My company uses a Juniper SA2500 for SSL VPN. I have a question about allocating IP addresses to Network Connect using a DHCP server.
I have found that Network Connect can successfully use DHCP if the DHCP scope configured on the DHCP server is the same network that the SA2500 internal port belongs to.
EXAMPLE #1
-----------------
DHCP Server Scope: 2.2.2.10-20/24
SA2500 Network Connect Server IP Address: 2.2.2.3/24
DHCP server 1.1.1.2/24 <-> 1.1.1.1/24 Cisco Router 2.2.2.1/24 <-> 2.2.2.2/24 SA2500 Internal Port
The SA2500 internal port is in a different network to the DHCP server, so the Cisco Router does DHCP relay.
This scenario works; however, I want to use a DHCP scope that is a different network to the SA2500 Internal Port.
EXAMPLE #2
-----------------
DHCP Server Scope: 3.3.3.10-20/24
DHCP server 1.1.1.2/24 <-> 1.1.1.1/24 Cisco Router 2.2.2.1/24 <-> 2.2.2.2/24 SA2500 Internal Port
The SA2500 does not have an interface in the network 3.3.3.0/24. I cannot add this network as a Virtual Port of the Internal Port. So I can't set the Network Connect Server IP Address to an IP address in the network 3.3.3.0/24. Therefore the GIADDR in the relayed DHCP Request is the IP address of the Internal Port 2.2.2.2/24. The DHCP Server does not match this with a configured scope and cannot allocate any IP address.
How can I configure the SA2500 to use a DHCP scope for Network Connect that is different to the Internal Port network? Note I must use a DHCP server, I do not want to use a local IP Address Pool on the SA2500.
You can use external pools, but you need to specify option 118 in the DHCP settings in the NC profile. Format is: <option number> <network-address for the ip-subnet> <type ip-address>.
Option 118 tells the DHCP server from which pool it should lease an IP.
E.g. if you specify network 10.1.1.0 for the option, the DHCP server looks for a pool from that network.
The option number might change depending on the server software; 118 is used in ISC DHCP.
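To make the difference concrete, here is an added Python model of the server-side scope selection the answer describes (RFC 3011 subnet selection). It is not from this thread or from Juniper; the scopes are the constructed ones from the question, and the option parser is a minimal TLV reader written for illustration.

```python
import ipaddress

# Constructed scopes mirroring the question: network -> (first, last) lease range
SCOPES = {
    ipaddress.ip_network("2.2.2.0/24"): ("2.2.2.10", "2.2.2.20"),
    ipaddress.ip_network("3.3.3.0/24"): ("3.3.3.10", "3.3.3.20"),
}
OPT_MSG_TYPE = 53
OPT_SUBNET_SELECTION = 118  # RFC 3011 Subnet Selection Option
OPT_END = 255

def parse_options(blob):
    """Parse the DHCP option TLVs that follow the magic cookie into {code: value}."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == 0:          # pad option has no length byte
            i += 1
            continue
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def select_scope(giaddr, options):
    """Choose the scope the way an RFC 3011-aware server does: option 118 names
    the subnet to lease from; without it, the relay's giaddr decides.
    Note the reply is still unicast to giaddr (the relay) in both cases."""
    if OPT_SUBNET_SELECTION in options:
        raw = options[OPT_SUBNET_SELECTION]
        if len(raw) != 4:      # malformed selector: ignore the request
            return None
        selector = ipaddress.ip_address(raw)
    else:
        selector = ipaddress.ip_address(giaddr)
    for net, pool in SCOPES.items():
        if selector in net:
            return str(net), pool
    return None                # no matching scope: nothing can be leased

def build_options(subnet_selector=None):
    """Constructed option blob: DHCPDISCOVER plus an optional option 118."""
    blob = bytes([OPT_MSG_TYPE, 1, 1])
    if subnet_selector:
        blob += bytes([OPT_SUBNET_SELECTION, 4])
        blob += ipaddress.ip_address(subnet_selector).packed
    return blob + bytes([OPT_END])
```

With giaddr 2.2.2.2 and no option 118 the request lands in the 2.2.2.0/24 scope (example #1); the same relayed request carrying option 118 = 3.3.3.0 selects the 3.3.3.0/24 scope (example #2).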