
Migrate from IP Address Pool to DHCP Server for Network Connect


We are trying to move the assignment of IP addresses off of the SSL VPN appliance and onto an MS DHCP server. In the research I have done and an open support case, VLAN settings have to be configured when using an MS DHCP server, since the DHCP scope is on a different subnet from the internal interface of the SSL VPN.

The appliance is currently handing out a DHCP scope that is on a different subnet from the internal interface of the SSL VPN - which works.

Has anybody configured this successfully?


Re: Migrate from IP Address Pool to DHCP Server for Network Connect

I've not done it with MS DHCP server, but I have done it with ISC bind 9 on Linux.

My SA Network Connection Profile is defined like this:

DHCP Servers:

    10.30.126.77
    10.30.127.77

DHCP Options

    option   value       type
    224      discworld   string
    225      sslvpn      string

On my DHCP server I check for the value of these two variables and assign the appropriate values.

If you only have a single device that you need to do this for, you can get by with a single variable. I have two, so my two SAs (option 225) are sslvpn and sslvpn2, and the realms (option 224) allow me to assign a separate dhcp scope to each realm on each SA.

The ISC bind config is here:

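    # Custom options set in the SA Network Connect profile
    option ive-role code 224 = text;
    option ive-system code 225 = text;

    # Requests that do not identify themselves as coming from the SA
    class "local clients" {
        match if not (option vendor-class-identifier = "JNPR.IVE");
    }

    # Requests from SA "sslvpn" with option 224 set to "discworld"
    class "sslvpn datalink clients" {
        match if ((option vendor-class-identifier = "JNPR.IVE") and
                  (option ive-system = "sslvpn") and
                  (option ive-role = "discworld"));
    }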


I have a class defined for each realm+role combination. (the option values are arbitrary).

Actually, I use the vendor-class-identifier value to indicate that this is an SSLVPN user, otherwise, my dhcp server sends back an address based on the dhcp relay address.

This should give you an idea of what the SA is sending/can send, but I can't help you configure MS DHCP server.
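
Added example (not part of the original reply and not the poster's code): a Python decoder for the DHCP options field that applies the same class tests as the config above, so a captured request can be checked for what the SA actually sends before server-side rules are written. The sample requests are constructed, and the `CLASSES` map and the function names are assumptions.

```python
# Added example; option numbers and strings are the ones quoted in the reply.
VENDOR_CLASS, IVE_ROLE, IVE_SYSTEM = 60, 224, 225
PAD, END = 0, 255

# Assumed map: one (ive-system, ive-role) pair per dhcpd class, as in the reply.
CLASSES = {("sslvpn", "discworld"): "sslvpn datalink clients"}

def opt(code: int, text: str) -> bytes:
    """Build one option TLV; used only to construct sample input."""
    data = text.encode("ascii")
    return bytes([code, len(data)]) + data

def parse_options(raw: bytes) -> dict:
    """Decode a DHCP options field (bytes after the magic cookie) to {code: value}."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == END:
            break
        if code == PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option {code}: missing length byte")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        opts[code] = opts.get(code, b"") + value   # RFC 3396: join split options
        i += 2 + length
    return opts

def classify(raw: bytes):
    """Return the class name the request would fall into, or None if no class matches."""
    opts = parse_options(raw)
    if VENDOR_CLASS not in opts:
        return None              # dhcpd: comparing an absent option yields null, so no match
    if opts[VENDOR_CLASS] != b"JNPR.IVE":
        return "local clients"
    key = tuple(opts.get(c, b"").decode("ascii", "replace") for c in (IVE_SYSTEM, IVE_ROLE))
    return CLASSES.get(key)

# Constructed sample requests (DHCPDISCOVER, option 53 = 1), not captured traffic.
SA_REQUEST = b"\x35\x01\x01" + opt(60, "JNPR.IVE") + opt(224, "discworld") + opt(225, "sslvpn") + b"\xff"
LAN_REQUEST = b"\x35\x01\x01" + opt(60, "MSFT 5.0") + b"\xff"

if __name__ == "__main__":
    print(classify(SA_REQUEST), "|", classify(LAN_REQUEST))
```

A request that carries `JNPR.IVE` but an unlisted system or role pair returns `None`, which is the case to watch for when a second SA or realm is added without a matching class.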