the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options
You can use
DHCP to assign DHCP options to VPN clients if your organization has a DHCP
server. DHCP servers can do a lot more than assign an IP address and subnet mask
to network hosts. VPN clients can benefit from the following TCP/IP settings
assignments via DHCP:
- IP address
- Subnet mask
- Primary domain name
- WINS server address
- DNS server address
DNS server addresses are assigned to VPN clients based
on the interface you select in the VPN server’s Properties dialog box when you use a static address pool to assign IP addressing information to VPN clients. You can
assign DNS and WINS server addresses that are different from the ones
configured on the ISA Server firewall/VPN server when you use DHCP to assign IP
addressing information to the VPN clients. All you need to do is create a scope on the
DHCP server that services these clients.
You need to
do the following if you want to assign custom IP addressing
information to your VPN clients:
- Place a DHCP server on a
directly connected segment (relative to the ISA Server firewall/VPN
- Create a DHCP Scope for the VPN
- Configure the ISA Server
firewall/VPN server to use DHCP for VPN client address assignment
- Install and configure the DHCP
Relay Agent on the ISA Server firewall/VPN server
Installing the DHCP Server and
Configure the Scope
example we will install the DHCP Server service on a domain controller
connected to the same network segment as the internal interface of the ISA
Server firewall/VPN server.
following steps to install the DHCP Server service:
- Click Start, point to Settings
and click Control Panel. In the
Control Panel, open the Add/Remove Programs applet.
- Click the Add/Remove Windows Components button on the left side of the Add/Remove Programs window.
- In the Windows Components dialog box, click on the Networking Services entry and
click the Details button
- In the Networking Services dialog box, put a checkmark in the Dynamic Host Configuration Protocol
(DHCP) checkbox (figure 2). Click OK.
- Click Next in the Windows Components dialog box.
Click Finish on the Completing the Windows Components Wizard page (figure 3).
Configuring the DHCP Server and
Creating a DHCP Scope
A DHCP scope
is a collection of IP addresses the DHCP server can assign to DHCP clients
requesting IP addressing information. You then create DHCP
scope options after creating the DHCP scope. The DHCP server must assign
DHCP client an IP address and a subnet masks. Any additional IP addressing
information, such as WINS address, DNS
address and primary domain name, is assigned to the
DHCP client via a DHCP scope option.
You must configure DHCP clients with “on subnet” addresses. You won’t be able
to use DHCP to provide an off-subnet address because of how DHCP works. There
is no method available that allows you to direct the DHCP Relay Agent to
“point” to a particular scope from which the DHCP server should to assign IP
addressing information to the VPN clients. Your scope should contain enough IP
addresses to support all DHCP clients who will require an address from that
authorize the DHCP server in the Active Directory before you create the scope,. This authorization process prevents the DHCP server from being detected as a “rogue” DHCP server.
following steps to authorize the DHCP server in the Active Directory and create
a scope for your VPN clients:
- Click Start and point to Programs.
Point to Administrative Tools
and click DHCP.
- In the left pane of the DHCP console, you’ll notice that
the server name has a red, down-pointing arrow on it. Right click the
server name and click the Authorize
command (figure 4).
- Click the Action menu in the DHCP
console, then click Refresh.
You will see the DHCP server icon change from having a red down-pointing
arrow to having a green, up-pointing arrow (figure 5).
- In the left pane of the DHCP console, right click on your
server name and click the New Scope
command (figure 6).
- Click Next on the first page of
the New Scope Wizard (figure 7).
- Type a Name and Description
for the scope on the Scope Name
page. In this example we’ll call it VPN
Clients and provide no description (figure 8). Click Next.
- Put in the range of IP
addresses used by the scope on the IP
Address Range page. Type the first IP address in the range in the Start IP address text box and the
last IP address in the range in the End
IP address text box. Note that the subnet mask is
entered for you automatically. You can change the default subnet
mask if you require a custom mask. In most cases the subnet mask you enter
here will not matter for VPN clients because VPN clients use a classfull
subnet mask. Click Next (figure
- In this example we entered a subset
of addresses in the 10.0.0.0/24 network ID instead of the entire range.
Because of this, we won’t enter any exclusions.
However, its more typical to include an entire
network ID in a single scope. The purpose of exclusions is to remove IP
addresses in the network ID that have already been
statically assigned to servers so that these addresses won’t be
assigned to DHCP clients. Click Next on the Add
Exclusions page (figure 12).
- You can set a
lease duration on the Lease
Duration page (figure 13). The lease for the VPN clients isn’t
important, since VPN clients keep their IP address for the duration of the
call. The IP address used by the VPN client is available to other VPN
clients after the current VPN client ends the call. From the viewpoint of
the DHCP server, the leased IP addresses are assigned
to the ISA Server firewall/VPN server, not the VPN clients. Click Next.
- Select the Yes, I want to configure these options now on the Configure DHCP Options page
(figure 14). Click Next.
- You can enter a default gateway
on the Router (Default Gateway)
page (figure 15). VPN clients don’t recognize this option because the VPN
client’s default route is based on the VPN client
software configuration. When the Use
default gateway on remote network option is selected
on the VPN client, the VPN virtual PPP interface is the VPN client’s
default gateway. If the Use default
gateway on remote network option is not selected
on the VPN client, then the VPN client keeps its current default gateway
and only uses the VPN interface to route packets to the network ID
directly connected to the ISA Server firewall/VPN server’s internal
interface. Click Next.
- You can enter a Parent domain and a DNS server
address on the Domain Name and DNS
Servers page (figure 16). The parent domain entry is very important.
The parent domain name is the name used to qualify unqualified requests VPN clients send when resolving
names on your private network. Always enter a parent domain as this allows
VPN clients that are not members of the internal network domain to resolve
names of servers on the internal network using DNS. Enter the IP address(es) of your DNS
server(s) in the IP address
text box and click OK after
entering each one. Click Next.
- Type the IP address of your
WINS server in the IP address text
box on the WINS Server page.
You do not need to include a WINS server address. However, WINS servers
help when VPN clients need to browse for resources on the internal network
using Network Neighborhood or My Network Places. Click Add and then click Next.
- On the Activate Scope page (figure 18), select the Yes, I want to activate the scope now
option and click Next. The
scope must be activated before VPN clients can
use it to obtain IP addressing information.
- Click Finish on the Completing
the New Scope Wizard page (figure 19).
Configuring the ISA Server
firewall/VPN Server to Use DHCP for VPN Client Address Assignment
the ISA Server firewall/VPN server uses DHCP to assign IP addressing
information to VPN clients. However, if
you changed the default from DHCP to
Static address pool, then you will
need to change the settings back to DHCP.
following steps on the ISA Server firewall/VPN server to allow the VPN server
component to obtain addresses for VPN clients from the DHCP server:
- Click Start, point to Administrative
Tools and click on Routing and
- Right click on the server name
in the left pane of the Routing and
Remote Access console and click the Properties command (figure 20).
- Click on the IP tab in the server Properties dialog box. Select the Dynamic Host Configuration Protocol
(DHCP) option and click Apply.
The ISA Server firewall/VPN server will immediately broadcast requests for
IP addresses after you click the Apply
button. Click OK to close the Properties dialog box.
- Go back to the DHCP server
computer. Click Start, point to
Administrative Tools and click DHCP.
- In the DHCP console, expand the server name and then expand the Scope node. Click on the Address Leases node. You’ll see
the block of ten IP addresses obtained by the ISA Server firewall/VPN
server list in the right pane (figure 22).
Configure the DHCP Relay Agent on
the ISA Server firewall/VPN Server
the the Routing and Remote Access service is started
by the ISA Server VPN Wizard, we still have a couple things we need to do
before connecting VPN clients to the network.
- Click Start, point to Programs,
point to Administrative Tools
and click on Routing and Remote
- In the Routing and Remote Access console, expand the IP Routing node in the left pane
of the console and right click on the General
node. Click on the New Routing
Protocol command (figure 23).
- In the New Routing Protocol dialog box, click on the DHCP Relay Agent entry and click OK (figure 24).
- A new node, the DHCP Relay Agent node, appears in
the left pane of the Routing and
Remote Access console. Right click on the DHCP Relay Agent node and click Properties (figure 25).
- In the DHCP Relay Agent Properties dialog box (figure 26), type in
the IP address of the DHCP server in the Server address text box and click the Add button. Click Apply
and then click OK.
- Right click on the DHCP Relay Agent node in the left
pane of the console and click the New
Interface command (figure 27).
- Select the Internal interface (this is an internal interface used by the
Routing and Remote Access Service; its not the
LAN (internal) interface of the ISA Server firewall/VPN server). Click OK (figure 28).
- Accept the default settings in
the DHCP Relay Properties –
Internet Properties dialog box and click OK (figure 29).
server and DHCP Relay Agent are now ready to use. You can connect your VPN
clients to the ISA Server firewall/VPN server and the clients will now receive
the DHCP scope options you configured for their use.