DHCP and ISA Server

I have a pretty simple question I was wondering if I can have DHCP hand out
private ip address based on domain name? The reason is that there are a set
of class ip address that we use here to that I would like them to use the
Proxy Server on ISA. This way I can restrict them from access the internet.
These computer are on a manufacturing domain that we have here and I just
though that if I could restrict them then Websense can handle all the other
business users on the business domains. Both of these domain are on a
completely different forest with two way trust between them. So it the DHCP
server can hand out 10.0.x.x address for manufacturing domain I think we
would be in good shape. TIA.

"WooYing" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I have a pretty simple question I was wondering if I can have DHCP hand out
>private ip address based on domain name?

No. There is no security in DHCP for such things. DHCP is neither
OS, nor domain, or pretty much anything else aware except where
on the network the client is located (broadcast domain) and IF YOU
set it manually "Reservations by MAC" address.

> The reason is that there are a set of class ip address that we use here to
> that I would like them to use the Proxy Server on ISA. This way I can
> restrict them from access the internet.

You can set CLASSID to give different settings (but you need to do this
on each machine) and setup a ClassID on the DHCP server.

But there are easier ways, just block all Internet access that doesn't go
through
your ISA.

Are you saying you have multiple domains (not in the same forest/trust
relationship)
which use DIFFERENT ISA servers?

> These computer are on a manufacturing domain that we have here and I just
> though that if I could restrict them then Websense can handle all the
> other business users on the business domains. Both of these domain are on
> a completely different forest with two way trust between them.

Then ISA can grant and deny access based on User acocunt (groups are better
but you get the idea.)

> So it the DHCP server can hand out 10.0.x.x address for manufacturing
> domain I think we would be in good shape. TIA.

No, not unless they are in different broadcast domains and receive a
different scope.


--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)

Herb thanks for your input, the idea of setting groups might be a good way
to go. Since these two domain are on different forest which might be able
to help me out. For our business users we are using Websense to block and
filter out web content. One thing I am wondering is if I create a group for
the business users and I add them to ISA and set them to no restrictions and
let Websense handle the content but use the ISA as a Web Cache Server if
that would work out? Thanks again for your input


"Herb Martin" <(E-Mail Removed)> wrote in message
news:%23UUMO%(E-Mail Removed)...
>
> "WooYing" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>>I have a pretty simple question I was wondering if I can have DHCP hand
>>out private ip address based on domain name?
>
> No. There is no security in DHCP for such things. DHCP is neither
> OS, nor domain, or pretty much anything else aware except where
> on the network the client is located (broadcast domain) and IF YOU
> set it manually "Reservations by MAC" address.
>
>> The reason is that there are a set of class ip address that we use here
>> to that I would like them to use the Proxy Server on ISA. This way I can
>> restrict them from access the internet.
>
> You can set CLASSID to give different settings (but you need to do this
> on each machine) and setup a ClassID on the DHCP server.
>
> But there are easier ways, just block all Internet access that doesn't go
> through
> your ISA.
>
> Are you saying you have multiple domains (not in the same forest/trust
> relationship)
> which use DIFFERENT ISA servers?
>
>> These computer are on a manufacturing domain that we have here and I just
>> though that if I could restrict them then Websense can handle all the
>> other business users on the business domains. Both of these domain are
>> on a completely different forest with two way trust between them.
>
> Then ISA can grant and deny access based on User acocunt (groups are
> better
> but you get the idea.)
>
>> So it the DHCP server can hand out 10.0.x.x address for manufacturing
>> domain I think we would be in good shape. TIA.
>
> No, not unless they are in different broadcast domains and receive a
> different scope.
>
>
> --
> Herb Martin, MCSE, MVP
> http://www.LearnQuick.Com
> (phone on web site)
>

"WooYing" <(E-Mail Removed)> wrote in message
news:O6D$(E-Mail Removed)...
> Herb thanks for your input, the idea of setting groups might be a good way
> to go.

Groups would be with ISA.

[DHCP doesn't use "Groups". ClassIDs are not groups.]


> Since these two domain are on different forest which might be able to help
> me out. For our business users we are using Websense to block and filter
> out web content. One thing I am wondering is if I create a group for the
> business users and I add them to ISA and set them to no restrictions and
> let Websense handle the content but use the ISA as a Web Cache Server if
> that would work out? Thanks again for your input

I don't know precisely what websense does, nor how it would cooperate or
interfere (if either) with ISA.


--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)

"WooYing" <(E-Mail Removed)> schrieb im Newsbeitrag
news:(E-Mail Removed)...
>I have a pretty simple question I was wondering if I can have DHCP hand out
>private ip address based on domain name? The reason is that there are a
>set of class ip address that we use here to that I would like them to use
>the Proxy Server on ISA. This way I can restrict them from access the
>internet. These computer are on a manufacturing domain that we have here
>and I just though that if I could restrict them then Websense can handle
>all the other business users on the business domains. Both of these domain
>are on a completely different forest with two way trust between them. So
>it the DHCP server can hand out 10.0.x.x address for manufacturing domain I
>think we would be in good shape. TIA.
>

This really isn't a "pretty simple question". It is more like one of those "ye
know not what ye ask" things...:-)

Domains don't have IP#s. Domains are just an Administrative Tool.

IP Addresses and the breakdown of the subnets follows the physical cabling
structure, or the logical structure in the case of VLans.
So Domains and Trusts have absolutely nothing to do with it.

What you need is for the Manufacturing Equipment to be on it's own physical LAN
segment. Then you use a LAN Router (a real router, not a soho broadband box) and
set the LAN Router to forward DHCP Queries to a DHCP Server that can litterally
be anywhere on the LAN. The DHCP Server simply needs a separate, distinct,
independent Scope created for the LAN segment in Manufacturing.

Your LAN's routing of course needs to function properly. I cannot tell you
anything about that since I know nothing about the design of the LAN.

Then after that, and the manufacturing equipment all have their correct IP# for
their correct LAN segment (whether via DHCP or static doesn't matter), then you
create Access Rules on the ISA for what you want the IP segment to be allowed to
do. Then the ISA has to be aware of the "topology". Typically this means that
all (*all*) the LAN's IP Ranges are listed in ISA's Internal Network Definition
and the ISA has a static route added that tells it to use the correct LAN Router
as the "path" to get to any of the LAN's segments.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/e...epartners.mspx
-----------------------------------------------------


"Bodo Schulz" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> "WooYing" <(E-Mail Removed)> schrieb im Newsbeitrag
> news:(E-Mail Removed)...
>>I have a pretty simple question I was wondering if I can have DHCP hand out
>>private ip address based on domain name? The reason is that there are a set
>>of class ip address that we use here to that I would like them to use the
>>Proxy Server on ISA. This way I can restrict them from access the internet.
>>These computer are on a manufacturing domain that we have here and I just
>>though that if I could restrict them then Websense can handle all the other
>>business users on the business domains. Both of these domain are on a
>>completely different forest with two way trust between them. So it the DHCP
>>server can hand out 10.0.x.x address for manufacturing domain I think we would
>>be in good shape. TIA.
>>
>
>