
CONFIGURING THE DHCP RELAY AGENT TO SUPPORT VPN CLIENT TCP/IP ADDRESSING OPTIONS

You can use DHCP to assign DHCP options to VPN clients if your organization has a DHCP
server. DHCP servers can do a lot more than assign an IP address and subnet mask to network
hosts. VPN clients can benefit from the following TCP/IP settings assignments via DHCP:

• IP address
• Subnet mask
• Primary domain name
• WINS server address
• DNS server address

WINS and DNS server addresses are assigned to VPN clients based on the interface you select
in the VPN server’s Properties dialog box when you use a static address pool to assign IP
addressing information to VPN clients. You can assign DNS and WINS server addresses that are
different from the ones configured on the ISA Server firewall/VPN server when you use DHCP to
assign IP addressing information to the VPN clients. All you need to do is create a scope on the
DHCP server that services these clients.

You need to do the following if you want to assign custom IP addressing information to your VPN
clients:

• Place a DHCP server on a directly connected segment (relative to the ISA Server
firewall/VPN server)
• Create a DHCP Scope for the VPN clients
• Configure the ISA Server firewall/VPN server to use DHCP for VPN client address
assignment
• Install and configure the DHCP Relay Agent on the ISA Server firewall/VPN server

Installing the DHCP Server and Configuring the Scope

In this example we will install the DHCP Server service on a domain controller connected to the
same network segment as the internal interface of the ISA Server firewall/VPN server.

Perform the following steps to install the DHCP Server service:

1. Click Start, point to Settings and click Control Panel. In the Control Panel, open the
Add/Remove Programs applet.
2. Click the Add/Remove Windows Components button on the left side of the
Add/Remove Programs window.
3. In the Windows Components dialog box, click on the Networking Services entry and
click the Details button (figure 1).

Figure 1 (Fig1)
4. In the Networking Services dialog box, put a checkmark in the Dynamic Host
Configuration Protocol (DHCP) checkbox (figure 2). Click OK.

Figure 2 (Fig2)
5. Click Next in the Windows Components dialog box. Click Finish on the Completing
the Windows Components Wizard page (figure 3).

Figure 3 (Fig3)
Configuring the DHCP Server and Creating a DHCP Scope

A DHCP scope is a collection of IP addresses the DHCP server can assign to DHCP clients
requesting IP addressing information. After creating the scope, you create the DHCP scope
options. The DHCP server must assign each DHCP client an IP address and a subnet mask.
Any additional IP addressing information, such as the WINS address, DNS address and primary
domain name, is assigned to the DHCP client via a DHCP scope option.

• Note:
You must configure DHCP clients with “on subnet” addresses. You won’t be able to use
DHCP to provide an off-subnet address because of how DHCP works. There is no method
available that allows you to direct the DHCP Relay Agent to “point” to a particular scope from
which the DHCP server should assign IP addressing information to the VPN clients. Your
scope should contain enough IP addresses to support all DHCP clients that will require an
address from that scope.

You must authorize the DHCP server in the Active Directory before you create the scope. This
authorization process prevents the DHCP server from being detected as a “rogue” DHCP server.

Perform the following steps to authorize the DHCP server in the Active Directory and create a
scope for your VPN clients:
1. Click Start and point to Programs. Point to Administrative Tools and click DHCP.
2. In the left pane of the DHCP console, you’ll notice that the server name has a red, down-
pointing arrow on it. Right click the server name and click the Authorize command (figure
4).

Figure 4 (Fig4)

3. Click the Action menu in the DHCP console, then click Refresh. You will see the DHCP
server icon change from having a red down-pointing arrow to having a green, up-pointing
arrow (figure 5).

Figure 5 (Fig5)
4. In the left pane of the DHCP console, right click on your server name and click the New
Scope command (figure 6).

Figure 6 (Fig6)
5. Click Next on the first page of the New Scope Wizard (figure 7).
Figure 7 (Fig7)
6. Type a Name and Description for the scope on the Scope Name page. In this example
we’ll call it VPN Clients and provide no description (figure 8). Click Next.

Figure 8 (Fig8)
7. Put in the range of IP addresses used by the scope on the IP Address Range page.
Type the first IP address in the range in the Start IP address text box and the last IP
address in the range in the End IP address text box. Note that the subnet mask is
entered for you automatically. You can change the default subnet mask if you require a
custom mask. In most cases the subnet mask you enter here will not matter for VPN
clients because VPN clients use a classful subnet mask. Click Next (figure 9).

Figure 9 (Fig9)
8. In this example we entered a subset of addresses in the 10.0.0.0/24 network ID instead
of the entire range. Because of this, we won’t enter any exclusions. However, it’s more
typical to include an entire network ID in a single scope. The purpose of exclusions is to
remove IP addresses in the network ID that have already been statically assigned to
servers so that these addresses won’t be assigned to DHCP clients. Click Next on the
Add Exclusions page (figure 12).

Figure 12 (Fig10)
9. You can set a lease duration on the Lease Duration page (figure 13). The lease for the
VPN clients isn’t important, since VPN clients keep their IP address for the duration of the
call. The IP address used by the VPN client is available to other VPN clients after the
current VPN client ends the call. From the viewpoint of the DHCP server, the leased IP
addresses are assigned to the ISA Server firewall/VPN server, not the VPN clients. Click
Next.

Figure 13 (Fig11)
10. Select the Yes, I want to configure these options now on the Configure DHCP
Options page (figure 14). Click Next.

Figure 14 (Fig12)
11. You can enter a default gateway on the Router (Default Gateway) page (figure 15). VPN
clients don’t recognize this option because the VPN client’s default route is based on the
VPN client software configuration. When the Use default gateway on remote network
option is selected on the VPN client, the VPN virtual PPP interface is the VPN client’s
default gateway. If the Use default gateway on remote network option is not selected
on the VPN client, then the VPN client keeps its current default gateway and only uses
the VPN interface to route packets to the network ID directly connected to the ISA Server
firewall/VPN server’s internal interface. Click Next.

Figure 15 (Fig13)
12. You can enter a Parent domain and a DNS server address on the Domain Name and
DNS Servers page (figure 16). The parent domain entry is very important. The parent
domain name is the name used to qualify unqualified requests VPN clients send when
resolving names on your private network. Always enter a parent domain as this allows
VPN clients that are not members of the internal network domain to resolve names of
servers on the internal network using DNS. Enter the IP address(es) of your DNS
server(s) in the IP address text box and click OK after entering each one. Click Next.

Figure 16 (Fig14)
13. Type the IP address of your WINS server in the IP address text box on the WINS Server
page (figure 17). You do not need to include a WINS server address. However, WINS servers help
when VPN clients need to browse for resources on the internal network using Network
Neighborhood or My Network Places. Click Add and then click Next.

Figure 17 (Fig15)
14. On the Activate Scope page (figure 18), select the Yes, I want to activate the scope
now option and click Next. The scope must be activated before VPN clients can use it to
obtain IP addressing information.

Figure 18 (Fig16)
15. Click Finish on the Completing the New Scope Wizard page (figure 19).
Figure 19 (Fig17)
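The note above says the DHCP Relay Agent cannot be pointed at a particular scope, and the wizard pages above show the scope options (router, DNS, parent domain, WINS) the VPN clients end up receiving. The following Python simulation, added here as an illustration and not code from the original article or from ISA Server, shows the protocol mechanism behind both points: the relay agent only stamps its own interface address into the BOOTP giaddr field, and the server picks the scope by the subnet that contains giaddr, so only an on-subnet scope can ever be selected. The option codes are the RFC 2132 values (1 subnet mask, 3 router, 6 DNS, 15 domain name, 44 WINS); the topology (ISA internal interface 10.0.0.1, DHCP server 10.0.0.2, a 10.0.0.100-10.0.0.109 range, the parent domain `internal.example`) and the class and function names are constructed for the example.

```python
import struct
import ipaddress

# Constructed example: minimal DHCP client -> relay -> server exchange.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MASK, OPT_ROUTER, OPT_DNS, OPT_DOMAIN, OPT_WINS = 1, 3, 6, 15, 44   # RFC 2132 codes
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DISCOVER, OFFER = 1, 2
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header: 236 bytes, giaddr at offset 24


def ip4(addr):
    return ipaddress.IPv4Address(addr).packed


def build(op, xid, hops, giaddr, yiaddr, chaddr, options):
    """Serialize a BOOTP/DHCP message; options is a list of (code, bytes)."""
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, 0x8000,      # htype=Ethernet, hlen=6, broadcast flag
                      b"\0" * 4, ip4(yiaddr), b"\0" * 4, ip4(giaddr),
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(data):
    """Decode the fixed header and the TLV option list into a dict."""
    f = struct.unpack(HDR, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:            # pad option carries no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4], "chaddr": f[11][:f[2]],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])), "options": opts}


def relay(packet, relay_if_ip, max_hops=4):
    """What the relay agent does: set giaddr to its own interface address (only if
    the client left it zero), increment hops, and drop the packet at the hop limit.
    There is no field in which it could name a scope."""
    if packet[3] >= max_hops:
        return None
    buf = bytearray(packet)
    buf[3] += 1
    if buf[24:28] == b"\0\0\0\0":
        buf[24:28] = ip4(relay_if_ip)
    return bytes(buf)


class Scope:
    def __init__(self, name, network, start, end, options):
        self.name, self.network, self.options = name, ipaddress.ip_network(network), options
        a, b = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        self.free = [ipaddress.IPv4Address(n) for n in range(a, b + 1)]


class Server:
    def __init__(self, server_ip, scopes):
        self.server_ip, self.scopes = server_ip, scopes

    def select_scope(self, giaddr):
        """Scope choice is driven only by giaddr (or the server's own subnet when
        giaddr is zero); an off-subnet scope is never a candidate."""
        key = ipaddress.IPv4Address(self.server_ip if giaddr == "0.0.0.0" else giaddr)
        return next((s for s in self.scopes if key in s.network), None)

    def handle(self, packet):
        req = parse(packet)
        scope = self.select_scope(req["giaddr"])
        if req["options"].get(OPT_MSG_TYPE) != bytes([DISCOVER]) or scope is None or not scope.free:
            return None                       # no matching scope: the request is silently ignored
        lease = scope.free.pop(0)
        opts = [(OPT_MSG_TYPE, bytes([OFFER])), (OPT_SERVER_ID, ip4(self.server_ip)),
                (OPT_MASK, ip4(scope.network.netmask))] + scope.options
        # The OFFER is returned to giaddr (the relay), which forwards it to the client.
        return build(2, req["xid"], 0, req["giaddr"], str(lease), req["chaddr"], opts)


def vpn_client_exchange():
    """Constructed topology: ISA internal interface 10.0.0.1 relays to DHCP server 10.0.0.2."""
    vpn_scope = Scope("VPN Clients", "10.0.0.0/24", "10.0.0.100", "10.0.0.109", [
        (OPT_ROUTER, ip4("10.0.0.1")), (OPT_DNS, ip4("10.0.0.2")),
        (OPT_DOMAIN, b"internal.example"),          # placeholder parent domain
        (OPT_WINS, ip4("10.0.0.2"))])
    branch = Scope("Branch", "192.168.50.0/24", "192.168.50.10", "192.168.50.20", [])
    server = Server("10.0.0.2", [vpn_scope, branch])
    # The VPN server broadcasts DISCOVER on its RRAS "Internal" interface with giaddr = 0.
    discover = build(1, 0x1234, 0, "0.0.0.0", "0.0.0.0", bytes.fromhex("0a0b0c0d0e0f"),
                     [(OPT_MSG_TYPE, bytes([DISCOVER]))])
    relayed = relay(discover, "10.0.0.1")
    offer = server.handle(relayed)
    return parse(relayed), (parse(offer) if offer else None), server


if __name__ == "__main__":
    req, off, srv = vpn_client_exchange()
    print("relayed giaddr/hops:", req["giaddr"], req["hops"])
    print("offered address:", off["yiaddr"], "domain:", off["options"][OPT_DOMAIN])
    print("scope for off-subnet giaddr 172.16.0.1:", srv.select_scope("172.16.0.1"))
```

Running it shows the relayed DISCOVER carrying giaddr 10.0.0.1 and hops 1, an OFFER for 10.0.0.100 with the mask, router, DNS, domain and WINS options from the VPN Clients scope, and `None` for a giaddr that no scope contains: the second scope on 192.168.50.0/24 could only be reached from a relay interface that sits on that subnet, which is exactly the "on subnet" constraint the note describes.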
Configuring the ISA Server firewall/VPN Server to Use DHCP for VPN Client Address Assignment

By default, the ISA Server firewall/VPN server uses DHCP to assign IP addressing information to
VPN clients. However, if you changed the default from DHCP to Static address pool, then you
will need to change the settings back to DHCP.

Perform the following steps on the ISA Server firewall/VPN server to allow the VPN server
component to obtain addresses for VPN clients from the DHCP server:

1. Click Start, point to Administrative Tools and click on Routing and Remote Access.
2. Right click on the server name in the left pane of the Routing and Remote Access
console and click the Properties command (figure 20).

Figure 20 (Fig19)
3. Click on the IP tab in the server Properties dialog box. Select the Dynamic Host
Configuration Protocol (DHCP) option and click Apply. The ISA Server firewall/VPN
server will immediately broadcast requests for IP addresses after you click the Apply
button. Click OK to close the Properties dialog box.

Figure 21 (Fig20)
4. Go back to the DHCP server computer. Click Start, point to Administrative Tools and
click DHCP.
5. In the DHCP console, expand the server name and then expand the Scope node. Click
on the Address Leases node. You’ll see the block of ten IP addresses obtained by the
ISA Server firewall/VPN server listed in the right pane (figure 22).

Figure 22 (Fig21)
Configure the DHCP Relay Agent on the ISA Server firewall/VPN Server

Although the Routing and Remote Access service is started by the ISA Server VPN Wizard,
we still have a couple of things to do before connecting VPN clients to the network.

1. Click Start, point to Programs, point to Administrative Tools and click on Routing and
Remote Access.
2. In the Routing and Remote Access console, expand the IP Routing node in the left
pane of the console and right click on the General node. Click on the New Routing
Protocol command (figure 23).

Figure 23 (Fig22)
3. In the New Routing Protocol dialog box, click on the DHCP Relay Agent entry and click
OK (figure 24).

Figure 24 (Fig23)
4. A new node, the DHCP Relay Agent node, appears in the left pane of the Routing and
Remote Access console. Right click on the DHCP Relay Agent node and click
Properties (figure 25).

Figure 25 (Fig24)
5. In the DHCP Relay Agent Properties dialog box (figure 26), type in the IP address of the
DHCP server in the Server address text box and click the Add button. Click Apply and
then click OK.

Figure 26 (Fig25)
6. Right click on the DHCP Relay Agent node in the left pane of the console and click the
New Interface command (figure 27).

Figure 27 (Fig26)
7. Select the Internal interface (this is an internal interface used by the Routing and Remote
Access Service; it’s not the LAN (internal) interface of the ISA Server firewall/VPN server).
Click OK (figure 28).

Figure 28 (Fig27)
8. Accept the default settings in the DHCP Relay Properties – Internal Properties dialog
box and click OK (figure 29).

Figure 29 (Fig28)
The DHCP server and DHCP Relay Agent are now ready to use. You can connect your VPN
clients to the ISA Server firewall/VPN server and the clients will now receive the DHCP scope
options you configured for their use.
