

ISA Server 2004 VPN Client access DHCP Relay

Posted on 2006-05-26
Medium Priority
Last Modified: 2012-06-21
Hello all!

I am having an issue with setting up a VPN for remote access using DHCP. I have configured the DHCP relay agent using the internal NIC, I have set up the access rules for DHCP Relay and DHCP request, and followed every article I could find on ISASERVER.ORG, MS articles and whatever else I could dig up. I still can't seem to get this to work correctly. The clients can authenticate, but if I do an ipconfig it shows the PPP interface's address as this is not the correct address that it should be getting. I can ping and RDP to servers and other devices using the internal IP address scheme. However, nothing can be resolved by name (even though ipconfig shows the correct DNS servers). Does anyone know what I am missing? Has anyone had this issue before?

Thank you in advance for any helpful comments!
Question by: TimMcGrath

Author Comment

ID: 16769906
Ok, I am still getting the auto ip address of  I read a thread stating that you need to change the setting "allow ras to select nic to obtain dhcp" to the internal NIC that is provided by RRAS. When I tried to change this I did not see the internal interface. I see my perimeter interface, the internal interface for the FW and my external interface. Is this the problem?

Expert Comment

ID: 16777881
Try 'Internal Interface', or you need to look at networks to see which interface is connected to your internal network, and select it.

Do you have DHCP on your internal network? What scope is it using? Can you configure your ISA server to use a scope?

Did you follow all the steps as listed in the following article?



Author Comment

ID: 16784217

Thanks for the response. I thought that you were not supposed to use the internal interface of the ISA server?

I am running DHCP on the internal network, which sits behind the ISA server. We have 2 servers that are our DHCP servers. One is configured for to the other is to Each server is only using about 10% of its IP addresses. Both servers are configured with the DNS servers, so all clients get their DNS settings from the DHCP server.

I have followed most of the steps in that article (along with several other articles from that site). I am not using RADIUS (the ISA server is a member of the domain) and I am not using a CA server (not yet; I was planning on implementing it down the line and wanted to see if I could get the VPN working first). When I test the VPN it allows me to authenticate, I just do not get the right IP address. I can ping internal servers by IP address and can RDP to servers by IP address.

Accepted Solution

naveedb earned 1000 total points
ID: 16784888
"I thought that you were not supposed to use the internal interface of the ISA server?"

Explain, we are only using the Internal interface to obtain an IP address and pass it to the remote client. Why do you think it will be a problem?


Author Comment

ID: 16784937
Reading through the book "Configuring ISA Server 2004", there is a note that states "make sure you select the internal interface (named internal by RRAS) not the internal interface of the ISA server". I have seen several references to this and was not sure why. I am new to the ISA server. I have not seen any explanation for this, just references in articles and on some blogs that it has caused problems. I can give that a shot tomorrow morning and see what happens.

Expert Comment

ID: 16808199
First Check Your DHCP connectivity in Dashboard in Monitoring. It is Showing Good or Not.
Then Right Click on VPN & Go in Properties. In Access Network Select External & Internal, Then in Address Assignment select DHCP & Internal from Drop Down. Then Select Authentication & leave the RADIUS.
In Firewall Policy You have to Make Two Rules:-
1. Internal Rule :- Action:- Allow, Protocol:- All Outbound Traffic, From:- Internal, Local Host, To:- Internal Local Host, User:- All Users (If have your DHCP server running on some other machine).
2. VPN Rule :- Action:- Allow, Protocol:- L2TP Client & PPTP, From:- Local Host, Quarantined VPN Client, VPN Client, To:- External, Local Host, Internal & VPN Client, User:- Which Ever You Want (Or All User).

If you still didn't get your internal IP address range, then check Configuration --> Networks, & Network Rule; in the VPN Network Rule, Relation should be Route.


Author Comment

ID: 16809291
Hey all,

Thanks for the comments. Got it all working!!! I created a virtual interface off one of the internal NICs and configured that with "obtain ip address from dhcp". Went back into RRAS and selected that to be the internal NIC to use. My VPN clients are authenticating and getting the correct IP range, DNS and WINS addresses.

Naveedb, thank you for your comment about the internal interface, made me take another look into things.



Question has a verified solution.
