DHCP Spoofing -- Dynamic Host Configuration Protocol (DHCP), described in RFC 1541 (since superseded by RFC 2131), is an extension of the Bootstrap Protocol (BOOTP). DHCP allows hosts on a TCP/IP network to obtain basic configuration information (such as an IP address, subnet mask, and default gateway) dynamically.
When a DHCP client starts up, it broadcasts a DHCP discover packet looking for DHCP servers. Each DHCP server that hears the broadcast responds with a DHCP offer packet. The client chooses one server, requests the offered configuration, and the server acknowledges the assignment. The configuration is allocated (leased) to the client for a limited time (the lease time), after which the client must renew its lease in order to continue using the configuration. If a DHCP client needs to reach a DHCP server across the WAN, the Pipeline initiates the connection so that the client's request can reach the server.
SecurID and DHCP Spoofing -- If a DHCP client must reach a remote DHCP server through a Pipeline and authenticates with a SecurID card, the Pipeline must first give the client a temporary address so that the client can authenticate.
In this type of environment, the Ascend Password Protocol (APP) server must authenticate the user before a call to the remote network can be made. APP authentication requires the client to have an IP address, but it accepts a temporary (spoofed) address supplied by the Pipeline. The Pipeline can therefore be configured to act temporarily as a DHCP server for its local clients, "spoofing" a DHCP address before any connection to the remote network and its DHCP server exists. When the Pipeline receives a DHCP discover packet from a client, it assigns the client a temporary IP address with a short lease time so that the client can complete APP authentication (that is, enter the PIN from the SecurID card). When the authenticated client then tries to renew its lease on that address, the Pipeline refuses the renewal and places the call to the remote network and its real DHCP server. The client obtains its real address from that server, and the spoofed address is free for the next client. Because the temporary address is only ever handed out on the local side and the call is placed only after APP succeeds, a client that never authenticates never causes a WAN connection.
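The discover/offer/request/acknowledge exchange and the Pipeline's spoofed-lease sequence above, as an added simulation that is not Ascend code or documentation. It models the Pipeline as a single-address DHCP responder with an APP hook; the message names follow RFC 2131, while the address 10.0.0.250, the 30-second lease, the MAC addresses and the `app_authenticate` hook are assumptions made for the example.

```python
"""Simulation of the Pipeline's DHCP-spoofing sequence described above.

Constructed example, not Ascend code: message names follow RFC 2131;
addresses, lease length and the APP hook are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Msg(Enum):
    """DHCP message types (RFC 2131 option 53 values)."""
    DISCOVER = 1
    OFFER = 2
    REQUEST = 3
    ACK = 5
    NAK = 6


@dataclass
class Dhcp:
    """The few DHCP fields the simulation needs."""
    type: Msg
    client_mac: str
    yiaddr: str = "0.0.0.0"   # offered/requested address
    lease: int = 0            # lease time in seconds (0 = not applicable)


@dataclass
class SpoofingPipeline:
    spoof_addr: str = "10.0.0.250"   # assumed: the one temporary address
    spoof_lease: int = 30            # assumed: deliberately short lease
    holder: Optional[str] = None     # MAC currently holding spoof_addr
    authenticated: Set[str] = field(default_factory=set)
    wan_calls: List[str] = field(default_factory=list)

    def app_authenticate(self, mac: str, pin_ok: bool) -> bool:
        """APP check (SecurID PIN). Requires the client to hold an address."""
        if self.holder != mac:
            return False            # no IP address yet: APP cannot run
        if pin_ok:
            self.authenticated.add(mac)
        return pin_ok

    def handle(self, pkt: Dhcp) -> Optional[Dhcp]:
        if pkt.type is Msg.DISCOVER:
            if self.holder not in (None, pkt.client_mac):
                return None         # spoofed address busy with another client
            self.holder = pkt.client_mac
            return Dhcp(Msg.OFFER, pkt.client_mac, self.spoof_addr, self.spoof_lease)

        if pkt.type is Msg.REQUEST:
            if pkt.client_mac != self.holder or pkt.yiaddr != self.spoof_addr:
                return Dhcp(Msg.NAK, pkt.client_mac)   # not ours / wrong address
            if pkt.client_mac in self.authenticated:
                # Renewal after APP succeeded: refuse it, bring up the WAN call
                # to the real DHCP server, and free the spoofed address.
                self.wan_calls.append(pkt.client_mac)
                self.holder = None
                self.authenticated.discard(pkt.client_mac)
                return Dhcp(Msg.NAK, pkt.client_mac)
            # Initial REQUEST (or a renewal before authentication): keep the
            # temporary lease so the client can still complete APP.
            return Dhcp(Msg.ACK, pkt.client_mac, self.spoof_addr, self.spoof_lease)

        return None   # other message types play no part in the spoofing exchange


def run_scenario() -> List[str]:
    """Walk one client through the exchange; returns the trace of replies."""
    p = SpoofingPipeline()
    mac = "00:c0:7b:00:00:01"        # assumed client MAC
    trace = []
    offer = p.handle(Dhcp(Msg.DISCOVER, mac))
    trace.append(f"{offer.type.name} {offer.yiaddr} lease={offer.lease}")
    ack = p.handle(Dhcp(Msg.REQUEST, mac, offer.yiaddr))
    trace.append(ack.type.name)
    p.app_authenticate(mac, pin_ok=True)          # user enters SecurID PIN
    nak = p.handle(Dhcp(Msg.REQUEST, mac, offer.yiaddr))   # lease renewal
    trace.append(f"{nak.type.name} wan_call={p.wan_calls[-1]}")
    return trace


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

Two behaviours worth noticing in the simulation: a second client that broadcasts a discover while the single spoofed address is held gets no offer at all, which is why the lease is kept short, and a client whose PIN fails keeps receiving ACKs for the temporary address on renewal but never triggers the WAN call, because only an authenticated renewal is refused and turned into a call.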