Re: Any Way to Pass DHCP From Internal to Perimeter?
- From: "ZVR" <nospamever@xxxxxx>
- Date: Sat, 24 Sep 2005 09:30:41 -0400
You are guessing wrong for two reasons:

1) If you create an additional perimeter network in ISA as you intend, it has to be on a totally different subnet than your internal LAN; otherwise IT WON'T BE a separate network. You cannot have an "external" (DMZ) network using addresses from the same IP subnet as the LAN.

2) Regardless of the above, DHCP operations are confined to the "physical" subnet where the DHCP server resides. In order to make broadcast DHCP queries travel from a given subnet to the one where the DHCP server is, you have to install and configure the DHCP relay service on a machine in the first subnet (your LAN in your case), which will relay all the queries to the DHCP server on the other network segment. You could for example install the DHCP relay service on your ISA server itself; then of course you will have to configure the firewall rules to allow the required traffic to flow. Remember that in this scenario the ISA server acts as both a DHCP server (for the machines in the LAN) and a DHCP client (to the DHCP server on your AD controller). You will therefore need the following:
- in the system policy you need to enable the Network Services/DHCP node and specify the domain controller's subnet as the "source" in the From tab
- for running the DHCP relay service (which behaves like a DHCP server to clients in the Internal subnet) on the ISA computer, you can refer to the following articles:
Configuring the DHCP Relay Agent on ISA Server 2004
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/isadhcprelay.mspx
Configuring the ISA Server computer as a DHCP server:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/isaondhcpserver.mspx
Virgil
"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:%236Nm5JMwFHA.3188@xxxxxxxxxxxxxxxxxxxxxxx
> We want to put our Active Directory server on a perimeter network in order
> to restrict access from rogue machines on the Internal network.
> Unfortunately, the Active Directory server also runs DHCP. How can you
> configure ISA Server so that DHCP broadcasts (requests) on the Internal
> network will pass through ISA to the Active Directory server?
>
> I'm guessing that you could subclass a single Class C network and have the
> Active Directory servers occupy a small address space within the same Class
> C used by your Internal network. But could you configure ISA to allow
> DHCP Broadcasts from the Internal network to pass to the subclass where the
> Active Directory servers reside?
>
> What other rules would be required? Probably you would need a separate
> rule to allow the DHCP replies to travel from Active Directory to the Internal
> network?
>
> If anyone has an example of this configuration I would like to see it.
>
> --
> Will
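The broadcast-confinement and relay mechanics described in the reply above, as an added example that is not part of the original post and not ISA Server code: a small Python model of a DHCP relay agent following RFC 2131. The relay stamps its LAN-side address into the giaddr field and unicasts the request to the server on the other segment; the server picks the scope from giaddr and sends the OFFER back to the relay, which rebroadcasts it to the client. All addresses, scopes and the client MAC are constructed sample values, and the flow list returned by simulate() is what a firewall sitting between the two segments would have to permit.

```python
"""Added example (not from the original post, not ISA Server code): a minimal
model of why DHCP needs a relay agent to cross subnets, following RFC 2131.
Addresses, scopes and the client MAC below are constructed sample values."""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER = 1, 2
MAGIC = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s"        # fixed BOOTP header up to chaddr (44 bytes)


def packed(ip):
    return ipaddress.IPv4Address(ip).packed


def build_dhcp(op, xid, chaddr, giaddr="0.0.0.0", yiaddr="0.0.0.0", msg_type=DISCOVER):
    """Encode a DHCP message with the broadcast flag set and only option 53."""
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000, packed("0.0.0.0"),
                      packed(yiaddr), packed("0.0.0.0"), packed(giaddr),
                      chaddr.ljust(16, b"\x00"))
    return hdr + b"\x00" * 192 + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(pkt):
    """Decode the header fields and the options this example cares about."""
    f = struct.unpack(HDR, pkt[:44])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                    # pad option
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "hops": f[3], "xid": f[4], "chaddr": f[11],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "msg_type": opts.get(53, b"\x00")[0]}


def relay_forward(pkt, relay_lan_ip):
    """Relay agent on the client's subnet: stamp its LAN-side address into
    giaddr (unless an earlier relay already did), increment hops, and send
    the result as unicast UDP/67 to the server on the other segment."""
    f = parse_dhcp(pkt)
    if f["giaddr"] == "0.0.0.0":
        pkt = pkt[:24] + packed(relay_lan_ip) + pkt[28:]   # giaddr is bytes 24..27
    return pkt[:3] + bytes([f["hops"] + 1]) + pkt[4:]


def server_handle(pkt, server_ip, scopes):
    """DHCP server: pick the scope from giaddr (the relayed client's subnet),
    falling back to its own interface subnet for directly attached clients.
    Returns the OFFER and its destination: the relay on UDP/67 when giaddr
    is set, otherwise a broadcast on the local segment."""
    f = parse_dhcp(pkt)
    relayed = f["giaddr"] != "0.0.0.0"
    anchor = ipaddress.IPv4Address(f["giaddr"] if relayed else server_ip)
    net = next(n for n in scopes if anchor in n)
    offered = scopes[net].pop(0)
    reply = build_dhcp(BOOTREPLY, f["xid"], f["chaddr"], giaddr=f["giaddr"],
                       yiaddr=offered, msg_type=OFFER)
    return reply, (f["giaddr"] if relayed else "255.255.255.255")


def make_scopes():
    """Constructed sample layout: LAN 192.168.1.0/24 behind the relay, the
    AD/DHCP server on perimeter segment 10.0.0.0/24, one scope for each."""
    return {ipaddress.ip_network("192.168.1.0/24"): ["192.168.1.50"],
            ipaddress.ip_network("10.0.0.0/24"): ["10.0.0.50"]}


def simulate(relay_lan_ip, server_ip, scopes, chaddr=b"\x00\x11\x22\x33\x44\x55"):
    """Run DISCOVER -> relay -> server -> OFFER -> relay -> client; return the
    offered address and the flows a firewall between the segments must permit."""
    discover = build_dhcp(BOOTREQUEST, 0x1234, chaddr)          # LAN broadcast
    flows = [("0.0.0.0", "255.255.255.255", 67, "DISCOVER (stays on LAN)")]
    to_server = relay_forward(discover, relay_lan_ip)
    flows.append((relay_lan_ip, server_ip, 67, "relayed DISCOVER"))
    offer, dest = server_handle(to_server, server_ip, scopes)
    flows.append((server_ip, dest, 67, "OFFER back to relay"))
    f = parse_dhcp(offer)
    assert f["op"] == BOOTREPLY and f["xid"] == 0x1234 and f["chaddr"][:6] == chaddr
    flows.append((relay_lan_ip, "255.255.255.255", 68, "OFFER rebroadcast to client"))
    return f["yiaddr"], flows


if __name__ == "__main__":
    addr, flows = simulate("192.168.1.1", "10.0.0.10", make_scopes())
    print("client offered", addr)
    for src, dst, port, what in flows:
        print(f"{src:>15} -> {dst:<15} udp/{port}  {what}")
```

The second flow in the list (relay LAN address to server, UDP/67) and the third (server back to the relay, UDP/67) are the only two that cross between segments, which is why the reply above says the firewall rules on the ISA box must allow DHCP between the LAN-side relay address and the domain controller's subnet; the DISCOVER broadcast itself never leaves the LAN.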