ISA 2006 & DHCP VPN Setup

Posted on 2009-07-09
Last Modified: 2012-05-07
I've set up an ISA 2006 server, which has VPN clients connecting successfully and being assigned IPs by a DHCP server.

They receive the correct IP address, and correct DNS servers, however their default gateway is always set to their own IP, and not the gateway configured on the DHCP server.

As a result these machines are not able to connect to other vlans.  

If a machine obtains an IP address off the DHCP server directly then they receive all the correct IP information, so I assume it's something the ISA server is doing.

I've had a read around but can't seem to find anything that might point me in the right direction.

Question by: pmason08
LVL 29

Expert Comment

ID: 24818162
They receive the correct IP address, and correct DNS servers, however their default gateway is always set to their own IP, and not the gateway configured on the DHCP server.
That is what it is supposed to do.

As a result these machines are not able to connect to other vlans.  
They are not supposed to be able to.  That is a security design in the technology of VPN (no matter what brand/vendor it comes from).  It is designed to protect the network receiving the connection by limiting the scope of what other networks the VPN Client may be joined to at the same time.
If you want the system to drop its pants security wise then you need to override this with what is sometimes called Split-Tunneling.  To do this with a Windows DUN based VPN Client, find the setting that says "Use Gateway on Remote Network" and disable it.  However this will cause a reversal of the behavior, meaning that on the Remote Network side of things, the VPN Client will only be able to communicate with the subnet that they directly VPN'ed into.  This would be the subnet that matches the IP they received when they connected.  They will not be able to connect to any other subnets "further out" on the remote side.  This could also violate security policy set by the company that owns the remote system and they can revoke your access if they find out.  But if it is your own company then I guess you don't have to worry about that.

Author Comment

ID: 24821119
I see what you're saying. The issue I have is that the network was set up with a rather silly amount of VLANs for each department, and as a result the VPN users need to be able to access servers in different VLANs.

Assuming I didn't change the gateway settings, what would be the recommended way to gain access to these servers?

LVL 29

Accepted Solution

pwindell earned 500 total points
ID: 24822821
I didn't suggest any gateway changes.  The change I suggested is simply a "toggle" in the DUN settings.  It is your only option beyond setting really ugly Static Routes on each and every affected Client that points to the LAN Router to get to the other subnets.

Expert Comment

ID: 24826963
If I understand you right, you should not need to disable the "Use Gateway on Remote Network" setting.

Instead, add static routes on your ISA Server (in the Routing and Remote Access console, not ISA) to make sure the ISA server has routes to all of your different VLANs.

The next step depends on how your VLAN IP subnets are set up.

If all of your VLANs are subnetted under one IP range, and your "supernet" is set up as your internal network, just make sure you have a policy rule that allows all outbound protocols from the VPN Clients network to the Internal network.

If not, then you need to create a Network in ISA for each of your VLANs' IP ranges, and then add a network access rule to allow VPN Clients to route to those networks, and also add a policy rule allowing all outbound protocols (or selected protocols if you wish) from VPN Clients to those networks.

Then you shouldn't have any problems. The thing to realise is that even though it has the IP address of the PC as the default gateway, it really is the ISA server that is your default gateway.

If you need detailed instructions on configuring ISA for those, let me know.
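The answer above leaves the reader to work out which persistent routes the RRAS/ISA host needs and whether the "one supernet" or "one ISA Network per VLAN" case applies. The following Python helper (added here as an illustration; it is not code from the thread or from ISA/RRAS) takes a constructed VPN client pool, LAN router address and VLAN list, emits the Windows `route -p add` lines for the ISA host, and reports which VLANs fall outside the Internal supernet and therefore need their own ISA Network and access rule. It also flags a VLAN that overlaps the VPN client pool, since such clients would never be routed off-link to reach it.

```python
"""Route-plan helper for the ISA/RRAS VPN setup discussed above.
All addresses below are constructed sample values, not the asker's network."""
import ipaddress


def plan_routes(vpn_pool, lan_router, vlans, internal_net=None):
    """Return (route_cmds, extra_networks, warnings).

    route_cmds:     persistent routes for the ISA/RRAS host, sending each
                    VLAN to the LAN router (Windows 'route -p add' syntax).
                    The VLAN the LAN router itself sits in is directly
                    connected, so no route is generated for it.
    extra_networks: VLANs not covered by internal_net; each needs its own
                    ISA Network plus a VPN Clients -> that network rule.
                    Empty when one VPN Clients -> Internal rule suffices.
    warnings:       VLANs overlapping the VPN client pool (clients would
                    treat those hosts as on-link and never reach them).
    """
    pool = ipaddress.ip_network(vpn_pool)
    router = ipaddress.ip_address(lan_router)
    covered = ipaddress.ip_network(internal_net) if internal_net else None
    route_cmds, extra, warnings = [], [], []
    for vlan in vlans:
        net = ipaddress.ip_network(vlan)
        if net.overlaps(pool):
            warnings.append(f"{net} overlaps VPN pool {pool}")
            continue
        if router not in net:  # skip the ISA host's own LAN subnet
            route_cmds.append(
                f"route -p add {net.network_address} mask {net.netmask} {router}")
        if covered is None or not net.subnet_of(covered):
            extra.append(str(net))
    return route_cmds, extra, warnings


if __name__ == "__main__":
    cmds, extra, warns = plan_routes(
        "10.10.50.0/24", "10.10.1.1",
        ["10.10.1.0/24", "10.10.20.0/24", "10.10.30.0/24",
         "192.168.5.0/24", "10.10.50.0/25"],
        internal_net="10.10.0.0/16")
    print("\n".join(cmds))
    print("ISA Networks still needed:", extra or "none (Internal covers all)")
    print("Warnings:", warns or "none")
```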
