SonicWALL DHCP server Vendor Classes


Jonathan Raper

Dec 9, 2021, 7:23:03 PM
to ntsys...@googlegroups.com
Hi all,

So I’ve been given a directive by the client to move all DHCP from Windows server to their SonicWALL because servers are being retired. Makes sense.

However… on the existing Windows Server there is a custom DHCP vendor class, which is in use by one of the scopes.

For the life of me, I cannot figure out how to create a custom vendor class on the SonicWALL. I’ve read through the documentation I have found, and my Google/Bing-fu is coming up short. Maybe it’s just not advanced enough?

Anyone ever run into this?

Thanks,

Jonboy


Michael B. Smith

Dec 9, 2021, 7:45:52 PM
to ntsys...@googlegroups.com

I ran into this once before and had to open a case. I can’t find what we did, exactly, online, but it was something like this:

https://www.sonicwall.com/support/knowledge-base/multiple-routes-with-hex-string-in-dhcp-option-249/170802115553818/

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/BN8PR06MB541157DBB6508B117850985CA9719%40BN8PR06MB5411.namprd06.prod.outlook.com.

Kurt Buff

Dec 9, 2021, 10:23:35 PM
to ntsys...@googlegroups.com
Sorry I can't help with the SonicWall DHCP.

But, I disagree that it makes sense to locate DHCP on a network appliance, unless they're doing away with Windows servers entirely, and if they are doing that, I'd say it's a poor move.

Reasons why I think it's a bad idea to put DHCP on network appliances:
- They're giving up AD DDNS integration with DHCP. I fought this very battle with our CIO - so far I haven't lost that battle. That integration is critical to good security management - SIEM depends on being able to track this information for attribution within the network.
- Except in the smallest environments, managing static DNS entries for non-Windows machines is a real burden. It's way easier to set a reservation and let the DHCP server update DNS.
- I've found that most non-MSFT solutions have a hard time configuring, or just plain can't configure, the MSFT option to turn off NBT. While that can be done via PowerShell in a startup script, that feels very clumsy.

But, it's the customer's call, and this is the only page I could find with a quick search that discusses the advanced options for SonicWall DHCP configuration - I'm sure you've already seen it.

Kurt
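As an added example (not code from the thread, from SonicWALL or from Microsoft), the Python below builds the raw payloads behind two points in this thread: the "multiple routes as a hex string in option 249" from Michael's link, and the Microsoft vendor-class sub-option that turns off NBT from Kurt's list, which is what an appliance that only accepts opaque option values would need. The sub-option codes and the "MSFT 5.0" class are Microsoft's documented values and the route encoding follows RFC 3442; the exact hex string form the SonicWALL UI accepts is an assumption to check against that KB article.

```python
"""Raw payloads for two DHCP options that a Windows DHCP server normally hands
out through vendor classes / custom options, emitted as hex strings.
Constructed example; the separator-free upper-case hex form is an assumption,
check it against the appliance's documentation before use."""
import ipaddress
import struct


def ms_vendor_options(disable_netbios: bool = True) -> bytes:
    """Option 43 payload for the 'MSFT 5.0' vendor class (option 60 value).
    Sub-option 1, 'Microsoft Disable Netbios Option', is a 4-byte integer:
    2 = disable NetBIOS over TCP/IP, 1 = enable.  0xFF closes the list."""
    value = 2 if disable_netbios else 1
    return bytes([1, 4]) + struct.pack("!I", value) + b"\xff"


def classless_routes(routes) -> bytes:
    """Option 121 (RFC 3442) / Microsoft's pre-standard option 249 payload.
    Each (destination CIDR, router) entry is: prefix length, then only the
    significant destination octets (ceil(prefix/8)), then the 4-octet router."""
    out = bytearray()
    for cidr, router in routes:
        net = ipaddress.IPv4Network(cidr, strict=True)
        sig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def parse_classless_routes(payload: bytes):
    """Decode an option 121/249 payload back to (CIDR, router) strings, so a
    hex string can be checked before it is pasted into an appliance."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        sig = (plen + 7) // 8
        dest = payload[i + 1:i + 1 + sig].ljust(4, b"\x00")
        router = payload[i + 1 + sig:i + 5 + sig]
        if plen > 32 or len(router) != 4:
            raise ValueError("malformed route entry at offset %d" % i)
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(router))))
        i += 5 + sig
    return routes


def to_hex(payload: bytes) -> str:
    """Upper-case hex with no separators; adjust to what the UI accepts."""
    return payload.hex().upper()
```

For example, 10.0.0.0/8 via 192.168.1.1 becomes `080AC0A80101`, and the NBT-off sub-option becomes `010400000002FF`.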


Jonathan Raper

Dec 9, 2021, 11:07:18 PM
to ntsys...@googlegroups.com
Thanks guys - turns out after all that, I got an "Oh, we're no longer using those options..." (when I had literally been told the day before "we have to have those options")

*facepalm*

Kurt - you're preaching to the choir here. I agree completely, but this is a directive from on high in a multinational organization. And yes, they are doing away with on-premises servers entirely.

Side note - to your point about enhanced security because of AD Integrated DNS being tied into DHCP... They are doing a TON of stuff around security - Cisco ISE, CyberArk Privileged Identity Management, video recording of all activity done on Domain Controllers, disabling of local administrators groups on member servers... it's been quite the adventure. For one existing application, the vendor's guidance had been to run their app using a local admin account on the server. With the new rules, the higher-ups said, "No. Figure it out". Vendor said, "we don't know - we tell all our clients to run it this way, and no one has ever pushed back." So, they brought me into the conversation... and it took a bit, but I figured out what was required to give a regular non-privileged local user account the correct access to be able to run the app. Fun times!

Cheers,

Jonboy

Kurt Buff

Dec 10, 2021, 12:18:14 AM
to ntsys...@googlegroups.com
Oh man, they've gone way overboard on at least one thing - maybe. If the video recording is an actual camera, that's not very bright. However, I think what is happening is that CyberArk can do screen captures of admin activity. Still, it sounds like they've gone down the security road, but not on the path I would have taken.

Have they turned up a solution that monitors memberships in privileged groups? Is their staff still mostly in-office, or are they going to a distributed workforce? Regardless, have they implemented WPA Enterprise for their wireless, and if they have, are they using a private CA?

Sounds like something happened that got their knickers in a twist, or else they've got an ambitious new C-level exec.

Kurt

Jonathan Raper

Dec 10, 2021, 12:37:40 AM
to ntsys...@googlegroups.com
Yeah, that’s what I meant - screen captures every few seconds.

I know they replaced their wired and wireless networking stack very recently, and the SonicWALLs are slated for replacement with something newer and better, and I’ll leave it at that.

Not entirely sure about the rest, as I’m not involved in those projects.

Thanks,

Jonboy

