Wednesday, March 31, 2010

Misc 18

Now suppose that we switch the relay router with a Windows 2008 server, like this:

The first question is, can Windows 2008 server actually act as a DHCP relay agent? That is definitely a YES. However, unlike what most might think, DHCP relaying is NOT a feature of the DHCP role at all.

Think of it this way: if you want your Windows Server to route packets like a router, only one role can do that. Depending on your version, you need to install Routing and Remote Access (on 2003) or Network Policy and Access Services (on 2008). Features like NAT, RIP, DHCP relaying and IGMP are all found in RRAS/NPAS.

I will now walk you through the installation of NPAS on Windows 2008. I'll assume that your server is already joined to the Active Directory domain (this is not important for DHCP relaying, but will come into play when we go into NPS and PPTP VPN later on).

Now I'll begin with a clean installation with ADDS enabled (you can also join another domain; you need not be the domain controller). The first thing to do is to set up the network connections. I'm currently on the W2K8 server depicted in the topology, so I have these two interfaces:

Outside -
Inside -

The DNS for both is set to

Now we'll need to set up NPAS. Simply select this role and click next.

Now we'll need to install NPS and RRAS. Even if you don't select NPS, it will be installed automatically after RRAS is set up (without notifying you).

After installing, browse over to the RRAS console from Administrative Tools.

Now you'll have to enable the service. To do this, right click on your computer name and select Configure and Enable RRAS.

If you need access lists automatically set up for you to block non-VPN traffic, select VPN. If you still want to allow normal traffic to go through, select Custom Configuration. In this case, we want something simple so we'll select Custom Configuration.

At this screen, select VPN and LAN routing:

At this point your server should route packets through from 192.168.1.x to 172.16.1.x. It was not possible previously to ping from 192.168.1.x. Now add a new interface to the relay agent list. This interface is the one that will relay DHCP requests (in other words, the interface on which clients send their requests).

Note that upon setting up your RRAS service, you may suddenly see a chunk of addresses leased from the inside interface. Do not worry; this is not a bug. It is due to the RRAS server pre-leasing IP addresses for assignment to VPN users. This behavior only applies to the VPN agent; the normal DHCP Relay Agent relays requests as usual. Now you will need to add the Relay Agent listener to the outside interface as shown:

Finally you'll have to populate the DHCP list. Press OK and go to the relay agent's properties:

Add in the IP address of your DHCP server here. Now you're done!
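To make clear what the relay agent you just configured actually does with a client's broadcast, here is an added example (not part of this post, and not RRAS code) that builds a minimal DHCP DISCOVER and applies the relay step: the agent fills in the giaddr field with its listener interface address, bumps the hop count, and unicasts the request to the DHCP server you entered above. The addresses 192.168.1.1 (relay's outside interface) and 172.16.1.10 (DHCP server) are constructed for the topology in this post, and the hop-count threshold of 4 matches the RRAS relay agent's default.

```python
import socket
import struct

# Constructed addresses for this post's topology (assumptions, not from the post):
# clients broadcast on 192.168.1.x, the DHCP server sits on 172.16.1.x.
RELAY_OUTSIDE_IP = "192.168.1.1"   # listener interface added to the relay agent
DHCP_SERVER_IP = "172.16.1.10"     # address entered in the relay agent's properties
DHCP_SERVER_PORT = 67
MAX_HOPS = 4                       # RRAS default hop-count threshold

def build_discover(client_mac, xid=0x1234):
    """Minimal BOOTP/DHCP DISCOVER as a client broadcasts it:
    op=1 (BOOTREQUEST), htype=1, hlen=6, hops=0, broadcast flag set,
    all four address fields zero, then the magic cookie and option 53=1."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"

def relay(packet, relay_ip=RELAY_OUTSIDE_IP, server_ip=DHCP_SERVER_IP,
          max_hops=MAX_HOPS):
    """What the relay agent does with a request heard on its listener interface.
    Returns (forwarded_packet, (dst_ip, dst_port)), or None if it is dropped."""
    op, hops = packet[0], packet[3]
    if op != 1:
        return None            # only BOOTREQUESTs are relayed towards the server
    if hops >= max_hops:
        return None            # hop-count threshold: stops relay loops
    giaddr = packet[24:28]
    if giaddr == b"\0" * 4:
        # First relay on the path: record our interface address so the server
        # selects a scope for 192.168.1.0/24 and knows where to unicast the reply.
        giaddr = socket.inet_aton(relay_ip)
    out = packet[:3] + bytes([hops + 1]) + packet[4:24] + giaddr + packet[28:]
    return out, (server_ip, DHCP_SERVER_PORT)

def giaddr_of(packet):
    """Dotted-quad view of the gateway (relay) address field."""
    return socket.inet_ntoa(packet[24:28])
```

The giaddr value is also why a scope for the client subnet must exist on the DHCP server: the server matches it against its scopes to pick the lease.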

In the next article I'm going to talk about enabling PPTP VPN connectivity. By going through this article, you're already 80% done, so the next article is going to be short.
