15.1 Installation Overview

When Novell ZENworks Network Access Control does not sit inline with the DHCP server, you need to set up a remote host for Device Activity Capture (DAC) to allow Novell ZENworks Network Access Control to listen on the network. This is done by installing a small program on the DHCP server or other remote (non-Novell ZENworks Network Access Control) host, which then sends relevant endpoint device information back to Novell ZENworks Network Access Control.

NOTE: Windows Server 2003 is the only server supported for this release.

To install the DHCP plug-in:

  1. The DHCP plug-in requires that you first configure your system with RDAC as described in Section 13.1, Creating a DAC Host.

  2. On the Novell ZENworks Network Access Control MS, enter the following commands and follow the on-screen instructions:

    a. /usr/local/nac/bin/MakeDHCPCert

      This command generates a file named server.pem in the current directory. This file contains a key and certificate signed by the CA. The DHCP plug-in responds to SSL connections from Novell ZENworks Network Access Control by providing this certificate.

    b. Copy the server.pem file (from the directory where it was created in Step 2.a above) to the C:\WINDOWS\system32\dhcp directory.

    c. After copying the server.pem file from the Novell ZENworks Network Access Control server, delete the file from its temporary location on the Novell ZENworks Network Access Control server.

  3. Download and install the DHCP plug-in as described in Section 15.2.1, Installing the Plug-in.

  4. The DHCP plug-in is configured using confg.xml, which resides on the Windows Server 2003 host at c:\WINDOWS\SYSTEM32\DHCP\confg.xml. Table 15-1 shows the options used in confg.xml:

    Table 15-1 DHCP Plug-in Configuration File Values

    Group: listener

      failopen
        failopen="true" means that if the Novell ZENworks Network Access Control DHCP connection goes down, the DHCP server goes into allow-all mode.
        failopen="false" means that if the Novell ZENworks Network Access Control DHCP connection goes down, the DHCP server goes into deny-all mode.

      port
        Specifies the port on which the Dynamic Link Library (DLL) file should listen for Novell ZENworks Network Access Control connections.

      looprate
        The rate in seconds at which the DHCP server checks for a broken connection.

    Group: certificates

      certfile
        A Privacy Enhanced Mail (PEM) formatted file containing the server key and certificate along with any CA trusted entities.

    Group: logging

      location
        The location of the DLL's log file. The log file is an ASCII file.

      level
        The level of verbosity in the log:
        1 - Errors only (logs unexpected behavior, such as being unable to parse the configuration file)
        2 - Errors and warnings (logs mode changes, such as No Connection to Novell ZENworks Network Access Control or Entering allow all mode)
        3 - Errors, warnings, and information messages (logs major processing steps, such as clearing the ACL)
        4 - Errors, warnings, information, and debug messages

      maxsize
        The size in kB at which the log file should be rotated.
        When the maximum size specified is exceeded, the current log file is closed and renamed as <current file name>.<integer>.

        NOTE: If the current log file is open for reading, Windows cannot rename the file. In that case, the DLL is unable to rotate the log file, and it attempts to re-open the current log file and continue logging to it.

The following text shows a DHCP plug-in example configuration file with default values:

<?xml version="1.0" encoding="utf-8" ?>
<dhcpconnector>
    <listener failopen="true">
        <port>*:4433</port>
        <looprate>10</looprate> 
    </listener>
    <certificates>
        <cadir />
        <certfile>c:\windows\system32\dhcp\server.pem</certfile>
        <clientCN enforce="false">nac</clientCN>
    </certificates>
    <logging>
        <location>c:\windows\system32\dhcp\nac_DHCP.log</location>
        <level>3</level>
        <maxsize>1024</maxsize>
    </logging>
</dhcpconnector>
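As an added example (not part of the Novell documentation or the plug-in itself), the following Python script parses a confg.xml document and lists the settings a reviewer would want to confirm before deployment: failopen, the listener bind address, clientCN enforcement and the log level. It assumes that "*" in the port value means every interface and that enforce="false" on clientCN disables the client CN check; the page documents neither, so both are flagged as assumptions in the code.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the default confg.xml shown on this page, embedded inline.
DEFAULT_CONFG_XML = r"""<?xml version="1.0" encoding="utf-8" ?>
<dhcpconnector>
    <listener failopen="true">
        <port>*:4433</port>
        <looprate>10</looprate>
    </listener>
    <certificates>
        <cadir />
        <certfile>c:\windows\system32\dhcp\server.pem</certfile>
        <clientCN enforce="false">nac</clientCN>
    </certificates>
    <logging>
        <location>c:\windows\system32\dhcp\nac_DHCP.log</location>
        <level>3</level>
        <maxsize>1024</maxsize>
    </logging>
</dhcpconnector>
"""

def parse_confg(xml_text):
    """Pull the settings of interest out of a confg.xml document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    listener = root.find("listener")
    client_cn = root.find("certificates/clientCN")
    return {
        "failopen": listener.get("failopen", "false").lower() == "true",
        "port": listener.findtext("port", ""),
        "looprate": int(listener.findtext("looprate", "0")),
        "clientcn_enforce": client_cn is not None
            and client_cn.get("enforce", "false").lower() == "true",
        "log_level": int(root.findtext("logging/level", "1")),
    }

def review_confg(xml_text):
    """Return the list of settings a reviewer would flag (empty if none)."""
    cfg = parse_confg(xml_text)
    findings = []
    if cfg["failopen"]:  # documented: allow-all mode if the NAC connection drops
        findings.append("failopen=true: DHCP switches to allow-all mode when the NAC link is down")
    if cfg["port"].startswith("*:"):  # assumption: '*' binds every interface
        findings.append("port binds all interfaces: restrict it to the address the NAC MS uses")
    if not cfg["clientcn_enforce"]:  # assumption: enforce=false skips the client CN check
        findings.append("clientCN enforce=false: the expected client CN is not enforced")
    if cfg["log_level"] < 2:  # documented: mode changes are logged at level 2 and above
        findings.append("log level below 2: allow-all / deny-all mode changes are not logged")
    return findings
```

Whether failopen="false" is the right choice is a policy decision: it keeps enforcement when the NAC link drops, at the cost of DHCP denying all clients until the link is restored.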