Enabling DHCP Relay for ISA Firewall VPN Clients

By Thomas W Shinder MD, MVP

Have Questions about the article? Ask them at:
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=000795

ISA Firewall Alert:
In this article we’ll focus on DHCP and the DHCP Relay Agent. For more information on what makes the ISA firewall’s VPN component a one of a kind VPN server and gateway, check out the VPN chapter in our book Configuring ISA Server 2004.

We have a ton of documentation on how to install and configure the ISA firewall’s VPN services here on the www.isaserver.org site, and there’s a fantastic VPN Deployment Kit over at http://www.microsoft.com/isaserver/techinfo/guidance/2004/configuration.asp. Just use the Search feature at this site and look for VPN, or better, use Google to search the www.isaserver.org site for VPN.

One question I’ve been seeing a lot lately is how to get the DHCP Relay Agent on the ISA firewall to work correctly. These companies have a DHCP server on the corporate network and want to forward DHCP options to the VPN clients. Probably the most important DHCP option you want to forward to your VPN clients is the primary domain name suffix, so that the VPN clients will be able to correctly fully qualify unqualified names in their requests. When the VPN clients correctly fully qualify their requests, they’ll be able to use your internal DNS server to resolve names of internal hosts. Of course, you can assign any DHCP option you like, such as the WPAD option, which will allow you to configure the VPN clients to use a specific Web proxy on the corporate network.

You need to do the following things to get the DHCP Relay Agent working on the ISA firewall:

  • Enable the RRAS Service via the ISA firewall console
  • Configure the ISA firewall’s VPN component to use DHCP for VPN client addressing
  • Create the Access Rules required to support the DHCP Relay Agent and VPN clients to obtain IP addressing information
  • Install and configure the DHCP Relay Agent routing protocol in the RRAS console
  • Restart the ISA firewall and test the solution

In the following discussion, I’ll assume that you’ve already installed and configured your DHCP server on the internal network and now you just need to get the DHCP Relay Agent on the ISA firewall to forward DHCP messages from the VPN clients to the DHCP server on the corporate network.

    In addition, I’ll assume that you’ve already installed your ISA firewall but haven’t enabled the VPN component. However, if you have already enabled the VPN component, that’s no problem, just ignore the steps relating to enabling the VPN component.

    The following diagram shows the test network.

    The scope options can be seen in the diagram. A single machine is both a domain controller and a DHCP server, and an ISA firewall sits on the edge of the network. The VPN clients will call the ISA firewall and obtain IP addressing information from the ISA firewall for their VPN link.

    Enable the RRAS Service via the ISA firewall console


    The first step is to enable RRAS through the ISA firewall console if you haven’t enabled it already. Enabling VPN client access is what starts the RRAS service on the ISA firewall. Perform the following steps to enable the ISA firewall’s VPN component:

    1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click on the Virtual Private Networks (VPN) node.
    2. Click on the Tasks tab in the Task Pane. Click the Enable VPN Client Access link.
    3. Click Apply to save the changes and update the firewall policy.
    4. Click OK in the Apply New Configuration dialog box.

    Configure the ISA firewall’s VPN component to use DHCP for VPN client addressing

    You have two options for assigning IP addressing information to VPN clients: DHCP or a static address pool. I prefer DHCP because it avoids the problem of having to remove the static pool’s addresses from the ISA firewall Network definition they overlap with (the addresses are already carved out of the DHCP scope).

    By default, the ISA firewall uses DHCP to assign IP addressing information to VPN clients, but without the DHCP Relay Agent, the DHCP server only supplies an address to the VPN clients. The reason for this is that the VPN clients never directly communicate with the DHCP server. Instead, when the RRAS service starts up, it obtains a block of 10 IP addresses from the DHCP server (if the DHCP server has that many to give). The RRAS service then assigns itself one of the addresses and hands the remaining addresses to VPN clients as they connect. If the RRAS service needs more addresses, it obtains another block from the DHCP server, but it never obtains DHCP options on behalf of the VPN clients.

    If you have configured a static address pool and want to switch to DHCP, perform the following steps:

    1. In the ISA firewall console, click the Virtual Private Networks (VPN) node and then click the Tasks tab in the Task Pane.
    2. Click the Define Address Assignments link in the Task Pane.
    3. On the Address Assignment tab in the Virtual Private Networks (VPN) Properties dialog box, click the Dynamic Host Configuration Protocol (DHCP) option.
    4. Click Apply and then click OK.
    5. Click Apply to save the changes and update the firewall policy.
    6. Click OK in the Apply New Configuration dialog box.

    Create the Access Rules required to support the DHCP Relay Agent and VPN clients to obtain IP addressing information

    We need to create two rules to support this configuration. They appear in the tables below.

    Table 1: Settings for the DHCP Reply (Internal to VPN) Rule

    Setting        Value
    Order          1
    Name           DHCP Reply (Internal to VPN)
    Action         Allow
    Protocols      DHCP (reply)
    From/Listener  Internal
    To             VPN Clients Network
    Condition      All Users

    Table 2: Settings for the DHCP Request (VPN to Local Host) Rule

    Setting        Value
    Order          2
    Name           DHCP Request (VPN to Local Host)
    Action         Allow
    Protocols      DHCP (request)
    From/Listener  VPN Clients Network
    To             Local Host
    Condition      All Users

    Note that the rule order is for this example only. You should place the rules in the appropriate order for your configuration. Since they are unauthenticated Access Rules (they apply to All Users), make sure to put them above any authenticated Access Rules that could match the same traffic (this is a general rule of thumb, though not required; if you already have a good understanding of ISA firewall Access Rule processing, you can put them in the appropriate place in your firewall policy).

    We need to create the DHCP Reply (Internal to VPN) rule because the DHCP server on the corporate network sees the source IP address of the DHCP request as the IP address of the VPN client and sends its reply directly to that address. The ISA firewall acts as a proxy ARP server for the VPN clients and does not change the source IP address of the VPN client.

    We need to create the DHCP Request (VPN to Local Host) rule because the VPN clients need to be able to send their DHCPINFORM messages to the ISA firewall itself, since the DHCP Relay Agent is located on the ISA firewall.


    Perform the following steps to create the DHCP Reply (Internal to VPN) Access Rule:

    1. In the ISA firewall console, expand the server name and then click the Firewall Policy node.
    2. On the Firewall Policy node, click the Tasks tab on the Task Pane and click the Create New Access Rule link.
    3. On the Welcome to the New Access Rule Wizard page, enter the name for the rule DHCP Reply (Internal to VPN) in the Access Rule name text box and click Next.
    4. Select the Allow option on the Rule Action page and click Next.
    5. On the Protocols page, select the Selected protocols option and click Add.
    6. In the Add Protocols dialog box, click the Infrastructure node and then double click the DHCP (reply) entry. Click Close.
    7. Click Next on the Protocols page.
    8. Click the Add button on the Access Rule Sources page.
    9. In the Add Network Entities dialog box, click the Networks folder and double click the Internal entry. Click Close.
    10. Click Next on the Access Rule Sources page.
    11. Click the Add button on the Access Rule Destinations page.
    12. In the Add Network Entities dialog box, click the Networks folder and double click VPN Clients. Click Close.
    13. Click Next on the Access Rule Destinations page.
    14. Click Next on the User Sets page (accept the default setting, All Users).
    15. Click Finish on the Completing the New Access Rule Wizard page.

    Perform the following steps to create the DHCP Request (VPN to Local Host) Access Rule:

    1. In the ISA firewall console, expand the server name and then click the Firewall Policy node.
    2. On the Firewall Policy node, click the Tasks tab on the Task Pane and click the Create New Access Rule link.
    3. On the Welcome to the New Access Rule Wizard page, enter the name for the rule DHCP Request (VPN to Local Host) in the Access Rule name text box and click Next.
    4. Select the Allow option on the Rule Action page and click Next.
    5. On the Protocols page, select the Selected protocols option and click Add.
    6. In the Add Protocols dialog box, click the Infrastructure node and then double click the DHCP (request) entry. Click Close.
    7. Click Next on the Protocols page.
    8. Click the Add button on the Access Rule Sources page.
    9. In the Add Network Entities dialog box, click the Networks folder and double click the VPN Clients entry. Click Close.
    10. Click Next on the Access Rule Sources page.
    11. Click the Add button on the Access Rule Destinations page.
    12. In the Add Network Entities dialog box, click the Networks folder and double click Local Host. Click Close.
    13. Click Next on the Access Rule Destinations page.
    14. Click Next on the User Sets page (accept the default setting, All Users).
    15. Click Finish on the Completing the New Access Rule Wizard page.

    Your firewall policy will look something like the figure below (I say something like it, because you’ll certainly have other Access Rules in your firewall policy):

    Install and configure the DHCP Relay Agent routing protocol in the RRAS console


    Now we’ll move away from the ISA firewall console and use the RRAS console to add the DHCP Relay Agent routing protocol. Perform the following steps to add the DHCP Relay Agent Routing Protocol and configure it to use your corporate network DHCP server:

    1. Click Start, point to Administrative Tools and click Routing and Remote Access.
    2. In the Routing and Remote Access console, expand the server name and then expand the IP Routing node.
    3. Right click the General node and click New Routing Protocol.
    4. In the New Routing Protocol dialog box, click the DHCP Relay Agent protocol and click OK.
    5. Click the DHCP Relay Agent node in the left pane of the console, then right click it and click Properties.
    6. In the DHCP Relay Agent Properties dialog box, enter the IP address of your DHCP server in the Server address text box and click Add. Click OK.
    7. Right click the DHCP Relay Agent node in the left pane of the console and click New Interface. What we want to do here is select the RRAS Internal interface, which is the virtual interface RRAS uses for remote access (VPN) clients; we do not want to select the internal network adapter of the ISA firewall computer. That is why I always rename the network adapters on the ISA firewall so that I can easily tell them apart from the RRAS Internal interface. Select the Internal interface for the RRAS service and click OK in the New Interface for DHCP Relay Agent dialog box.
    8. Click OK in the DHCP Relay Properties – Internal Properties dialog box.
    9. Click Apply and then click OK.

    Restart the ISA firewall and test the solution

    The next step is to restart the ISA firewall device. This might not be required if you had already enabled the VPN component of the ISA firewall and had it working before configuring the DHCP Relay Agent, but I know it always works after a restart of the ISA firewall device, so go ahead and do it.

    Now establish a VPN client connection to the ISA firewall. Once the VPN client connection is established, open a command prompt on the VPN client device and issue the ipconfig /all command. You will see something like the figure below.

    You’ll see in the PPP adapter VPN printout that the VPN client has been assigned a Connection-specific DNS Suffix of blah.com, a DNS Servers entry and a Primary WINS Server from the DHCP server through the DHCP Relay Agent. Notice that two DNS servers with the same IP address have been assigned to the VPN client – one from the DHCP Relay Agent connection and one from the ISA firewall’s own DNS setting, which RRAS passes to VPN clients over the PPP link. This could end up being problematic, since the entire point of using the DHCP Relay Agent is to assign VPN clients a setting of your choosing. However, the good news is that the DHCP-delivered DNS server is placed at the top of the DNS server search list.

    At this time I haven’t identified a way around this issue, but if you have, write to me at [email protected] and we’ll update this article.

    The figure below shows the communications being “proxied” by the DHCP Relay Agent between the VPN clients and DHCP server.

    Notice that only a DHCPINFORM and a DHCPACK are involved here; no DHCPDISCOVER, DHCPOFFER or DHCPREQUEST is needed, because the VPN client already has its address from RRAS and is only asking for options. The DHCP Relay Agent forwards the DHCPINFORM message to the DHCP server, and the DHCP server replies to the IP address of the VPN client with a DHCPACK that includes the DHCP options.
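    The exchange described above, and the reason the two Access Rules have to be shaped the way they are (Internal to VPN Clients for the reply, VPN Clients to Local Host for the request), can be followed in code. The Python below is an added example, not code from the article, from ISA Server or from RRAS: it builds the DHCPINFORM a VPN client sends, applies what a DHCP Relay Agent does to it (stamps giaddr, increments hops, drops it at the hop limit), and has a minimal DHCP server answer with a DHCPACK that carries only the requested options and is unicast to the client’s own ciaddr. The addresses, client MAC, hop limit and scope option values are constructed for the example (blah.com mirrors the suffix shown in the figure); the message layout follows RFC 2131 and the option encoding follows RFC 2132.

```python
"""DHCPINFORM / DHCPACK exchange: VPN client -> DHCP Relay Agent -> DHCP server.

Added example, not code from the article or from ISA Server / RRAS.  All
addresses, the MAC and the scope options are constructed for illustration.
"""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPACK, DHCPINFORM = 5, 8
# 53 message type, 55 parameter request list, 255 end, 15 DNS domain name
# (connection-specific suffix), 6 DNS servers, 44 WINS servers, 3 router.
OPT_MSG_TYPE, OPT_PARAM_REQ, OPT_END = 53, 55, 255
OPT_DOMAIN, OPT_DNS, OPT_WINS, OPT_ROUTER = 15, 6, 44, 3

# Constructed test network (assumption, not the article's addresses).
VPN_CLIENT_IP = "10.0.0.150"   # handed out by RRAS from the block it pre-fetched
RELAY_IP = "10.0.0.1"          # address RRAS kept for its own Internal interface
DHCP_SERVER_IP = "10.0.0.2"
CLIENT_MAC = bytes.fromhex("0050560000aa")
MAX_HOPS = 4                   # relay drops anything already relayed this often

# Scope options on the internal DHCP server (constructed values).
SCOPE_OPTIONS = [
    (OPT_DOMAIN, b"blah.com"),
    (OPT_DNS, socket.inet_aton(DHCP_SERVER_IP)),
    (OPT_WINS, socket.inet_aton(DHCP_SERVER_IP)),
    (OPT_ROUTER, socket.inet_aton(RELAY_IP)),   # not requested, so never sent
]

FIXED_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # op .. file: the 236-byte fixed header


def build_options(opts):
    out = bytearray(MAGIC_COOKIE)
    for code, value in opts:                 # RFC 2132 TLV: code, length, value
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def parse_options(data):
    """Decode the options field into {code: raw value}."""
    if data[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i, opts = 4, {}
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                     # pad octet
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_packet(op, xid, ciaddr, giaddr, hops, options):
    fixed = struct.pack(FIXED_FMT, op, 1, 6, hops, xid, 0, 0,
                        socket.inet_aton(ciaddr), b"\0" * 4, b"\0" * 4,
                        socket.inet_aton(giaddr), CLIENT_MAC.ljust(16, b"\0"),
                        b"\0" * 64, b"\0" * 128)
    return fixed + options


def parse_packet(pkt):
    f = struct.unpack(FIXED_FMT, pkt[:236])
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "ciaddr": socket.inet_ntoa(f[7]), "yiaddr": socket.inet_ntoa(f[8]),
            "giaddr": socket.inet_ntoa(f[10]), "options": parse_options(pkt[236:])}


def client_inform(xid=0x1234ABCD):
    """VPN client: it already has an address (ciaddr), it only wants options."""
    opts = build_options([(OPT_MSG_TYPE, bytes([DHCPINFORM])),
                          (OPT_PARAM_REQ, bytes([OPT_DOMAIN, OPT_DNS, OPT_WINS]))])
    return build_packet(BOOTREQUEST, xid, VPN_CLIENT_IP, "0.0.0.0", 0, opts)


def relay_forward(pkt, relay_ip=RELAY_IP, max_hops=MAX_HOPS):
    """Relay Agent: set giaddr to the receiving interface if still zero, bump hops,
    forward to the configured server; return None (drop) at the hop limit."""
    p = parse_packet(pkt)
    if p["hops"] >= max_hops:
        return None
    giaddr = relay_ip if p["giaddr"] == "0.0.0.0" else p["giaddr"]
    return build_packet(p["op"], p["xid"], p["ciaddr"], giaddr, p["hops"] + 1, pkt[236:])


def server_reply(pkt, scope_options=SCOPE_OPTIONS):
    """Server: answer DHCPINFORM with a DHCPACK that carries only the requested
    options, no lease (yiaddr stays 0), unicast to ciaddr (RFC 2131 section 4.3.5).
    Returns (ack_packet, destination_ip)."""
    p = parse_packet(pkt)
    if p["options"].get(OPT_MSG_TYPE) != bytes([DHCPINFORM]):
        raise ValueError("only DHCPINFORM is handled here")
    requested = p["options"].get(OPT_PARAM_REQ, b"")
    opts = [(OPT_MSG_TYPE, bytes([DHCPACK]))]
    opts += [(c, v) for c, v in scope_options if c in requested]
    ack = build_packet(BOOTREPLY, p["xid"], p["ciaddr"], p["giaddr"], 0, build_options(opts))
    return ack, p["ciaddr"]


def run_exchange():
    """Whole exchange; returns what the client learns plus the two UDP flows the
    article's Access Rules must permit (the relay's own leg to the DHCP server
    originates from the ISA firewall itself and is not one of those two rules)."""
    ack, dest = server_reply(relay_forward(client_inform()))
    o = parse_packet(ack)["options"]
    dns = o.get(OPT_DNS, b"")
    return {"ack_dest": dest,
            "yiaddr": parse_packet(ack)["yiaddr"],
            "dns_suffix": o[OPT_DOMAIN].decode(),
            "dns_servers": [socket.inet_ntoa(dns[i:i + 4]) for i in range(0, len(dns), 4)],
            "wins": socket.inet_ntoa(o[OPT_WINS]),
            "router_sent": OPT_ROUTER in o,
            "flows": [("VPN Clients", VPN_CLIENT_IP, "Local Host", RELAY_IP, "DHCP (request) udp/67"),
                      ("Internal", DHCP_SERVER_IP, "VPN Clients", dest, "DHCP (reply) udp/68")]}


if __name__ == "__main__":
    for key, value in run_exchange().items():
        print(f"{key}: {value}")
```

    The point to take from the result is that the DHCPACK is addressed to the VPN client’s own IP address, not to the relay, so the reply crosses from the Internal network into the VPN Clients network and needs its own allow rule, while the DHCPINFORM is addressed to the ISA firewall itself (the relay) and therefore needs the VPN Clients to Local Host rule.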

    Summary

    In this article we examined how you can use the ISA firewall and a DHCP Relay Agent installed on the ISA firewall to allow VPN clients to obtain DHCP options from an internal network DHCP server. In a future article, we’ll examine how to configure the ISA firewall with an on-box DHCP server to support the DHCP Relay Agent.


    I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, I’ve inserted a link above to where you can post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
