jackhess asked:

How to pass the client's IP address through a VPN connection

The short version of this question is: Is there a way to set up a VPN firewall rule that does not NAT the client's IP address and instead just passes the client-assigned IP address through?

I have two applications sitting behind an ISA 2006 server that are apparently not returning the requested information back to the ISA Server in a way that it, the ISA Server, understands and can then send back to the VPN computer.  One application is called Munis and is a municipal accounting program.  I can login to and get to a terminal session that allows me to select where I want to go from there.  It displays the address it believes me to be at.  As an example, I obtain as my VPN client IP address but Munis displays the address of the ISA Server.  When I select the Munis module I want, it thinks for a minute then dies.

This is my theory, and if you have a better one I'm game to hear it.  I am new to ISA Server and welcome any suggestions.


Qlemo:

ISA does not NAT (normally); instead it uses proxy ARP, meaning it answers instead of your client when asked for MAC addresses. Nevertheless, each VPN connection has its unique IP address.
The problem must lie in the logon process. Please describe that in more detail, especially what is meant by "terminal session" (telnet / vt220 / RDP?).
jackhess:



Thanks for the reply.  This is using an executable called fgltty.exe and Help says it is a Genero Desktop Client.  In my configuration I'm using the RLOGIN protocol with VT100+ emulation.

The only explanation I have is that fgltty is executed on the server, not on your client.
cheeselover73:

If I understand you right, you log on via VPN through ISA, then you try to start an application to communicate from the client to the application? If you use the terminal console, it works, but not if you access the application directly?

If your application reports a different IP address, have you set up a publishing rule for this application? If yes, have a look at the setting "to", where you set the IP of the server. There is an option to determine whether ISA reports the original client IP address or the ISA IP.
If you simply make a connection and call an exe file, it may have a DNS problem, depending on the functionality of your exe file.

Your client gets a VPN IP (i.e. static pool or dynamic). If the client (i.e. a laptop) is also registered in DNS, the program may take the DNS record to send back responses instead of the currently assigned VPN IP.

It is also possible that your client has trouble with name resolution, so that the client tries to use the DNS servers of the underlying internet connection instead of the DNS servers assigned via the VPN connection.

If this is simply a problem with this single application and everything else runs fine, I would suggest tracing the traffic through ISA (ISA protocol trace) to determine if there are packets routed in the wrong direction. If you also have trouble with other applications or services, there may be a more general problem.
You da man!  That fixed the immediate issue of the wrong IP address.  I still have other things to do to get my application working but you absolutely answered the question.  Thanks
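
An added example, not part of the thread or of any participant's post: a small Python reflector for confirming which source address a server behind the ISA Server actually sees, which is what the publishing-rule setting mentioned in the answer controls. The function names and the loopback self-test are assumptions made for illustration; in real use `serve_once` runs on the internal server and `check_source` on the VPN client.

```python
# Added example: source-address reflector. Helper names are hypothetical.
import socket
import threading


def serve_once(listener):
    """Accept one connection and send back the peer address the server sees."""
    conn, peer = listener.accept()
    with conn:
        conn.sendall(f"{peer[0]}:{peer[1]}".encode("ascii"))


def check_source(server_host, server_port, timeout=5.0):
    """Connect, then compare the client's own socket address with the server's view."""
    with socket.create_connection((server_host, server_port), timeout=timeout) as s:
        local_ip, local_port = s.getsockname()[:2]
        data = b""
        while chunk := s.recv(64):      # server closes after replying
            data += chunk
    seen_ip, seen_port = data.decode("ascii").rsplit(":", 1)
    if seen_ip == local_ip and int(seen_port) == local_port:
        verdict = "preserved"           # routed: server sees the client itself
    elif seen_ip == local_ip:
        verdict = "port-rewritten"      # same IP, but the connection was re-originated
    else:
        verdict = "address-rewritten"   # NAT or proxy replaced the client IP
    return {
        "local": (local_ip, local_port),
        "seen": (seen_ip, int(seen_port)),
        "verdict": verdict,
    }


def loopback_demo():
    """Constructed self-test: both ends on 127.0.0.1, so nothing rewrites the source."""
    listener = socket.create_server(("127.0.0.1", 0))   # port 0 = any free port
    t = threading.Thread(target=serve_once, args=(listener,), daemon=True)
    t.start()
    result = check_source("127.0.0.1", listener.getsockname()[1])
    t.join(timeout=5)
    listener.close()
    return result


if __name__ == "__main__":
    print(loopback_demo())
```

A verdict of `address-rewritten` from the VPN client means the internal server is being shown an address other than the client's VPN IP, matching the symptom described in the question.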