by Etienne Liebetrau
At first look, Sophos UTM's DHCP server capabilities look very simple. However, you can unlock a more robust DHCP feature set if you know where to look and what to set. This article will take you through some of these hidden DHCP features you might want to use.
Features such as:
Depending on your network, you will have varying requirements for Dynamic Host Configuration Protocol (DHCP). Large companies will almost always have Active Directory integrated or standalone DHCP servers, whereas smaller networks may only have Sophos UTM acting as both the router and the DHCP server.
As you start to define VPN or WiFi networks, you will find yourself needing to choose between using the UTM as a DHCP server or using it as a DHCP forwarder to pass on to a full DHCP server.
Before you choose to forward DHCP to another server, read this article to make sure you're aware of the full capabilities of Sophos UTM's DHCP functionality, as some of it is a little hidden away.
If you are coming from a Windows Server DHCP perspective, the first thing you need to know is that Sophos UTM uses different terminology. The following list defines the Windows term and the Sophos UTM term.
Before you can define a DHCP scope, you need an interface to connect it to. This interface could be physical or it could be a VPN segment or VLAN. You also can edit an existing server in this step.
In this example, I am going to edit a scope that was created for a RED deployment.
Setting the Start range and End range allows you to exclude certain IPs. Here, I excluded the first 10 IP addresses for non-DHCP clients in addition to excluding the last 10 IPs in the range.
Because it is a RED, the DNS server would be itself by default, but if your rules permit, you can specify the DNS servers directly as I have done here.
The default gateway for this network segment is the RED’s own IP. Normally you would not change this but you can if you want to.
A nice touch here is how easy it is to enable HTTP Proxy Auto Configuration. This defines DHCP Option 252 and gives it the value of http://gatewayip:8080/wpad.dat. This is handy for clients set to automatically detect proxy settings.
Having your client devices receive additional configuration through DHCP is useful, especially for tasks such as changing the primary DNS server or introducing a secondary NTP server. These additional configuration settings are called "options" and each consists of a code and a value. The value can be a string, an integer or a hex value. Options can then be applied to a specific subnet or globally to all of them.
Sophos UTM makes this possible on the Options tab. Simply define your additional options, then assign the Scope as Server (scope options in Windows) or Global (server options in Windows). When testing, be aware that regardless of which options you define, Sophos UTM will only send the options the client requests.
A great way to check which setting you have received from your DHCP server is to simply check the network configuration.
From a Windows machine you can use the following, and it will show you most of the info:
ipconfig /all
If, however, you are using a less common option, such as 252, you can check those on Mac OS X by running
ipconfig getpacket en0
This will show you the options your machine has requested and received.
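To make the code/value structure of options (Options tab above) and the check on what a client actually received concrete, here is an added Python example that is not part of the original article or of Sophos UTM: it serializes DHCP options into their RFC 2132 code/length/value wire form, decodes them back, and verifies that the option 252 URL names the expected gateway. The option codes, sample IPs and the wpad.dat URL shape are assumptions based on the article's example.

```python
import struct
import ipaddress

# Option codes per RFC 2132; 252 is the de facto WPAD option the article uses.
OPT_DNS, OPT_NTP, OPT_LEASE, OPT_WPAD, OPT_END = 6, 42, 51, 252, 255


def encode_option(code, value):
    """Encode one DHCP option as code | length | value (RFC 2132 TLV).
    value may be a str (ASCII), an int (32-bit unsigned, e.g. lease time),
    a list of dotted IPv4 addresses, or bytes (a hex value already decoded)."""
    if isinstance(value, str):
        data = value.encode("ascii")
    elif isinstance(value, int):
        data = struct.pack("!I", value)
    elif isinstance(value, list):
        data = b"".join(ipaddress.IPv4Address(ip).packed for ip in value)
    else:
        data = bytes(value)
    if len(data) > 255:            # single-byte length field
        raise ValueError("option %d value exceeds 255 bytes" % code)
    return bytes([code, len(data)]) + data


def encode_options(options):
    """Serialize an ordered list of (code, value) pairs, terminated by END (255)."""
    return b"".join(encode_option(c, v) for c, v in options) + bytes([OPT_END])


def decode_options(blob):
    """Parse a TLV option field into {code: raw bytes}; tolerates PAD and truncation."""
    out, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == 0:              # PAD option carries no length byte
            i += 1
            continue
        if i + 1 >= len(blob):     # length byte missing: stop on a malformed tail
            break
        length = blob[i + 1]
        out[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return out


def wpad_url_matches_gateway(raw_opts, gateway_ip, port=8080):
    """True if the received option 252 is exactly the gateway's wpad.dat URL."""
    expected = "http://%s:%d/wpad.dat" % (gateway_ip, port)
    return raw_opts.get(OPT_WPAD, b"").decode("ascii", "replace") == expected
```

Feeding the raw option bytes shown by a packet capture or by `ipconfig getpacket` into decode_options lets you confirm that only the options you defined (and the client requested) came back, and that the proxy auto-config URL points at your own gateway.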
If you want a client to always retain the same IP address, you can define a reservation or a static mapping for it.
There are two ways to do this.
You can list, check and manage your DHCP reservation by:
The reservation created with either method contains both DNS and DHCP information. Because of this, Sophos UTM no longer needs explicit DHCP and DNS objects. It is a single unified object that contains the information that can be used in rules. For more on this, check out the Sophos Knowledge Base article: How to create a 'Unified Host Object' in your Sophos UTM.
Another advanced DHCP server setting is the Clients with static mappings only option that is available when adding or editing your server in Network Services | DHCP | Servers.
The Clients with static mappings only option prevents the DHCP server from issuing an IP to a client on the network unless you have explicitly defined a mapping for it. This is handy in an environment where physical security of network points might be poor, allowing someone to simply walk by and plug in.
Someone could, of course, assign a static IP on the device with the correct network and subnet, but at least you are not advertising that information.
If you decide to use Sophos UTM for connectivity but would like to use your existing DHCP server, you can do so by configuring the UTM as a DHCP relay agent. This instructs Sophos UTM to pass the requests on to your DHCP server. You need a DHCP relay to explicitly listen for and forward the DHCP DORA (Discover, Offer, Request, Acknowledge) exchange because DHCP discovery relies on broadcasts, which are not typically routed.
On your existing DHCP server (not the UTM) you need to define a scope with the relevant ranges, exclusions, reservations and options.
On the UTM, make the following changes:
We have seen that the Sophos UTM DHCP functionality is quite full-featured. Now that you know where all the rich functionality hides, you can unlock and use these features.
You can define scope lease times, domain suffixes, DNS servers, time servers, as well as your own options. I prefer to let the Windows AD Integrated DHCP servers handle DHCP for my large network, but for anything attached to the UTM by means of WiFi, RED, or VPN I prefer using the UTM.
The built-in DHCP functionality is capable and sufficient for all but the most complex of DHCP duties.