Caisey Blog

MSP technicians · May 27, 2026

How to Use Caisey to Isolate a Rogue DHCP Server Without Broadcasting Across the Client Network

Learn how MSP technicians use Caisey's approval-gated network inspection and durable session history to diagnose DHCP conflicts without screen sharing or losing command output mid-investigation.
DHCP troubleshooting · network diagnostics · approval-gated commands · session persistence · rogue device detection

The ticket reads "users getting wrong IP range, internet broken, help." You know the pattern: a rogue DHCP server is handing out leases from 192.168.1.0/24 while the real infrastructure expects 10.0.4.0/22. But your traditional tools make this harder than it should be. RMM PowerShell windows time out. Screen sharing into a production server disrupts the finance team. And every arp -a you run vanishes when the connection hiccups.

Caisey handles this differently. The browser-coordinated console lets you inspect network state from enrolled endpoints without broadcasting discovery traffic across the client network, and without the fragility of screen-share-dependent workflows. Here's how a technician works through it.

The Problem: DHCP Conflicts Expose RMM Fragility

Most MSPs have seen this failure mode. A user reports they can reach the printer but not Salesforce. Their IP is 192.168.1.105. The domain controller is at 10.0.4.10. Something on the network is answering DHCP requests with the wrong scope.

Standard RMM approach: remote into a domain workstation, open PowerShell, run ipconfig /all to check the DHCP server identity, then arp -a to map MAC addresses. But this breaks in three predictable ways:

  • The PowerShell session window dies mid-command, especially on congested networks or when the endpoint is already under load from the DHCP conflict itself.
  • The output scrolls by, unlogged, and the technician has to re-run everything if the RMM reconnects.
  • Screen sharing into the endpoint broadcasts the investigation to anyone walking by, and on a server, that's a compliance conversation waiting to happen.

Step 1: Enroll the Right Endpoint Without Touching It Twice

In Caisey, you start from the cloud UI search. The affected device is already enrolled—maybe it's the user's workstation, maybe it's a switch-connected server that saw the conflict first. You filter by client group, find the machine card, and click through. No second enrollment step, no installer to push because the Caisey runtime is already resident.

The machine card shows you what matters for triage: last seen timestamp, OS version, network profile (domain/private/public), and whether the runtime is currently reachable via its bridge. If the endpoint is online, the card goes green. If it's behind a restrictive firewall, the bridge status tells you whether commands will flow or queue.

Step 2: Request Approval for Network State Inspection

Here's where Caisey's approval model matters. You're about to collect network configuration data that could, in a PCI-DSS or HIPAA environment, constitute sensitive operational information. Caisey gates this.

You queue ipconfig /all and arp -a as separate commands. The runtime on the endpoint surfaces a permission prompt to the logged-in user—or, if unattended, follows the pre-configured approval policy for that client group. The technician sees the prompt status in the cloud UI: pending, approved, or denied with reason.

This isn't UAC. UAC elevates privilege locally and logs nothing to your operational system. Caisey's approval prompt creates a durable record: who approved, when, for what command hash. If the client audits you later, you have the consent chain. If the user denies, you know to escalate rather than brute-forcing through.

Step 3: Execute and Persist the Output

Once approved, the commands run headlessly. The ipconfig /all output streams back to the browser, line by line, but more importantly, it writes into the session transcript stored in Caisey's SQLite Durable Objects layer. The arp -a table follows.

Now the critical difference: you refresh your browser because the VPN flapped. In a traditional RMM, your PowerShell window is gone, the output is gone, and you're starting over. In Caisey, you reconnect to the same session ID. The transcript is there. The arp table you collected thirty seconds ago is scrollable, searchable, and attached to this diagnostic session permanently.

You scan the ipconfig output and see the DHCP server is 192.168.1.1—not your domain controller. The lease obtained timestamp is fourteen minutes ago. The arp -a table shows 192.168.1.1 maps to 00-1a-2b-3c-4d-5e.

Step 4: Cross-Reference with Durable Session History

But is this new? You search Caisey's session history for this endpoint. Three days ago, a different technician ran ipconfig /all during an unrelated printer install. The DHCP server then was 10.0.4.10. The change is recent.

You expand the search to the client group—all endpoints at this site. Two other machines show leases from 192.168.1.1 in the last hour, both approved by the same technician who was investigating Wi-Fi coverage. The pattern is clear: something was plugged in around 9 AM and started answering DHCP.

This cross-referencing is only possible because Caisey treats session history as operational memory, not disposable log files. Every command, every output, every approval is queryable by endpoint, by client, by time range. You're not relying on ticket notes that say "checked network, seemed fine."
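The checks in Steps 3 and 4 can be scripted once the transcripts are available as text. The following is an added example, not Caisey's code or part of the original post: it flags any DHCP server outside the expected scope, resolves its MAC from the arp -a table, and finds the first session in a history where the rogue appears. The function names are hypothetical, the sample transcripts are constructed from the values in the article, and English-locale Windows output is assumed.

```python
import ipaddress
import re

EXPECTED_SCOPE = ipaddress.ip_network("10.0.4.0/22")  # real scope per the article

# Constructed sample transcripts (trimmed), using the values the article reports.
IPCONFIG_ROGUE = """\
Ethernet adapter Ethernet:
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.105(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
"""
IPCONFIG_OK = "   DHCP Server . . . . . . . . . . . : 10.0.4.10\n"
ARP_OUT = """\
Interface: 192.168.1.105 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

def dhcp_servers(ipconfig_text):
    """Every 'DHCP Server' address in ipconfig /all output (one per adapter)."""
    pat = re.compile(r"^\s*DHCP Server[ .]*:[ \t]*(\S+)", re.M)
    return [ipaddress.ip_address(a) for a in pat.findall(ipconfig_text)]

def arp_table(arp_text):
    """Map IPv4 address -> MAC from arp -a output; header lines do not match."""
    pat = re.compile(
        r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+\w+",
        re.M | re.I)
    return {ip: mac.lower() for ip, mac in pat.findall(arp_text)}

def find_rogue(ipconfig_text, arp_text, scope=EXPECTED_SCOPE):
    """(server_ip, mac_or_None) for each DHCP server outside the expected scope."""
    macs = arp_table(arp_text)
    return [(str(s), macs.get(str(s)))
            for s in dhcp_servers(ipconfig_text) if s not in scope]

def first_rogue_session(history, scope=EXPECTED_SCOPE):
    """history: (label, ipconfig_text) pairs, oldest first.
    Return the label of the first session showing an out-of-scope server."""
    for label, text in history:
        if any(s not in scope for s in dhcp_servers(text)):
            return label
    return None
```

A MAC of None means the server's address was not in the collected arp table, so the arp -a capture needs to be repeated from an endpoint that has recently talked to it.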

Step 5: Confirm the Rogue Without Disruption

You have the rogue MAC. Now you need to find the physical device without running broadcast discovery tools that could further pollute the network. Caisey lets you check the switch port mapping if the endpoint supports it, or you can queue a targeted ping sweep from an already-enrolled server on the same VLAN—again, approval-gated, again with full transcript preservation.

At no point did you screen-share into a production endpoint. At no point did you risk losing command output to a dropped RMM window. The finance team never knew you were there. The audit trail is complete: what you requested, what was approved, what you found, and when you found it.

Why This Beats Screen-Share-Plus-PowerShell

The comparison isn't hypothetical. PowerShell over RMM fails in production because it's built for automation, not interactive diagnostics under operational stress. The window is ephemeral. The output is client-side. The privilege escalation is invisible to your compliance system.

Caisey's architecture—Cloudflare Workers coordinating SQLite Durable Objects—means the session state lives in the control plane, not in your browser tab or the endpoint's memory. Sub-second round trips let you work interactively. Durable persistence lets you recover from any disconnect without losing context. Approval gating lets you operate in regulated environments without side-channel risk.

For the MSP technician at 2 PM on a Tuesday, this translates to: find the rogue DHCP server in ten minutes, document it in the same workflow, and move to the next ticket without the callback that says "you never told us which device it was."