PXE and SCCM

Satory · ‎04-07-2023

We have the following setup:

A FortiGate router in the middle of the network with few cisco switches, which host several VLAns.

Also we have a MS SCCM server in vlan 10 and a bunch of workstations in vlan 20, which should be booted trough PXE/SCCM and network install the OS.

So far we installed IP and DHCP on vlan 20, the PCs go till getting an IP address, but the SCCM boot and install is failing with "no boot device detected". How may I setup an working environment - the DHCP should stay on FortiGate. I tried to put ip helper-address on cisco in vlan 20, but that did not helped.

gfleming · ‎04-07-2023

Is the FortiGate doing the inter-VLAN routing? Or is the Cisco?

If the FortiGate is doing the routing you need to ensure there is a FW policy allowing the PXE Boot traffic.

Do you know what protocol/ports the PXE boot is using? DO you need to make any special DHCP server configurations to make it work? Have you done that?

Cheers,
Graham

Satory · ‎04-10-2023

Yes, the FortiGate is doing the routing and there is a rule, allowing the traffic.

gfleming · ‎04-10-2023

And the rest of my questions?

Do you know what protocol/ports the PXE boot is using? DO you need to make any special DHCP server configurations to make it work? Have you done that?

Cheers,
Graham

Satory · ‎04-11-2023

To be honest I have no idea - this is a standard laptop, which uses PXE boot from the boot menu. I believe it is using DHCP and then TFTP to download the files needed.
But this is completely different to the previous setup, where we have a IP Helper targeting the DHCP and SCCM server, which worked without problems. We have replaced the CISCO inter-vlan routing with the Fortigate device.

gfleming · ‎04-11-2023

Given this is a Fortinet support forum we can't really help you with your SCCM and PXE boot configs. You'll need to know what the requirements are for those to work before we can help you on the FortiGate side—if it even is a FortiGate issue.

Has your DHCP server changed? Was it on the Cisco before? What was/is the DHCP config options?

Have you confirmed TFTP is being used? Have you seen policy hits on the FortiGate? Have you looked at packet caps/sniffers?

Cheers,
Graham

Wi3tse · ‎04-19-2023

Hi Graham,

For PXE to work with SCCM we need a SECOND IP helper, next to the DHCP IP helper.

This is because the DHCP scope options are officially not support by Microsoft.

(I know it works, but running unsupported configs is never a good idea)

PXE clients don't start - Windows Server | Microsoft Learn

You can set an EXTRA IP helper on Cisco with cli: Router(config-if)# ip helper-address 172.16.1.2

On a Checkpoint with: set iphelper 172.16.1.2

What is the Fortinet equivalent of these commands?

Kind regards,

Wietse van Assema

Can you tell us how the above is done on a Fortinet

gfleming · ‎04-20-2023

It is very simple to do the same on FortiGate:

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/783526/dhcp-servers-and-rela...

Cheers,
Graham

Satory · ‎04-20-2023

The only solution I have found is to use the CISCO switch and define ip helper addresses.
The drawback - you have to define IP address of the switch in the same VLan, which is a security issue and we cannot use the FortiGate itself to do the ip helper, which is NOT OK!

gfleming · ‎04-20-2023

You can absolutely use FortiGate to do DHCP relay (helper):

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/783526/dhcp-servers-and-rela...

Cheers,
Graham

PXE and SCCM

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website