My company uses a Juniper SA2500 for SSL VPN. I have a question about allocating IP addresses to Network Connect using a DHCP server.

I have found that Network Connect can sucessfully use DHCP if the DHCP scope configured on the DHCP server is the same network that the SA2500 internal port belongs too.

EXAMPLE #1
-----------------
DHCP Server Scope: 2.2.2.10-20/24
SA2500 Network Connect Server IP Address: 2.2.2.3/24

DHCP server 1.1.1.2/24 <-> 1.1.1.1/24 Cisco Router 2.2.2.1/24 <-> 2.2.2.2/24 SA2500 Internal Port

The SA2500 internal port is in a different network to the DHCP server, so the Cisco Router does DHCP relay.

This scenario works, however I want to use a DHCP scope that is a different network to the SA2500 Internal Port.

EXAMPLE #2
-----------------
DHCP Server Scope: 3.3.3.10-20/24
DHCP server 1.1.1.2/24 <-> 1.1.1.1/24 Cisco Router 2.2.2.1/24 <-> 2.2.2.2/24 SA2500 Internal Port

The SA2500 does not have an interface in the network 3.3.3.0/24. I can not add this network as a Virtual Port of the Internal Port. So I cant set the Network Connect Server IP Address to an IP address in the network 3.3.3.0/24. Therefore the GIADDRESS in the relayed DHCP Request is the IP address of the Internal Port 2.2.2.2/24. The DHCP Server does not match this with a configured scope and can not allocate any IP address.

How can I configure the SA2500 to use a DHCP scope for Network Connect that is different to the Internal Port network? Note I must use a DHCP server, I do not want to use a local IP Address Pool on the SA2500.