pmason08 asked:
ISA 2006 & DHCP VPN Setup

I've set up an ISA 2006 server, which has VPN clients connecting successfully and being assigned IPs by a DHCP server.

They receive the correct IP address, and correct DNS servers, however their default gateway is always set to their own IP, and not the gateway configured on the DHCP server.

As a result these machines are not able to connect to other vlans.  

If a machine obtains an IP address off the DHCP server directly then they receive all the correct IP information, so I assume it's something the ISA server is doing.

I've had a read around but can't seem to find anything that might point me in the right direction.

Thanks
Paul
pwindell:

They receive the correct IP address, and correct DNS servers, however their default gateway is always set to their own IP, and not the gateway configured on the DHCP server.
That is what it is supposed to do

As a result these machines are not able to connect to other vlans.  
They are not supposed to be able to.  That is a security design in the technology of VPN (no matter what brand/vendor it comes from).  It is designed to protect the network receiving the connection by limiting the scope of what other networks the VPN Client may be joined to at the same time.
If you want the system to drop its pants security wise then you need to override this with what is sometimes called Split-Tunneling.  To do this with a Windows DUN based VPN Client, find the setting that says "Use Gateway on Remote Network" and disable it.  However this will cause a reversal of the behavior, meaning that on the Remote Network side of things, the VPN Client will only be able to communicate with the subnet that they directly VPN'ed into.  This would be the subnet that matches the IP they received when they connected.  They will not be able to connect to any other subnets "further out" on the remote side.  This could also violate security policy set by the company that owns the remote system and they can revoke your access if they find out.  But if it is your own company then I guess you don't have to worry about that.
pmason08 (asker):

I see what you're saying. The issue I have is that the network was set up with a rather silly amount of vlans for each department, and as a result the VPN users need to be able to access servers in different vlans.

Assuming I didn't change the gateway settings, what would be the recommended way to gain access to these servers?

ASKER CERTIFIED SOLUTION
pwindell:

If I understand you right, you should not need to disable the "Use Gateway on Remote Network" setting.

Instead, add static routes on your ISA Server (in the Routing and Remote Access console, not ISA) to make sure the ISA server has routes to all of your different vlans.

The next step depends on how your vlan IP subnets are set up.

If all of your vlans are subnetted under one IP range, and your "supernet" is set up as your internal network, just make sure you have a policy rule that allows all outbound protocols from the VPN Clients network to the Internal network.

If not, then you need to create a Network in ISA for each of your vlans ip ranges, and then add a network access rule to allow VPN Clients to route to those networks, and also add a policy rule allowing all outbound protocols (or selected protocols if you wish) from VPN Clients to those networks.

Then you shouldn't have any problems. The thing to realise is that even though it has the IP address of the PC as the default gateway, it really is the ISA server that is your default gateway.

If you need detailed instructions on configuring ISA for those, let me know.
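The first step of the accepted answer (giving the ISA/RRAS server a route to every departmental VLAN) can be done from the command line as well as in the RRAS console. The script below is an added example, not part of the thread and not pwindell's or the asker's configuration. Every subnet, the next-hop router address and the interface name "Internal" are assumed placeholders; the real VLAN ranges come from your core switch or router. The ISA-side pieces of the answer (defining a Network per VLAN, the network rule and the access rule from VPN Clients) are still done in the ISA management console as described above; this script only covers the routing table and a reachability check.

```batch
@echo off
REM Added example (not from the original thread): persistent static routes on the
REM ISA 2006 / RRAS server so traffic from VPN clients can be forwarded to each
REM departmental VLAN. Run in an elevated cmd.exe on the ISA server.
REM
REM ASSUMED placeholders - replace before use:
REM   NEXTHOP   = address of the core router / L3 switch on the ISA internal subnet
REM   Internal  = the name of the ISA server's internal network interface
REM   10.10/10.20/10.30 .0.0/24 = the per-department VLAN subnets

SET NEXTHOP=10.0.0.1
SET IFNAME=Internal

REM RRAS-managed persistent routes (these show up under IPv4 > Static Routes in the
REM Routing and Remote Access console, which is where the answer says to add them).
REM Both "netsh routing ip add persistentroute" and the plain "route -p add" form
REM persist across reboots; the netsh form keeps RRAS as the owner of the route.
netsh routing ip add persistentroute dest=10.10.0.0 mask=255.255.255.0 name="%IFNAME%" nhop=%NEXTHOP%
netsh routing ip add persistentroute dest=10.20.0.0 mask=255.255.255.0 name="%IFNAME%" nhop=%NEXTHOP%
netsh routing ip add persistentroute dest=10.30.0.0 mask=255.255.255.0 name="%IFNAME%" nhop=%NEXTHOP%

REM Verify: every VLAN prefix should now be present in the kernel routing table.
echo.
echo === Routes to VLAN subnets ===
route print | findstr /C:"10.10.0.0" /C:"10.20.0.0" /C:"10.30.0.0"

REM Reachability from the ISA server itself (one assumed host per VLAN). If this
REM fails here, the problem is L3 routing on the LAN side, not ISA policy; if it
REM works here but not from a VPN client, look at the ISA network and access rules.
echo.
echo === Reachability check ===
for %%H in (10.10.0.10 10.20.0.10 10.30.0.10) do (
    ping -n 1 -w 1000 %%H >nul && echo reachable     %%H || echo NOT reachable %%H
)
```

On the client side, "route print" will still show 0.0.0.0/0 pointing at the PPP adapter's own address; that is the expected behaviour the answer describes, since the tunnel endpoint (the ISA server) is the real next hop, and the new VLAN routes on the server are what let that traffic continue past the ISA server's internal interface.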