfull subnet mask. Click Next (figure 9).

 

Figure 9 (Fig9)

 

8. In this example we entered a subset of addresses in the 10.0.0.0/24 network ID instead of the entire range. Because of this, we won’t enter any exclusions. However, its more typical to include an entire network ID in a single scope. The purpose of exclusions is to remove IP addresses in the network ID that have already been statically assigned to servers so that these addresses won’t be assigned to DHCP clients. Click Next on the Add Exclusions page (figure 12).

 

Figure 12 (Fig10)

 

9. You can set a lease duration on the Lease Duration page (figure 13). The lease for the VPN clients isn’t important, since VPN clients keep their IP address for the duration of the call. The IP address used by the VPN client is available to other VPN clients after the current VPN client ends the call. From the viewpoint of the DHCP server, the leased IP addresses are assigned to the ISA Server firewall/VPN server, not the VPN clients. Click Next.

 

Figure 13 (Fig11)

 

10. Select the Yes, I want to configure these options now on the Configure DHCP Options page (figure 14). Click Next.

 

Figure 14 (Fig12)

 

11. You can enter a default gateway on the Router (Default Gateway) page (figure 15). VPN clients don’t recognize this option because the VPN client’s default route is based on the VPN client software configuration. When the Use default gateway on remote network option is selected on the VPN client, the VPN virtual PPP interface is the VPN client’s default gateway. If the Use default gateway on remote network option is not selected on the VPN client, then the VPN client keeps its current default gateway and only uses the VPN interface to route packets to the network ID directly connected to the ISA Server firewall/VPN server’s internal interface.  Click Next.

 

Figure 15 (Fig13)

 

12. You can enter a Parent domain and a DNS server address on the Domain Name and DNS Servers page (figure 16). The parent domain entry is very important. The parent domain name is the name used to qualify unqualified requests VPN clients send when resolving names on your private network. Always enter a parent domain as this allows VPN clients that are not members of the internal network domain to resolve names of servers on the internal network using DNS. Enter the IP address(es) of your DNS server(s) in the IP address text box and click OK after entering each one. Click Next.

 

Figure 16 (Fig14)

 

13. Type the IP address of your WINS server in the IP address text box on the WINS Server page. You do not need to include a WINS server address. However, WINS servers help when VPN clients need to browse for resources on the internal network using Network Neighborhood or My Network Places. Click Add and then click Next.

 

Figure 17 (Fig15)

 

14. On the Activate Scope page (figure 18), select the Yes, I want to activate the scope now option and click Next. The scope must be activated before VPN clients can use it to obtain IP addressing information.

 

Figure 18 (Fig16)

 

15. Click Finish on the Completing the New Scope Wizard page (figure 19).

 

Figure 19 (Fig17)

 

 

Configuring the ISA Server firewall/VPN Server to Use DHCP for VPN Client Address Assignment

 

By default, the ISA Server firewall/VPN server uses DHCP to assign IP addressing information to VPN clients. However, if you changed the default from DHCP to Static address pool, then you will need to change the settings back to DHCP.

 

Perform the following steps on the ISA Server firewall/VPN server to allow the VPN server component to obtain addresses for VPN clients from the DHCP server:

 

1. Click Start, point to Administrative Tools and click on Routing and Remote Access.
2. Right click on the server name in the left pane of the Routing and Remote Access console and click the Properties command (figure 20).

 

Figure 20 (Fig19)

 

3. Click on the IP tab in the server Properties dialog box. Select the Dynamic Host Configuration Protocol (DHCP) option and click Apply. The ISA Server firewall/VPN server will immediately broadcast requests for IP addresses after you click the Apply button. Click OK to close the Properties dialog box.

 

Figure 21 (Fig20)

 

4. Go back to the DHCP server computer. Click Start, point to Administrative Tools and click DHCP.
5. In the DHCP console, expand the server name and then expand the Scope node. Click on the Address Leases node. You’ll see the block of ten IP addresses obtained by the ISA Server firewall/VPN server list in the right pane (figure 22).

 

Figure 22 (Fig21)

 

 

Configure the DHCP Relay Agent on the ISA Server firewall/VPN Server

 

Although the the Routing and Remote Access service is started by the ISA Server VPN Wizard, we still have a couple things we need to do before connecting VPN clients to the network.

 

1. Click Start, point to Programs, point to Administrative Tools and click on Routing and Remote Access.
2. In the Routing and Remote Access console, expand the IP Routing node in the left pane of the console and right click on the General node. Click on the New Routing Protocol command (figure 23).

 

Figure 23 (Fig22)

 

3. In the New Routing Protocol dialog box, click on the DHCP Relay Agent entry and click OK (figure 24).

 

Figure 24 (Fig23)

 

4. A new node, the DHCP Relay Agent node, appears in the left pane of the Routing and Remote Access console. Right click on the DHCP Relay Agent node and click Properties (figure 25).

 

Figure 25 (Fig24)

 

5. In the DHCP Relay Agent Properties dialog box (figure 26), type in the IP address of the DHCP server in the Server address text box and click the Add button. Click Apply and then click OK.

 

Figure 26 (Fig25)

 

6. Right click on the DHCP Relay Agent node in the left pane of the console and click the New Interface command (figure 27).

 

Figure 27 (Fig26)

 

7. Select the Internal interface (this is an internal interface used by the Routing and Remote Access Service; its not the LAN (internal) interface of the ISA Server firewall/VPN server). Click OK (figure 28).

 

Figure 28 (Fig27)

 

8. Accept the default settings in the DHCP Relay Properties – Internet Properties dialog box and click OK (figure 29).

 

Figure 29 (Fig28)

 

The DHCP server and DHCP Relay Agent are now ready to use. You can connect your VPN clients to the ISA Server firewall/VPN server and the clients will now receive the DHCP scope options you configured for their use.