setting default gateway of RAS clients

I have a 2003 RAS server setup that is working fine contacting subnet 1. I have added an additional subnet 2 that my VPN clients now cannot connect to. I configured the route for subnet 2 in my router, so that's not the issue. Here's the problem, but I need help solving it.... When the VPN client gets its IP information and I do a ROUTE PRINT, it's using its PPP IP address as its gateway to get to subnet 1, which works fine, but when I try to get to servers on subnet 2, it looks externally. (And I do NOT want to use the option "Use remote gateway" because users don't want to use the VPN tunnel to browse the internet.) I need to know where the client gets its route table from the RAS server and have to tell the client to use its own IP as the gateway to get to subnet 2. If I create a static route myself on the mobile client end, I can get there. But I need this to happen automatically for the client. Thanks in advance
Rob Williams Commented:
Though I have never used it, there is an option in Active Directory just for this purpose.
Open the user's profile in Active Directory; on the dial-in tab the last item is to add a static route. This will apply to VPN clients.

Note: If the option is grayed out:
Usually this is due to the server (DC)'s "Domain functional level" being set to "Windows 2000 mixed" . To verify, open active directory, right click on the server name and choose, raise domain functional level. DO NOT click raise !!!!  Just check what it says as "current domain functional level", and choose cancel. If this is the problem then you need to raise the level. Easy to do, but DO NOT make this change without carefully examining the repercussions. It is not reversible. The primary issue is NT domain controllers will no longer be supported. It may just still be set to that from the default installation. You can see details regarding raising Domain Functional Levels at:
itly09 Author Commented:
Anyone have any other solutions?
Rob Williams Commented:
Is there a problem with the above suggestion? That is a built-in function of the server specifically for applying custom routes to the VPN client.

The only 2 other ways I have seen of doing this are:
1) Use the same page in the user's profile of Active Directory to assign a static IP to the VPN client, then add a route to the client. At least this way the IP and route are always the same.
2) Write a script that determines the assigned VPN IP and then incorporate that in a route add command.

However both of those require adding a batch file to the VPN client.
itly09 Author Commented:
Well, I find this difficult as I have over 200 mobile users. So it's a lot of administration overhead. I have been reading around in forums and supposedly there is a way to send the default gateway from the RAS server itself. This would be ideal.
Rob Williams Commented:
I can well imagine 200 entries would be a bit extreme. I have not heard of a way in RRAS to do that, but perhaps it is possible. It may be possible through RRAS policies but I know of none that will address that.
If it needs to be dynamic, as mentioned above, I can only suggest a batch file installed on the client PC one way or another, even if they have to download from a source. The batch file (or VBS script) would parse the IPConfig results, locate the current IP and insert it into a route command. Despich near the bottom of the following link outlines how they were able to achieve this.

Just for the record: You did mention you do not want to use the "default gateway" option, but please keep in mind you are not only giving 200 users access to your domain, but by disabling that security feature you are attaching 200 networks to your domain, greatly increasing vulnerability.
itly09 Author Commented:
As a solution, I have set up a separate DHCP server for this and through the scope options, I forced static routes to the VPN client. Once the client logs in, they then have static routes automatically created for them. Thank you for your input.
