Setting up a PowerFuse connection via DHCP options
Posted on July 3rd, 2010
Here’s a quite useful feature which was introduced with PowerFuse 2010. At some customer sites, it was not possible or allowed to create DNS aliases for the PowerFuse datastore. Imagine you’ve got multiple sites across the planet and you want to ensure that travelling workers always hit the local PowerFuse datastore. You can ensure this by using DHCP options. This generic approach can be supported by most infrastructure components that offer a DHCP service with options support. This article will take you through the steps necessary to configure it correctly.
Get the connection string. First of all, you need to obtain the encrypted connection string from the PowerFuse console. Note that this string contains the Site ID, so a PowerFuse managed laptop already associated with another environment cannot use the connection string. This also prevents someone from tampering with a managed laptop by hooking it up to their DHCP server at home. Go to the Setup | Datastore | Connection node. Use the Export button to extract the string.
Use the Copy button to copy the encrypted string to your clipboard. Alternatively, you can use the button on the right to export the connection string to a file.
Create the DHCP option. This article will show you how to do this on a Windows server only. Go to Administrative Tools and start the DHCP manager snap-in.
Right-click on the DHCP server in the tree and select the option ‘Set predefined options’. This will allow you to create the option we need for configuring RES PowerFuse to grab its connection settings when the RES service starts.
In the Option Class dropdown list, select ‘Microsoft Windows 2000 options’. Then click Add. It is important to remember the option class, as it is a prerequisite for the DHCP connection string configuration to work.
Fill out the option type fields. For the Name field, you can choose anything; however, for the sake of compatibility, stick with regular A-Z characters. Set the Data type field to String. In the Code field, choose the option number you wish to use. Any number between 72 – 223 should be fine. You may also use option numbers 2 – 71, although bear in mind Windows may use some of these. Finally, fill out the Description field with anything you like.
Preconfigure the DHCP option. Once the option type has been defined, you are returned to the previous screen, which has now changed to accommodate a string. In the Value field, paste in the connection string which you grabbed in step 2 above, as shown on the right.
Attach the option to your scope. At this point, it is presumed you have one or more scopes configured on your DHCP server (if not, it wouldn’t do you much good anyway :). Right-click the scope and select Configure options on the context menu.
On the dialog box, you need to 1) go to the Advanced tab. 2) Select “Microsoft Windows 2000 Options” from the Vendor Class dropdown. Leave the User Class dropdown alone. Finally 3) in the Available Options list, scroll down and find your newly created option. Select it and click OK.
You’re done now, and the settings will take effect for any client renewing its IP address at boot. If you already have a test client configured, the easy way is to just blow out the entire HKLM\Software\RES\PowerFuse key on the computer, then restart it. What happens is that the IP stack will initialize via DHCP before the RES Service is started. The RES Service will look for any DHCP option that begins with RESPFDB=. If valid settings are found, the connection settings are written back to the registry and everything is synced back to order again.
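To confirm what a client actually receives, the check below (an added example, not RES code and not part of the original article) walks the option bytes of a DHCP reply and reports every value that starts with RESPFDB=. It assumes that options defined under a vendor class arrive encapsulated in option 43 and that the exported string itself carries the RESPFDB= prefix; the sample bytes, the placeholder string and option code 200 are constructed.

```python
# Added example: find RESPFDB= strings in the options field of a DHCP reply.
PAD, END, VENDOR_SPECIFIC = 0, 255, 43
PREFIX = b"RESPFDB="  # prefix the article says the RES Service looks for


def iter_tlv(buf):
    """Yield (code, value) pairs from a code/length/value option buffer."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == END:          # end marker, ignore anything after it
            return
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        yield code, value
        i += 2 + length


def find_respfdb(options):
    """Return (where, option_code, text) for each option starting with RESPFDB=."""
    hits, vendor = [], b""
    for code, value in iter_tlv(options):
        if code == VENDOR_SPECIFIC:
            vendor += value      # RFC 3396: split instances are concatenated
        elif value.startswith(PREFIX):
            hits.append(("standard", code, value.decode("ascii", "replace")))
    for code, value in iter_tlv(vendor):   # sub-options inside option 43
        if value.startswith(PREFIX):
            hits.append(("vendor", code, value.decode("ascii", "replace")))
    return hits


def opt(code, value):
    """Build one option (helper for the constructed sample)."""
    return bytes([code, len(value)]) + value


# Constructed sample: DHCPACK (option 53 = 5) with option 43 carrying code 200.
SAMPLE_VALUE = b"RESPFDB=<constructed-placeholder>"
SAMPLE = opt(53, b"\x05") + opt(43, opt(200, SAMPLE_VALUE)) + b"\xff"

if __name__ == "__main__":
    print(find_respfdb(SAMPLE))
```

A RESPFDB= hit in a reply from a server you do not manage is worth investigating, since clients that have no Site ID stored yet will accept whatever string they are offered first.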
An important security note on the encrypted portion of the DHCP connection string. One might think that using DHCP options leaves the managed workspace vulnerable to hijacking, as someone might attempt to spoof a PowerFuse client into using an alternate connection string. To guard against this, the PowerFuse Site ID on the license node is encrypted into the connection string. Once a PowerFuse enabled computer has picked up the DHCP string and connected to a valid PowerFuse datastore, it will henceforth only accept new connection strings which have the same Site ID. This way a user is prevented from bringing his managed laptop home and connecting it to his own DHCP server, which connects him to a trial version of PowerFuse in which he has given himself full access to the computer. Since the Site ID won’t match, the connection is refused by the client.
Finally, a couple of tips on how to query your DHCP server. If you would like to have absolute certainty that the connection string is available through your DHCP infrastructure, you can use the built-in NETSH command to check it out.
1) Create a file with the following contents:
add helper dhcpmon.dll
dhcp server 10.5.5.200 scope 10.5.0.0 show optionvalue
2) In the script above, change the server IP to your DHCP server’s IP and change the scope IP to the IP address of the scope. If you are unsure of the scope IP, you can see it in your DHCP admin console in square brackets right next to the scope name. Once you’ve got the netsh script ready, just run it like this: netsh -f scriptfile. When you’re done, you can query the options available from the DHCP server. The result should look something like this below:
On the other hand, if you, like me, hate to Fly-Mo when you can import a Wisdom building block, I took the opportunity to create a little something for you. The Wisdom building block below will prompt you for the necessary input and let you query your DHCP server scopes.


