How to configure the Microsoft DHCP server for use with the Symantec DHCP Enforcer

Article:TECH102475  |  Created: 2007-01-12  |  Updated: 2008-01-17  |  Article URL http://www.symantec.com/docs/TECH102475
Article Type
Technical Solution


Issue



How to configure the Microsoft DHCP server for use with the Symantec Integrated DHCP Enforcer.
These steps are applicable also if you are using the DHCP Enforcer appliance and would like to use the same DHCP server for both the Normal and Quarantine scopes.


Solution



The general steps to follow are outlined in the product documentation for Symantec Endpoint Protection 11.0 (SEP11) or Symantec Enterprise Protection 5.1 (SEP5). The process is also illustrated in detail using screenshots below.
    For Symantec Endpoint Protection 5.1 see:
      • "SSEP_5_1_Integrated_Enforcer_for_Microsoft_DHCP_Servers.pdf", page 16+
      • "SSEP_5_1_Enforcer_Installation_and_Administration_Guide.pdf", page 45+.
    For Symantec Endpoint Protection 11.0 see:
      • "Enforcer_Implementation_Guide.pdf", page 235+.

Note: For the SEP11 version of the Integrated DHCP Enforcer many of the steps below can be performed automatically by the Enforcer software. The "Automatic Quarantine Configuration" feature in the Enforcer GUI can be used instead of manually configuring the User Class and Static Routes on the DHCP server as outlined below.



The following steps assume that you already have a working DHCP setup, with the standard scope options configured on the DHCP server.

First, a separate User Class with the SYGATE_ENF tag needs to be defined in the DHCP server. This is done by right-clicking on the server in the DHCP management tool.
(SYGATE_ENF is a tag the Enforcer adds to the DHCP requests from client machines, to let the DHCP server know when to assign quarantine addresses)



Add a new DHCP User Class in the dialog, and type in SYGATE_ENF (case sensitive) in the ASCII part of the New Class dialog. You can give the new class any name you want.
(When using Automatic Quarantine Configuration in SEP11 the default name for the user class is SNAC_QUARANTINE - the ASCII string is SYGATE_ENF for both products)



Once the User Class is set up you can Configure Options for the scope.



The new User Class you defined will be available in the drop-down list on the Advanced tab.




The specific scope options you need to configure for your new user class are
  • Router (Option 003) - fill in IP address 127.0.0.1
  • Lease (Option 051) - fill in an interval of 120 seconds (78 in hexadecimal)
  • Static Routes, entered as either of the following:
    • Static Route (Option 033)
    • Classless Static Route (Option 249)

Filling in the Router Option...


(A Gateway IP address of 127.0.0.1 is given to clients when in the quarantine. This, combined with a Subnet Mask of 255.255.255.255 (given automatically by the Integrated DHCP Enforcer), fully isolates the client on the network.)

Filling in the Lease option...


(A short Lease ensures the client will not stay in the quarantine needlessly long after the machine has been remediated and is ready to be let on the network.)


Static Routes need to be configured for:
  • The Policy Manager Server
  • The DHCP Server
  • The DHCP Enforcer Internal and External NIC (not needed if using the Integrated Enforcer)
  • Any remediation servers that need to be accessible from the quarantine

You can configure the Static Routes using either Option 033 (Static Route) or Option 249 (Classless Static Route). Option 249 does not work on Windows 2000 and earlier (see the knowledge base document "Problem configuring static routes for Windows 2000 clients when using the Symantec DHCP Enforcer").

Option 033 (Static Route) is configured like this. You enter the IP address first, then the Route to the machine (the Gateway IP address, or if in the same subnet you can also just enter the same IP address twice).
Repeat the steps for each of the servers listed above.



Option 249 (Classless Static Route) is configured like this. You enter the IP address first, then the Mask and the Route to the machine (the Gateway IP address, or if in the same subnet you can also just enter the same IP address again).
Repeat the steps for each of the servers listed above.


(The Static Routes allow the client to contact the needed servers even when isolated in the quarantine network configuration.)


The final DHCP server configuration should look something like this:




On the client side, verify with ipconfig /all that you are given the correct network configuration both when failing and passing Host Integrity.


The Default Gateway should be blank when in the quarantine, and the lease time should be short.
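
The client-side check above can be scripted. The following is an added example, not part of the original article or of any Symantec tool: it parses saved ipconfig /all output and reports whether the adapter shows the quarantine profile described on this page (blank Default Gateway, Subnet Mask 255.255.255.255, lease of 120 seconds or less). The sample output, the addresses, the function names and the English-locale date format are assumptions.

```python
import re
from datetime import datetime

# Constructed `ipconfig /all` excerpts (English locale); addresses and times are made up.
QUARANTINED = """\
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.10.57
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   Lease Obtained. . . . . . . . . . : Friday, January 12, 2007 10:15:02 AM
   Lease Expires . . . . . . . . . . : Friday, January 12, 2007 10:17:02 AM
"""
NORMAL = """\
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.10.57
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   Lease Obtained. . . . . . . . . . : Friday, January 12, 2007 10:20:00 AM
   Lease Expires . . . . . . . . . . : Saturday, January 20, 2007 10:20:00 AM
"""

# "Label . . . : value" lines; the first colon after the dot leader separates them.
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?)[ .]*:[ \t]*(.*?)[ \t]*$", re.M)
TIME_FMT = "%A, %B %d, %Y %I:%M:%S %p"  # assumed English-locale format

def parse_fields(text):
    return {key: value for key, value in FIELD.findall(text)}

def lease_seconds(fields):
    """Lease length in seconds, from the obtained/expires timestamps."""
    start = datetime.strptime(fields["Lease Obtained"], TIME_FMT)
    end = datetime.strptime(fields["Lease Expires"], TIME_FMT)
    return int((end - start).total_seconds())

def classify(text, quarantine_lease=120):
    """Return (state, checks); state is quarantine, normal or inconsistent."""
    fields = parse_fields(text)
    checks = {
        "gateway_blank": fields.get("Default Gateway", "") == "",
        "host_mask": fields.get("Subnet Mask") == "255.255.255.255",
        "short_lease": lease_seconds(fields) <= quarantine_lease,
    }
    if all(checks.values()):
        return "quarantine", checks
    if not any(checks.values()):
        return "normal", checks
    return "inconsistent", checks  # partial isolation: recheck the scope options

if __name__ == "__main__":
    print(classify(QUARANTINED)[0], classify(NORMAL)[0])
```

An "inconsistent" result means only some of the quarantine properties are present, which points at a scope option (Router or Lease) that was not set for the SYGATE_ENF user class.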







Legacy ID



2007091212133148

