
ISA 2006 & DHCP VPN Setup

669 Views
Last Modified: 2012-05-07
I've set up an ISA 2006 server, which has VPN clients connecting successfully and being assigned IPs by a DHCP server.

They receive the correct IP address, and correct DNS servers, however their default gateway is always set to their own IP, and not the gateway configured on the DHCP server.

As a result these machines are not able to connect to other vlans.

If a machine obtains an IP address off the DHCP server directly then it receives all the correct IP information, so I assume it's something the ISA server is doing.

I've had a read around but can't seem to find anything that might point me in the right direction.

Thanks
Paul

Most Valuable Expert 2011

Commented:
They receive the correct IP address, and correct DNS servers, however their default gateway is always set to their own IP, and not the gateway configured on the DHCP server.
That is what it is supposed to do

As a result these machines are not able to connect to other vlans.
They are not supposed to be able to. That is a security design in the technology of VPN (no matter what brand/vendor it comes from). It is designed to protect the network receiving the connection by limiting the scope of what other networks the VPN Client may be joined to at the same time.
If you want the system to drop its pants security wise then you need to override this with what is sometimes called Split-Tunneling. To do this with a Windows DUN based VPN Client, find the setting that says "Use Gateway on Remote Network" and disable it. However, this will cause a reversal of the behavior, meaning that on the Remote Network side of things, the VPN Client will only be able to communicate with the subnet that they directly VPN'ed into. This would be the subnet that matches the IP they received when they connected. They will not be able to connect to any other subnets "further out" on the remote side. This could also violate security policy set by the company that owns the remote system and they can revoke your access if they find out. But if it is your own company then I guess you don't have to worry about that.

Author

Commented:
I see what you're saying; the issue I have is that the network was set up with a rather silly amount of vlans for each department, and as a result the VPN users need to be able to access servers in different vlans.

Assuming I didn't change the gateway settings, what would be the recommended way to gain access to these servers?

Most Valuable Expert 2011
Commented:
If I understand you right, you should not need to disable the "Use Gateway on Remote Network" setting.

Instead, add static routes on your ISA Server (in the Routing and Remote access console, not ISA) to make sure the ISA server has routes to all of your different vlans.

The next step depends on how your vlan IP subnets are set up.

If all of your vlans are subnetted under one IP range, and your "supernet" is set up as your internal network, just make sure you have a policy rule that allows all outbound protocols from the VPN Clients network to the Internal network.

If not, then you need to create a Network in ISA for each of your vlans' IP ranges, and then add a network access rule to allow VPN Clients to route to those networks, and also add a policy rule allowing all outbound protocols (or selected protocols if you wish) from VPN Clients to those networks.

Then you shouldn't have any problems. The thing to realise is that even though it has the IP address of the PC as the default gateway, it really is the ISA server that is your default gateway.

If you need detailed instructions on configuring ISA for those, let me know.
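The decision the answer above describes (one rule to Internal if the supernet covers every vlan, otherwise a Network object per vlan outside it, plus the static routes the ISA/RRAS host itself needs) as an added worked example; this is not code from the thread or from ISA, and the function name, the 10.0.0.0/16 and 192.168.50.0/24 addresses and the inter-vlan router 10.0.1.1 are constructed for illustration.

```python
# Added example, not part of the original thread. Given the ISA "Internal"
# range, the department VLAN subnets and the inter-VLAN router (next hop),
# work out what the ISA/RRAS host needs. All addresses are constructed.
import ipaddress


def plan_vpn_routing(internal_net, vlan_subnets, next_hop):
    """Return a dict with three entries:
    supernet_covers_all - True when every VLAN sits inside Internal, so a
                          single VPN Clients -> Internal access rule suffices
    isa_networks        - ISA Network objects needed (ISA networks must not
                          overlap, so only VLANs outside Internal get one)
    static_routes       - persistent routes for the RRAS host (route -p add),
                          one per VLAN that is not directly attached
    """
    internal = ipaddress.ip_network(internal_net)
    vlans = [ipaddress.ip_network(v) for v in vlan_subnets]
    hop = ipaddress.ip_address(next_hop)

    # VLANs outside the Internal range need their own ISA Network object
    # and their own access rule from the VPN Clients network.
    uncovered = [v for v in vlans if not v.subnet_of(internal)]
    isa_networks = ["Internal"] + [f"VLAN {v}" for v in uncovered]

    # Regardless of how ISA networks are defined, the RRAS host must know a
    # route to every VLAN it is not plugged into; the VLAN containing the
    # next hop is the directly attached one and needs no route.
    static_routes = [
        f"route -p add {v.network_address} mask {v.netmask} {hop}"
        for v in vlans
        if hop not in v
    ]
    return {
        "supernet_covers_all": not uncovered,
        "isa_networks": isa_networks,
        "static_routes": static_routes,
    }


if __name__ == "__main__":
    plan = plan_vpn_routing("10.0.0.0/16",
                            ["10.0.1.0/24", "10.0.10.0/24", "10.0.20.0/24"],
                            "10.0.1.1")
    for line in plan["static_routes"]:
        print(line)
```

The emitted `route -p add` lines are the Windows Server 2003 persistent-route syntax; on the RRAS side the same routes can be entered under IP Routing > Static Routes instead.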