DHCP behind a firewall

Hello,

I am planning to deploy a ISA Server to seperate in different subnets my
clients and my servers. The problem occurs is for DHCP. DHCP will be in my
server group and will be in a different subnet then clients. I am wondering
if there is a way for ISA to publish a DHCP server that will be handing it's
addresses to a seperate subnet?

G.

You can't use it for that. It is a Proxy/Firewall designed to sit that the
"network edge" where it meets the Internet or DMZ. You can not use it like
a LAN router between LAN segments and expect the LAN to function.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"George Spiro" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Hello,
>
> I am planning to deploy a ISA Server to seperate in different subnets my
> clients and my servers. The problem occurs is for DHCP. DHCP will be in my
> server group and will be in a different subnet then clients. I am
wondering
> if there is a way for ISA to publish a DHCP server that will be handing
it's
> addresses to a seperate subnet?
>
> G.
>
>

I am sure it is possible to configure some of the ISA servers to respond the
way you are asking, but it was not the way subnets are designed to work and
would make administration a nightmare.

How about a suggestion? if you are working with subnets you will need some
sort of router so that the different subnets will recognize one another.
Most routers will do DHCP, so without any additional HW cost you can make
the routers do your dirty work
-> If you are doing Windows Domain Authentication, I am fairly sure you will
need a Windows server on each Subnet, It will be easier to manage if you use
DHCP on the subnet servers.

I hope this helps,
and If I am wrong on the details, PSS, please feel free to correct me.

David Bock
"George Spiro" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Hello,
>
> I am planning to deploy a ISA Server to seperate in different subnets my
> clients and my servers. The problem occurs is for DHCP. DHCP will be in my
> server group and will be in a different subnet then clients. I am
wondering
> if there is a way for ISA to publish a DHCP server that will be handing
it's
> addresses to a seperate subnet?
>
> G.
>
>

Crazy setup......but that's your choice....

Anyway, what you're trying to do is doable....

Julian Dragut

No matter how crazy it sounds, I'm always up for a challenge!!!!!


"George Spiro" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Hello,
>
> I am planning to deploy a ISA Server to seperate in different subnets my
> clients and my servers. The problem occurs is for DHCP. DHCP will be in my
> server group and will be in a different subnet then clients. I am
> wondering if there is a way for ISA to publish a DHCP server that will be
> handing it's addresses to a seperate subnet?
>
> G.
>

Yes.
1. Install RRAS as a LAN router (no NAT)
2. Add the DHCP Relay Agent to the IP Routing protocols list
3. Create an Access rule allowing DHCP Request and DHCP Reply from "All protected Networks" to "All Protected Networks"

--
--
Jim Harrison [ISA SE]
Read the help, books and articles!

This posting is provided "AS IS" with no warranties, and confers no rights.

"George Spiro" <(E-Mail Removed)> wrote in message news:%(E-Mail Removed)...
Hello,

I am planning to deploy a ISA Server to seperate in different subnets my
clients and my servers. The problem occurs is for DHCP. DHCP will be in my
server group and will be in a different subnet then clients. I am wondering
if there is a way for ISA to publish a DHCP server that will be handing it's
addresses to a seperate subnet?

G.

You see my goal is to Firewall my users from all my servers that is why I am
doing this.

Do you see this has a good solution or do you think that it will be a
administration nightmare for me if I do this?

G.
"Jim Harrison (MSFT)" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Yes.
> 1. Install RRAS as a LAN router (no NAT)
> 2. Add the DHCP Relay Agent to the IP Routing protocols list
> 3. Create an Access rule allowing DHCP Request and DHCP Reply from "All
> protected Networks" to "All Protected Networks"
>
> --
> --
> Jim Harrison [ISA SE]
> Read the help, books and articles!
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "George Spiro" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
> Hello,
>
> I am planning to deploy a ISA Server to seperate in different subnets my
> clients and my servers. The problem occurs is for DHCP. DHCP will be in my
> server group and will be in a different subnet then clients. I am
> wondering
> if there is a way for ISA to publish a DHCP server that will be handing
> it's
> addresses to a seperate subnet?
>
> G.
>
>
>

First of all a Firewall is a layer 3 device so it can route traffic.

"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> You can't use it for that. It is a Proxy/Firewall designed to sit that the
> "network edge" where it meets the Internet or DMZ. You can not use it
> like
> a LAN router between LAN segments and expect the LAN to function.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
> "George Spiro" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>> Hello,
>>
>> I am planning to deploy a ISA Server to seperate in different subnets my
>> clients and my servers. The problem occurs is for DHCP. DHCP will be in
>> my
>> server group and will be in a different subnet then clients. I am
> wondering
>> if there is a way for ISA to publish a DHCP server that will be handing
> it's
>> addresses to a seperate subnet?
>>
>> G.
>>
>>
>
>

I agree with you regarding this, but you see my main need is to Firewall my
users. I want all my users to go through a Firewall so I could track them
much easier. (BIGBROTHER) and secure my servers against internal attacks.

G.

"David Bock" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
>I am sure it is possible to configure some of the ISA servers to respond
>the
> way you are asking, but it was not the way subnets are designed to work
> and
> would make administration a nightmare.
>
> How about a suggestion? if you are working with subnets you will need some
> sort of router so that the different subnets will recognize one another.
> Most routers will do DHCP, so without any additional HW cost you can make
> the routers do your dirty work
> -> If you are doing Windows Domain Authentication, I am fairly sure you
> will
> need a Windows server on each Subnet, It will be easier to manage if you
> use
> DHCP on the subnet servers.
>
> I hope this helps,
> and If I am wrong on the details, PSS, please feel free to correct me.
>
> David Bock
> "George Spiro" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>> Hello,
>>
>> I am planning to deploy a ISA Server to seperate in different subnets my
>> clients and my servers. The problem occurs is for DHCP. DHCP will be in
>> my
>> server group and will be in a different subnet then clients. I am
> wondering
>> if there is a way for ISA to publish a DHCP server that will be handing
> it's
>> addresses to a seperate subnet?
>>
>> G.
>>
>>
>
>

Few running a corporate network use firewall to route subnets. Use a router
or layer-3 switch for that.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights

I agree but at this moment I am looking to FW my users from my core systems.
That is why I am using a Firewall. Do you see a problem with this? I would
like to get some input in this....

G.


"Todd J Heron" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Few running a corporate network use firewall to route subnets. Use a
> router
> or layer-3 switch for that.
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
> ----------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights
>