setting default gateway of RAS clients

I have a 2003 RAS server setup that is working fine contacting subnet 1. I have added an additional subnet 2, which my VPN clients now cannot connect to. I configured the route for subnet 2 in my router, so that's not the issue. Here's the problem, but I need help solving it... When the VPN client gets its IP information and I do a ROUTE PRINT, it is using its PPP IP address as its gateway to get to subnet 1, which works fine. But when I try to get to servers on subnet 2, it looks externally. (And I do NOT want to use the option "Use default gateway on remote network", because users don't want to use the VPN tunnel to browse the internet.) I need to know where the client gets its route table from the RAS server, and I have to tell the client to use its own IP as the gateway to get to subnet 2. If I create a static route myself on the mobile client end, I can get there. But I need this to happen automatically for the client. Thanks in advance.
Asked by itly09

itly09 (author, accepted solution) commented:
As a solution, I have set up a separate DHCP server for this and, through the scope options, I forced static routes to the VPN client. Once the client logs in, they then have static routes automatically created for them. Thank you for your input.
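The scope option the author used is the DHCP "Classless Static Routes" option (option 121 per RFC 3442; Windows clients also request Microsoft's private copy, option 249). The value is a packed byte string, not a list of addresses, so it is easy to get wrong in the console's binary editor. The following is an added example, not code from the original thread: an encoder and a validating decoder for that format. The subnet (10.2.0.0/16) and the router address (10.0.1.1, assumed to be the RRAS server's address on the VPN address pool) are assumptions; the page does not state which values the author used.

```python
import ipaddress
from typing import List, Tuple

# Each route is (destination network in CIDR form, router address).
Route = Tuple[str, str]


def encode_classless_routes(routes: List[Route]) -> bytes:
    """Encode routes in the RFC 3442 format used by DHCP option 121 and
    Microsoft's option 249. Each entry is: one byte giving the number of
    significant bits in the destination mask, the significant octets of the
    destination (ceil(bits / 8) of them), then the four-octet router."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # rejects host bits set
        width = net.prefixlen
        significant = (width + 7) // 8
        out.append(width)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(data: bytes) -> List[Route]:
    """Inverse of encode_classless_routes. Rejects truncated or malformed data
    instead of installing a partial route, which is the check a client should
    make before touching its routing table."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        width = data[i]
        i += 1
        if width > 32:
            raise ValueError(f"bad prefix width {width} at offset {i - 1}")
        significant = (width + 7) // 8
        if i + significant + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = bytes(data[i:i + significant]) + b"\x00" * (4 - significant)
        i += significant
        router = bytes(data[i:i + 4])
        i += 4
        # strict=True raises if the significant octets carry bits beyond width
        net = ipaddress.IPv4Network(
            f"{ipaddress.IPv4Address(dest)}/{width}", strict=True)
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes


def option_hex(routes: List[Route]) -> str:
    """Hex form of the encoded option, which is what the DHCP console's
    binary editor (or a netsh 'set optionvalue ... BINARY' command) takes."""
    return encode_classless_routes(routes).hex()


if __name__ == "__main__":
    # Assumed values: subnet 2 is 10.2.0.0/16, router 10.0.1.1 on the VPN pool.
    pushed = [("10.2.0.0/16", "10.0.1.1")]
    print("option 249/121 value:", option_hex(pushed))
    print("decodes to:", decode_classless_routes(encode_classless_routes(pushed)))
```

Two things worth checking when this is deployed: the option only reaches VPN clients if the RRAS server's DHCP Relay Agent forwards their DHCPINFORM to the new DHCP server, and the router address must be reachable through the PPP interface, otherwise the client silently drops the route.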
 
Rob Williams commented:
Though I have never used it, there is an option in Active Directory just for this purpose.
Open the user's profile in Active Directory; on the Dial-in tab the last item is to add a static route. This will apply to VPN clients.

Note: If the option is grayed out:
Usually this is due to the server (DC)'s "Domain functional level" being set to "Windows 2000 mixed". To verify, open Active Directory, right-click on the server name and choose "Raise domain functional level". DO NOT click Raise!!!! Just check what it says as "current domain functional level", and choose Cancel. If this is the problem then you need to raise the level. Easy to do, but DO NOT make this change without carefully examining the repercussions. It is not reversible. The primary issue is that NT domain controllers will no longer be supported. It may just still be set to that from the default installation. You can see details regarding raising domain functional levels at:
http://support.microsoft.com/kb/322692
 
itly09 (author) commented:
Anyone have any other solutions?
 
Rob Williams commented:
Is there a problem with the above suggestion? That is a built-in function of the server specifically for applying custom routes to the VPN client.

The only two other ways I have seen of doing this are:
1) Use the same page in the user's profile in Active Directory to assign a static IP to the VPN client, then add a route to the client. At least this way the IP and route are always the same.
2) Write a script that determines the assigned VPN IP and then incorporates that in a route add command.

However both of those require adding a batch file to the VPN client.
 
itly09 (author) commented:
Well, I find this difficult as I have over 200 mobile users, so it's a lot of administration overhead. I have been reading around in forums and supposedly there is a way to send the default gateway from the RAS server itself. This would be ideal.
 
Rob Williams commented:
I can well imagine 200 entries would be a bit extreme. I have not heard of a way in RRAS to do that, but perhaps it is possible. It may be possible through RRAS policies, but I know of none that will address that.
If it needs to be dynamic, as mentioned above, I can only suggest a batch file installed on the client PC one way or another, even if they have to download it from a source. The batch file (or VBS script) would parse the ipconfig results, locate the current IP and insert it into a route command. Despich, near the bottom of the following link, outlines how they were able to achieve this.
http://www.experts-exchange.com/Networking/Windows_Networking/Q_22737128.html

Just for the record: you did mention you do not want to use the "default gateway" option, but please keep in mind you are not only giving 200 users access to your domain; by disabling that security feature you are attaching 200 networks to your domain, greatly increasing vulnerability.
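The client-side script Rob describes (parse the ipconfig output, find the PPP adapter's address, and insert it as the gateway in a route add command) is shown below as an added example; it is not the batch file from the linked thread and not code from either participant. The ipconfig sample is constructed to look like a Windows XP-era client with one LAN adapter and one connected PPP adapter, and subnet 2 (10.2.0.0/16) is a hypothetical value, since the page does not name the real one. The route uses the PPP address itself as the gateway, which is exactly the manual static route the author said works.

```python
import re
import subprocess
from typing import List, Optional, Tuple

# Constructed sample of `ipconfig` output (not captured from the poster's
# machines). Vista and later print "IPv4 Address" instead of "IP Address";
# the regex below accepts both.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home.example
        IP Address. . . . . . . . . . . . : 192.168.1.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

PPP adapter Corporate VPN:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.0.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 10.0.1.23
"""

# Subnet 2 as (network, mask). Hypothetical: the page gives no addresses.
EXTRA_ROUTES: List[Tuple[str, str]] = [("10.2.0.0", "255.255.0.0")]

# Adapter headers start in column 0 and end with a colon, e.g.
# "PPP adapter Corporate VPN:"; address lines are indented.
_ADAPTER_RE = re.compile(r"^(\S.*):\s*$")
_ADDR_RE = re.compile(r"IP(?:v4)? Address[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def find_ppp_address(ipconfig_text: str) -> Optional[str]:
    """Return the IP address of the first connected PPP adapter, or None.
    Addresses under non-PPP adapters are ignored so the LAN address can never
    be picked up as the VPN gateway by mistake."""
    in_ppp = False
    for line in ipconfig_text.splitlines():
        header = _ADAPTER_RE.match(line)
        if header:
            in_ppp = header.group(1).startswith("PPP adapter")
            continue
        if in_ppp:
            addr = _ADDR_RE.search(line)
            if addr:
                return addr.group(1)
    return None


def route_commands(ppp_ip: str,
                   routes: List[Tuple[str, str]] = EXTRA_ROUTES) -> List[str]:
    """Build the `route add` commands with the PPP address as the gateway.
    No -p (persistent) flag on purpose: the PPP address changes every
    session, so the route must be re-added on each connect."""
    return [f"route add {net} mask {mask} {ppp_ip}" for net, mask in routes]


def plan_routes(ipconfig_text: Optional[str] = None) -> List[str]:
    """Return the commands to run; with ipconfig_text=None, call ipconfig on
    the local (Windows) host. Returns [] when no PPP adapter is connected."""
    if ipconfig_text is None:
        ipconfig_text = subprocess.run(
            ["ipconfig"], capture_output=True, text=True, check=True).stdout
    ppp_ip = find_ppp_address(ipconfig_text)
    return route_commands(ppp_ip) if ppp_ip else []


if __name__ == "__main__":
    # Dry run against the constructed sample; on a real client drop the
    # argument and pass each command to subprocess.run(cmd.split(), check=True).
    for cmd in plan_routes(SAMPLE_IPCONFIG):
        print(cmd)
```

To have this run automatically rather than by hand, it needs to fire after each connection comes up; a Connection Manager (CMAK) profile with a post-connect custom action is the usual way to do that on a fleet of this size, and avoids the per-user administration Rob mentions.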