Enabling DHCP Relay for DMZ Segments

Enabling DHCP Relay for DMZ Segments

by Thomas W Shinder MD, MVP

Have Questions about the article?
Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=26;t=000383

Get the New Book!

The situation is different when you have non-VPN client hosts on a DMZ segment or on an additional internal network. In contrast to the VPN clients, the DHCP clients on these DMZ and other ISA firewall Networks are directly connected to the LAN via their Ethernet connections. These hosts need IP addressing information and DHCP options, and this information must be specific to hosts on that ISA firewall Network. In addition, the RRAS service does not provide non-VPN clients IP addressing information; the DHCP Relay Agent is used to provide both IP addressing information and DHCP options.

For example, consider the network diagram below.


Figure 1

There are three NICs installed on the ISA firewall: one connected to the Default External Network (the NIC with the default gateway), one connected to the Default Internal Network, and one connected to a second internal network. Clients on the second internal network need to obtain IP addressing information from the DHCP server on the corpnet (the Default Internal Network).

We can accomplish this by installing and configuring the DHCP Relay Agent on the ISA firewall. In contrast to the situation with the VPN clients, clients on the second internal network will not only require DHCP options from the DHCP server, they will need an IP address and subnet mask. This requires that we create a scope on the DHCP server containing IP addresses valid on the second internal network. In this example the sample internal network is on network ID 172.16.0.0/24.

The procedures required to make this work include:

  • Creating a scope on the DHCP server to support the second internal network
  • Installing and configuring the DHCP Relay Agent on the ISA firewall
  • Creating the ISA firewall Network for the second internal network
  • Creating the Access Rules required to allow the DHCP communications
  • Test the configuration

We will build on the configuration set forth in the article Enabling DHCP Relay for ISA Firewall VPN Clients. If you haven’t read that article yet, give it a quick read before continuing with this article, as many of the basic concepts are discussed there.

We will start with the DHCP server already installed on the default Internal Network and the default Internal Network DHCP scope already configured. We will create the scope for the second internal network on this DHCP server. I will assume that you have already installed and configured the DHCP Relay Agent as described in Enabling DHCP Relay for ISA Firewall VPN Clients. We will build on the configuration by adding the DMZ network interface of the “listeners” for the DHCP Relay Agent. We’ll then create the ISA firewall Network for the second internal network and create Access Rules supporting DHCP communications.

Get the New Book!

Have Questions about the article?
Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=26;t=000383

Creating a scope on the DHCP server to support the second internal network

You will need to create a second scope on the DHCP server to support the clients on the second internal network. The DHCP server will see the IP address of the DHCP Relay Agent listener to determine what scope to use to provide IP addresses to the hosts on the second internal network.

When the DHCP Relay Agent forwards the request to the DHCP server, it includes its own IP address in the giaddr field, which is the gateway address field. You can see this in the figure below. You must create a scope on the DHCP server that is valid on the same network ID as the IP address provided in the giaddr field. The address in the giaddr field is the address of the interface on the ISA firewall that accepted the DHCP message.


Figure 2

In our example we created a scope that included IP addresses 172.16.0.100-172.16.200 with a subnet mask of 255.255.255.0 (24 bit mask). Create a scope on your DHCP server that is valid for the second internal network on your network before proceeding to the next step. You should also configure the scope with a default gateway that points to the IP address on the NIC connected to the second internal network (if you plan on supporting SecureNAT clients on that network).

Get the New Book!

Have Questions about the article?
Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=26;t=000383

Installing and configuring the DHCP Relay Agent on the ISA firewall

The next step is to configure the DHCP Relay Agent to listen on the interface on the second internal network. I will assume that you have already installed and configured the DHCP Relay Agent to support VPN clients, as described in the article Enabling DHCP Relay for VPN Clients http://isaserver.org/tutorials/2004dhcprelay.html. The only step we need to take now is to add the interface on the second internal network to the DHCP Relay Agents list of interfaces.

Perform the following steps to add the second interface:

  1. Click Start, point to Administrative Tools and click Routing and Remote Access.
  2. In the Routing and Remote Access console, expand the server name and then expand the IP Routing node. Click the DHCP Relay Agent node and then right click it. Click New Interface.
  3. Select the DMZ interface (or whatever you named the interface on the second internal network) and click OK in the New Interface of DHCP Relay Agent dialog box.


Figure 3

  1. Click OK in the DHCP Relay Properties – Internal Properties dialog box.
  2. Click Apply and then click OK.

Creating the ISA firewall Network for the Second Internal Network

Now we need to create an ISA firewall Network for the second internal network. I’m going to name this ISA firewall Network DMZ, but you can call it whatever you like. The fact is that when creating ISA firewall Networks, there is no difference between Internal and Perimeter networks in terms of their definitions as ISA firewall Networks.

Perform the following steps to define the second internal network’s ISA firewall Network:

  1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Expand the Configuration node and then click the Networks node.
  2. Click the Networks tab in the Details pane of the console. Click the Tasks tab in the Task Pane and then click the Create a New Network link.
  3. On the Welcome to the New Network Wizard page, enter a name for the network in the Network name text box. In this example, we’ll name the network DMZ. Click Next.
  4. On the Network Type page, select the Internal Network option. Click Next.
  5. On the Address Ranges page, click the Add Adapter button.
  6. In the Select Network Adapter dialog box, put a checkmark in the checkbox next to the DMZ interface. In this example, we have renamed the interface using the name DMZ. We will put a checkmark into that checkbox. Note the Network Interfaces Information that appears in the lower part of the dialog box. Click OK.


Figure 4

  1. Click Next on the Network Addresses page.


Figure 5

  1. Click Finish on the Completing the New Network Wizard page.
  2. The new Network appears in the list of Networks on the Networks tab.


Figure 6

Note that in the example discussed in this article, we do not need to create a Network Rule defining the route relationship between the DMZ and the Internal Network. The reason for this is that DHCP messages are communicated either to or from the ISA firewall itself, not from the DMZ Network to the Internal Network. If you want hosts on the DMZ and Internal Network to communicate with each other directly, then you’ll need to create a Network Rule to connect the Networks.

Have Questions about the article?
Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=26;t=000383

Get the New Book!

Creating the Access Rules required to allow the DHCP communications

The figure below shows the DHCP Access Rules required to allow VPN clients to obtain DHCP options from the DHCP server on the Default Internal Network. DHCP requests must be allowed from the VPN Clients Network to the Local Host Network, which is where the DHCP Relay Agent is located. DHCP replies must be allowed from the Internal Network to the VPN Clients Network. Note that the VPN clients do not obtain responses from the DHCP server for their DHCPDISCOVER requests, as the RRAS server provides the VPN clients their IP addressing information via IPCP (Internet Protocol Control Protocol).


Figure 7

The figure below shows the Access Rules required allowing the hosts on the DMZ internal Network access to the DHCP server. As you can see, the requirements are a bit different. DHCP requests must be allowed from Anywhere, since there will be DHCP clients that do not have IP addresses (such as 0.0.0.0) to the Local Host Network, where the DHCP Relay Agent is located. DHCP replies must be allowed from the Local Host Network to the DMZ Network (which is the second internal network in this example).


Figure 8

We can combine these policies by creating the rules seen in the figure below.


Figure 9

The first rule allows DHCP replies from the Default Internal Network and Local Host Network to the DMZ Network and the VPN Clients Network. The second rule allows DHCP requests from Anywhere to the Local Host Network (which is where the DHCP Relay Agent is located).

If you have already create the VPN policy, then you just need to reconfigure your existing rules to support the DHCP communications from the second internal network as seen in the figure above. However, if you’re not using the DHCP Relay Agent for your VPN clients, then you can create the two rules required for your DMZ or second internal network clients. Perform the following steps to create the first rule that allows DHCP Requests from the DMZ network:

  1. In the ISA firewall console, expand the server name and then click the Firewall Policy node.
  2. Click the Tasks tab in the Task Pane and click Create New Access Rule.
  3. In the Welcome to the New Access Rule Wizard page, enter the name of the rule. In this example we’ll name the rule DHCP Request (Anywhere to LH) and click Next.
  4. On the Rule Action page, select the Allow option and click Next.
  5. On the Protocols page, select the Selected protocols option from the This rule applies to list and click Add.
  6. In the Add Protocols dialog box, click the Infrastructure folder. Double click the DHCP (request) entry and click Close.
  7. Click Next on the Protocols page.
  8. Click Add on the Access Rule Sources page.
  9. In the Add Network Entities dialog box, click the Computers Sets folder. Double click the Anywhere entry and click Close.
  10. Click Next on the Access Rule Sources page.
  11. Click Add on the Access Rule Destinations page.
  12. In the Add Network Entities dialog box, click the Networks folder. Double click the Local Host entry and click Close.
  13. Click Next on the Access Rule Destinations page.
  14. Click Next on the User Sets page.
  15. Click Finish on the Completing the New Access Rule Wizard page.

Perform the following steps to create the Access Rule allows DHCP replies from the ISA firewall to the DMZ network:

  1. In the ISA firewall console, expand the server name and then click the Firewall Policy node.
  2. Click the Tasks tab in the Task Pane and click Create New Access Rule.
  3. In the Welcome to the New Access Rule Wizard page, enter the name of the rule. In this example we’ll name the rule DHCP Reply (LH to DMZ) and click Next.
  4. On the Rule Action page, select the Allow option and click Next.
  5. On the Protocols page, select the Selected protocols option from the This rule applies to list and click Add.
  6. In the Add Protocols dialog box, click the Infrastructure folder. Double click the DHCP (reply) entry and click Close.
  7. Click Next on the Protocols page.
  8. Click Add on the Access Rule Sources page.
  9. In the Add Network Entities dialog box, click the Networks folder. Double click the Local Host entry and click Close.
  10. Click Next on the Access Rule Sources page.
  11. Click Add on the Access Rule Destinations page.
  12. In the Add Network Entities dialog box, click the Networks folder. Double click the DMZ entry and click Close.
  13. Click Next on the Access Rule Destinations page.
  14. Click Next on the User Sets page.
  15. Click Finish on the Completing the New Access Rule Wizard page.

Get the New Book!

Have Questions about the article?
Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=26;t=000383

Test the configuration

Now we can test the configuration. On a client in the DMZ network (or additional internal Network), either configure the machine to be a DHCP client, or if the machine is already a DHCP client, then open a command prompt and enter the command ipconfig /release and then after that command completes, enter ipconfig /renew. After issuing the /renew command, you’ll see in Network Monitor the DHCP Discover, Offer, Request and ACK messages, as seen in the fire below.


Figure 10

The figure below shows what you’ll see in the ISA firewall’s log viewer.


Figure 11

The first line shows the DHCP request issued by the DHCP relay agent to the DHCP server on the internal network. Notice the name of the rule that allowed the request: Allow DHCP request from ISA Server to all networks. We didn’t create that rule because that rule is part of the default System Policy on the ISA firewall.

The second line shows the response from the DHCP server sent to the DHCP Relay Agent. The rule allowing this communication is the DHCP Request (Anywhere to LH) allowed this connection.

The third lines shows the DHCP replay forwarded from the DHCP Relay Agent to the DHCP client on the DMZ network. What’s interesting about these log entries is that they don’t appear to record all four communications: the DHCP discover from the client to the local network broadcast address (255.255.255.255), the DHCP offer from the DHCP server (which would be sent from the DHCP server to the DHCP Relay Agent), the DHCP request from the DMZ client to the DHCP server (indicating that the DHCP client is accepting the address), and the DHCP ACK from the DHCP server indicating acknowledgement of acceptance of the offer.

If you open a command prompt and issue the ipconfig command, you’ll see the basic IP addressing information, including the DHCP options. In the example in the figure below the primary domain name was assigned via a DHCP options and appears as the Connection-specific DNS Suffix.


Figure 12

Get the New Book!

Have Questions about the article?
Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=26;t=000383

Summary

In this article we followed up on our previous article on how to configure a DHCP Relay Agent on the ISA firewall to support VPN clients. In this article we moved the focus of the DHCP Relay Agent to hosts on non-VPN Networks, such as DMZ Networks and additional internal Networks. We went through configuration of the required Access Rules and then tested the configuration. In the next installment of our DHCP Relay Series, we’ll talk about how to install the DHCP server on the ISA firewall and how to make the DHCP Relay Agent work with an on-box DHCP server. See you then!

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top