Network Access Control

  • 1.  DHCP Enforcer interaction with Additional IP Forwarders

    Posted Jan 20, 2009 03:15 PM

    Greetings,

    We are currently reviewing implementation options for handling DHCP enforcement across a Wide Area Network. The question has arisen as to the placement requirements of the DHCP enforcer appliance in relation to a single Windows 2k3 DHCP server. Can the DHCP enforcer appliance correctly handle DHCP requests submitted by DHCP forwarders (in this case, routers at the far end of the WAN)? We are trying to minimize the number of enforcers placed on the network and are trying to determine if it is possible to funnel all DHCP traffic from various WAN points and forwarders into a single DHCP Enforcer appliance placed in front of the DHCP server.

    Thanks in advance



  • 2.  RE: DHCP Enforcer interaction with Additional IP Forwarders

    Posted Jan 20, 2009 08:40 PM

    If you are using MS DHCP, I suggest you use the DHCP Integrated Enforcer, which is software installed on your DHCP server. Then you don't need to overload one DHCP server.



  • 3.  RE: DHCP Enforcer interaction with Additional IP Forwarders

    Posted Jan 20, 2009 09:36 PM

    Hi Mandy,

    We were initially considering the software plug-in for enforcement, however there is a need to utilize SoDP as a component of the remediation strategy on the internal network. Based on current information, while the enablelegacysupport flag could potentially permit authentication between SoDP and the software plugin, the only currently documented (and fully supported) infrastructure enforcement mechanisms which authenticate SoDP are the hardware appliances (in Gateway or DHCP enforcement mode). As the client is currently supporting this infrastructure off the MS DHCP Server I had mentioned, I am not worried about adding much in the way of additional overhead beyond what it is currently tasked with today (or would be tasked with if the Plug-in were utilized). The driving factor is the interoperability (and support thereof) with SoDP.

    Thanks,

    Christian



  • 4.  RE: DHCP Enforcer interaction with Additional IP Forwarders

    Posted Jan 22, 2009 07:51 PM
    I don't see any problem having the DHCP appliance handle forwarded requests. So you should be OK with the DHCP appliance.