Solved

Need to enable DHCP relay on Forefront TMG Standard

Posted on 2011-02-22
5
5,408 Views
Last Modified: 2012-05-11
We have a multi-homed Forefront TMG server and we want to use DHCP to manage addresses in multiple subnets.  The process for enabling DHCP relay in ISA no longer works, as TMG disables RRAS.

I simply need to know how to enable DHCP relay on the TMG so that a server in our lab can get an IP from our internal DHCP server (the scope has been created on the DHCP server).
0
Comment
Question by:shawnsouthern
  • 2
  • 2
5 Comments
 
LVL 11

Accepted Solution

by:
Tasmant earned 500 total points
ID: 34960432
Not sure if it can be done as research on google says it doens't work.
You can try your own using:
http://www.isaserver.org/tutorials/2004dhcprelay.html

Then, you can enable VPN access to start the RRAS service (maybe)
Found this http://support.microsoft.com/kb/973572/en-us, which seems to help sometimes.

Else, don't have you a switch with the capacity to server as DHCP relay on your network?
0
 
LVL 1

Author Comment

by:shawnsouthern
ID: 34960482
I hadn't even thought of using the switch... I'll check that.  Thanks.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34961563
Switches are Layer2, not Layer3,...I,ve never seen a switch do that.
Now if you guys mean an L3 Switch,...then that is really a router,...and if you had one of those you should be using it to route between the two LAN Segment instead of using the TMG,...then enable the DHCP Helper feature on it and you're done.

The other big problem with that is this form of DHCP cannot be authorized in AD.

Do it right,...run DHCP on a Server OS that is a member of the Domain that is physically sitting in the correct subnet ,...then authorize the DHCP Service against AD like you are supposed to do.

Then DHCP will also keep DNS Dynamically updated like it is supposed to do.
0
 
LVL 1

Author Comment

by:shawnsouthern
ID: 34961675
The TMG routes between multiple subnets - our DMZ, internal, devices that need internet access but don't need to talk to our systems, etc.

We could simply assign static IPs to those devices, but I'd rather do it properly and manage our IPs through DHCP.

Our switches are L3, however we only use L2 vlans as we want the added protection, logging, etc of the TMG to handle the routing.  We carefully control & log all network traffic on our infrastructure, and TMG is an important part of that.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34961805
TMG is a lousy "LAN Router",...there is no "added protection" by the TMG that the L3 box won't do except the logging may be easier to look at on the TMG,...but you get better service out of a "real" LAN Router, which is what the L3 Switch is...but that is your choice.

Anyway,...that doesn't change anything I said.  You need to run DHCP on a Windows Server OS that is physically sitting on the particular LAN Segment you are dealing with,...then authorize the DHCP Service against AD.  Everything takes care of itself and works like it is supposed to after that.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Printers  - Static vs using DHCP 21 132
DHCP for a guest wireless network 1 87
Public DNS? 10 113
windows server 2012 R2 DHCP clustering ? 5 54
In all versions of ISA Server and the current version of FTMG, the default https protocol uses TCP port 443 and 563 only. This cannot be changed within the ISA or FTMG GUI and must be completed from a Windows cmd prompt on the ISA Server itself. …
Forefront Threat Management Gateway 2010 or FTMG comes with some very neat troubleshooting tools built-in when trying to identify what is actually happening behind the scenes within the product when traffic is passing through its interfaces. To the …
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question