CONFIGURING THE DHCP RELAY AGENT TO SUPPORT VPN CLIENT TCP/IP ADDRESSING OPTIONS
You can use DHCP to assign DHCP options to VPN clients if your organization has a DHCP server.
DHCP servers can do a lot more than assign an IP address and subnet mask to network hosts. VPN
clients can benefit from the following TCP/IP settings assignments via DHCP:
• IP address
• Subnet mask
• Primary domain name
• WINS server address
• DNS server address
WINS and DNS server addresses are assigned to VPN clients based on the interface you select in the
VPN server’s Properties dialog box when you use a static address pool to assign IP
addressing information to VPN clients. You can assign DNS and WINS server addresses that are
different from the ones configured on the ISA Server firewall/VPN server when you use DHCP to assign
IP addressing information to the VPN clients. All you need to do is create a scope on the DHCP server
that services these clients.
You need to do the following if you want to assign custom IP addressing information to your VPN clients:
• Place a DHCP server on a directly connected segment (relative to the ISA Server firewall/VPN server)
• Create a DHCP scope for the VPN clients
• Configure the ISA Server firewall/VPN server to use DHCP for VPN client address assignment
• Install and configure the DHCP Relay Agent on the ISA Server firewall/VPN server
Installing the DHCP Server and Configuring the Scope
In this example we will install the DHCP Server service on a domain controller connected to the same
network segment as the internal interface of the ISA Server firewall/VPN server.
Perform the following steps to install the DHCP Server service:
1. Click Start, point to Settings and click Control Panel. In the Control Panel, open
the Add/Remove Programs applet.
2. Click the Add/Remove Windows Components button on the left side of the Add/Remove
Programs window.
3. In the Windows Components dialog box, click on the Networking Services entry and click
the Details button (figure 1).
Figure 1
4. In the Networking Services dialog box, put a checkmark in the Dynamic Host Configuration
Protocol (DHCP) checkbox (figure 2). Click OK.
Figure 2
5. Click Next in the Windows Components dialog box. Click Finish on the Completing the
Windows Components Wizard page (figure 3).
Figure 3
Configuring the DHCP Server and Creating a DHCP Scope
A DHCP scope is a collection of IP addresses the DHCP server can assign to DHCP clients requesting IP
addressing information. After creating the scope, you create DHCP scope options for it. The DHCP
server must assign each DHCP client an IP address and a subnet mask. Any additional IP
addressing information, such as the WINS address, DNS address and primary domain name, is assigned to
the DHCP client via a DHCP scope option.
Note:
You must configure DHCP clients with “on subnet” addresses. You won’t be able to use DHCP to
provide an off-subnet address because of how DHCP works: the DHCP server selects a scope from the
subnet of the interface the request arrived on (or, for relayed requests, the subnet of the relay
agent’s address), and there is no method available that allows you to direct the DHCP Relay Agent to
“point” to a particular scope from which the DHCP server should assign IP addressing information to the
VPN clients. Your scope should contain enough IP addresses to support all DHCP clients that will require
an address from that scope.
You must authorize the DHCP server in the Active Directory before you create the scope. This
authorization process prevents the DHCP server from being detected as a “rogue” DHCP server.
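The scope-selection rule behind that note, as an added model (example code, not from this article and not Windows DHCP Server’s own code): the relay agent stamps the request with giaddr, the server picks the scope whose subnet contains giaddr, and a scope on any other subnet is therefore unreachable. The relay interface 10.0.0.1, the server 10.0.0.2, the 192.168.50.0/24 scope and the domain names are constructed values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Scope:
    name: str
    network: ipaddress.IPv4Network
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    options: dict  # DHCP option code -> value (6 = DNS, 15 = domain, 44 = WINS)
    leased: set = field(default_factory=set)

def relay_request(msg, relay_if_ip="10.0.0.1"):
    # Relay agent step (RFC 2131 s4.3.1): stamp giaddr with the receiving
    # interface (assumed 10.0.0.1) if still zero, and bump the hop count.
    fwd = dict(msg)
    if fwd.get("giaddr", "0.0.0.0") == "0.0.0.0":
        fwd["giaddr"] = relay_if_ip
    fwd["hops"] = fwd.get("hops", 0) + 1
    return fwd

def select_scope(scopes, msg, server_if_ip):
    # Server step: the only selector is the subnet containing giaddr (relayed) or
    # the receiving interface (local broadcast); no field can name another scope.
    giaddr = msg.get("giaddr", "0.0.0.0")
    key = ipaddress.ip_address(server_if_ip if giaddr == "0.0.0.0" else giaddr)
    return next((s for s in scopes if key in s.network), None)

def make_offer(scope, msg):
    # Lease the first free address in the range and attach the scope options.
    for n in range(int(scope.start), int(scope.end) + 1):
        addr = ipaddress.IPv4Address(n)
        if addr not in scope.leased:
            scope.leased.add(addr)
            opts = {1: str(scope.network.netmask), **scope.options}
            return {"yiaddr": str(addr), "giaddr": msg["giaddr"], "options": opts}
    return None  # range exhausted: the "enough addresses" caveat above

# Constructed scopes: one on the relay's subnet, one off-subnet scope (never chosen).
SCOPES = [
    Scope("VPN Clients", ipaddress.IPv4Network("10.0.0.0/24"), ipaddress.IPv4Address("10.0.0.100"),
          ipaddress.IPv4Address("10.0.0.109"), {6: "10.0.0.2", 15: "corp.example", 44: "10.0.0.2"}),
    Scope("Off-subnet", ipaddress.IPv4Network("192.168.50.0/24"), ipaddress.IPv4Address("192.168.50.10"),
          ipaddress.IPv4Address("192.168.50.20"), {6: "192.168.50.2", 15: "other.example"}),
]

def vpn_client_lease(scopes=SCOPES, server_if_ip="10.0.0.2"):
    # One request end to end: returns (scope name, OFFER) or (None, None).
    relayed = relay_request({"op": "DISCOVER", "giaddr": "0.0.0.0", "hops": 0})
    scope = select_scope(scopes, relayed, server_if_ip)
    return (scope.name, make_offer(scope, relayed)) if scope else (None, None)
```

Each call to vpn_client_lease consumes one address from the ten-address range, so the eleventh call returns no offer, which is the exhaustion case the note warns about.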
Perform the following steps to authorize the DHCP server in the Active Directory and create a scope for
your VPN clients:
1. Click Start and point to Programs. Point to Administrative Tools and click DHCP.
2. In the left pane of the DHCP console, you’ll notice that the server name has a red, down-pointing
arrow on it. Right click the server name and click the Authorize command (figure 4).
Figure 4
3. Click the Action menu in the DHCP console, then click Refresh. You will see the DHCP server
icon change from having a red down-pointing arrow to having a green, up-pointing arrow (figure
5).
Figure 5
4. In the left pane of the DHCP console, right click on your server name and click the New
Scope command (figure 6).
Figure 6
5. Click Next on the first page of the New Scope Wizard (figure 7).
Figure 7
6. Type a Name and Description for the scope on the Scope Name page. In this example we’ll call
it VPN Clients and provide no description (figure 8). Click Next.
Figure 8
7. Enter the range of IP addresses used by the scope on the IP Address Range page. Type the
first IP address in the range in the Start IP address text box and the last IP address in the range
in the End IP address text box. Note that the subnet mask is entered for you automatically. You
can change the default subnet mask if you require a custom mask. In most cases the subnet
mask you enter here will not matter for VPN clients because VPN clients use a classful subnet
mask. Click Next (figure 9).
Figure 9
8. In this example we entered a subset of addresses in the 10.0.0.0/24 network ID instead of the
entire range. Because of this, we won’t enter any exclusions. However, it is more typical to include
an entire network ID in a single scope. The purpose of exclusions is to remove IP addresses in
the network ID that have already been statically assigned to servers so that these addresses
won’t be assigned to DHCP clients. Click Next on the Add Exclusions page (figure 12).
Figure 12
9. You can set a lease duration on the Lease Duration page (figure 13). The lease for the VPN
clients isn’t important, since VPN clients keep their IP address for the duration of the call. The IP
address used by the VPN client is available to other VPN clients after the current VPN client ends
the call. From the viewpoint of the DHCP server, the leased IP addresses are assigned to the ISA
Server firewall/VPN server, not the VPN clients. Click Next.
Figure 13
10. Select the Yes, I want to configure these options now option on the Configure DHCP Options
page (figure 14). Click Next.
Figure 14
11. You can enter a default gateway on the Router (Default Gateway) page (figure 15). VPN clients
don’t recognize this option because the VPN client’s default route is based on the VPN client
software configuration. When the Use default gateway on remote network option is selected on
the VPN client, the VPN virtual PPP interface is the VPN client’s default gateway. If the Use
default gateway on remote network option is not selected on the VPN client, then the VPN
client keeps its current default gateway and only uses the VPN interface to route packets to the
network ID directly connected to the ISA Server firewall/VPN server’s internal
interface. Click Next.
Figure 15
12. You can enter a Parent domain and a DNS server address on the Domain Name and DNS
Servers page (figure 16). The parent domain entry is very important. The parent domain name is
the name used to qualify the unqualified requests VPN clients send when resolving names on your
private network. Always enter a parent domain, as this allows VPN clients that are not members of
the internal network domain to resolve names of servers on the internal network using DNS.
Enter the IP address(es) of your DNS server(s) in the IP address text box and click OK after
entering each one. Click Next.
Figure 16
13. Type the IP address of your WINS server in the IP address text box on the WINS Server page
(figure 17). You do not need to include a WINS server address. However, WINS servers help when VPN
clients need to browse for resources on the internal network using Network
Neighborhood or My Network Places. Click Add and then click Next.
Figure 17
14. On the Activate Scope page (figure 18), select the Yes, I want to activate the scope
now option and click Next. The scope must be activated before VPN clients can use it to obtain
IP addressing information.
Figure 18
15. Click Finish on the Completing the New Scope Wizard page (figure 19).
Figure 19
Configuring the ISA Server firewall/VPN Server to Use DHCP for VPN Client Address Assignment
By default, the ISA Server firewall/VPN server uses DHCP to assign IP addressing information to VPN
clients. However, if you changed the default from DHCP to Static address pool, then you will need to
change the settings back to DHCP.
Perform the following steps on the ISA Server firewall/VPN server to allow the VPN server component to
obtain addresses for VPN clients from the DHCP server:
1. Click Start, point to Administrative Tools and click on Routing and Remote Access.
2. Right click on the server name in the left pane of the Routing and Remote Access console and
click the Properties command (figure 20).
Figure 20
3. Click on the IP tab in the server Properties dialog box. Select the Dynamic Host Configuration
Protocol (DHCP) option and click Apply. The ISA Server firewall/VPN server will immediately
broadcast requests for IP addresses after you click the Apply button. Click OK to close
the Properties dialog box.
Figure 21
4. Go back to the DHCP server computer. Click Start, point to Administrative Tools and
click DHCP.
5. In the DHCP console, expand the server name and then expand the Scope node. Click on
the Address Leases node. You’ll see the block of ten IP addresses obtained by the ISA Server
firewall/VPN server listed in the right pane (figure 22).
Figure 22
Configure the DHCP Relay Agent on the ISA Server firewall/VPN Server
Although the Routing and Remote Access service is started by the ISA Server VPN Wizard, we still
have a couple of things to do before connecting VPN clients to the network.
1. Click Start, point to Programs, point to Administrative Tools and click on Routing and Remote
Access.
2. In the Routing and Remote Access console, expand the IP Routing node in the left pane of the
console and right click on the General node. Click on the New Routing Protocol command
(figure 23).
Figure 23
3. In the New Routing Protocol dialog box, click on the DHCP Relay Agent entry and
click OK (figure 24).
Figure 24
4. A new node, the DHCP Relay Agent node, appears in the left pane of the Routing and Remote
Access console. Right click on the DHCP Relay Agent node and click Properties (figure 25).
Figure 25
5. In the DHCP Relay Agent Properties dialog box (figure 26), type in the IP address of the DHCP
server in the Server address text box and click the Add button. Click Apply and then click OK.
Figure 26
6. Right click on the DHCP Relay Agent node in the left pane of the console and click the New
Interface command (figure 27).
Figure 27
7. Select the Internal interface (this is an internal interface used by the Routing and Remote Access
Service; it is not the LAN (internal) interface of the ISA Server firewall/VPN server).
Click OK (figure 28).
Figure 28
8. Accept the default settings in the DHCP Relay Properties – Internet Properties dialog box and
click OK (figure 29).
Figure 29
The DHCP server and DHCP Relay Agent are now ready to use. You can connect your VPN clients to the
ISA Server firewall/VPN server and the clients will now receive the DHCP scope options you configured
for their use.